Cybersecurity has emerged as a unique discipline and is not a sub-field or niche area of software engineering or system administration. There are a few distinct characteristics of cybersecurity that distinguish it from other technical fields. First, security involves malicious and intelligent actors (i.e. opponents).
網路安全已成為一門獨特的學科，而非軟體工程或系統管理的子領域或利基領域。網路安全有一些與其他技術領域不同的獨特特徵。首先，安全涉及惡意且具智慧的參與者（即對手）。

The problem of dealing with an intelligent opponent requires a different approach, discipline, and mindset compared to facing a naturally-occurring or accidental problem. Whether we are simulating an attack or defending against one, we will need to consider the perspective and potential actions of our opponent and try to anticipate what they might do. Because our opponents are human beings with agency, they can reason, predict, judge, analyze, conjecture, and deliberate. They can also feel emotions like happiness, sorrow, greed, fear, triumph, and guilt. Both attackers and defenders can leverage the emotions of their human opponents. For example, an attacker might rely on embarrassment by holding a computer system hostage and threaten to publish its data. Defenders, meanwhile, might leverage fear to dissuade attackers from entering their networks. This reality means human beings are a critical component of cybersecurity.
處理智能對手的問題，需要與應對自然發生或意外問題相比，採取不同的方法、紀律和思維模式。無論我們是模擬攻擊還是防禦攻擊，都需要考慮對手的觀點和潛在行動，並設法預測他們可能採取的行動。因為我們的對手是具有能動性的人類，他們可以推理、預測、判斷、分析、推測和深思熟慮。他們也會感受到快樂、悲傷、貪婪、恐懼、勝利和罪惡等情緒。攻擊者和防禦者都可以利用人類對手的感情。例如，攻擊者可能會利用公開電腦系統資料的威脅來造成當事人的尷尬。同時，防禦者可能會利用恐懼來阻止攻擊者進入他們的網絡。這種現實意味著人類是網絡安全的一個關鍵組成部分。

Another important aspect of security is that it usually involves reasoning under uncertainty. Although we have plenty of deductive skills, we are by no means mentally omniscient. We cannot determine everything that follows from a given truth, and we cannot know or remember an infinite number of facts.
另一個重要的安全面向是它通常涉及到不確定性下的推理。雖然我們擁有豐富的演繹能力，但我們絕非全知全能。我們無法確定從既定事實中所有的推論，也無法知道或記住無限多的事實。

Consider how a game like chess is different from a game like poker. In chess, you know everything that your opponent does about the game state (and vice versa). You may not know what they are thinking, but you can make predictions about their next move based on the same information that they are using to determine it. Playing poker, however, you do not have all of the information that your opponent possesses, so you must make predictions based on incomplete data.
考慮一下像西洋棋這樣的遊戲與像撲克這樣的遊戲有何不同。在西洋棋中，你知道你的對手關於遊戲狀態的一切（反之亦然）。你可能不知道他們在想什麼，但你可以根據他們用來決定下一步棋的相同資訊來預測他們的下一步棋。然而，玩撲克時，你並沒有掌握對手所擁有的一切資訊，因此你必須根據不完整的數據做出預測。

When considering the mental perspectives of attackers and defenders, information security is a lot closer to poker than chess. For example, when we simulate an attack, we will never know everything there is to know about the machine/system/network/organization we are targeting. We therefore must make assumptions and estimate probabilities, sometimes implicitly and sometimes explicitly.
在考慮攻擊者和防禦者的思維角度時，資訊安全更接近撲克而不是西洋棋。例如，當我們模擬攻擊時，我們永遠不會知道我們所針對的機器/系統/網絡/組織的一切資訊。因此，我們必須做出假設並估計概率，有時是隱含的，有時是明確的。

Conversely, as defenders, we will not be aware of every potential attack vector or vulnerability we might be exposed to. We therefore need to hedge our bets and make sure that our attack surfaces that are most likely to be vulnerable are adequately protected.
相反地，作為防守方，我們不可能意識到所有潛在的攻擊向量或我們可能面臨的漏洞。因此，我們需要分散風險，確保最有可能受到攻擊的攻擊面得到充分保護。

The problem of the intelligent adversary and the problem of uncertainty both suggest that understanding cybersecurity necessitates learning more about how we think as human agents, and how to solve problems. This means we'll need to adopt and nurture specific mindsets that will help us as we learn and apply our skills.
智能對手和不確定性問題都表明，理解網絡安全需要更多地了解我們思考的方式，以及如何解決問題。這意味著我們需要培養和養成特定的思維模式，以幫助我們學習和應用技能。

Security is not only about understanding technology and code but also about understanding your own mind and that of your adversary. We tend to think of a mindset as a set of beliefs that inform our personal perspective on something.
安全不僅僅是關於理解技術和代碼，還關於理解你自己的思維和你對手的思維。我們傾向於將思維模式視為一套影響我們對某事物的個人觀點的信念。

Two contrasting examples of well-known mindsets are the fixed mindset and the growth mindset.
兩個截然不同的知名思維模式例子是固定思維模式和成長思維模式。

An individual with a fixed mindset believes that their skill/talent/capacity to learn is what it is and that there is no gain to be made by trying to improve.
擁有固定思維模式的個人認為他們的技能/才能/學習能力就是這樣，努力改進沒有任何好處。

On the other hand, a growth mindset encourages the belief that mental ability is flexible and adaptable and that one can grow their capacity to learn over time.
另一方面，成長型思維鼓勵人們相信心智能力是靈活且可適應的，並且一個人可以隨著時間推移增強學習能力。

Research suggests that, for example, a mindset in which we believe ourselves capable of recovering from a mistake makes us measurably better at doing so. This is just one aspect of the growth mindset, but it's an important one. This is because security requires us to make mistakes and learn from them and to be constantly learning and re-evaluating.
研究表明，例如，一種我們相信自己能夠從錯誤中恢復的心態，會使我們在這樣做方面明顯更好。這只是成長型思維的一個方面，但卻是一個重要的方面。這是因為安全需要我們犯錯並從中學習，並不斷學習和重新評估。

Another extremely valuable mindset is the aptly-coined security mindset. Proposed by security researcher Bruce Schneier. This mindset encourages a constant questioning of how one can attack (or defend) a system. If we can begin to ask this question automatically when encountering a novel idea, machine, system, network, or object, we can start noticing a wide array of recurring patterns.
另一個極其寶貴的心態是恰如其分的安全思維。由安全研究員布魯斯·施奈爾提出。這種思維方式鼓勵人們不斷地質疑如何攻擊（或防禦）一個系統。如果我們在遇到新的想法、機器、系統、網絡或物體時，能夠自動開始提出這個問題，我們就能開始注意到各種重複出現的模式。

At OffSec, we encourage learners to adopt the "Try Harder" mindset. To better understand this mindset, let's quickly consider two potential perspectives in a moment of "failure."
在 OffSec，我們鼓勵學習者採用「更努力嘗試」的心態。為了更好地理解這種心態，讓我們快速考慮一下在「失敗」時刻的兩種潛在觀點。

1. If my attack or defense fails, it represents a truth about my current skills/processes/configurations/approach as much as it is a truth about the system.
   如果我的攻擊或防禦失敗，這反映了我目前的技能/流程/配置/方法的真相，正如它反映系統真相一樣。

2. If my attack or defense fails, this allows me to learn something new, change my approach, and do something differently.
   如果我的攻擊或防禦失敗，這讓我學習新事物、改變方法並採取不同的做法。

These two perspectives help provide someone with the mental fortitude to make mistakes and learn from them, which is essential in any cybersecurity sub-field. More information about how to learn and the Try Harder mindset can be found in the "Effective Learning Strategies" Module that is part of this introductory Learning Path.
這兩種觀點有助於培養個人的心理韌性，使其能夠犯錯並從中學習，這在任何網絡安全子領域都至關重要。更多關於如何學習以及「更努力嘗試」的心態的資訊，可以在此入門學習路徑中包含的「有效的學習策略」模組中找到。

It's worth pausing to consider the particular attention that we will give to the offensive side of security, even in many of our defensive courses and Modules. One might wonder why a cybersecurity professional whose primary interest and goal is defending a network, organization, or government should also learn the offensive side.
值得停下來思考一下，即使在我們的許多防禦課程和模組中，我們也會特別關注安全性的進攻方面。有人可能會好奇，一個主要興趣和目標是保護網絡、組織或政府的網絡安全專業人員，為什麼也需要學習進攻方面。

Let's take the analogy of a medieval monarch building a castle. If the monarch learns that their enemy has catapults capable of hurling large boulders, they might design their castle to have thicker walls. Similarly, if their enemy is equipped with ladders, the monarch might give their troops tools to push the ladders off the walls.
讓我們以中世紀君主建造城堡的比喻來說明。如果君主得知敵人擁有能夠投擲巨石的投石機，他們可能會設計建造更厚的城牆。同樣地，如果敵人配備了梯子，君主可能會給予士兵工具來將梯子推下城牆。

The more this monarch knows about their would-be attacker and the more they can think like an attacker, the better defense they can build. The monarch might engage in "offensive" types of activities or audits to understand the gaps in their own defenses. For example, they could conduct "war games" where they direct their own soldiers to mock-battle each other, helping them fully understand the capabilities and destructive potential of a real attacker.
君主越了解潛在的攻擊者，越能以攻擊者的角度思考，就能建造更好的防禦工事。君主可能會從事「進攻性」的活動或進行審計以了解自身防禦中的漏洞。例如，他們可以進行「戰爭遊戲」，讓自己的士兵互相模擬戰鬥，幫助他們充分了解真實攻擊者的能力和破壞潛力。

In cybersecurity, enterprises might hire an individual or a firm to perform a penetration test, also known as a pentest. A penetration tester takes on the role of an attacker to better understand the system's vulnerabilities and exposed weaknesses.
在網絡安全領域，企業可能會聘請個人或公司進行滲透測試，也稱為滲透測試 (pentest)。滲透測試人員扮演攻擊者的角色，以更好地了解系統的漏洞和暴露的弱點。

Leveraging the skill-sets and mindsets of an attacker allows us to better answer questions like:
利用攻擊者的技能和思維方式，可以讓我們更好地解答以下問題：

• "How might an attacker gain access?"
  攻擊者如何取得存取權限？
• "What can they do with that access?" -" What are the worst possible outcomes from an attack?"
  他們取得存取權限後可以做什麼？- 攻擊可能造成的最悪後果是什麼？

While learning hacking skills is (of course) essential for aspiring penetration testers, we also believe that defenders, system administrators, and developers will greatly benefit from at least a cursory education in offensive techniques and technologies as well.
雖然學習駭客技能對於有抱負的滲透測試人員來說當然是必要的，但我們也相信，防禦者、系統管理員和開發人員也能從至少略懂攻擊技術和技術中受益良多。

Conversely, it's been our experience that many of the best penetration testers and web application hackers are those who have had extensive exposure to defending networks, building web applications, or administrating systems.
相反地，根據我們的經驗，許多最優秀的滲透測試人員和網頁應用程式駭客都曾廣泛接觸過網路防禦、網頁應用程式建置或系統管理。

Cybersecurity can be especially fascinating because it involves multiple agents trying to achieve mutually exclusive outcomes. In the most basic example, a defender wants to control access to an asset they own, and an attacker wants to gain control over the same asset. This is interesting because both roles, defender and attacker, exist on the continued persistence of the other. In particular, each will become more skilled and sophisticated because of the efforts (or imagined efforts) of their counterpart.
網路安全之所以特別引人入勝，是因為它涉及多個代理人試圖達成相互排斥的結果。在最基本的例子中，防禦者想要控制他們擁有的資產的存取權，而攻擊者則想要控制相同的資產。這很有趣，因為防禦者和攻擊者這兩個角色都存在於對方的持續存在中。特別是，由於其對手的努力（或想像中的努力），因此雙方都會變得更加熟練和複雜。

The attacker-defender relationship dynamic helps to fundamentally explain why cybersecurity becomes exponentially more complicated over time. To understand this dynamic better, let's introduce the fictional characters Alice and Bob. We'll make use of them often throughout the OffSec Learning Library and the cryptography literature in various contexts to demonstrate examples and thought experiments.
攻擊者與防禦者之間的動態關係有助於從根本上解釋為什麼網路安全隨著時間推移會變得越來越複雜。為了更好地理解這種動態關係，讓我們介紹虛構人物愛麗絲和鮑勃。我們將經常在 OffSec 學習圖書館和各種情境下的密碼學文獻中使用他們來演示示例和思想實驗。

For this particular story, let's imagine that Bob has an asset that he wants to defend: a great banana tree! Bob wants to make sure that only he can pick its bananas. Meanwhile, attacker Alice would love to nothing more than to steal Bob's bananas.
在這個故事中，讓我們想像一下鮑勃擁有一項他想要保護的資產：一棵很棒的香蕉樹！鮑勃想要確保只有他才能採摘它的香蕉。同時，攻擊者愛麗絲最想做的就是偷走鮑勃的香蕉。

First, Bob doesn't pay any special attention to the security of his tree. It's relatively easy for Alice to just walk up to it and steal a banana. As Alice gets better and better at stealing however, Bob will also get better at protecting his tree.
首先，鮑勃沒有特別注意他樹木的安全。愛麗絲很容易走過去偷走一根香蕉。然而，隨著愛麗絲越來越擅長偷香蕉，鮑勃也會越來越擅長保護他的樹。

When Bob first realizes Alice's treachery, he learns that standing guard prevents Alice from attempting to steal bananas. But Alice hypothesizes that Bob must sleep at some point. She pays attention to when Bob goes to sleep, then quietly sneaks up to the tree to steal.
當鮑伯第一次意識到愛麗絲的背叛時，他發現站崗可以阻止愛麗絲偷香蕉。但愛麗絲推測鮑伯一定會睡覺。她注意鮑伯何時睡覺，然後悄悄地溜到樹旁偷香蕉。

Bob then figures out how to build a tall stone wall around the tree. Alice struggles to break through it or climb over it. Eventually, she learns how to dig under the wall.
於是鮑伯想出辦法在樹周圍築起一道高高的石牆。愛麗絲努力想突破或翻越它，最終她學會了如何在牆下挖掘。

Next, Bob trains a guard dog to protect the tree. Alice learns that she can pacify the dog with treats.
接著，鮑伯訓練了一隻警犬來保護那棵樹。愛麗絲發現可以用點心來安撫那隻狗。

Bob takes a hardware security course and installs cameras and alarms to warn him anytime Alice is nearby. Alice learns how to disable the cameras and alarms.
鮑伯參加了硬體安全課程，並安裝了攝影機和警報器，以便隨時警告他愛麗絲的靠近。愛麗絲學會了如何禁用攝影機和警報器。

This cycle can continue almost indefinitely. Strangely, both attacker and defender depend on each other to increase their skill sets and better understand their respective crafts.
這個循環幾乎可以無限期地持續下去。奇怪的是，攻擊者和防禦者都互相依賴，以提升各自的技能並更好地理解各自的技藝。

We can take this analogy further to include compliance and risk management aspects of security. At some point, Bob accepts the risk that Alice may steal bananas and decides to get insurance. But his banana insurance won't pay for stolen bananas unless he complies with their requirements for risk mitigation, which entail having a sturdy wall and guard dog.
我們可以進一步延伸這個比喻，納入安全性的合規性和風險管理層面。在某個時間點，Bob 接受了 Alice 可能會偷香蕉的風險，並決定投保。但是，除非他遵守香蕉保險公司關於風險降低的要求，例如擁有堅固的圍牆和警犬，否則他的香蕉保險不會賠償被盜的香蕉。

Like many technical fields, cybersecurity relies on a significant amount of jargon, acronyms, and abbreviations. Throughout the OffSec Learning Library, we'll try to introduce terms and vocabulary as they come up organically. Before we learn about various cybersecurity theories and principles, however, it's important to define a few terms so we can follow what we're learning. Let's begin with a cursory review of some of the basic concepts that cybersecurity is about: risks, threats, vulnerabilities, and exploits.
許多技術領域都一樣，網路安全仰賴大量的術語、縮寫和簡稱。在整個 OffSec 學習資源庫中，我們將嘗試在自然的情況下介紹術語和詞彙。然而，在我們學習各種網路安全理論和原則之前，重要的是要定義一些術語，以便我們能理解我們正在學習的內容。讓我們從簡要回顧網路安全關於的一些基本概念開始：風險、威脅、弱點和漏洞利用。

The most fundamental of these four terms is risk because it applies to many domains outside of cybersecurity and information technology. A simple way to define risk is to consider two axes: the probability that a negative event will occur, and the impact on something we value if such an event happens. This definition allows us to conceptualize risks via four quadrants:
這四個術語中最基本的是風險，因為它適用於網路安全和資訊科技以外的許多領域。定義風險的一種簡單方法是考慮兩個軸：負面事件發生的可能性，以及如果此類事件發生，對我們重視的事物造成的影響。此定義使我們能夠透過四個象限來概念化風險：

1. Low-probability, low impact events
   低可能性，低影響事件
2. Low-probability, high impact events
   低可能性，高影響事件
3. High-probability, low impact events
   高可能性，低影響事件
4. High-probability, high impact events
   高可能性，高影響事件

As cybersecurity professionals, we should always consider risk by examining the questions:
作為資安專業人員，我們應始終考慮風險，並檢視以下問題：

• How likely is it that a particular attack might happen?
  特定攻擊發生的可能性有多大？
• What would be the worst possible outcome if the attack occurs?
  如果攻擊發生，最糟糕的結果是什麼？

When we can attribute a specific risk to a particular cause, we're describing a threat. In cybersecurity, a threat is something that poses risk to an asset we care about protecting. Not all threats are human; if our network depends on the local electricity grid, a severe lightning storm could be a threat to ongoing system operations.
當我們可以將特定風險歸因於特定原因時，我們正在描述一個威脅。在網路安全中，威脅是指對我們關心保護的資產構成風險的任何事物。並非所有威脅都是人為的；如果我們的網路依賴於當地電網，嚴重的雷暴可能威脅到系統的持續運作。

Nevertheless, in many cases, we are focused on human threats, including malicious programs built by people. A person or group of people embodying a threat is known as a threat actor, a term signifying agency, motivation, and intelligence. We'll learn more about different kinds of threat actors in the next section.
然而，在許多情況下，我們都專注於人類威脅，包括由人編寫的惡意程式。一個或一群構成威脅的人稱為威脅行為者，這個詞語代表著代理、動機和情報。我們將在下個章節學習更多關於不同類型威脅行為者的知識。

For a threat to become an actual risk, the target being threatened must be vulnerable in some manner. A vulnerability is a flaw that allows a threat to cause harm. Not all flaws are vulnerabilities. To take a non-security example, let's imagine a bridge. A bridge can have some aesthetic flaws; maybe some pavers are scratched or it isn't perfectly straight. However, these flaws aren't vulnerabilities because they don't pose any risk of damage to the bridge. Alternatively, if the bridge does have structural flaws in its construction, it may be vulnerable to specific threats such as overloading or too much wind.
要使威脅成為實際風險，受威脅的目標必須以某種方式脆弱。一個弱點是一個允許威脅造成傷害的缺陷。並非所有缺陷都是弱點。舉一個非安全性的例子，讓我們想像一座橋樑。一座橋樑可能有一些美觀上的缺陷；也許有些鋪路石刮傷了，或者它並不完全筆直。然而，這些缺陷並不是弱點，因為它們不會對橋樑造成任何損壞的風險。或者，如果橋樑確實存在結構上的缺陷，它可能容易受到特定威脅的影響，例如超載或強風。

Let's dive into an example. In December 2021, a vulnerability was discovered in the Apache Log4J library, a popular Java-based logging library. This vulnerability could lead to arbitrary code execution by taking advantage of a JNDI Java toolkit feature which, by default, allowed for download requests to enrich logging. If a valid Java file was downloaded, this program would be executed by the server. This means that if user-supplied input (such as a username or HTTP header) was improperly sanitized before being logged, it was possible to make the server download a malicious Java file that would allow a remote, unauthorized user to execute commands on the server.
讓我們深入探討一個例子。在 2021 年 12 月，一個漏洞在廣泛使用的基於 Java 的日誌記錄程式庫Apache Log4J中被發現。這個漏洞可能導致任意程式碼執行，方法是利用JNDI Java 工具包的功能，該功能預設允許下載請求以豐富日誌記錄。如果下載了有效的 Java 檔案，則伺服器將執行此程式。這意味著，如果在記錄使用者提供的輸入（例如使用者名稱或 HTTP 標頭）之前未正確清理，則可能使伺服器下載惡意 Java 檔案，從而允許遠端未經授權的使用者在伺服器上執行命令。

Due to the popularity of the Log4j library, this vulnerability was given the highest possible rating under the Common Vulnerability Scoring System (CVSS) used to score vulnerabilities: 10.0 Critical. This rating led to a frenzied aftermath including vendors, companies, and individuals scrambling to identify and patch vulnerable systems as well as search for indications of compromise. Additional Log4J vulnerabilities were discovered soon after, exacerbating matters.
由於 Log4j 函式庫的普及性，此漏洞在用於評分漏洞的通用漏洞評分系統(CVSS)中獲得了最高評級：10.0 嚴重。此評級導致了混亂的後果，包括供應商、公司和個人爭先恐後地識別和修補易受攻擊的系統，以及搜尋入侵跡象。不久之後又發現了其他 Log4J 漏洞，使情況更加惡化。

This vulnerability could have been prevented by ensuring that user-supplied data is properly sanitized. The issue could have been mitigated by ensuring that potentially dangerous features (such as allowing web requests and code execution) were disabled by default.
此漏洞本可以通過確保用戶提供的數據得到適當清理來避免。通過確保預設情況下禁用潛在危險的功能（例如允許網頁請求和代碼執行），可以減輕此問題。

In computer programs, vulnerabilities occur when someone who interacts with the program can achieve specific objectives that are unintended by the programmer. When these objectives provide the user with access or privileges that they aren't supposed to have, and when they are pursued deliberately and maliciously, the user's actions become an exploit.
在電腦程式中，當與程式互動的人可以實現程式設計師未預期到的特定目標時，就會發生漏洞。當這些目標為使用者提供他們不應擁有的訪問權限或特權時，並且當這些目標被故意且惡意地追求時，使用者的行為就成為一種漏洞利用。

The word exploit in cybersecurity can be used as both a noun and as a verb. As a noun, an exploit is a procedure for abusing a particular vulnerability. As a verb, to exploit a vulnerability is to perform the procedure that reliably abuses it.
在網路安全領域中，exploit 一詞既可用作名詞，也可用作動詞。作為名詞，exploit 指的是一種濫用特定漏洞的程序。作為動詞，exploit 一個漏洞是指執行可靠地濫用該漏洞的程序。

Let's wrap up this section by exploring attack surfaces and vectors. An attack surface describes all the points of contact on our system or network that could be vulnerable to exploitation. An attack vector is a specific vulnerability and exploitation combination that can further a threat actor's objectives. Defenders attempt to reduce their attack surfaces as much as possible, while attackers try to probe a given attack surface to locate promising attack vectors.
讓我們總結一下本節內容，探討一下攻擊面和攻擊向量。攻擊面 描述了我們系統或網路中所有可能容易遭受攻擊利用的接觸點。攻擊向量 是一種特定的漏洞和利用組合，可以促進威脅參與者的目標達成。防禦者盡可能減少其攻擊面，而攻擊者則嘗試探測給定的攻擊面以尋找有希望的攻擊向量。

The previous section introduced threats and threat actors. Cybersecurity professionals are chiefly interested in threat actors since typically, most threats that our systems, networks, and enterprises are vulnerable to are human. Some key attributes of cybercrime compared to physical crime include its relative anonymity, the ability to execute attacks at a distance, and (typically) a lack of physical danger and monetary cost.
前一部分介紹了威脅和威脅參與者。資安專業人員主要關注威脅參與者，因為通常我們的系統、網絡和企業容易受到大多數威脅的影響都是人為的。與實體犯罪相比，網路犯罪的一些關鍵屬性包括其相對匿名性、能夠遠程執行攻擊，以及（通常）缺乏人身危險和金錢成本。

There are a wide variety of threat actors. Different people and groups have various levels of technical sophistication, different resources, personal motivations, and a variety of legal and moral systems guiding their behavior. While we cannot list out every kind of threat actor, there are several high-level classifications to keep in mind:
威脅參與者種類繁多。不同的人和團體擁有不同的技術水平、不同的資源、個人動機以及各種指導其行為的法律和道德體系。雖然我們無法列出所有類型的威脅參與者，但仍有一些需要牢記的高級分類：

Individual Malicious Actors: On the most superficial level, anyone attempting to do something that they are not supposed to do fits into this category. In cybersecurity, malicious actors can explore digital tactics that are unintended by developers, such as authenticating to restricted services, stealing credentials, and defacing websites.
個別惡意行為者：在最淺顯的層面上，任何企圖做他們不應該做的事情的人都屬於這一類。在網絡安全領域，惡意行為者可以探索開發人員未預料到的數位策略，例如驗證受限服務、竊取憑證和篡改網站。

The case of Paige Thompson is an example of how an individual attacker can cause extreme amounts of damage and loss. In July 2019, Thompson was arrested for exploiting a router that had unnecessarily high privileges to download the private information of 100 million people from Capital One. This attack led to the loss of personal information including SSNs, account numbers, addresses, phone numbers, email addresses, etc.
Paige Thompson 的案例說明了單一攻擊者如何造成極大的損害和損失。2019 年 7 月，Thompson 因利用一台擁有過高權限的路由器下載 Capital One 公司 1 億人的私人資訊而被捕。這次攻擊導致個人資訊遺失，包括社會安全號碼、帳戶號碼、地址、電話號碼、電子郵件地址等。

This attack was partly enabled by a misconfigured Web Application Firewall (WAF) that had excessive permissions allowing it to list and read files. The attack could have been prevented by applying the principle of least privilege and verifying the correct configuration of the WAF. Since the attacker posted about their actions on social media, another mitigation could have included social media monitoring.
這次攻擊 部分是由於網頁應用程式防火牆 (WAF) 配置錯誤，其權限過高，允許其列出和讀取檔案。透過應用最小權限原則並驗證 WAF 的正確配置，本可防止 這次攻擊。由於攻擊者在社群媒體上發布了他們的行為，另一種緩解措施可能是包含社群媒體監控。

Malicious Groups: When individuals band together to form groups, they often become stronger than their individual group members. This can be even more true online because the ability to communicate instantly and at vast distances enables people to achieve goals that would have been impossible without such powerful communication tools. For example, the ability to quickly coordinate on who-does-what over instant messaging services is just as valuable to malicious cyber groups as it is to modern businesses. Malicious groups can have any number of goals but are usually more purposeful, organized, and resourceful than individuals. Thus, they are often considered to be one of the more dangerous threat actors.
惡意組織：當個人結合起來形成組織時，他們往往比單個成員更强大。這在網路上更是如此，因為即時且遠距離溝通的能力使人們能夠達成在沒有此類强大通訊工具的情況下不可能達成的目標。例如，透過即時通訊服務快速協調誰做什麼的能力，對惡意網路組織來說與對現代企業一樣寶貴。惡意組織可能有許多目標，但通常比個人更有目的性、組織性和資源性。因此，它們通常被認為是更危險的威脅參與者之一。

Let's examine an example of a group-led attack. Over the span of several months, the "Lapsus$" group performed several attacks on a wide range of companies, stealing proprietary information and engaging in extortion. These attacks resulted in a loss of corporate data - including proprietary data such as source code, schematics, and other documentation. The attacks further resulted in the public exposure of data, and financial losses for companies that submitted to extortion.
讓我們檢視一個集團領導的攻擊案例。在數個月內，「Lapsus$」集團對許多公司發動了多次攻擊，竊取專有資訊並從事勒索。這些攻擊導致公司數據損失——包括專有數據，例如原始碼、原理圖和其他文件。攻擊進一步導致數據公開曝光，以及屈服於勒索的公司的財務損失。

The variety and sophistication of techniques used by the group show how this kind of malicious actor can be so dangerous. In particular, individuals within a group can bring their own specialties to the table that people working alone wouldn't be able to leverage. In addition, they can launch many different types of attacks at targets at a volume and velocity that an individual wouldn't be able to. There's a common truism in the cybersecurity industry that the attacker only needs to succeed once, while the defender must succeed every time. The efficacy of groups of attackers highlights this asymmetry.
該組織所使用的技巧種類繁多且精良，顯示出此類惡意行為者為何如此危險。尤其是在團體中，個人可以貢獻其專長，而單打獨鬥者則無法做到。此外，他們可以對目標發動多種不同類型的攻擊，其數量和速度是個人無法企及的。資安產業中有一句常見的格言：攻擊者只需成功一次，而防禦者則必須每次都成功。攻擊者團體的效力突顯了這種不對稱性。

There are only a few targeted mitigations available for such a wide variety of attack vectors. Because recruiting employees was one of the techniques used, awareness of internal threat actors and anomaly detection is key. Palo Alto Networks additionally suggests focusing on security best practices such as MFA, access control, and network segmentation.
針對這麼多樣化的攻擊向量，可用的目標減輕措施寥寥無幾。由於招募員工是其中一種使用的技巧，因此提高對內部威脅參與者和異常偵測的意識至關重要。Palo Alto Networks此外建議專注於安全最佳實務，例如 MFA、存取控制和網路分割。

Insider Threats: Perhaps one of the most dangerous types of threat actors, an insider threat is anyone who already has privileged access to a system and can abuse their privileges to attack it. Often, insider threats are individuals or groups of employees or ex-employees of an enterprise that become motivated to harm it in some capacity. Insider threats can be so treacherous because they are usually assumed to have a certain level of trust. That trust can be exploited to gain further access to resources, or these actors may simply have access to internal knowledge that isn't meant to be public.
內部威脅：內部威脅可能是最危險的一種類型的威脅參與者，任何已經擁有系統特權訪問權限並可以濫用其特權來攻擊系統的人。通常，內部威脅是企業的員工或前任員工個人或團體，他們會受到某些動機而損害企業。內部威脅之所以如此陰險，是因為通常假設他們具有一定的信任度。可以利用這種信任來獲得更多資源的訪問權限，或者這些參與者可能只是訪問不應公開的內部知識。

During a PPE shortage in March 2020 at the beginning of the COVID-19 pandemic, Christopher Dobbins, who had just been fired as Vice President of a medical packaging company, used a fake account that he had created during his employment to access company systems and change/delete data that was critical to the company's distribution of medical supplies.
在 COVID-19 疫情爆發初期2020 年 3 月的個人防護設備短缺期間，克里斯多福·多賓斯（Christopher Dobbins）剛被解僱，此前他擔任某醫療包裝公司副總裁，他利用在職期間創建的假帳戶訪問公司系統，更改/刪除對公司醫療用品分配至關重要的數據。

This attack resulted in the delayed delivery of critical medical supplies at a crucial stage of the pandemic and the disruption of the company's broader shipment operations. The danger of an insider threat is showcased here. The attack was enabled by a fake account created by a vice president, who may have had access to more permissions than what might be considered best practice for a VP of Finance.
此次攻擊導致關鍵醫療用品在疫情最關鍵階段延遲交付，並打亂了公司更廣泛的運輸業務。此處突顯了內部威脅的危險性。此次攻擊是由一位副總裁創建的假帳戶造成的，該副總裁可能擁有比財務副總裁最佳實務應有權限更多的權限。

This attack likely could have been prevented by applying the principle of least privilege, which we'll explore in a later section. Since the attack was enabled by a fake account, it also could have been prevented by rigorously auditing accounts. Lastly, since this activity was performed after the VP's termination, better monitoring of anomalous activity may have also prevented or mitigated the attack.
此次攻擊很可能透過應用最小權限原則來避免，我們將在後續章節探討此原則。由於攻擊是由假帳戶造成的，因此也可以透過嚴格審計帳戶來避免。最後，由於此活動是在副總裁離職後執行的，因此更好的異常活動監控也可能已避免或減輕了此次攻擊。

Nation States: Although international cyber politics, cyber war, and digital intelligence are vast subjects and significantly beyond the scope of this Module, we should recognize that some of the most proficient, resourceful, and well-financed operators of cyber attacks exist at the nation-state level within many different countries across the globe.
民族國家：雖然國際網絡政治、網絡戰爭和數字情報是廣泛的主題，遠遠超出了本模組的範圍，但我們應該認識到，一些最熟練、最有資源和資金最充足的網絡攻擊操作者存在於全球許多不同國家的民族國家層面。

Since 2009, North Korean threat actors, usually grouped under the name Lazarus, have engaged in several different attacks ranging from data theft (Sony, 2014) to ransomware (WannaCry, 2017) to financial theft targeting banks (Bangladesh Bank, 2016) and cryptocurrencies - notably, the 2022 Axie Infinity attack. These attacks have resulted in the loss and leak of corporate data, including proprietary data (Sony) and financial losses for companies that paid a ransom.
自 2009 年以來，朝鮮威脅行為者（通常被稱為Lazarus）參與了數次不同的攻擊，範圍從數據竊取（索尼，2014 年）到勒索軟件（WannaCry，2017 年），再到針對銀行（孟加拉國銀行，2016 年）和加密貨幣的金融竊取——尤其值得注意的是 2022 年的 Axie Infinity 攻擊。這些攻擊導致公司數據丟失和洩露，包括專有數據（索尼）以及支付贖金的公司造成的財務損失。

An information assurance firm called NCC Group suggests the following steps prevent or mitigate attacks from the Lazarus group: network segmentation, patching and updating internet-facing resources, ensuring the correct implementation of MFA, monitoring for anomalous user behavior (example: multiple, concurrent sessions from different locations), ensuring sufficient logging, and log analysis.
一家名為NCC 集團的資訊安全公司建議採取以下步驟來預防或減輕來自 Lazarus 集團的攻擊：網路區隔、修補和更新面向網際網路的資源、確保多因素驗證 (MFA) 的正確實施、監控異常使用者行為（例如：來自不同位置的多個併發會話）、確保足夠的日誌記錄以及日誌分析。

While the above section focused on who performs attacks, in this section we'll cover different kinds of breaches that have occurred in the last few years. We'll analyze some more recent cybersecurity attacks, discuss the impact they had on enterprises, users, and victims, and then consider how they could have been prevented or mitigated.
上一部分重點關注的是誰發動攻擊，在本部分中，我們將探討過去幾年中發生的各種違規事件。我們將分析一些最近的網路安全攻擊事件，討論它們對企業、使用者和受害者的影響，然後考慮如何預防或減輕這些攻擊。

There are many examples of recent breaches to choose from. For each breach, we'll indicate the kind of attack that allowed the breach to occur. This list by no means represents a complete survey of all types of attacks, so instead we'll aim to provide a survey highlighting the scope and impact of cybersecurity breaches.
有許多最近違規事件的例子可供選擇。對於每個違規事件，我們將指出允許發生違規事件的攻擊類型。此列表絕不代表所有類型攻擊的完整調查，因此我們將著重於提供一份調查，以突顯網路安全違規事件的範圍和影響。

Social Engineering: Social Engineering represents a broad class of attacks where an attacker persuades or manipulates human victims to provide them with information or access that they shouldn't have.
社會工程：社會工程代表一種類型廣泛的攻擊，攻擊者藉由說服或操縱受害者提供他們不應該擁有的資訊或存取權限。

In July 2020, attackers used a social engineering technique called spearphishing to gain access to(https://www.bbc.com/news/technology-53607374) an internal Twitter tool that allowed them to reset the passwords of several high-profile accounts. They used these accounts to tweet promotions of a Bitcoin scam. The impacts of this attack included financial losses for specific Twitter users, data exposure for several high-profile accounts, and reputational damage to Twitter itself.
2020 年 7 月，攻擊者使用一種稱為魚叉式網路釣魚的社會工程技術來取得存取權限(https://www.bbc.com/news/technology-53607374)一個內部的Twitter工具，該工具允許他們重設幾個高知名度帳戶的密碼。他們利用這些帳戶發送比特幣詐騙的推文。這次攻擊的影響包括特定 Twitter 用戶的財務損失、幾個高知名度帳戶的數據洩露以及 Twitter 自身的聲譽損害。

To understand potential prevention and mitigation, we need to understand how and why the attack occurred. The attack began with phone spear-phishing and social engineering, which allowed attackers to obtain employee credentials and access to Twitter's internal network. This could have been prevented had employees been better equipped to recognize social engineering and spear-phishing attacks. Additional protections that could have prevented or mitigated this attack include limiting access to sensitive internal tools using the principle of least privilege and increased monitoring for anomalous user activity.
為了解潛在的預防和減輕措施，我們需要了解攻擊是如何發生的以及原因。攻擊始於電話釣魚和社會工程，這使得攻擊者得以取得員工憑證並存取 Twitter 的內部網絡。如果員工能更好地識別社會工程和魚叉式釣魚攻擊，本可預防此事。其他可以預防或減輕此攻擊的保護措施包括：根據最小權限原則限制對敏感內部工具的存取，以及加強對異常使用者活動的監控。

Phishing: Phishing is a more general class of attack relative to spear-phishing. While spear-phishing attacks are targeted to specific individuals, phishing is usually done in broad sweeps. Phishing strategy is usually performed by sending a malicious communication to as many people as possible, increasing the likelihood of a victim clicking a link or otherwise doing something that would compromise security.
網絡釣魚：相較於魚叉式網絡釣魚，網絡釣魚是一種更廣泛的攻擊類型。魚叉式網絡釣魚攻擊針對特定個人，而網絡釣魚通常是大範圍進行。網絡釣魚策略通常是向盡可能多的人發送惡意郵件，從而增加受害者點擊連結或採取其他可能危及安全行為的可能性。

In September 2021, a subsidiary of Toyota acknowledged that they had fallen prey to a Business Email Compromise (BEC) phishing scam. The scam resulted in a transfer of ¥ 4 billion (JPY), equivalent to roughly 37 million USD, to the scammer's account. This attack occurred because an employee was persuaded to change account information associated with a series of payments.
2021 年 9 月，豐田汽車的一家子公司承認他們成為商業電郵入侵（BEC）網絡釣魚詐騙的受害者。該詐騙導致 40 億日元（JPY）的款項（約合 3700 萬美元）轉入詐騙者的帳戶。這次攻擊之所以發生，是因為一名員工被誘騙更改與一系列付款相關的帳戶信息。

The United States Federal Bureau of Investigation (FBI) recommends these and other steps be taken to prevent BEC:
美國聯邦調查局（FBI）建議採取這些以及其他步驟來預防 BEC：

• Verify the legitimacy of any request for payment, purchase, or changes to account information or payment policies in person.
  親自核實任何付款、購買或更改帳戶信息或付款政策的要求的合法性。
• If this is not possible, verify legitimacy over the phone.
  如果無法親自核實，請通過電話核實其合法性。
• Be wary of requests that indicate urgency.
  警惕那些暗示緊急性的請求。
• Carefully inspect email addresses and URLs in email communications.
  仔细检查电子邮件通信中的电子邮件地址和网址。
• Do not open email attachments from people that you do not know.
  不要打开来自陌生人的电子邮件附件。
• Carefully inspect the email address of the sender before responding.
  在回复之前，仔细检查发件人的电子邮件地址。

Ransomware: Ransomware is a type of malware that infects computer systems and then locks a legitimate user from accessing it properly. Often, users are contacted by the attacker and asked for a ransom to unlock their machine or documents.
勒索軟體：勒索軟體是一種感染電腦系統並鎖定合法使用者使其無法正常存取的惡意軟體。使用者通常會收到攻擊者的聯繫，要求支付贖金以解鎖其機器或文件。

In May 2021, a ransomware incident occurred at Colonial Pipeline, a major American oil company. The attack lead to the disruption of fuel distribution for multiple days. This attack resulted in a loss of corporate data, the halting of fuel distribution, millions of dollars in ransomware payments, increased fuel prices, and fuel shortage fears.
2021 年 5 月，美國主要石油公司Colonial Pipeline發生一起勒索軟體事件。此次攻擊導致燃料分配中斷數天。此次攻擊導致公司數據丟失、燃料分配停止、數百萬美元的勒索軟體支付、油價上漲以及對燃料短缺的擔憂。

In this attack, hackers gained access to Colonial Pipeline's network with a single compromised password. This attack could have been prevented or at least made less likely by ensuring that MFA was enabled on all internet-facing resources, as well as by prohibiting password reuse.
在此次攻擊中，黑客利用單個被盜密碼獲得了 Colonial Pipeline 網絡的訪問權限。通過確保在所有面向互聯網的資源上啟用 MFA，以及禁止密碼重複使用，可以防止或至少降低此類攻擊發生的可能性。

Credential Abuse: Credential Abuse can occur when an attacker acquires legitimate credentials, allowing them to log into machines or services that they otherwise would not be able to. Often, attackers can guess user passwords because they are predictable or weak.
憑證濫用：憑證濫用可能發生在攻擊者取得合法憑證時，讓他們得以登入否則無法登入的機器或服務。通常，攻擊者可以猜到使用者的密碼，因為這些密碼是可以預測的或薄弱的。

In December 2020, a series of malicious updates were discovered in the SolarWinds Orion platform, an infrastructure monitoring and management tool. These malicious updates allowed malware to be installed on the environment of any SolarWinds customer that installed this update and led to the compromise of several these customers, including universities, US government agencies, and other major organizations.
在2020 年 12 月，SolarWinds Orion 平台（一種基礎架構監控和管理工具）中發現了一系列惡意更新。這些惡意更新允許將惡意軟體安裝在安裝此更新的任何 SolarWinds 客戶的環境中，並導致數家客戶遭到入侵，其中包括大學、美國政府機構和其他主要組織。

As a supply-chain attack, this attack affected approximately 18,000 SolarWinds customers and led to the breach of a subset of customers including government agencies and other major companies. According to former SolarWinds CEO Kevin Thompson, this attack resulted from a weak password that was accidentally exposed publicly on GitHub. This attack could have been prevented by ensuring that passwords are sufficiently strong and by monitoring the internet for leaked secrets. CISA has also stated that this attack could have been mitigated by blocking outbound internet traffic from SolarWinds Orion servers.
作為一次供應鏈攻擊，此次攻擊影響了大約 18,000 名 SolarWinds 客戶，並導致包括政府機構和其他大型公司在內的一部分客戶遭到入侵。根據 SolarWinds 前執行長 Kevin Thompson 的說法，此次攻擊是由於弱密碼意外地在 GitHub 上公開洩露所致。透過確保密碼強度足夠，並監控網際網路以防洩露機密，本可防止此攻擊。CISA 也表示，透過封鎖來自 SolarWinds Orion 伺服器的出站網路流量，本可減輕此次攻擊的影響。

Authentication Bypass: While Credential Abuse allows attackers to log in to services by legitimate means, Authentication Bypasses can allow attackers to ignore or step around intended authentication protocols.
驗證繞過：憑證濫用允許攻擊者透過合法途徑登入服務，而驗證繞過則允許攻擊者忽略或繞過預期的驗證協定。

Similar to the above SolarWinds attack, on July 2nd 2021 an attack was detected that took advantage of a vulnerability in software vendor Kaseya's VSA remote management tool. Attackers were able to bypass the authentication system of the remote tool to eventually push REvil ransomware from compromised customer Virtual System Administrator (VSA) servers to endpoints via a malicious update.
類似於上述 SolarWinds 攻擊事件，2021 年 7 月 2 日偵測到一項攻擊，該攻擊利用軟體供應商 Kaseya 的 VSA 遙控管理工具中的漏洞。攻擊者能夠繞過遙控工具的驗證系統，最終透過惡意更新，從受入侵的客戶虛擬系統管理員 (VSA) 伺服器將 REvil 勒索軟體推送到終端點。

Since this attack targeted several Managed Service Providers (MSPs), its potential scope encompassed not only the MSP customers of Kaseya but also the customers of those MSPs. According to Brian Krebs, this vulnerability had been known about for at least three months before this ransomware incident. This attack could have been prevented by prioritizing and fixing known vulnerabilities in an urgent and timely manner.
由於此攻擊針對多個託管服務供應商 (MSP)，其潛在範圍不僅涵蓋 Kaseya 的 MSP 客戶，還包括這些 MSP 的客戶。根據Brian Krebs 的說法，此漏洞在此勒索軟體事件發生前至少已知曉三個月。透過優先處理並及時修復已知的漏洞，本可防止此攻擊事件發生。

A system is Confidential if the only people who can access it are the people explicitly permitted to do so. A person's social media account credentials are considered confidential as long as the user's password is known only to the owner. If a hacker steals or guesses the password and can access the account, this would constitute an attack against confidentiality. Common attacks against confidentiality include network eavesdropping and credential stuffing.
一個系統如果只有明確被允許的人才能存取，則該系統為機密的。只要使用者的密碼只有所有者知道，個人的社群媒體帳號憑證就被認為是機密的。如果駭客竊取或猜測到密碼並能存取帳號，這將構成對機密性的攻擊。針對機密性的常見攻擊包括網路竊聽和憑證填充。

Let's consider an example of an attack against confidentiality, assess its impact, and understand how it could have been prevented or mitigated. In August 2021, T-Mobile announced that hackers had accessed data associated with over 50 million current, former, and prospective customers. While no payment information, passwords, or PINs were accessed, some of the data included first and last names, dates of birth, social security numbers, and ID/drivers' license information. This data was subsequently offered for sale on the dark web.
讓我們以一個針對機密性的攻擊案例為例，評估其影響，並了解如何預防或減輕其影響。2021 年 8 月，T-Mobile宣佈駭客已存取與超過 5000 萬現有、前任和潛在客戶相關的數據。雖然沒有存取任何付款資訊、密碼或個人識別碼，但部分數據包括姓名、出生日期、社會安全號碼和身份證/駕駛執照資訊。這些數據隨後在暗網上被出售。

The attack impacted the confidentiality of the personal information of millions of current, former, and prospective customers. The confidentiality of this information was subsequently further compromised by being made available for purchase on the dark web. This also led to further reputational damage to T-Mobile as the attack was one of several then-recent breaches.
此次攻擊影響了數百萬現有、前任和潛在客戶個人信息的機密性。這些信息的機密性隨後因在暗網上被公開出售而進一步受到損害。由於此次攻擊是當時最近幾起數據洩露事件之一，這也導致 T-Mobile 的聲譽進一步受損。

There is limited information available on the exact methodology used by the attackers; however, they claim to have first compromised a router to gain access to over 100 servers including the database or databases that contained the affected customer data. This breach could have been prevented by ensuring that all internet-facing resources were properly configured, patched, and updated. Then the network should have been monitoring for anomalous user behavior, and by instituting better network segmentation.
關於攻擊者使用的確切方法的信息有限；然而，他們聲稱首先入侵了一台路由器，以訪問超過 100 台服務器，包括包含受影響客戶數據的數據庫。通過確保所有面向互聯網的資源都已正確配置、修補和更新，可以防止這種數據洩露。然後，網絡應該監控異常用戶行為，並建立更好的網絡分段。

Private documents such as driver's licenses ought to be confidential because they contain information that can identify individuals.
駕駛執照等私人文件應該保密，因為它們包含可以識別個人的信息。

However, not all information possessed by a company is necessarily confidential. For example, T-Mobile's board members are publicly listed on their website. Therefore, if an attack were to divulge that information, it would not be a breach of confidentiality.
然而，公司所擁有的資訊並不一定都是機密的。例如，T-Mobile 的董事會成員已公開列在其網站上。因此，如果攻擊洩露該資訊，則不構成機密洩露。

A system has Integrity if the information and functionality it stores is only that which the owner intends to store. Integrity is concerned with maintaining the accuracy and reliability of data and services. Merely logging on to a user's social media account by guessing their password is not an attack against integrity. However, if the attacker starts to post messages or delete information, this would become an attack on integrity as well. A common attack against integrity is arbitrary code execution.
如果系統儲存的資訊和功能僅限於所有者打算儲存的資訊和功能，則該系統具有完整性。完整性關心的是維護數據和服務的準確性和可靠性。僅僅通過猜測用戶的密碼登錄用戶的社交媒體帳戶並不構成對完整性的攻擊。但是，如果攻擊者開始發佈訊息或刪除資訊，這也將成為對完整性的攻擊。一種常見的針對完整性的攻擊是任意代碼執行。

In January 2022, researchers identified a new wiper malware, dubbed WhisperGate, being used against Ukrainian targets. This malware has two stages: stage one overwrites the Master Boot Record (MBR) to display a fake ransomware note, while stage two downloads further malware overwriting files with specific extensions, thus rendering them corrupt and unrecoverable. This attack impacts the integrity of data on the affected system by overwriting files in an irrecoverable manner, effectively deleting them.
在2022 年 1 月，研究人員發現一種新的擦除式惡意軟體，稱為WhisperGate，正被用於攻擊烏克蘭目標。此惡意軟體分兩個階段：第一階段覆寫主開機記錄 (MBR) 以顯示偽造的勒索軟體訊息，而第二階段則下載更多惡意軟體，覆寫具有特定副檔名的檔案，使其損壞且無法復原。此攻擊會透過無法復原的方式覆寫檔案，有效地刪除檔案，從而影響受影響系統上的數據完整性。

In their advisory, Microsoft recommended that potential targets take the following steps to protect themselves: enable MFA to mitigate potentially compromised credentials, enable Controlled Folder Access (CFA) in Microsoft Defender to prevent MBR/VBR tampering, use provided IoCs to search for potential breaches, review and validate authentication activity for all remote access, and investigate other anomalous activity. More information about the technical details of the attack has been published by CrowdStrike.
微軟在其安全公告中建議潛在目標採取以下步驟來保護自己：啟用 MFA 以減輕潛在的被盜用憑證風險；在 Microsoft Defender 中啟用受控資料夾存取 (CFA) 以防止 MBR/VBR 篡改；使用提供的 IoC 搜尋潛在的入侵事件；審查並驗證所有遠端存取的驗證活動；以及調查其他異常活動。CrowdStrike 已發布有關此攻擊技術細節的更多資訊。

Put simply, integrity is important for an enterprise to protect because other businesses and consumers need to be able to trust the information held by the enterprise.
簡而言之，誠信對企業至關重要，因為其他企業和消費者需要能夠信任企業所持有的資訊。

A system is considered Available if the people who are supposed to access it can do so. Imagine an attacker has gained access to a social media account and also posted content of their choosing. So far, this would constitute an attack against confidentiality and integrity. If the attacker changes the user's password and prevents them from logging on, this would also become an attack against availability. A common attack against availability is a denial of service attack.
如果應該存取系統的人員能夠存取，則該系統被認為是可用的。想像一下，攻擊者已取得社群媒體帳戶的存取權，並張貼了他們選擇的內容。到目前為止，這將構成對機密性和完整性的攻擊。如果攻擊者更改使用者的密碼並阻止他們登入，這也將成為對可用性的攻擊。針對可用性的常見攻擊是拒絕服務攻擊。

On February 24, 2022, at the beginning of the Russian invasion of Ukraine, Viasat's satellite broadband service was hit by a Denial of Service (DoS) attack that brought down satellite internet for Ukrainian customers, including the Ukrainian government and military. This attack utilized a then-novel wiper malware known as AcidRain.
2022 年 2 月 24 日，在俄羅斯入侵烏克蘭初期，Viasat的衛星寬頻服務遭到拒絕服務(DoS)攻擊，導致烏克蘭客戶（包括烏克蘭政府和軍方）的衛星網路癱瘓。這次攻擊使用了當時一種新穎的清除式惡意軟體，稱為AcidRain。

The impact of this attack was that Viasat's satellite internet was temporarily unavailable in Ukraine at a critical moment at the beginning of the invasion, disrupting communication and coordination. Very little information is available about how this attack unfolded. Viasat stated that a VPN "misconfiguration" allowed initial access. Though it is unclear what the specific misconfiguration was, this attack could have been prevented by ensuring proper VPN configuration.
此次攻擊的影響是，在入侵初期關鍵時刻，Viasat 的衛星網絡在烏克蘭暫時無法使用，打斷了通訊和協調。關於這次攻擊是如何發生的，幾乎沒有任何信息。Viasat 表示，VPN 的「錯誤配置」允許了最初的訪問。雖然目前尚不清楚具體的錯誤配置是什麼，但通過確保正確的 VPN 配置，本可以防止這次攻擊。

It is possible that this attack could have been prevented, though we should acknowledge the well-known difficulties associated with prevention, by following general guidance for defending against Advanced Persistent Threats (APTs). This guidance suggests ensuring complete visibility into one's environment, engaging in threat intelligence, and performing threat hunting, among other recommendations.
儘管我們應該承認預防工作中眾所周知的困難，但這次攻擊可能是可以避免的，方法是遵循防禦高級持續性威脅 (APT) 的一般指導方針。這些指導方針建議確保對自身環境的完全可見性、參與威脅情報以及進行威脅狩獵，以及其他建議。

Before concluding this section, let's zoom out and consider how prioritizing the CIA triad can impact an organization. In particular, an important nuance to consider is that security controls themselves can sometimes be a detriment to availability. Extremely strong security isn't always optimal for an organization. If security is so strong that users are not able to use the systems, or frequently become frustrated with the systems, this may lead to inefficiency, low morale, and potentially the collapse of the organization.
在結束本節之前，讓我們退一步思考，優先考慮 CIA 三要素如何影響組織。特別需要注意的是，安全控制本身有時可能會損害可用性。極其強大的安全性並不總是對組織最理想的。如果安全性強到用戶無法使用系統，或經常對系統感到沮喪，這可能會導致效率低下、士氣低落，並可能導致組織崩潰。

Balancing security controls with availability is a critical and continuous process of evaluation, exploration, threat modeling, discussion, testing, and releasing. Making rules that prevent employees from participating in improvements is an easy way to ruin a security program.
將安全控制與可用性相平衡是一個持續不斷的評估、探索、威脅建模、討論、測試和發佈的關鍵過程。制定阻止員工參與改進的規則是破壞安全計劃的簡單方法。

Security is everyone's responsibility, and processes that receive feedback from the entire organization as well as educate employees about how to use the controls are typically important to a successful security program.
安全是每個人的責任，從整個組織收集反饋並教育員工如何使用控制措施的流程通常對成功的安全計劃至關重要。

During this Learning Unit, we'll begin to explore a few we might encounter throughout our OffSec Learning Journey.
在本學習單元中，我們將開始探討一些我們在 OffSec 學習旅程中可能會遇到的安全原則。

Two excellent resources for security principles are David Wheeler's website and the OWASP cheatsheet.
兩個關於安全原則的優秀資源是 David Wheeler 的 網站 和 OWASP 參考表。

Although this subject could be its own in-depth Module, for now, we'll cover a few high-level descriptions.
雖然這個主題本身可以構成一個深入的模組，但目前我們將涵蓋一些高層次的描述。

The Principle of Least Privilege expresses the idea that each part within a system should only be granted the lowest possible privileges needed to achieve its task. Whether referring to users on a machine or lines of code in a program, correctly adhering to this discipline can greatly narrow the attack surface.
最小權限原則 表達了這樣一個理念：系統中的每個部分都應該只被授予完成其任務所需的最低權限。無論是指機器上的使用者還是程式中的程式碼，正確遵守這一原則可以大大縮小攻擊面。

Earlier we referenced the 2019 Capital One attack. We'll recall that this attack was facilitated by leveraging a Web Application Firewall with permissions that were too high for its required functions. It's important to understand that the Principle of Least Privilege does not only apply to human individuals or groups, but any entity (including machines, routers, and firewalls) that can read, write, or modify data.
早些時候我們提到了 2019 年 Capital One 的攻擊事件。我們將回想起這次攻擊是通過利用具有過高權限的 Web 應用程式防火牆而發生的。重要的是要理解，最小權限原則不僅適用於個人或群體，而且適用於任何可以讀取、寫入或修改資料的實體（包括機器、路由器和防火牆）。

The Zero Trust security model takes the Principle of Least Privilege and carries it to its ultimate conclusion. This model advocates for removing all implicit trust in networks and has a goal of protecting access to resources, often with granular authorization processes for every resource request. Zero Trust encapsulates five key elements: Just in Time Access (JITA), which requires access to be validated just before access is granted; Just Enough Access (JEA), which aligns with the traditional concept of least privilege; tokenization and encryption to protect data; dynamic (or adaptive) access control policies to ensure that policy is always fit for purpose; and microsegmentation, to limit access to the appropriate level of granularity.
零信任安全模型將最小權限原則貫徹到極致。此模型主張移除網絡中所有隱含的信任，目標是保護資源存取，通常會針對每個資源請求採用細緻的授權流程。零信任包含五個關鍵要素：即時存取 (JITA)，這需要在授予存取權限之前驗證存取權限；最小存取 (JEA)，這符合傳統的最小權限概念；令牌化和加密以保護數據；動態（或自適應）存取控制策略，以確保策略始終符合目的；以及微隔離，以將存取權限限制在適當的粒度級別。

Open Security, a somewhat counter-intuitive principle, states that the security of a system should not depend on its secrecy. In other words, even if an attacker knows exactly how the system's security is implemented, the attacker should still be thwarted. This isn't to say that nothing should be secret. Credentials are a clear case where the security of a password depends on its secrecy. However, we'd want our system to be secure even if the attacker knows there is a password, and even if they know the cryptographic algorithm behind it.
開放式安全，一個有點違反直覺的原則，指出系統的安全性不應依賴其機密性。換句話說，即使攻擊者完全知道系統安全性的實現方式，也應該仍然可以阻止攻擊者。這並不是說沒有任何東西應該保密。憑證是一個明顯的例子，密碼的安全性取決於其機密性。但是，我們希望我們的系統即使即使攻擊者知道存在密碼，甚至知道其背後的加密演算法，也能保持安全。

Defense in Depth advocates for adding defenses to as many layers of a system as possible, so that if one is bypassed, another may still prevent full infiltration. An example of defense in depth outside the context of cybersecurity would be a garage that requires entering an electronic code, using a key on a bolted door lock, and then finally disabling a voice-activated internal alarm system to open the garage.
縱深防禦主張盡可能在系統的各個層次添加防禦措施，以便如果一個層次被繞過，另一個層次仍然可以防止完全滲透。縱深防禦在網絡安全以外的例子，例如一個車庫需要輸入電子密碼，使用螺栓門鎖上的鑰匙，然後最後禁用聲控內部警報系統才能打開車庫。

Many organizations do not apply adequate defenses for their systems. They lean too heavily on external tools or providers that focus on one specific area of defense. This can lead to single points of failure, resulting in a very weak security posture. We must learn to apply many layers of controls, and design our systems with defense in depth to resist more threats and better respond to incidents.
許多組織沒有為其系統應用足夠的防禦措施。他們過度依賴專注於單一特定防禦領域的外部工具或提供商。這可能導致單點故障，從而導致非常薄弱的安全態勢。我們必須學習應用多層控制，並以縱深防禦的理念設計我們的系統，以抵抗更多威脅並更好地響應事件。

To meet the ideals of concepts such as least privilege, open security, and defense-in-depth, we need to implement Security Strategies. These can include interventions like:
為了滿足最小權限、開放安全和縱深防禦等概念的理想，我們需要實施安全策略。這些策略可能包括以下干預措施：

• 24/7 vigilance 全天候監控
• Threat modeling 威脅建模
• Table top discussions 桌面討論
• Continuous training on tactics, processes, and procedures
  持續針對策略、流程和程序進行訓練
• Continuous automated patching
  持續自動化修補
• Continuous supply chain verification
  持續供應鏈驗證
• Secure coding and design 安全的編碼和設計
• Daily log reviews 每日日誌審查
• Multiple layers of well-implemented Security Controls
  多層良好實施的 安全控制

This might feel overwhelming at first. In particular, a defense-in-depth strategy involves people and technologies creating layers of barriers to protect resources.
這一開始可能會讓人不知所措。特別是，縱深防禦策略涉及人員和技術，創造多層屏障來保護資源。

In the CIA Triad Learning Unit, we mentioned that a consequence of strong security can be reduced availability. If a system's security is prioritized over availability, then there may be increased downtime and ultimately increased user frustration. An example of this could be using the Kerberos authentication protocol without a fallback authentication method. In GNU/Linux, Kerberos might be configured without a failsafe, with no alternate network access authorization method. This can result in no one being able to access network services if there is a Kerberos issue. If security is the top priority, this could be ideal depending on the organization's goals. However, if availability is the top priority, such an approach could damage the system by improving its security without care.
在 CIA 三元組學習單元中，我們提到強大的安全性可能導致可用性降低。如果系統的安全性優先於可用性，則可能會增加停機時間，並最終增加用戶的挫敗感。一個例子可能是使用 Kerberos 驗證協議，而沒有備用驗證方法。在 GNU/Linux 中，Kerberos 的配置可能沒有故障保護，也沒有備用的網路訪問授權方法。如果 Kerberos 出現問題，這可能導致沒有人能夠訪問網路服務。如果安全性是首要任務，那麼這可能是理想的 取決於組織的目標。但是，如果可用性是首要任務，則這種方法可能會損害系統，因為它在沒有考慮的情況下提高了安全性。

Security controls can also be extremely time-consuming to properly use and maintain. If a control is expensive enough, an organization could lose profitability. Security controls must also be balanced with financial resources and personnel restraints.
安全控制也可能非常耗時才能正確使用和維護。如果控制措施的成本過高，組織可能會損失盈利能力。安全控制措施還必須與財務資源和人員限制相平衡。

Next, let's explore a variety of different security controls that an organization might implement.
接下來，讓我們探討組織可能實施的各種不同安全控制措施。

A security model is a type of schema that is used to implement security controls in information systems. They rarely specify specific controls but they present a theoretical framework and, in some cases, a set of rules that can be implemented in several different contexts.
安全模型是一種用於在資訊系統中實施安全控制的模式。它們很少指定特定的控制措施，但它們提供了一個理論框架，在某些情況下，還提供了一套可在不同環境中實施的規則。

Many of the most well-known models target access controls. We'll focus on examples of these in this section. Some of these specifically focus on confidentiality or integrity, others are more general.
許多最著名的模型都針對存取控制。我們將在本節重點介紹這些模型的示例。其中一些模型特別側重於機密性或完整性，而另一些模型則更通用。

First, let's consider a security model that deals primarily with confidentiality. The Bell–LaPadula model is used to enforce access controls in systems with multiple security levels (for instance, unclassified, confidential, secret and top secret). It's often used in a government or military context to determine who can access what objects at the various security levels. In this model, individuals cannot read content with a security level higher than their own (known as the Simple Security Property) or write content with a security level lower than their own (known as the Star Security Property). In certain contexts, they may not be allowed to read or write at a level other than their own (known as the Discretionary Security Property).
首先，讓我們考慮一個主要處理機密性的安全模型。 Bell-LaPadula 模型用於在具有多個安全級別（例如，非機密、機密、秘密和絕密）的系統中執行存取控制。它通常用於政府或軍事環境中，以確定誰可以存取不同安全級別的哪些物件。在此模型中，個人無法讀取安全級別高於其自身安全級別的內容（稱為簡單安全屬性），也無法寫入安全級別低於其自身安全級別的內容（稱為星號安全屬性）。在某些情況下，他們可能不被允許讀取或寫入與其自身安全級別不同的級別的內容（稱為自主安全屬性）。

Similarly, the Brewer and Nash model is used to enforce access controls to maintain confidentiality, but with the specific aim of minimizing conflict of interest. This may be used by accounting or consulting organizations. The model uses data segregation and dynamic access controls. Dynamic access controls may function by denying access to certain individuals based on other information that they have viewed or have access to. For instance, an organization that works with customers who compete with one another may temporarily restrict an individual from accessing a company's data once they have accessed data belonging to their competitor.
同樣地，Brewer 和 Nash 模型用於執行存取控制以維護機密性，但其特定目標是將利益衝突降至最低。會計或諮詢組織可能會使用此模型。此模型使用數據隔離和動態存取控制。動態存取控制可能會透過拒絕某些個人存取某些資訊來運作，這些資訊是他們已查看或已存取的。例如，一個與彼此競爭的客戶合作的組織，可能會在個人存取其競爭對手的數據後，暫時限制該個人存取該公司的數據。

Next, let's consider some security models that deal primarily with integrity. The Biba model is also used to enforce access controls and is designed to protect the integrity of information where individuals and information are assigned different integrity levels. In this model, individuals cannot read data with a lower integrity level than their own (known as the Simple Integrity Property) or write content with an integrity level higher than their own (known as the Star Integrity Property). Another rule, states that individuals cannot request access to information with a higher integrity level than their own (known as the Invocation Property).
接下來，讓我們考慮一些主要處理完整性的安全模型。 Biba 模型 也用於執行存取控制，旨在保護資訊的完整性，其中個人和資訊被賦予不同的完整性等級。在此模型中，個人無法讀取完整性等級低於自身等級的數據（稱為簡單完整性屬性），也無法寫入完整性等級高於自身等級的內容（稱為星狀完整性屬性）。另一條規則規定，個人不能請求存取完整性等級高於自身等級的資訊（稱為呼叫屬性）。

The Clark-Wilson model is another module used to protect data integrity. This is implemented through access control triples (or simply triples), which consist of a subject, program (also known as a transaction) and object. According to this model, individual subjects don't have direct access to data objects but only access and modify them through a series of programs, which themselves operate on data objects and enforce integrity policies.
Clark-Wilson 模型 是另一個用於保護數據完整性的模組。這是透過存取控制三元組（或簡稱為三元組）來實現的，它由主體、程式（也稱為交易）和客體組成。根據此模型，個別主體無權直接存取數據物件，而只能透過一系列程式來存取和修改它們，這些程式本身會操作數據物件並執行完整性策略。

Other access control security modules are focused on access controls more generally. One example of this is Role-Based Access Control (RBAC). This security model, widely used in cloud computing Identity and Access Management (IAM), grants permissions to roles, which are in turn applied to individual users. Rather than permissions being granted to each user directly, permissions are granted to users based on the roles that they have.
其他存取控制安全模組更側重於一般存取控制。一個例子是基於角色的存取控制 (RBAC)。這個安全模型廣泛應用於雲端運算身分和存取管理 (IAM)，它將權限授予角色，然後再將這些角色應用於個別使用者。權限不是直接授予每個使用者，而是根據使用者擁有的角色來授予權限。

Another variant is Attribute-Based Access Control (ABAC). This security model is based on a series of attributes that are applied to users and objects, and rules use these attributes to determine which users can perform which types of access on which objects. ABAC has the advantage of providing more granular access control and of being more dynamic.
另一種變體是基於屬性的存取控制 (ABAC)。此安全模型基於一系列應用於使用者和物件的屬性，而規則則使用這些屬性來確定哪些使用者可以對哪些物件執行哪些類型的存取。ABAC 的優勢在於提供更精細的存取控制和更高的動態性。

These are only a few security models but they give us a general idea of what security models are, what goals specific models have, where they may be used and what level of specification they involve.
這只是一些安全模型，但它們讓我們大致了解了什麼是安全模型、特定模型有什麼目標、它們可能在哪裡使用以及它們涉及的規格級別。

One of the best ways to avoid extra costs and impacts on availability is to design an entire system so that security is built into the service architecture, rather than requiring many additional software layers. To design systems with built-in security, the idea of shift-left security can improve efficiency. The idea of shift-left security is to consider security engineering from the outset when designing a product or system, rather than attempt to bake it in after the product has been built.
避免額外成本和可用性影響的最佳方法之一，是在設計整個系統時將安全性內建到服務架構中，而不是需要許多額外的軟體層。為了設計具有內建安全性的系統，左移安全 的理念可以提高效率。左移安全的理念是在設計產品或系統時從一開始就考慮安全工程，而不是在產品建成後再試圖將其整合進去。

Without shift-left security, we might have developers shipping products without security, and then need to add additional layers of security on top of, or along with, the product. If the security team is involved in the development process, we have a better chance of creating a product with controls built in, making a more seamless user experience as well as reducing the need for additional security services.
沒有左移安全，開發人員可能會交付沒有安全性的產品，然後需要在產品之上或與產品一起添加額外的安全層。如果安全團隊參與開發過程，我們更有機會創建一個內建控制的產品，從而提供更無縫的用戶體驗，並減少對額外安全服務的需求。

Most applications do not have security built in and instead rely on platform-level security controls surrounding the services. This can work well; however, it can result in security being weaker or easier to bypass. For example, if a specific technology (for example, Kubernetes modules) is providing all of the security services, then someone who controls that technology (in this case, a Kubernetes administrator) could remove or tamper with it and bypass security for all services.
大多數應用程式並沒有內建安全性，而是依賴於圍繞服務的平台級別安全控制。這可以很好地工作；但是，它可能導致安全性較弱或更容易繞過。例如，如果某項特定技術（例如，Kubernetes 模組）提供所有安全服務，那麼控制該技術的人（在本例中為 Kubernetes 管理員）可以移除或篡改它，從而繞過所有服務的安全性。

However, we once again need to consider business impact. In particular, shifting left can potentially cause slower production times because developers will need to explicitly think about security in addition to the product specifications. An organization therefore will need to decide what trade-offs they can make in their particular circumstance. Despite the potential reduction in security posture, focusing on platform-level security controls can provide the lowest friction to development efforts and the fastest time to market for application developers while producing a reasonable security posture.
然而，我們再次需要考慮業務影響。特別是，左移可能會導致生產時間變慢，因為開發人員除了需要考慮產品規格外，還需要明確考慮安全性。因此，組織需要決定在其特定情況下可以做出哪些權衡。儘管安全性可能降低，但專注於平台級別的安全控制可以為開發工作提供最低的摩擦，並為應用程式開發人員提供最快的上市時間，同時也能提供合理的安全性。

It may seem okay to have an administrator bypass security controls based on their role and functional needs. Shouldn't we trust our administrators? However, when a threat is internal or otherwise able to obtain valid administrative credentials, our security posture becomes weaker. To defeat internal threats and threats that have acquired valid credentials or authentication capability, we must segment controls so that no single authority can bypass all controls. To accomplish this, we may need to split controls between application teams and administrators, or split access for administration between multiple administrators, as with Shamir's Secret Sharing (SSS).
讓管理員根據其角色和職能需求繞過安全控制，似乎是可以接受的。難道我們不應該信任我們的管理員嗎？然而，當威脅來自內部或能夠獲得有效的管理員憑證時，我們的安全態勢就會變弱。為了擊敗內部威脅以及已獲得有效憑證或驗證能力的威脅，我們必須分割控制，以便沒有單一權限可以繞過所有控制。為此，我們可能需要在應用程式團隊和管理員之間分割控制，或者像Shamir 秘密分享 (SSS)一樣，在多個管理員之間分割管理訪問權限。

With SSS, we might design a system so that three different administrator authorizations are required to authorize any one administrative root access. Shamir's secret sharing scheme enables a system to split access authorization requirements between multiple systems or persons. With this in place, we can design a system so that no one person has the root credentials.
使用 SSS，我們可以設計一個系統，以便需要三個不同的管理員授權才能授權任何一個管理員根訪問權限。Shamir 秘密分享方案使系統能夠在多個系統或人員之間分割訪問授權要求。有了這個，我們可以設計一個系統，這樣沒有任何人擁有根憑證。

Before researching potential threats against an organization, it is vital for an organization to have a detailed inventory of their assets. It would make no sense to devote time and energy on identifying potential threats against Cisco devices when an organization only uses Juniper devices. After we've completed an inventory for both systems and software and we understand our organization's requirements, we're ready to begin researching potential threats. Security teams research (or leverage vendor research about) threats to different industries and software.
在研究組織可能面臨的威脅之前，組織必須詳細盤點其資產。如果組織只使用瞻博網絡設備，那麼投入時間和精力去識別針對思科設備的潛在威脅就沒有意義了。在完成系統和軟體的盤點，並了解組織的需求後，我們就可以開始研究潛在威脅了。安全團隊會研究（或利用廠商的研究）針對不同行業和軟體的威脅。

We can use this information in our Threat Modeling. Threat modeling involves taking data from real-world adversaries and evaluating those attack patterns and techniques against our people, processes, systems, and software. It is important to consider how the compromise of one system in our network might impact others.
我們可以在我們的威脅建模中使用這些資訊。威脅建模涉及從現實世界的攻擊者那裡獲取數據，並根據這些攻擊模式和技術評估我們的人員、流程、系統和軟體。重要的是要考慮網路中一個系統的損害可能會如何影響其他系統。

Threat Intelligence is data that has been refined in the context of the organization: actionable information that an organization has gathered via threat modeling about a valid threat to that organization's success. Information isn't considered threat intelligence unless it results in an action item for the organization. The existence of an exploit is not threat intelligence; however, it is potentially useful information that might lead to threat intelligence.
威脅情報是指已在組織的情境中經過提煉的數據：組織透過威脅建模收集到的，關於對該組織成功構成有效威脅的可行情報。除非資訊能為組織帶來行動項目，否則不被視為威脅情報。漏洞的存在並非威脅情報；然而，它是可能導致威脅情報的有用資訊。

An example of threat intelligence occurs when a relevant adversary's attack patterns are learned, and those attack patterns could defeat the current controls in the organization, and when that adversary is a potential threat to the organization. The difference between security information and threat intelligence is often that security information has only been studied out of context for the specific organization. When real threat intelligence is gathered, an organization can take informed action to improve its processes, procedures, tactics, and controls.
威脅情報的一個例子是，當了解到相關敵手的攻擊模式時，而且這些攻擊模式可能擊敗組織目前的控制措施，而且當該敵手對組織構成潛在威脅時。安全資訊與威脅情報之間的區別通常在於，安全資訊僅針對特定組織進行了非情境化的研究。當收集到真正的威脅情報時，組織可以採取知情的行動來改進其流程、程序、策略和控制措施。

After concerning threat intelligence or other important information is received, enterprises may benefit from immediately scheduling a cross-organization discussion. One type of discussion is known as a table-top, which brings together engineers, stakeholders, and security professionals to discuss how the organization might react to various types of disasters and attacks. Conducting these regular table-tops discussions to evaluate different systems and environments is a great way to ensure that all teams know the Tactics, Techniques, and Procedures (TTPs) for handling various scenarios. Often organizations don't build out proper TTPs, resulting in longer incident response times.
接獲相關威脅情報或其他重要資訊後，企業可能會受益於立即安排跨組織討論。其中一種討論稱為桌面演練，它將工程師、利益相關者和安全專業人員聚集在一起，討論組織可能如何應對各種災難和攻擊。定期舉行這些桌面演練以評估不同的系統和環境，是確保所有團隊都了解策略、技術和程序 (TTP) 以應對各種情況的好方法。組織通常不會建立適當的 TTP，導致事件響應時間更長。

Table-top discussions help organizations raise cross-team awareness. This helps teams understand weaknesses and gaps in controls so they can better plan for different scenarios in their tactics, procedures, and systems designs. Having engineers and specialists involved in table-tops might help other teams find solutions to security issues, or vice-versa.
桌面演練有助於組織提高跨團隊的意識。這有助於團隊了解控制方面的弱點和差距，以便他們可以更好地為其策略、程序和系統設計中的不同場景做好規劃。讓工程師和專家參與桌面演練可能會幫助其他團隊找到安全問題的解決方案，反之亦然。

Let's imagine a scenario in which we learn that a phishing email attack on an administrator would represent a complete company compromise. To build up our defensive controls, we may decide to create an email access portal for administrators that is physically isolated. When the administrators view their email, they would do so through a screen displaying a client view into a heavily-secured email sandbox. This way, emails are opened up inside a sandboxed machine on separate hardware, instead of on administrative workstations that have production access.
讓我們想像一種情況，我們得知針對管理員的釣魚郵件攻擊將代表公司完全被攻破。為了加強我們的防禦控制，我們可能會決定為管理員創建一個物理隔離的電子郵件訪問入口網站。當管理員查看他們的電子郵件時，他們將通過顯示客戶端視圖進入高度安全的電子郵件沙箱的屏幕來進行。這樣，電子郵件就會在獨立硬件上的沙箱機器內打開，而不是在具有生產訪問權限的管理工作站上打開。

Table-top security sessions are part of Business Continuity Planning (BCP). BCP also includes many other aspects such as live drill responses to situations like ransomware and supply-chain compromise. BCP extends outside of cybersecurity emergencies to include processes and procedures for natural disasters and gun violence. Routine table-top sessions and continuous gathering of relevant intelligence provide a proactive effort for mitigating future issues as well as rehearsing tactics, processes, and procedures.
桌面安全會議是業務持續性規劃 (BCP) 的一部分。BCP 還包括許多其他方面，例如對勒索軟體和供應鏈受損等情況的現場演練響應。BCP 不僅限於網絡安全緊急情況，還包括針對自然災害和槍支暴力的流程和程序。例行的桌面會議和持續收集相關情報，為減輕未來問題以及排練策略、流程和程序提供了一種積極主動的努力。

Another defensive technique known as continuous automated patching is accomplished by pulling the upstream source code and applying it to the lowest development environment. Next, the change is tested and only moved to production if it is successful. We can leverage cloud provider infrastructure to spin up complete replicas of environments for testing these changes. Rather than continuously running a full patch test environment, we can create one with relative ease using our cloud provider, run the relevant tests, and then delete it. The primary risk of this approach is supply chain compromise.
另一種稱為持續自動修補的防禦技術，是透過提取上游原始碼並將其應用於最低開發環境來完成。接下來，測試更改，只有在成功的情況下才移至生產環境。我們可以利用雲端供應商的基礎架構來啟動完整的環境複製品以測試這些更改。我們不必持續運行完整的修補程式測試環境，而是可以利用我們的雲端供應商相對輕鬆地建立一個環境，執行相關測試，然後刪除它。這種方法的主要風險是供應鏈遭到入侵。

Continuous supply chain validation happens by both the vendor and the consumer. It occurs when people and systems validate that the software and hardware received from vendors is the expected material and that it hasn't been tampered with. For the vendor, it ensures that the software and materials being sent out are verifiable by customers and business partners.
持續供應鏈驗證是由供應商和消費者共同進行的。當人員和系統驗證從供應商收到的軟體和硬體是否為預期材料，且未被篡改時，就會發生這種情況。對於供應商而言，這確保發送的軟體和材料可以被客戶和業務夥伴驗證。

Continuous supply chain validation is difficult and sometimes requires more than software checks, such as physical inspections of equipment ordered. On the software side of supply chain security, we can use deeper testing and inspection techniques to evaluate upstream data more closely. We might opt to increase the security testing duration to attempt to detect sleeper malware implanted in upstream sources. Sleeper malware is software that is inactive while on a system for for some period of time, potentially weeks before it starts taking action.
持續的供應鏈驗證很困難，有時需要的不只是軟體檢查，例如訂購設備的實體檢查。在供應鏈安全的軟體方面，我們可以使用更深入的測試和檢查技術來更仔細地評估上游數據。我們可能會選擇延長安全測試時間，以嘗試檢測植入上游來源的休眠惡意軟體。休眠惡意軟體是在系統上處於非活動狀態一段時間（潛在幾週）後才開始採取行動的軟體。

Utilizing a software bill of materials (SBOM) as a way to track dependencies automatically in the application build process greatly helps us evaluate supply chain tampering. If we identify the software dependencies, create an SBOM with them, and package the container and SBOM together in a cryptographically-verifiable way, then we can verify the container's SBOM signature before loading it into production. This kind of process presents additional challenges for adversaries.
利用軟體物料清單 (SBOM) 作為一種在應用程式構建過程中自動追蹤依賴項的方法，極大地幫助我們評估供應鏈篡改。如果我們識別軟體依賴項，使用它們創建 SBOM，並以加密可驗證的方式將容器和 SBOM 打包在一起，那麼我們可以在將容器載入生產環境之前驗證容器的 SBOM 簽名。這種流程為攻擊者帶來了額外的挑戰。

A backup is a copy of data made at a certain point in time. Backups enable us to restore data if it has been deleted or corrupted. Data can be deleted or corrupted in several different ways, for instance, as a result of an attack (ransomware, wiper malware, etc), human error or natural disasters (electrical surges, fire, etc), among other possibilities.
備份是在特定時間點所做的資料副本。備份使我們能夠在資料被刪除或損毀時復原資料。資料可能因多種不同方式而被刪除或損毀，例如：遭受攻擊（勒索軟體、清除式惡意程式等）、人為錯誤或天災（電涌、火災等）等。

Since a backup is a copy of data at a specific point in time, restoring data using a backup only returns data to the state that it was in when the backup was taken. If that data does not change over time, this effectively allows us to ensure its availability and integrity. If it does change over time, restoration allows us to mitigate data loss.
由於備份是在特定時間點的資料副本，因此使用備份復原資料只會將資料還原到備份時所在的狀態。如果該資料不會隨時間改變，這有效地讓我們能夠確保其可用性和完整性。如果它會隨時間改變，則復原可以讓我們減輕資料遺失。

In the second case, taking regular backups is an important part of data management because it reduces the difference between the backup and the state of the data when the incident occurs, further reducing data loss.
在第二種情況下，定期備份是資料管理的重要組成部分，因為它減少了備份與事件發生時資料狀態之間的差異，進一步減少資料遺失。

There are a few different types of backups: full, incremental and differential. A full backup is a complete copy of the data. This is the simplest solution and is easy to recover from since we simply restore the entire backup. The disadvantage is that it may be slow to copy large amounts of data. Further, it may be expensive to store many different copies, which we may wish to do if we want to retain different versions of the data.
備份主要分為幾種類型：完整備份、增量備份和差異備份。 完整 備份會完整複製所有資料。這是最簡單的解決方案，而且容易恢復，因為我們只需還原整個備份即可。缺點是複製大量資料可能很慢。此外，儲存許多不同的備份副本可能成本很高，如果我們想要保留不同版本的資料，我們可能希望這麼做。

An incremental backup copies files that have changed since the last backup, which may be either a full backup or another incremental backup. This reduces the amount of data that is backed up, the time needed to copy data, and the space needed to store it. However, this makes recovery slightly more complicated because the most recent version of the data must be reconstructed from multiple different backups.
增量 備份會複製自上次備份以來已更改的檔案，上次備份可以是完整備份或另一個增量備份。這減少了備份的資料量、複製資料所需的時間以及儲存資料所需的空間。但是，這使得恢復過程略微複雜一些，因為必須從多個不同的備份重建資料的最新版本。

A differential backup copies files that have changed since the last full backup. This is similar to an incremental backup except that it does not take prior incremental backups into account when determining which files have changed. For this reason, the time and storage space required for a differential backup is less than a full backup but more than an incremental backup. Recovering from differential backups, on the other hand is more complex than recovery from full backups but less complex than recovering from incremental backups.
差異備份會複製自上次完整備份以來已變更的檔案。這類似於增量備份，但它在確定哪些檔案已變更時不會考慮先前的增量備份。因此，差異備份所需的時間和儲存空間少於完整備份，但多於增量備份。另一方面，從差異備份中復原比從完整備份中復原更複雜，但比從增量備份中復原更簡單。

The following table summarizes these backup types.
下表總結了這些備份類型。

Table 1 - Comparison of backup types
表 1 - 備份類型的比較

The are two other types of backups that refer to the state of the system when the backup is made: hot and cold. A hot backup is taken from a running, online system. We can create these backups without shutting down the system or service. The backup can be stored on the same computer as the original files or on a different designated computer. Hot backups can be performed periodically, scheduled, or triggered by changes or specific conditions. Either way, this creates a backup of the current state of the system or files.
還有兩種備份類型指的是備份製作時的系統狀態：熱備份和冷備份。 熱備份 是從正在運行的線上系統中取得的。我們可以在不關閉系統或服務的情況下建立這些備份。備份可以儲存在與原始檔案相同的電腦上，也可以儲存在不同的指定電腦上。熱備份可以定期執行、排程或由變更或特定條件觸發。無論哪種方式，這都會建立系統或檔案目前狀態的備份。

Cold backups, on the other hand, are taken when the system or service is offline. Cold backups are safer in terms of data consistency but require system downtime, which can be a significant drawback for systems that require full-time availability.
相反地，冷備份是在系統或服務離線時進行的。就資料一致性而言，冷備份更安全，但需要系統停機，這對於需要全天候運作的系統來說可能是一個很大的缺點。

Backups can be stored in a few different places. For example, they can be stored on the source machine, on another machine, or on some sort of external medium such as an external hard drive, DVD, USB flash drive, magnetic tape, or other storage device.
備份可以儲存在幾個不同的位置。例如，它們可以儲存在來源機器上、另一台機器上，或某種外部媒體上，例如外接硬碟、DVD、USB 隨身碟、磁帶或其他儲存裝置。

Once we create a backup, we can detach the backup media and store it offline. This incurs obvious logistical challenges as well as a significant time and cost investment as we must buy external media and physically manage the media. However, this protects the backups from online threats, although they are still at risk from physical threats. If an adversary manages to steal the physical backup, they can obviously leverage that as part of an extortion scheme. To combat this, we can use escrow backup services in which we transport physical backups to a third party, which locks the backup in a secure location. This provides redundancy, separation and further assurance that we'll be able to protect and recover that data.
建立備份後，我們可以卸下備份媒體並將其離線儲存。這顯然會帶來後勤方面的挑戰，也會造成大量的時間和成本投入，因為我們必須購買外部媒體並實際管理媒體。但是，這可以保護備份免受線上威脅，儘管它們仍然面臨物理威脅。如果攻擊者設法竊取實體備份，他們顯然可以利用它作為勒索計劃的一部分。為此，我們可以使用託管備份服務，我們將實體備份傳輸到第三方，該第三方將備份鎖定在安全位置。這提供了冗餘性、隔離性和進一步的保證，確保我們能夠保護和恢復數據。

In contrast with offline backup storage, online storage solutions offer convenience, allowing us to store data on dedicated servers and restore quickly in the event of data loss. However, online backups are susceptible to deletion or alteration by adversaries.
與離線備份儲存相比，線上儲存解決方案提供了便利性，允許我們將數據儲存在專用伺服器上，並在數據丟失的情況下快速恢復。但是，線上備份容易受到攻擊者刪除或更改的影響。

We can offset this by creating read-only, protected backups which resist deletion and modification. To create protected hot backups, we need to remove our own access to certain functions, add security layers such as MFA or add multi-user authentication. Even with these measures in place, we're still at risk from unforeseen exploits or social engineering tactics that an adversary could use to delete the backups before activating the ransomware.
我們可以透過建立唯讀、受保護的備份來抵銷這個風險，這些備份能抵抗刪除和修改。要建立受保護的熱備份，我們需要移除自身對某些功能的訪問權限，添加安全層，例如多因素身份驗證 (MFA) 或添加多用戶身份驗證。即使採取了這些措施，我們仍然面臨來自不可預見的漏洞或社會工程策略的風險，攻擊者可能會利用這些策略在啟用勒索軟體之前刪除備份。

A hybrid approach using redundant backups is the safest approach. We can combine hot and cold backup strategies, as well as online and offline storage solutions. We should consider a strategy that makes the most sense given our business needs and level of accepted risk.
使用冗餘備份的混合方法是最安全的方法。我們可以結合熱備份和冷備份策略，以及線上和離線存儲解決方案。我們應該考慮一種最符合我們業務需求和可接受風險水平的策略。

Specifically, we should focus on redundancy. We should adopt several different backup techniques so that if one backup system fails, we have another at our disposal. This creates defense in depth, a strategy that layers multiple security controls and measures to protect against a variety of different threats. The idea is that no single security measure is foolproof, so multiple layers of defense can help mitigate the risks of an attack.
具體而言，我們應該專注於冗餘性。我們應該採用幾種不同的備份技術，這樣如果一個備份系統失敗，我們還有另一個備份系統可用。這創造了縱深防禦，這是一種策略，它分層多個安全控制和措施來防禦各種不同的威脅。其理念是沒有單一的安全措施是萬無一失的，因此多層防禦可以幫助降低攻擊的風險。

Backups must also be stored securely. One of the ways that we can do this is by encrypting them. We'll discuss encryption in the next section.
備份也必須安全地存儲。我們可以做到這一點的方法之一是對其進行加密。我們將在下節討論加密。

Beyond tracking software, many organizations likely want to leverage encryption. Encryption often protects us from adversaries more than any other type of control. While using encryption doesn't solve all problems, well-integrated encryption at multiple layers of controls creates a stronger security posture.
除了追蹤軟體之外，許多組織可能還希望利用加密。與任何其他類型的控制相比，加密通常能更好地保護我們免受對手的攻擊。雖然使用加密並不能解決所有問題，但在多個控制層中良好整合的加密可以建立更強大的安全態勢。

Keeping this in mind, there are some caveats to consider when it comes to encryption. Encrypting all our data won't be useful if we can't decrypt it and restore it when required. We must also consider some types of data that we won't want to decrypt as the information is to be used only ephemerally. One example of ephemeral encryption is TLS. Here, only the server and the client of that specific interaction can decrypt the information (not even the administrators). On top of this, the decryption keys only exist in memory for a brief time before being discarded.
考慮到這一點，在加密方面有一些需要注意的事項。如果我們無法解密並在需要時恢復加密的所有數據，那麼加密所有數據將無濟於事。我們還必須考慮某些我們不想解密的數據類型，因為這些信息僅供臨時使用。臨時加密的一個例子是TLS。在此，只有該特定交互的服務器和客戶端才能解密信息（甚至管理員也不行）。最重要的是，解密密鑰僅在內存中存在很短的時間，然後就會被丟棄。

Decryption keys in such a scenario are never on disk and never sent across the network. This type of privacy is commonly used when sending secrets or Personal Identifiable Information (PII) across the wire. Any required tracing and auditing data can be output from the applications rather than intercepted, and the secrets and PII can be excluded, encrypted, or scrubbed. PII can include names, addresses, phone numbers, email addresses, SSNs, and other information that can be used to track down or spy on a person.
在這種情況下，解密密鑰永遠不會存儲在磁盤上，也不會通過網絡發送。這種类型的隐私通常用于在网络上传输秘密或個人身份識別信息（PII）。任何所需的追蹤和審計數據都可以從應用程序輸出，而不是被攔截，並且可以排除、加密或清除秘密和 PII。PII 可能包括姓名、地址、電話號碼、電子郵件地址、社會安全號碼以及其他可用於追蹤或監視個人的信息。

Along with ensuring we can encrypt data, we should ensure that only the minimum required persons or systems can decrypt said data. We also probably want backups that are encrypted with different keys. In general, we don't want to reuse encryption keys for different uses, as each key should only have one purpose. A file encryption key might encrypt millions of files, but that key should be used for only that purpose, and not, for example, signing or TLS.
除了確保我們可以加密數據外，還應確保只有最低限度所需的人員或系統才能解密數據。我們可能還需要使用不同密鑰加密的備份。一般來說，我們不希望將加密密鑰重複用於不同的用途，因為每個密鑰都應該只有一個用途。檔案加密密鑰可能會加密數百萬個檔案，但該密鑰應該僅用於此用途，而不是用於簽名或 TLS 等其他用途。

Although using encryption and backups are great practices, we also should implement protocols for routinely restoring from backups to ensure that we know how and that the process works for every component. In some cases, we don't need to back up detailed log data; however, most compliance and auditing standards require historic logs. Some specifications may even require that systems are in place to query for and delete specific historic log records.
儘管使用加密和備份是很好的做法，但我們還應該實施例行從備份中恢復的協議，以確保我們知道如何操作以及該流程適用於每個組件。在某些情況下，我們不需要備份詳細的日誌數據；但是，大多數合規性和審計標準都需要歷史日誌。某些規範甚至可能要求系統能夠查詢和刪除特定的歷史日誌記錄。

Being able to access granular data quickly is of great benefit to an organization. Well-engineered logging is one of the most important security aspects of application design. With consistent, easy-to-process, and sufficiently-detailed logging, an operations team can more quickly respond to problems, meaning incidents can be detected and resolved faster.
快速存取細粒度數據對組織非常有益。完善的日誌記錄是應用程式設計中最重要的安全方面之一。透過一致、易於處理且細節充分的日誌記錄，營運團隊可以更快地回應問題，這意味著可以更快地偵測和解決事件。

Logging is not limited to just what happens on the network. Network equipment such as routers, switches and firewalls, the backbone of a company's network also need to be logged. This type of logging can include purchase date, OS version, and end of life date. Having this inventory allows management to not only budget for large purchases when the end of life date appears, but it also allow the security team to have a quick reference of their network devices.
日誌記錄不僅限於網路上的事件。網路設備（例如路由器、交換器和防火牆）作為公司網路的骨幹，也需要記錄日誌。此類日誌記錄可以包括購買日期、作業系統版本和壽命終止日期。擁有此清單不僅允許管理層在壽命終止日期出現時預算大型採購，也讓安全團隊可以快速參考其網路設備。

Imagine a network administrator waking up the morning of the SolarWinds' attack. Would it be easier for the administrator to check an inventory database to verify if the company used SolarWinds devices, or having to call remote sites and have someone check server rooms.
試想一下，網路管理員在 SolarWinds 攻擊的早晨醒來。對於管理員來說，檢查清單資料庫以驗證公司是否使用 SolarWinds 設備，還是必須致電遠端站點並讓某人檢查伺服器機房，哪個更容易？

Having an asset register also allows companies to track devices such as laptops or mobile devices. This helps in the event a device is lost, stolen, or when the device has reached its end-of-life.
擁有資產登記也能讓公司追蹤筆記型電腦或行動裝置等設備。這有助於在設備遺失、被竊或已達使用壽命終點時。

As devices age, they fall out of warranty and need to be replaced. Having an asset inventory allows a company to be prepared for large equipment purchases.
隨著設備老化，它們會超出保固期並需要更換。擁有資產清單讓公司可以為大型設備採購做好準備。

The last control we'll explore is Chaos Testing. Chaos testing is a type of BCP or disaster recovery (DR) practice that is often handled via automation. For example, we might leverage a virtual machine that has valid administrative credentials in the production network to cause intentional disasters from within.
我們將探討的最後一個控制項是混沌測試。混沌測試是一種 BCP 或災難復原 (DR) 作法，通常透過自動化處理。例如，我們可能會利用在生產網路中擁有有效管理員憑證的虛擬機器，從內部造成蓄意的災難。

Chaos engineering includes a variety of different approaches, such as having red teams create chaos in the organization to test how well the organization can handle it, scheduling programmed machine shutdowns at various intervals, or having authenticated malicious platform API commands sent in. The goal is to truly test controls during messy and unpredictable situations. If a production system and organization can handle chaos with relative grace, then it is an indication that it will be robust and resilient to security threats.
混沌工程包含各種不同的方法，例如讓紅隊在組織中製造混亂以測試組織應對混亂的能力、安排定時關閉機器、或發送經過驗證的惡意平台 API 命令。目標是在混亂且不可預測的情況下真正測試控制措施。如果生產系統和組織能夠相對從容地應對混亂，則表明它將具有很強的健壯性和韌性，能夠抵禦安全威脅。

Much can be written about cybersecurity laws and regulations, especially since different countries and jurisdictions all have their own. Most of the items we'll discuss here are centered in the United States; however, some are applicable globally as well. As a security professional, it's always important to understand exactly which laws and regulations one might be subject to.
關於網路安全法律法規，可以寫很多，尤其不同國家和司法管轄區都有各自的法規。我們在此討論的大部分內容都集中在美國；然而，有些內容也適用於全球。身為安全專業人員，始終了解自己可能受哪些法律法規約束非常重要。

HIPAA: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a United States federal law regulating health care coverage and the privacy of patient health information. Included in this law was a requirement to create of a set of standards for protecting patient health information, known as Protected Health Information (PHI). The standards that regulate how PHI can be used and disclosed are established by the Privacy Rule. This rule sets limits on what information can be shared without a patient's consent and grants patients several additional rights over their information, such as the right to obtain a copy of their health records.
HIPAA：1996 年的《健康保險攜帶及責任法案》(HIPAA) 是一部美國聯邦法律，規範醫療保健保險和病人健康信息的隱私。這部法律包括一項要求，即創建一套保護病人健康信息的標準，稱為受保護的健康信息 (PHI)。規範 PHI 使用和披露方式的標準由隱私規則制定。此規則限制了在未經病人同意的情況下可以共享哪些信息，並賦予病人幾項額外的信息權利，例如獲得其健康記錄副本的權利。

Another rule known as the Security Rule outlines how electronic PHI (e-PHI) must be protected. It describes three classes of safeguards that must be in place:
另一項稱為安全規則的規則概述了如何保護電子 PHI (e-PHI)。它描述了必須實施的三類保障措施：

• administrative (having a designated security official
  行政方面（指定安全官員
• a security management process, periodic assessments, etc.)
  安全管理流程、定期評估等）
• physical (facility access control, device security), and technical (access control, transmission security, audit abilities, etc.).
  物理方面（設施訪問控制、設備安全）和技術方面（訪問控制、傳輸安全、審計能力等）。

These rules also include provisions for enforcement and monetary penalties for non-compliance. Importantly, HIPAA also requires that covered entities (healthcare providers, health plans, business associates, etc.) provide notification if a PHI breach occurs.
這些規則也包括執法條款和對不遵守規定者的金錢處罰。重要的是，HIPAA 也要求受規範實體（醫療保健提供者、醫療計劃、業務夥伴等）在發生 PHI 違規時提供通知。

FERPA: The Family Educational Rights and Privacy Act of 1974 (FERPA) is a United States federal law regulating the privacy of learners' education records. This law sets limits upon the disclosure and use of these records without parents' or learners' consent. Some instances where schools are permitted to disclose these records are school transfers, cases of health or safety emergencies, and compliance with a judicial order.
FERPA：1974 年家庭教育權利與隱私權法案（FERPA）是美國聯邦法律，規範學生教育記錄的隱私權。這項法律限制未經家長或學生同意而洩露和使用這些記錄。學校允許洩露這些記錄的一些情況包括學校轉學、健康或安全緊急情況以及遵守法院命令。

FERPA also grants parents and learners over the age of 18 several rights over this information. These rights include the right to inspect these records, the right to request modification to inaccurate or misleading records, and more. Schools that fail to comply with these laws risk losing access to federal funding.
FERPA 也賦予家長和 18 歲以上的學生幾項關於此信息的權利。這些權利包括檢查這些記錄的權利、要求修改不準確或誤導性記錄的權利等等。未能遵守這些法律的學校將面臨失去聯邦資金的風險。

GLBA: The Gramm-Leach-Bliley Act (GLBA), enacted by the United States Congress in 1999, establishes several requirements that financial institutions must follow to protect consumers' financial information. This law requires that institutions describe how they use and share information and allow individuals to opt-out in certain cases.
GLBA：美國國會於 1999 年通過的格蘭姆-利奇-布萊利法案（GLBA）制定了金融機構必須遵守的若干規定，以保護消費者的金融信息。該法要求機構說明其如何使用和共享信息，並允許個人在某些情況下選擇退出。

Like other cybersecurity laws, GLBA requires that financial institutions ensure the confidentiality and integrity of customer financial information by anticipating threats to security and taking steps to protect against unauthorized access. In addition, financial institutions must also describe the steps that they are taking to achieve this.
與其他網絡安全法一樣，GLBA 要求金融機構通過預測安全威脅並採取措施防止未經授權的訪問，來確保客戶金融信息的機密性和完整性。此外，金融機構還必須說明為實現此目標而採取的步驟。

GDPR: The General Data Protection Regulation (GDPR) is a law adopted by the European Union in 2016 that regulates data privacy and security. It applies to the private sector and most public sector entities that collect and process personal data. It provides individuals with a wide set of rights over their data including the well-known "right to be forgotten" and other rights related to notifications of data breaches and portability of data between providers.
GDPR：一般資料保護規範（GDPR）是歐盟於 2016 年通過的一項法律，用以規範資料隱私和安全。它適用於收集和處理個人資料的私營部門和大多數公共部門實體。它賦予個人廣泛的資料權利，包括眾所周知的「被遺忘權」以及其他與資料洩露通知和供應商間資料可攜性相關的權利。

GDPR outlines a strict legal baseline for processing personal data. For example, personal data may be processed only if the data subject has given consent, to comply with legal obligations, to perform certain tasks in the public interest, or for other "legitimate interests". For businesses that process data on a large scale or for whom data processing is a core operation, a data protection officer - who is responsible for overseeing data protection - must be appointed.
GDPR 概述了處理個人資料的嚴格法律基準。例如，只有在資料主體同意、為遵守法律義務、執行某些公共利益任務或出於其他「合法利益」的情況下，才能處理個人資料。對於大規模處理資料或以資料處理為核心業務的企業，必須任命一名負責監督資料保護的資料保護官。

GDPR also establishes an independent supervisory authority to audit and enforce compliance with these regulations and administer punishment for non-compliance. The fines for violating these regulations are very high: a maximum of 20 million Euros or 4% of revenue (whichever is higher), plus any additional damages that individuals may seek.
GDPR 也設立了一個獨立的監督機構，負責審計和執行這些法規的遵守情況，並對違規行為處以懲罰。違反這些法規的罰款非常高：最高可達 2000 萬歐元或 4% 的收入（以較高者為準），此外還可能需要支付個人可能要求的任何額外損害賠償。

One unique aspect of GDPR is that it applies to any entity collecting or processing data related to people in the European Union, regardless of that entity's location. At the time of its adoption, it was considered the most strict data privacy law in the world and has since become a model for several laws and regulations enacted around the globe.
GDPR 的一個獨特之處在於，它適用於任何收集或處理與歐盟人員相關數據的實體，無論該實體位於何處。在其通過時，它被認為是世界上最嚴格的數據隱私法，此後已成為全球許多法律法規制定的典範。

Key disclosure laws are laws that compel the disclosure of cryptographic keys or passwords under specific conditions. This is typically done as part of a criminal investigation when seeking evidence of a suspected crime. Several countries have adopted key disclosure laws requiring disclosure under varying conditions. For instance, Part III of the United Kingdom's Regulation of Investigatory Powers Act 2000 (RIPA) grants authorities the power to force suspects to disclose decryption keys or decrypt data. Failure to comply is punishable by a maximum of two years in prison or five years if a matter of national security or child indecency is involved.
揭露密鑰法 是強制在特定條件下揭露加密密鑰或密碼的法律。這通常是在刑事調查中尋求犯罪嫌疑證據時進行的。許多國家已通過揭露密鑰法，要求在不同條件下揭露。例如，英國的《2000 年調查權力規管法》(RIPA) 第三部分賦予當局強制嫌疑人揭露解密密鑰或解密數據的權力。拒絕遵守者將面臨最高兩年監禁，如果涉及國家安全或兒童猥褻事項，則最高可判五年監禁。

CCPA: The California Consumer Privacy Act of 2018 (CCPA) is a Californian law granting residents of the state certain privacy rights concerning personal information held by for-profit businesses. One of these rights is the "right to know", which requires businesses to disclose to consumers, upon request, what personal information has been collected, used, and sold about them, and why.
CCPA：2018 年加州消費者隱私法案 (CCPA) 是一項加州法律，賦予該州居民關於營利性企業持有的個人信息的某些隱私權利。其中一項權利是「知情權」，這要求企業應消費者要求，披露已收集、使用和銷售關於他們的個人信息以及原因。

The "right to opt-out" also allows consumers to request that their personal information not be sold, something that must, with few exceptions, be approved. Another right is the "right to delete", which allows consumers to request that businesses delete collected personal information. In this case, however, some exceptions allow businesses to decline these requests.
「選擇退出權」也允許消費者要求不銷售其個人信息，除非少數例外情況，否則必須批准此要求。另一項權利是「刪除權」，允許消費者要求企業刪除收集的個人信息。但是，在這種情況下，一些例外情況允許企業拒絕這些請求。

PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard, first published in 2004, for organizations handling customer payment data for several major credit card companies. It is managed by the Payment Card Industry Standards Council. Its purpose is to ensure that payment data is properly secured to reduce the risk of credit card fraud. As with other frameworks, PCI DSS consists of several requirements and an organization's compliance must be assessed annually.
PCI DSS：支付卡產業資料安全標準 (PCI DSS) 是一個資訊安全標準，於 2004 年首次發布，適用於處理多家主要信用卡公司客戶支付資料的組織。它由支付卡產業標準委員會管理。其目的是確保支付資料得到妥善保護，以降低信用卡詐騙的風險。與其他框架一樣，PCI DSS 包含多項要求，且組織的合規性必須每年評估。

Most of these requirements resemble other industry best practices regarding network and system security, access control, vulnerability management, monitoring, etc. For example, Requirement 2 prohibits the use of vendor-supplied defaults for system passwords and other security-related parameters. Other requirements are credit-card-specific formulations of other familiar best practices. For example, Requirement 3 outlines what types of credit card data can be stored and how it must be protected.
這些要求大多類似於其他產業關於網路和系統安全、存取控制、弱點管理、監控等的最佳實務。例如，要求 2 禁止使用供應商提供的系統密碼和其他安全相關參數的預設值。其他要求是針對其他熟悉最佳實務的信用卡特定規定。例如，要求 3 概述了可以儲存哪些類型的信用卡資料以及如何保護這些資料。

CIS Top 18: The Center for Internet Security (CIS) Critical Security Controls, also known as CIS Controls, is a set of 18 (previously 20) recommended controls intended to increase an organization's security posture. While not laws or regulations, these controls pertain to areas that regulations are concerned with, including data protection, access control management, continuous vulnerability management, malware detection, and more.
CIS 前 18 項：網路安全中心 (CIS) 關鍵安全控制，也稱為CIS 控制，是一組 18 項（先前為 20 項）建議的控制措施，旨在提升組織的安全態勢。雖然不是法律或法規，但這些控制措施與法規關注的領域相關，包括資料保護、存取控制管理、持續弱點管理、惡意軟體偵測等等。

These controls are divided into safeguards (previously known as sub-controls), which, in turn, are grouped into three implementation groups (IG1, IG2, IG3) intended to help prioritize safeguard implementation.
這些控制項分為安全防護措施（先前稱為子控制項），而這些安全防護措施又分為三個實施群組（IG1、IG2、IG3），旨在協助優先實施安全防護措施。

IG1 consists of controls that are considered the minimum standard for information security meant to protect against the most common attacks and should be implemented by every organization. They are typically implemented by small businesses with limited IT expertise that manage data of low sensitivity. IG2 is composed of additional safeguards that are meant to apply to more complex organizations, typically those with multiple departments and staff dedicated to managing IT infrastructure with more sensitive customer and proprietary data. IG3, which consists of all safeguards, is typically implemented by organizations with dedicated cybersecurity experts managing sensitive data that may be subject to oversight.
IG1 包含被認為是資訊安全最低標準的控制項，旨在防範最常見的攻擊，每個組織都應實施。它們通常由具有有限 IT 專業知識的小型企業實施，這些企業管理的數據敏感性較低。IG2 由額外的安全防護措施組成，適用於更複雜的組織，通常是那些擁有多個部門和專門負責管理 IT 基礎設施、擁有更敏感客戶和專有數據的組織。IG3 包含所有安全防護措施，通常由擁有專門的網絡安全專家來管理可能受到監督的敏感數據的組織實施。

NIST Cyber Security Framework: The National Institute for Standards and Technology (NIST) Cybersecurity Framework is a collection of standards and practices designed to help organizations understand and reduce cybersecurity risk. It was originally developed to help protect critical infrastructure; however, it has been subsequently adopted by a wide array of organizations.
NIST 網路安全架構：美國國家標準與技術研究院 (NIST) 網路安全架構 是一套標準和實務的集合，旨在幫助組織了解和降低網路安全風險。它最初是為了保護關鍵基礎設施而開發的；然而，它隨後已被廣泛的組織採用。

The NIST framework consists of three components: Core, Implementation Tiers, and Profiles. The Framework Core is set of cybersecurity activities and outcomes. It is divided into the six high-level functions: Govern, Identify(ID), Protect (PR), Detect (DE), Respond (RS), and Recover (RC) as shown below.
NIST 架構包含三個組成部分：核心、實施層級和配置文件。架構核心是一組網路安全活動和成果。它分為六個高階功能：治理、識別 (ID)、保護 (PR)、偵測 (DE)、回應 (RS) 和復原 (RC)，如下所示。

Each function encompasses and number of categories. For example, the Identify function consists of the three categories of Asset Management (ID.AM), Risk Assessment (ID.RA), and Improvement (ID.IM). These categories, in turn, include subcategories that consist of statements describing the outcome of improved security and which are aligned with Information References. ID.RA for example consists of 10 subcategories starting with ID.RA.1: Vulnerabilities in assets are identified, validated and recorded through to ID.RA.10: Critical suppliers are assessed prior to acquisition. These subcategories go into deeper detail about possible technical implementations.
每個功能包含多個類別。例如，「識別」功能包含資產管理 (ID.AM)、風險評估 (ID.RA) 和改進 (ID.IM) 三個類別。這些類別進而包含子類別，其中包含描述改進安全性結果的陳述，並且與資訊參考相符。例如，ID.RA 包含 10 個子類別，從 ID.RA.1：識別、驗證和記錄資產中的漏洞 到 ID.RA.10：在收購之前評估關鍵供應商。這些子類別更深入地探討可能的技術實施。

The Framework Implementation Tiers specify the degree to which an organization's Cybersecurity practices satisfy the outcome described by the subcategories of the Framework Core. There are four such Tiers: partial (the least degree), risk-informed, repeatable, and adaptive. Framework Profiles refer to the relationship between the present implementation of an organization's cybersecurity activities (Current Profile) and their desired outcome (Target Profile). This is determined by the organization's business objectives, requirements, controls, and risk appetite. The comparison of these profiles can help the organization perform a gap analysis, as well as understand and prioritize the work required to fill it.
架構實作層級指定組織的資安實務滿足架構核心子類別所描述之成果的程度。共有四個層級：部分（程度最低）、風險知情、可重複及具適應性。架構概要指的是組織現行資安活動之實作（現況概要）與其期望成果（目標概要）之間的關係。這由組織的業務目標、需求、控制項及風險承受度決定。比較這些概要有助於組織執行差距分析，以及了解和優先處理填補差距所需的工作。

ATT&CK and D3FEND: The MITRE organization has tabulated and organized a framework for cataloging how groups of attackers work together to infiltrate systems and achieve their goals. This framework called the MITRE ATT&CK framework, is constantly updated to reflect the latest TTPs used by malicious groups across the globe. More details about the ATT&CK framework and how adversaries can be classified are available in OffSec's SOC-200 course.
ATT&CK 和 D3FEND：MITRE組織已編制並組織了一個框架，用於編目攻擊者群體如何合作滲透系統並實現其目標。這個稱為MITRE ATT&CK框架的框架不斷更新，以反映全球惡意組織使用的最新 TTP。有關 ATT&CK 框架以及如何對攻擊者進行分類的更多詳細信息，請參閱 OffSec 的 SOC-200 課程。

More recently, MITRE released a mirrored framework from the defensive perspective. While ATT&CK is meant to catalog and categorize the various ways that threat actors operate in the real world, D3FEND portrays a set of best practices, actions, and methodologies employed by defenders to prevent, detect, mitigate, and react to attacks.
最近，MITRE 發布了一個從防禦角度出發的鏡像框架。D3FEND描繪了一套最佳實務、行動和方法，供防禦者用於預防、檢測、減輕和應對攻擊，而 ATT&CK 旨在編目和分類威脅參與者在現實世界中運作的各種方式。

ISA/IEC 62443: An important standard for organisations operating industrial automation systems is ISA/IEC 62443. This standard defines the security requirements to secure Industrial Automation and Control Systems (IACS). This is also referred to as Operational Technology (OT). These standards set best practices for security controls and provide a way to assess the maturity level of an organisations operational security.
ISA/IEC 62443：對於營運工業自動化系統的組織而言，ISA/IEC 62443 是一項重要的標準。此標準定義了保護工業自動化與控制系統 (IACS) 的安全需求。這也稱為營運技術 (OT)。這些標準設定安全控制的最佳實務，並提供評估組織營運安全成熟度的方法。

Cyber Kill Chain: The Cyber Kill Chain is a methodology developed by Lockheed Martin to help defenders identify and defend against cyber attacks. It outlines seven stages of the attack lifecycle: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.
網路殺傷鏈：網路殺傷鏈 是洛克希德·馬丁公司開發的一種方法，用以協助防禦者識別和防禦網路攻擊。它概述了攻擊生命週期的七個階段：偵察、武器化、傳遞、利用、安裝、命令與控制以及達成目標的行動。

In the reconnaissance phase, an attacker identifies a target and enumerates potential weaknesses through which it may be exploited. Weaponization is the process by which an attack method to exploit this weakness is identified. This attack is launched in the delivery phase and, in the exploitation phase, the payload is executed on the target system. This leads to the installation stage in which malware is installed on the system. This malware is used to execute further commands in the command and control phase. In the actions on objectives phase, the attacker performs the actions required to achieve their ultimate goals, which may be data theft, modification, destruction, etc.
在偵察階段，攻擊者會識別目標並列舉可能被利用的潛在弱點。武器化是識別用於利用此弱點的攻擊方法的過程。此攻擊在傳遞階段發動，而在利用階段，有效載荷在目標系統上執行。這導致安裝階段，其中惡意軟體安裝在系統上。此惡意軟體用於在指令與控制階段執行更多指令。在達成目標的行動階段，攻擊者執行實現其最終目標所需的行動，這些目標可能是數據竊取、修改、破壞等。

FedRAMP: The Federal Risk and Authorization Management Program (FedRAMP) is a United States program that provides a standardized security framework for cloud services used by the federal government. Previously, a cloud service may have been required to obtain different authorizations for different federal agencies, FedRAMP allows a cloud service to obtain a single authorization for all government agencies. Its goal is to accelerate the government's adoption of cloud services while also ensuring that these services are secure. The controls are based on NIST SP 800-53 Revision 4 and enhanced by additional controls that pertain specifically to cloud computing. More details about cloud technology are explored in OffSec's CLD-100.
FedRAMP：聯邦風險與授權管理計劃 (FedRAMP) 是一個美國政府計劃，為聯邦政府使用的雲端服務提供標準化的安全架構。以往，雲端服務可能需要為不同的聯邦機構取得不同的授權，FedRAMP 允許雲端服務向所有政府機構取得單一授權。其目標是加快政府採用雲端服務的步伐，同時確保這些服務的安全。其控制措施基於NIST SP 800-53 修訂版 4，並通過與雲計算相關的額外控制措施增強。OffSec 的 CLD-100 課程將更詳細地探討雲端技術。

Cybersecurity is, fundamentally, a specific form of risk management. It is about network-borne threats which affect assets processed by and stored in technology systems. Those systems are used in the organization's business to create value, and so attacks on them can result in value being lost. As a result we use controls to manage that risk. We can represent the various elements, or anatomy, of cybersecurity in a way which shows the relationship of the elements in the diagram below.
網路安全從根本上來說，是一種特定形式的風險管理。它關乎影響技術系統處理和儲存資產的網路威脅。這些系統用於組織的業務以創造價值，因此對它們的攻擊可能導致價值損失。因此，我們使用控制措施來管理這種風險。我們可以用下圖所示的方式來表示網路安全的各種要素或結構，以顯示各要素之間的關係。

At the bottom of the figure we show the Security Framework providing controls to protect the organisation by reducing risk. This framework might be ISO27000, the NIST Cyber Security Framework, or any of the frameworks which incorporate controls. One of those controls is Security Incident Management.
在圖的底部，我們展示了安全架構，它提供控制措施來保護組織，降低風險。此架構可能是 ISO27000、NIST 網路安全架構或任何包含控制措施的架構。其中一項控制措施是安全事件管理。

At the top of the diagram we have a threat which by exploiting a vulnerability will cause a security event which is then classified as a security incident. This will harm the organisation, reducing its value in various ways, including the cost of running an incident response. The final element in the diagram is the asset which is of value to the organisation but as a target for attack also introduces risk.
在圖表頂端，我們有一個威脅，它通過利用漏洞將導致安全事件，然後被歸類為安全事件。這將損害組織，以各種方式降低其價值，包括運行事件響應的成本。圖表中的最後一個元素是資產，它對組織具有價值，但作為攻擊目標也帶來了風險。

The Security Incident Management control is the overall process where events are detected and triaged, with some becoming incidents. Those incidents are then investigated and resolved.
安全事件管理控制是整體流程，其中事件被檢測和分類，有些事件會演變成事件。然後對這些事件進行調查和解決。

Taking the NIST Cyber Security Framework (CSF) as one example of what might be the Security Framework in the diagram, we can position the six functions of the CSF around the diagram to show where those controls come into play. This distills the essence of cybersecurity into a very understandable form suitable for helping executives and cybersecurity professionals understand how security protects the business.
以 NIST 網絡安全框架 (CSF) 為例，作為圖表中安全框架的一個例子，我們可以將 CSF 的六個功能圍繞圖表進行定位，以顯示這些控制措施發揮作用的地方。這將網絡安全的精髓提煉成一種非常易於理解的形式，適用於幫助高管和網絡安全專業人員了解安全如何保護業務。

Network Penetration Tester: A Network Penetration Tester is responsible for discovering and exploiting vulnerabilities that exist in a targeted network. This career may be a good choice for someone who has a strong understanding of networking and systems and enjoys finding ways of subverting their security measures. This role also benefits from clear technical writing abilities. To learn such skills, we suggest reviewing OffSec's PEN courses at the 100, 200, and 300 levels.
網路滲透測試人員：網路滲透測試人員 負責發現和利用目標網路中存在的漏洞。對於深入了解網路和系統，並樂於尋找規避其安全措施方法的人來說，這個職業可能是一個不錯的選擇。此職位也受益於清晰的技術寫作能力。要學習這些技能，我們建議您回顧 OffSec 的 PEN 課程（100、200 和 300 級）。

Web Application Testers: A Web Application Tester is responsible for testing web applications for security weaknesses. A good candidate for this role likely has a strong knowledge of web application vulnerabilities, enjoys testing them, and enjoys subverting the security measures that they employ. The skills required to become a Web Application Tester are covered in the WEB track at the 100, 200, and 300 levels. These Modules teach the basics of how web applications work as well as black-box and white-box approaches to web application testing.
網頁應用程式測試人員：網頁應用程式測試人員 負責測試網頁應用程式的安全弱點。此職位的理想候選人可能具有紮實的網頁應用程式漏洞知識，喜歡測試它們，並樂於規避它們所採用的安全措施。成為網頁應用程式測試人員所需的技能在 WEB 軌道的 100、200 和 300 級課程中都有涵蓋。這些模組講授網頁應用程式的工作原理基礎知識，以及黑盒和白盒方法的網頁應用程式測試。

Cloud Penetration Tester: A Cloud Penetration Tester is responsible for performing penetration testing on cloud infrastructure. This might be a good career path for someone who has knowledge and experience in cloud infrastructure and penetration testing. As with other penetration testing positions, you may enjoy this role if you have fun probing infrastructure for weaknesses and figuring out ways to exploit them. CLD-100 teaches learners how to test, attack, and exploit cloud technologies.
雲端滲透測試人員：雲端滲透測試人員 負責對雲端基礎架構進行滲透測試。對於具備雲端基礎架構和滲透測試知識與經驗的人來說，這可能是一條不錯的職業道路。與其他滲透測試職位一樣，如果您喜歡探測基礎架構的弱點並找出利用它們的方法，您可能會喜歡這個角色。CLD-100 課程教導學員如何測試、攻擊和利用雲端技術。

Exploit Developer: An Exploit Developer is responsible for discovering and developing exploits for software vulnerabilities. Someone looking to become an Exploit Developer might enjoy reverse engineering applications to determine how they work, reading low-level code, and bypassing security mitigations. The EXP-301 course offers more information about Windows binary exploitation, while EXP-312 explores macOS logical exploitation.
漏洞開發人員：漏洞開發人員 負責發現和開發軟體漏洞的利用程式。想要成為漏洞開發人員的人可能會喜歡反向工程應用程式以確定它們的工作方式、閱讀低階程式碼和繞過安全防護措施。EXP-301 課程提供有關 Windows 二進位檔案漏洞利用的更多資訊，而 EXP-312 則探討 macOS 邏輯漏洞利用。

Vulnerability Researcher: A Vulnerability Researcher is responsible for researching new software vulnerabilities and exploitation techniques, determining their impact, developing Proofs of Concept (PoCs), and communicating their findings to different stakeholders. A person may wish to be a Vulnerability Researcher if they enjoy reverse engineering and researching new and emerging vulnerabilities and techniques. You can follow EXP-301 and EXP-312 to learn how to reverse engineer and develop exploits for Windows and macOS software, respectively.
資安漏洞研究員：資安漏洞研究員負責研究新的軟體漏洞和利用技術，確定其影響，開發概念驗證 (PoC)，並將其發現傳達給不同的利益相關者。如果您喜歡逆向工程和研究新的和新興的漏洞和技術，您可能希望成為資安漏洞研究員。您可以參考 EXP-301 和 EXP-312 來學習如何分別對 Windows 和 macOS 軟體進行逆向工程和開發漏洞利用程式。

Security Administrator: The term Security Administrator refers to a systems administration role which focuses on security across the organisation at an operational level. This role is suitable for experienced cybersecurity specialists. The OffSec library includes a range of 200-level modules in the Defend category which are appropriate for this role.
安全管理員：安全管理員 這個術語指的是一種系統管理角色，其重點是在營運層面上關注整個組織的安全。此職位適合經驗豐富的網路安全專家。OffSec 程式庫包含「防禦」類別中一系列 200 級別的模組，這些模組適用於此職位。

Cyber Defence Analyst: A Cyber Defence Analyst, otherwise known as a SOC Analyst is responsible for monitoring, triaging, and when necessary, escalating security alerts that arise from within monitored networks. Someone may be a good fit for this position if they enjoy investigating and gathering information surrounding suspicious activity. To prepare, we recommend following the SOC track at the 100 and 200 levels in the OffSec library. SOC Modules will explore the techniques attackers use to infiltrate networks and those that analysts use to discover this activity.
資安防禦分析師：資安防禦分析師，也稱為安全作業中心 (SOC) 分析師，負責監控、分類並在必要時升級來自受監控網路的安全警報。如果您喜歡調查和收集可疑活動相關資訊，那麼您可能很適合這個職位。為做好準備，我們建議您學習 OffSec 程式庫中 100 級和 200 級的 SOC 課程。SOC 模組將探討攻擊者滲透網路所使用的技術，以及分析師用於發現此類活動的技術。

Malware Analyst: A Malware Analyst is responsible for analyzing suspected or confirmed malware samples to determine how they work and, ultimately, what their purpose is. Someone might enjoy this role if they have a basic understanding of networking and like analyzing suspicious samples and reverse engineering.
惡意軟體分析師：惡意軟體分析師 負責分析可疑或已確認的惡意軟體樣本，以確定其運作方式以及最終目的。如果您具備基本的網路知識，並且喜歡分析可疑樣本和逆向工程，那麼您可能會喜歡這個角色。

The OffSec library contains numerous resources that can help learners learn these skills. For example, EXP-301 teaches reverse engineering and some basics of the Windows API. PEN courses at the 200 and 300 levels describe how attackers craft malicious documents and payloads as well as the techniques that they use to evade antivirus and other detection mechanisms. Finally, the 100-level library contains Modules that can help to learn the basics of networking.
OffSec 函式庫包含許多資源，可以幫助學習者學習這些技能。例如，EXP-301 教授逆向工程和一些 Windows API 的基礎知識。200 級和 300 級的 PEN 課程描述了攻擊者如何製作惡意文件和有效載荷，以及他們用於規避防病毒和其他偵測機制的技術。最後，100 級函式庫包含可幫助學習網路基礎知識的模組。

Digital Forensics Analyst: A Digital Forensics Analyst is responsible for investigating cybersecurity incidents by gathering and analyzing evidence of intrusions and recovering data. Someone who enjoys this role likely has a strong understanding of how systems and networks operate and is interested in investigating how intrusions occur, and then assembling evidence into a complete story. To begin learning these skills, we recommend reviewing the SOC track at the 100 and 200 levels. SOC-200 shows some of the specific ways attackers operate and how to search for evidence of their attacks.
數位鑑識分析師：數位鑑識分析師 負責調查網路安全事件，方法是收集和分析入侵證據並恢復數據。喜歡這個角色的人很可能對系統和網路的運作方式有深入的了解，並且有興趣調查入侵是如何發生的，然後將證據整合到一個完整的故事中。要開始學習這些技能，我們建議回顧 100 級和 200 級的 SOC 軌跡。SOC-200 展示了攻擊者運作的一些具體方式以及如何搜尋其攻擊的證據。

Cyber Defence Incident Responder: A Cyber Defence Incident Responder is responsible for reacting to cybersecurity events. This includes identifying the cause and scope of an incident and recommending measures to contain, eliminate, and recover from it. Someone may be a good fit for this role if they have a strong technical background and enjoy working in a fast-paced environment and performing root cause analysis. This role also benefits from strong cross-functional communication skills. Starting with the SOC track at the 100 and 200 level will help learners prepare for this career. SOC-200 in particular shows some of the ways attackers operate and how to search for evidence of their attacks.
資安事件回應人員：資安事件回應人員負責應對資安事件。這包括識別事件的起因和範圍，並建議措施以遏制、消除和從事件中恢復。具備紮實技術背景、喜歡在快節奏環境中工作並進行根本原因分析的人可能適合此職位。此職位也受益於強大的跨職能溝通能力。從 100 級和 200 級的 SOC 軌跡開始將有助於學習者為此職業做準備。特別是 SOC-200 展示了攻擊者的一些操作方式以及如何搜尋其攻擊的證據。

Threat Hunter: A Threat Hunter is responsible for proactively searching networks and systems for Indicators of Compromise (IOCs) using the most up-to-date threat intelligence. This role could be a good choice for someone who enjoys following the most recent cybersecurity feeds and searching for malicious activity that may have evaded existing defenses. There are resources in the OffSec library that can help to prepare for this position. For example, the SOC track at the 100 and 200 levels teaches about common techniques used by attackers and how to search for and identify them. The PEN-300 course is helpful to learn about the ways that attackers bypass existing defenses.
威脅獵人：威脅獵人負責使用最新的威脅情報，主動搜尋網路和系統中的入侵指標 (IOCs)。這個職位很適合喜歡追蹤最新的網路安全資訊，並搜尋可能避開現有防禦的惡意活動的人。OffSec 函式庫中有資源可以幫助您為此職位做準備。例如，100 級和 200 級的 SOC 課程講授攻擊者常用的技術，以及如何搜尋和識別這些技術。PEN-300 課程有助於了解攻擊者繞過現有防禦的方法。

There's another area we can usefully consider to have important cybersecurity activities, and that's the folks involved in the Build part of the lifecycle. Designing and implementing security during build is the most efficient way of doing security. let's check out some of the roles that might include cybersecurity.
我們可以考慮另一個領域，其中包含重要的網路安全活動，那就是參與生命週期「建置」部分的人員。在建置過程中設計和實施安全措施是執行安全措施最有效的方法。讓我們看看一些可能包含網路安全的職位。

Enterprise Security Architect. Many large organizations will have one or more Enterprise Security Architect (ESA) positions, either in the cyber security team or the architecture team. This role involves understanding the business activities and building the models which associate security solutions to security services which support the business. Individuals with a deep, cutting-edge understanding of on-premise and cloud computing who enjoy developing high-level business strategies and excel at communicating technical concepts across business areas may enjoy this role.
企業安全架構師。許多大型組織都會有一個或多個企業安全架構師 (ESA)職位，無論是在資安團隊或架構團隊中。此職位需要了解業務活動，並建立將安全解決方案與支援業務的安全服務相關聯的模型。擁有深厚、尖端的前端和雲端運算知識，並樂於制定高階業務策略，且擅長跨業務領域溝通技術概念的人，可能會喜歡這個職位。

Cloud Architect. A Cloud Architect is a specialist architecture role responsible for designing and overseeing the implementation of a cloud-computing strategy aligned with the business's goals and needs, and this role will include or may specialize in cloud security. OffSec's CLD-100 offers more information about important cloud concepts and technologies. It teaches learners how to build clouds safely and secure these technologies. This career may be a good fit for someone who enjoys programming and building infrastructure and has experience with cloud service providers and other cloud-related technologies.
雲端架構師。一位雲端架構師是專門負責設計和監督符合企業目標和需求的雲端運算策略實施的專業架構角色，此角色將包含或可能專精於雲端安全。OffSec 的 CLD-100 提供有關重要雲端概念和技術的更多資訊。它教導學習者如何安全地建構雲端並保護這些技術。這個職涯可能適合喜歡程式設計和建構基礎架構，並且具有雲端服務供應商和其他雲端相關技術經驗的人。

Security Solution Architect. The Security Architect (SA) develops high level architectural solutions for application security, ensuring the security architecture for the solution is aligned with the enterprise security architecture. This role isn't involved with specific security or IT products, but focuses on development of a generic security model suitable for specifying security requirements for products. It's a good fit for someone with a wide knowledge of the types of security solutions that are available and can build application-driven security models.
資安解決方案架構師。此資安架構師 (SA)負責開發應用程式安全性的高階架構解決方案，確保解決方案的資安架構與企業資安架構一致。此職位不涉及特定的資安或 IT 產品，而是專注於開發適用於指定產品資安需求的通用資安模型。對於熟悉各種可用資安解決方案類型並能建立應用程式驅動的資安模型的人來說，這是一個不錯的選擇。

Security Designer. A Security Designer is responsible for designing, building and in many cases maintaining the cyber defense structures for applications and the IT infrastructure. There are similar roles in the security assurance team but these are not responsible for carrying out design work, instead they review and approve security design work carried out by external suppliers or internal development teams. A Cloud Engineer is a specialist designer responsible for designing, building and maintaining the cloud infrastructure.
資安設計師。一位資安設計師負責設計、建置，且在許多情況下也負責維護應用程式與 IT 基礎架構的資安防禦結構。資安保證團隊中也有類似的角色，但這些角色不負責執行設計工作，而是負責審查和批准外部供應商或內部開發團隊執行的資安設計工作。一位雲端工程師是負責設計、建置和維護雲端基礎架構的專業設計師。

Developer: A Software Developer is responsible for writing computer programs which, depending on the precise role, may range from core operating system components to desktop, mobile, and web applications. Someone who enjoys designing elegant and efficient programmatic solutions to problems may enjoy this role. Depending on the type of software development, the OffSec Library contains a considerable number of resources to help learners understand attack vectors and create secure software. A general understanding of software vulnerabilities is available in the PEN-200 course, while information about web development can be found in OffSec's WEB courses at the 200 and 300 levels. Those who may be programming in memory-unsafe languages such as C may be interested in the EXP-301 and EXP-312 courses.
開發人員：軟體開發人員 負責撰寫電腦程式，具體職責可能涵蓋核心作業系統元件到桌面、行動和網頁應用程式等。喜歡設計優雅且高效的程式化解決方案的人可能會喜歡這個職位。根據軟體開發的類型，OffSec 函式庫包含大量資源，可幫助學習者了解攻擊向量並建立安全的軟體。PEN-200 課程提供軟體弱點的基礎知識，而關於網頁開發的資訊可在 OffSec 的 200 和 300 級別的 WEB 課程中找到。使用記憶體不安全語言（例如 C 語言）進行程式設計的人員可能會對 EXP-301 和 EXP-312 課程感興趣。

DevSecOps: DevSecOps (an abbreviation for Development, Security, and Operations) is an approach to software development that integrates security into all stages of the software development lifecycle, rather than postponing it to the end. A DevSecOps Engineer is responsible for automating security testing and other security-related processes. This role might be a good fit for someone who has an understanding of the Continuous Integration/Continuous Development (CI/CD) pipeline and tools, an interest in security testing automation, and the ability to work in a fast-paced environment.
DevSecOps：DevSecOps（開發、安全和營運的縮寫）是一種軟體開發方法，它將安全整合到軟體開發生命週期的所有階段，而不是將其延遲到最後。一位DevSecOps 工程師負責自動化安全測試和其他與安全相關的流程。這個職位可能很適合了解持續整合/持續開發 (CI/CD) 管線和工具、對安全測試自動化感興趣，並且能夠在快節奏環境中工作的人。

The OffSec Library contains a considerable number of resources that can help learners with software development, including understanding the different attack vectors to automate testing for and the types of automation testing tools available. This information can be found in the WEB and PEN courses at the 200, and 300 level. CLD-100 also provides details about Docker and Kubernetes: two essential tools for DevSecOps.
OffSec 函式庫包含大量資源，可以幫助學習者進行軟體開發，包括了解不同的攻擊向量以自動化測試以及可用的自動化測試工具類型。這些資訊可以在 200 和 300 級別的 WEB 和 PEN 課程中找到。CLD-100 也提供了關於 Docker 和 Kubernetes 的詳細資訊：DevSecOps 的兩個重要工具。

Site Reliability Engineer: A Site Reliability Engineer is responsible for ensuring and improving the availability and performance of software systems. A person may wish to be a Site Reliability Engineer if they have software development experience and are interested in using automation to monitor for, alert, and respond to reliability-related issues. learners can learn about containers and Kubernetes, some of the key technologies used to support SRE, by following CLD-100 in the OffSec library.
網站可靠性工程師：網站可靠性工程師 負責確保及提升軟體系統的可用性和效能。若具備軟體開發經驗且有興趣利用自動化技術監控、警示及回應與可靠性相關的問題，則可能想成為網站可靠性工程師。學習者可透過 OffSec 函式庫中的 CLD-100 課程，學習容器和 Kubernetes 等支援 SRE 的關鍵技術。

System Hardener (System Administrator): A System Hardener is responsible for configuring systems to reduce their security risk. This involves changing insecure default configurations, removing unused programs, ensuring firewalls are appropriately restrictive, etc. A person may seek out this career if they have experience with system administration, are familiar with attack techniques, and enjoy making systems and the data they store more secure. Many of the skills required for this position are covered in the PEN track at the 100, 200 and 300 levels. PEN-100, for instance, explores some of the basics of networking and system administration. PEN-200 describes some of the common techniques that attackers use. PEN-300 teaches more advanced techniques that attackers use to bypass defenses.
系統強化人員 (系統管理員)：系統強化人員 負責配置系統以降低其安全風險。這包括更改不安全的預設組態、移除未使用的程式、確保防火牆具有適當的限制性等等。如果具備系統管理經驗、熟悉攻擊技術，並且喜歡使系統及其儲存的資料更安全，則個人可能會尋求此職位。此職位所需的許多技能都在 100、200 和 300 級別的 PEN 軌跡中涵蓋。例如，PEN-100 探討網路和系統管理的一些基礎知識。PEN-200 描述攻擊者使用的一些常見技術。PEN-300 教授攻擊者用於繞過防禦的更進階技術。

There are many more roles and role titles in the wider cyber security discipline.
在更廣泛的網路安全領域中，還有許多其他的角色和職稱。

Information Security Officer: There are various titles for the head of a cybersecurity program including Chief Information Security Officer (CISO), Chief Security Officer (CSO), Principal Security Officer (PSO), Information Security Officer (ISO), and so on. Working to the CISO, there are management roles leading teams within the security function, for example Manager Governance, Risk & Controls (Manager GRC) and Manager SOC. These are all cybersecurity governance functions and are suitable for experienced cybersecurity specialists.
資訊安全主管：資安計畫負責人有多種職稱，包括資安長 (CISO)、安全長 (CSO)、首席安全官 (PSO)、資訊安全官 (ISO)等等。在資安長領導下，還有管理職位負責帶領安全部門內的團隊，例如治理、風險與控制經理 (GRC 經理)和安全作業中心經理 (SOC 經理)。這些都是資安治理職能，適合經驗豐富的資安專家。

Security Tester: There are many security assurance roles beyond those involving hands-on pen testing, starting with the Security Tester, a role which is typically part of the development team and which is responsible for running security test cases on products to verify that the security features work as documented. The role of Security Controls Assessor (SCA) involves validating the operation of controls in advance of an audit or compliance check. A special type of testing role is the Common Criteria Security Evaluator whose role it is to evaluate vendor products to ensure they meet their claimed security functionality and assurance levels.
資安測試人員：除了實際進行滲透測試的角色之外，還有許多資安保證職位，首先是資安測試人員，這個角色通常是開發團隊的一份子，負責執行產品的資安測試案例，以驗證資安功能是否符合文件記載。 資安控制評估師 (SCA) 的角色則是在稽核或合規檢查之前驗證控制項的運作。一種特殊的測試角色是通用標準資安評估師，其職責是評估廠商產品以確保其符合聲稱的資安功能和保證等級。

Security Assurance Officer. There are a number of terms used to describe security assurance roles all of which are focused on verifying that controls exists in systems under review and are operating correctly. These include Security Assurance Officers, Security Compliance Officers, and Cyber Security Auditors. A specific example of this kind of role is the PCI Qualified Security Assessor in which the incumbent has gained certification from the Payment Card Industry (PCI) Council as being qualified to run assessments against the PCI Data Security Standard.
資安保證官。有多個詞彙用於描述資安保證職位，所有這些職位都專注於驗證正在審查的系統中是否存在控制措施以及是否正常運作。這些職位包括資安保證官、資安合規官和資安稽核員。此類職位的具體示例是PCI 合格資安評估師，其中擔任此職位者已獲得支付卡產業 (PCI) 理事會的認證，證明其有資格針對PCI 資料安全標準進行評估。

Security Risk Analyst: Cyber security is fundamentally little more than a specialist area of risk. As such, a sizable part of any cyber security team will be the Security Risk Analysts, sometimes referred to as a Security Risk and Controls Analysts or in more generic terms as a Cybersecurity Analyst. This is a key area of work for security consultancy services. The involves understanding cybersecurity threats to the business and the impact they may have on business activities.
資安風險分析師：資安從根本上來說只不過是風險管理的一個專業領域。因此，任何資安團隊中相當大的一部分將是資安風險分析師，有時也稱為資安風險與控制分析師，或更通俗地稱為資安分析師。這是資安顧問服務的一個關鍵工作領域。這涉及了解對企業的網路安全威脅及其可能對業務活動造成的影響。

Identity Analyst: Also known as a IAM Security Analyst, this role works with various departments within an organization to help drive access control initiatives in support of internal policies, regulatory compliance, and industry standards. The generic role of Cybersecurity Analyst may also cover aspects of IAM.
身分識別分析師：此職位也稱為身分與存取管理 (IAM) 資安分析師，與組織內各部門合作，協助推動存取控制措施，以支援內部政策、法規遵循和行業標準。資安分析師的一般職位也可能涵蓋 IAM 的某些方面。

Security Assistant: Any security program includes basic administrative processes such as setting up and issuing access credentials, two factor tokens, proximity cards and other such items. Product vendors may specify the role of security administrator as being the person responsible for managing security configuration or support for their product. Security support roles may exist within the cybersecurity team or may be assigned to other teams, such as IT for provisioning credentials.
資安助理：任何資安程式都包含基本的管理流程，例如設定和發放存取憑證、雙因素驗證碼、感應卡和其他此類項目。產品供應商可能會將資安管理員的角色定義為負責管理其產品的資安組態或支援的人員。資安支援角色可能存在於資安團隊內，也可能指派給其他團隊，例如負責佈建憑證的 IT 團隊。

There are too many roles across all the functions involved in cyber security to provide a single picture of the cyber security world, but let's position the relevant roles for the cyber security anatomy on our previous diagram. This will be as follows.
網路安全中涉及的所有職能包含過多的角色，無法提供網路安全世界的單一圖像，但讓我們在之前的圖表上定位網路安全解剖結構中相關的角色。這將如下所示。

This is an operations-centric perspective which shows the key roles for the operational aspects of monitoring and incident response, together with related governance and assurance roles.
這是一個以營運為中心的觀點，它顯示了監控和事件回應營運方面的關鍵角色，以及相關的治理和保證角色。