What is Penetration Testing Types | Black Box, White Box, Gray Box

The typical image of a penetration test is that of a team of high-tech com- puter experts sitting in a small room attacking a company’s network for days on end or crawling through the ventilation shafts to get into the company’s “secret room.” While this may be a glamorous image to use in the movies, in reality the penetration test works in a variety of different (and very nonglamorous) ways.

The first type of penetration testing involves the physical infrastructure of the subject. Very often, the most vulnerable parts of a company are not found in the technology of its information network or the access controls found in its databases. Security problems can be found in the way the subject han- dles its physical security. The penetration tester will seek to exploit these physical weaknesses. For example, does the building provide adequate access control? Does the building have security guards, and do the guards check people as they enter or leave a building? If intruders are able to walk unchecked into a company’s building, they will be able to gain physical access to the information they seek. A good test is to try to walk into a building during the morning when everyone is arriving to work. Try to get in the middle of a crowd of people to see if the guard is adequately checking the badges of those entering the building.

The three types of penetration testing :

1. Black-box penetration testing: (zero-knowledge testing): In order to simulate real-world attacks and minimize false positives, penetration testers can choose to undertake black-box testing (or zero knowledge testing, with no information or assistance from the client) and map the network while enumerating services, shared file systems, and operating systems discreetly. Additionally, the penetration tester can undertake wardialing to detect listening modems and wardriving to discover vulnerable access points, provided these activities are within the scope of the project.
2. White-box penetration testing: (complete-knowledge testing): If the organization needs to assess its security against a specific kind of attack or a specific target, complete information about the organization’s network may be given to the penetration testers. The information provided can include network-topology documents, asset inventory, and valuation information. Typically, an organization would opt for this when it wants a complete audit of its security. It is critical to note that despite all this, information security is an ongoing process and penetration testing gives a snapshot of the security posture of an organization at any given point in time. White-box testing can be done with and without the knowledge of the IT staff. Only the top management is kept in the loop when a test is conducted without the involvement of the organization’s IT staff.
3. Gray-box penetration testing: Gray-box penetration testing is the most common approach to test the vulnerabilities that an attacker can find and exploit. This testing process functions in a similar way to black-box testing. Both the attack team and normal users are provided with the same privileges. The purpose of these tests is to simulate an attack by a malicious insider.

Black Box Penetration Testing

Black box penetration testing, the testers have no prior knowledge of the infrastructure that is to be tested. The tester uses fingerprinting methods to acquire information about the inputs and the expected outputs but is not aware of the internal workings of a system. This test is carried out only after extensive research related to the organization is done. It is carried out from the user’s point of view. Designing test cases is difficult without clear and concise specifications, but it is done once the specifications are complete. This test simulates the process of a real hacker. Black-box testing is quite time-consuming and expensive. It is also known as functional testing.

White Box Penetration Testing

White box penetration testing is also known as complete-knowledge testing. The tester is provided with various pieces of information about the organization before the white-box testing is started. This test simulates the process of the company’s employees. The following information is often provided during white-box testing:

1. Company infrastructure: This includes information related to the different departments of the organization. Information related to hardware, software, and controls are also revealed to the penetration tester.
2. Network type: The network-type information could be regarding the organization’s LAN and the topology used to connect the systems. It could also be information regarding access to remote networks or the Internet.
3. Current security implementations: Current security implementations are the various security measures adopted by the organization to safeguard vital information against any kind of damage or theft.
4. IP address/firewall/IDS details: This information includes details of the IP addresses the organization uses, the firewalls used to protect data from unauthorized users, and other important technical details about the network. The firewall and IDS policies are made available to the penetration tester.
5. Company policies: The various policies that the organization has adopted to carry out business could be made available, depending on the nature of the test. Security policies, legal policies, and labor policies can all be useful to the penetration tester.

Gray Box Penetration Testing

Gray box penetration testing involves a security assessment and internal testing; the process of testing examines the scope of access by insiders within the organization’s network. Both the attack team and normal users are provided with the same privileges, and the purpose is to simulate an attack by a malicious insider. Here, the tester usually is given limited information.

Author : Admin

Share this

Related Posts