Overview of Alternative Methods: Now that you have an idea of what penetration testing is, we need to take a close look at the process that a penetration tester follows outside of what EC-Council offers.
When you are considering a methodology to follow, you must remember some points and ideas up front.
First of all, remember that a penetration test is considered part of a normal IT security risk management process that may be driven by internal or external requirements as the individual situation merits.
Whether an internal or external risk assessment, it is important to remember that a penetration test is only one component in evaluating an environment’s security, but it is frequently the most important part because it can provide real evidence of security problems. The test should be part of a comprehensive review of the security of the organization.
Items you should expect to test during a penetration test include the following:
- IT Infrastructure
- Network Device
- Communication Links
- Physical Security and Measures
- Psychological issues
- Policy issues
Before we get too far, let’s take another look at our penetration tests from the very previous articles you can find in the TechyTalk.Online website namely, Black box, gray box, and white box.
Black-Box Testing: Black-box testing is a type of test that most closely emulates an outside attack and is known as an external test in some circles.
The pentester will execute limited in their information and will typically have only the name of a company to go on with little else. By using many of the technique mentioned in this blog, the attacker will gain information about the target to make their eventual penetration into the company.
Along the way, the attacker will log and track the vulnerabilities on a system and report these back to the client in the test documentation.
The pentester will also attempt to use their knowledge to quantify the impact any loss would have to an organization.
Once the test process is completed, a report is generated with the all the necessary information regarding the target security assessment, categorizing and translating the identified risks into a business context (also known as a risk mitigation plan).
Gray-Box Testing: In this type of test the attacker is given limited knowledge that may amount to all the information in a black box plus operating system or other data.
It is not unheard of for this type of test to provide the attacker with information on some critical but untouchable resources ahead of time.
The idea with this practice is that if the tester has knowledge of some key resources ahead of time, they will look for or target these resources.
However, once one of these targets is found, the tester is told to stop the test and report their findings to the client.
White-Box Testing: A white-box test gives the testing party full knowledge of the structure and makeup of the target environment; thus, this type of test is also sometimes known as an internal test.
This type of test allows for closer and more in-depth analysis than a black or gray box would. White-box tests are commonly performed by internal teams as a means for them to detect problems and fix them before any external party locates and exploit them.
The time and cost required to find and resolve the security vulnerabilities is less than with the black-box approach.
Now that we are expanding our horizons to look at different methodologies that can be used to perform a test, we add to the list of tests that can be executed:
Blind: Blind testing does not require any prior knowledge about the target system, but the target is informed before the execution of an audit. Ethical hacking and wargaming are examples of blind testing.
Double Blind: In double-blind testing, an auditor does not require any knowledge about the target system, nor is the target informed except for key individuals as defined by the client before the test execution.
Black-box auditing and penetration testing are examples of double-blind testing. Most of the security assessments today are carried out using this strategy, thus putting a real challenge on auditors to select the best of breed tools and techniques in order achieve their goal.
Tandem: In tandem testing, the auditor has minimum knowledge of the target system before the test, and the target is notified before the test is executed. Crystal box and in house audits are examples of tandem testing.
Reversal: In reversal testing, an auditor has full knowledge about the target system before the test, and the target is not informed as to how and when the test will be conducted. Red-teaming is an example of reversal testing.