When businesses, healthcare providers, educational institutions, and government agencies hire us to perform penetration testing, our experienced consultants recommend the type of penetration testing (“pen tests”) to be conducted based on our conversations with the clients.
We thought that some of you might be interested in learning about the three different types of pen tests and when each one is most appropriate. (If, on the other hand, you’re looking for content that’s a little edgier, please read our post on “The Dark Magic of the Deepfake.”)
Now, let’s have a quick look at why you should have a pen test regularly. Bear in mind that external and internal pen tests are individual components of an overall security risk assessment, which is required by many security regulations, and also makes good business sense.
Penetration testers are basically white hat hackers. Their job is to emulate the bad guys by attempting to find ways into your network in order to discover security gaps. As such, they acquire a unique perspective on your organization’s IT defenses that routine, automated vulnerability scans cannot.
Modern vulnerability scanners continue to improve and can detect myriad vulnerabilities in known systems. But they can miss vulnerabilities that are specific to a business. A skilled pen tester will employ a range of automated tools and augment them with real-world experience, training, and brainpower to achieve a comprehensive view of your unique organization.
It’s not uncommon for security weaknesses to be greater than the sum of their parts when exploited in a particular sequence by a savvy attacker. Together, they can pose a considerable risk to your organization. An experienced pen tester has the human ability to connect the dots and to understand individual vulnerabilities in a larger context.
The product of any professional penetration test is a report of findings and recommendations for remediation. Automated scanning tools may suggest general solutions, but a report written by an experienced pen tester will describe remedial actions your organization can take to address its specific security gaps.
If you’re interested in delving a little deeper, this article looks at the pros and cons of penetration testing.
Now that we know the benefits of conducting regular penetration testing of our networks, let’s learn more about the three types of pen tests and the value of each type. (Note: Similar testing is also available for software applications, websites, and other organizational assets.)
Penetration tests are classified according to (1) how much organizational information is shared with the pen tester at the outset of the assignment, and (2) the level of access the pen tester is granted in order to conduct the testing. These classifications are coded as white, black, or gray box testing.
White box testing refers to the granting of full access to conduct the pen test, and the sharing of complete network and system architecture documentation, network maps, source code, user roles, and any other documentation that may be useful in planning the pen test and analyzing the findings.
While external penetration testing targets the assets that are visible on the Internet (such as DNS, email, or company website), internal penetration testing is equally important because it concentrates on the LAN and various intelligent devices connected to it. Internal testing can help detect malicious or negligent insider activities as well as evidence of criminal hackers who may have embedded in the network.
Black box testing is the opposite of white box testing. In this scenario, the pen tester behaves like a typical hacker in that he or she has no deep knowledge of the network to be tested. The only documentation that is publicly available (such as user manuals or vendor software documentation) is shared with the pen tester. It is probably the most realistic of the three testing scenarios since most hackers have no knowledge of the inner workings of a network as they plan their attack on it—unless they have breached the network and are embedded in it.
As the name implies, gray box testing is a hybrid that blends the best elements of white and black box testing to achieve actionable results in optimal time. Gray box testers usually have some degree of internal network knowledge, including a current network map or system architecture documentation, and have been granted internal access to the network.
In addition, having internal access to the network enables them to test inside the perimeter, thereby imitating a hacker who has enjoyed access to the network for some period of time. Numerous cyberattacks have been perpetrated by embedded hackers, creating significantly more damage than a quick hit-and-run attack.
As we have noted, both internal and external testing are necessary elements of a thorough security risk assessment. White box and gray box testing support these two elements.
If your organization has not undergone an extensive security assessment in several years, a white box testing scenario is a smart move. It can be followed with periodic external scans, or black box testing, in a security maintenance program.
For organizations desiring solid testing in an efficient timeframe, gray box testing may be a good strategy. Before you decide on your own, we invite you to consult with our penetration testing experts to determine which approach makes the most sense for your specific circumstances.
Anyone desiring to learn more about penetration testing, including becoming certified in this skill, is encouraged to visit the Infosec Institute, an excellent resource for information security professionals. Special thanks to Infosec for supplying key content for this article.
EC-Council is also an excellent resource, offering a Certified Ethical Hacker credential that is ideal for professional pen testers who serve as white hats or ethical hackers.
Penetration testing, including both internal and external testing, is a vital component of a thorough security risk assessment. Three types of pen tests are white box, black box, and gray box testing, and each has particular advantages.
An ongoing network security program might employ all three types of testing over a period of several years or more. Before deciding which type of testing is right for you at any given time, we recommend consulting with a professional penetration tester to ensure you derive the greatest value from pen testing in your current state. At 24By7Security, our credentials include Certified Ethical Hacker certification from EC-Council.