The confusion around pen testing increases when you venture beyond the "simulated cyber-attack to evaluate the health of your security" basics and start digging deeper into different pen test methodologies and outcomes. Which is why I thought it might be useful to set out a color-coded guide to pentesting in an attempt to help clarify the situation.

Knowledge is power

Before I start digging into the color-coding though, it's important to point out from the get-go that penetration testing alone does not promise to lift your organization into mythical 100% security territory. Nobody can guarantee that level of perfection in an imperfect world. What pen testing can do, however, is help in identifying and validating misassumptions regarding your security posture. By choosing the correct type of testing to best align with the sensitivity of the tested application or system, your business will be better served when it comes to balancing risk, be that costs vs.

Knowledge really is power, and there's a reason why cybersecurity is also called information security. Being better informed about not only the strengths, but the weaknesses as well, of your systems helps build a better overall security strategy. Which brings me nicely onto the small matter of being better informed about pen testing methodologies and the colors I keep referring to.

There are three 'boxes' that you need to consider: black-box, white-box and grey-box. These 'boxes' can be defined as the classification of the level of information disclosed to the testers before an assignment begins. The pen testing devil really is in the detail: how much knowledge of the internal structure, algorithms, source code and level of access is disclosed to the testers will determine both how the test is approached and how the results can be interpreted and applied.

Sometimes referred to as crystal-box testing, white-box is so-called as the tester gets to see everything pretty clearly. The testers are given full information regarding the target system or application. This can include internal network topology, use cases and, in some cases, actual source code. The important point being that a white-box testing operation demands full disclosure of relevant information before it begins and co-operation from the company during it. While this might sound like a pretty poor way of 'testing' security, that's not so. In the real world, organized criminals and state-sponsored actors have the time and resources to spend large amounts of both on attack reconnaissance and adopt a 'low and slow' approach to a targeted attack. A white-box approach simulates a completed reconnaissance phase, allowing the testers to look for vulnerabilities and attack vectors much more efficiently. This level of collaboration between target (the company) and attacker (testing provider) makes for very effective, and cost-efficient, testing.

Black-box testing is the polar opposite of the white-box methodology, as you would expect. This means that the pentesters are effectively going in blind, with virtually no information about the system disclosed beforehand. It is the most literal when it comes to replicating real-world attack modes, as neither the well-resourced criminal endeavor nor the average threat actor will have any prior inside knowledge of the target. It can, however, lead to far greater engagement times for the testing (and so require bigger budgets), with as much as half of any pen-test exercise being consumed by the recon or discovery phase of the operation. It is very accurate in pinpointing those gaps in security processes that can be exploited by an attacker to both gain an initial foothold and move laterally across systems.

Have you guessed what grey-box testing is yet? Yep, that's right: a mix of both black and white methodologies. Grey-boxing falls somewhere between full disclosure and zero-knowledge, and quite where will depend upon the precise nature of the testing brief as determined by accurate goal alignment (and more on that in just a moment). You might think that this just muddies the testing waters, but actually it can be very effective in mimicking the kind of knowledge levels that many threat actors might have if they have spent any time researching, foot-printing and accessing a system. Indeed, some shade of grey-box testing is probably the most commonly commissioned.

Eh? You never mentioned red before.
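To make the box classification above concrete, here is a small scoping model I have added to this guide (it is not code from the original post). It treats the 'box' as a function of what the brief discloses to the testers, and uses the post's observation that recon can eat up to half of a black-box engagement to estimate how much of a fixed budget is left for actual testing. The artefact list follows the post (topology, use cases, source code, level of access); the weights, the linear interpolation between black and white, and the `EngagementBrief` class are my assumptions for illustration only.

```python
"""Scoping model for black-, grey- and white-box engagements.

Hypothetical helper added for this guide, not from the original post.
The 'box' is derived from the information disclosed in the brief; the
recon-share estimate takes the post's "as much as half" for black-box
as its upper end and assumes recon is already done in a white-box test.
"""
from dataclasses import dataclass, field

# Artefacts a client may disclose (named in the post). The integer weights
# (summing to 100) are an assumption made for this example, not figures
# from the post.
DISCLOSURE_WEIGHTS = {
    "network_topology": 25,
    "use_cases": 15,
    "source_code": 35,
    "access_level": 25,   # e.g. test accounts or credentials handed over
}

# Assumption: a black-box engagement spends up to half its time on recon;
# a white-box engagement starts with recon effectively complete. In
# between we interpolate linearly on the disclosure ratio.
BLACK_BOX_RECON_SHARE = 0.5


@dataclass
class EngagementBrief:
    """What the client has agreed to disclose before testing starts."""
    name: str
    disclosed: set = field(default_factory=set)

    def disclosure_ratio(self) -> float:
        """Fraction of the weighted artefact list that has been disclosed."""
        unknown = self.disclosed - set(DISCLOSURE_WEIGHTS)
        if unknown:
            raise ValueError(f"unknown artefact(s) in brief: {sorted(unknown)}")
        return sum(DISCLOSURE_WEIGHTS[a] for a in self.disclosed) / 100

    def box(self) -> str:
        """Zero disclosure is black, full disclosure is white, anything else grey."""
        ratio = self.disclosure_ratio()
        if ratio == 0.0:
            return "black"
        if ratio == 1.0:
            return "white"
        return "grey"

    def recon_share(self) -> float:
        """Estimated share of the engagement consumed by recon/discovery."""
        return BLACK_BOX_RECON_SHARE * (1.0 - self.disclosure_ratio())

    def testing_days(self, budget_days: float) -> float:
        """Days left for actual vulnerability hunting under a fixed budget."""
        return budget_days * (1.0 - self.recon_share())


def compare_briefs(briefs, budget_days: float):
    """Summarise several briefs side by side for a procurement discussion."""
    return [
        (b.name, b.box(), round(b.recon_share(), 2), b.testing_days(budget_days))
        for b in briefs
    ]


if __name__ == "__main__":
    # Constructed sample briefs, not real engagements.
    briefs = [
        EngagementBrief("external-only"),
        EngagementBrief("topology+accounts", {"network_topology", "access_level"}),
        EngagementBrief("full-disclosure", set(DISCLOSURE_WEIGHTS)),
    ]
    for row in compare_briefs(briefs, budget_days=10):
        print(row)
```

Running it with a ten-day budget shows the trade-off the post describes: the zero-disclosure brief is classed black and keeps only five days for testing proper, the partial brief is grey and keeps seven and a half, and the full-disclosure brief is white and keeps all ten. The numbers are only as good as the assumed weights, so treat the model as a way to structure the scoping conversation, not as a pricing tool.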