Nov 7 2012

Types of penetration testing

Author: admin | Category: Featured, Information Security, Penetration Testing | Leave a Comment

If we search in internet for types of penetration testing, we may mainly land up in getting two sources of classification as given below:

The first source classifies penetration testing as “Internal” and “External” types and they talk about the variations of these types of testing based on the information available to the testing team before the testing begins. The second source of classification follows the reverse approach. They classify penetration test based on the information given to test team before starting the test and then the location from which the test is conducted.

According to Sanjay Bavisi, EC-Council, following the second approach is preferable since it removes any chance of misunderstanding about what testing is going to be conducted and where.

In an organization there are hosts which are connected to internet (systems exposed to public) and intranet (systems exposed to internal network). The tests carried out against the devices and systems belonging to the internet are known as “external testing”. On the other hand tests carried out on intranet connected systems are known as “internal testing”. Of-course a complete penetration cycle should encompass both testing. The “variations” of penetration tests are normally classified based on how much information the test team has been given about the organization. The three most commonly used terms for penetration tests are white-box, gray-box, and black-box testing.

White Box Penetration Testing/complete-knowledge testing

In “White box testing”, testers are given plenty of information about the organization’s security measures. It may be in the form of diagrams, documentation of how internal systems work, operate, and are supposed to function. It helps the testing team to gain complete knowledge of the network and systems beforehand. This information is detailed below:

• Type of network devices (i.e. Cisco, TCP/IP)
• Network diagrams
• Web Server details (i.e., Apache/*nix or Apache/Win2k),
• Operating System type (i.e., Windows/*nix),
• Database platform (i.e., Oracle or MS SQL),
• Firewalls (i.e. Cisco PIX) etc.

The amount of prior knowledge leads to a test targeting specific operating systems, applications and network devices that reside on the network rather than spending time enumerating what could possibly be on the network. This will in turn help to speed up the process to a great deal and leads to more accurate result. It is best suited to the organization where the budget and time are constraints.

Black Box Penetration Testing/zero-knowledge testing

Here, testing team will not have previous knowledge of the network. The company name or the IP address is known. In other words very little or no information is provided to the testers beforehand. The pen tester has to gain the information through publicly available sources or connections within the organization to attempt to penetrate into the system. Information can be gathered from a number of sources and used in subsequent stages to derive more in depth information useful for simulating an intruder’s attack. Then the test tries to simulate hacking attempts of a hacker from an external source on the Internet. This is in order to prove there are systems with vulnerabilities and to recommend remedial measures to address them.

This test finds issues from an attackers perspective and consequently less prone to personal impact. It is slow and can impact the production time. More over this test can be very risky and great care must be taken on the part of both the client and the consultant to protect each other and themselves. So a clear communication plan and rollback procedure must be clearly established. However some argue that this is the most realistic approach as external hackers often have limited knowledge of the security measures. This model is the most expensive to employ because of the time and resources required to collect the necessary information to facilitate an attack.

Grey Box Penetration Testing/partial-knowledge testing

Generally this refers to a combination of approaches that includes elements of both black and white box testing. Here the tester usually has limited knowledge or information such as host names, maybe a few IP addresses. The key benefit in devising and practicing a gray-box approach is a set of advantages posed by both approaches mentioned earlier.

Let me conclude. The success of every penetration test rests on the experience of the test team. Both the White Box and Grey Box models have a disadvantage in that testers may overlook apparent vulnerabilities in the available information on hand. However, the model to be selected ultimately depends on the organization’s needs and available resources.

References: Computer and Information Security Handbook
Chapter 22 : Penetration Testing
Official Certified Ethical Hacker Review Guide for Version 7.1

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *