Although many may consider providing the tester with detailed information about the target as defeating the purpose of the test, this very much depends on the objectives of the test. Where the objective is to identify security weaknesses in the target, establish the level of risk associated with those weaknesses, and provide a series of recommendations to mitigate or eliminate the risk, white box testing is a far more effective means of achieving it than a black box test. The sections below cover the objective of a penetration test, the two test approaches, black box testing and its limitations, and white box testing and its benefits.
The objective of penetration testing, also known as pen testing, ethical hacking, or an IT Health Check (ITHC), is to identify security vulnerabilities and weaknesses in the target applications and/or networks, establish the business impact and ease of exploitation associated with each issue identified, and provide appropriate remedial recommendations that should be implemented in order to mitigate the impact of the issues identified. Penetration testing is a core part of any information security programme.
The objective of the pen test is to establish and verify whether there are any weaknesses in the security of the IT infrastructure within the scope of the test. There are two broad approaches to such a test, distinguished by how much information and access the tester is given. Here we outline these approaches, their pros and their cons.
A black box test is conducted from the perspective of an attacker with little or no information about the target system other than its IP address or URL. The objective of conducting a black box test is to establish the extent to which such an attacker can compromise the security of the target system, given the limited amount of information available. The advantages of this approach are that it mirrors the actions of a malicious hacker who has no access to the systems and no knowledge of them, and that it accurately reveals the attack surface of the applications as seen from the internet, that is, what can be reached and fingerprinted without credentials. This provides invaluable information for companies wishing to ensure that network security and information security are at an acceptable level and to help prevent the risks associated with computer misuse.
Although the objective of a black box test is to identify the target's susceptibility to attack from a third party with limited knowledge of it, the scope of a black box test may be severely limited depending on the nature of the target and the time allowed, so it will not provide a comprehensive profile of the security of the target. Because a penetration test is time limited, elements of the target may be missed, whereas a malicious hacker is under no such constraint and may fully explore and exploit any vulnerability. A further limitation of black box testing is the potential to lull clients into a false sense of security. For example, a black box test may not be able to compromise a website's authentication mechanism. The client organisation may therefore believe that the application is secure; however, as the application has not been tested in its entirety, this may not be the case. A good example is where an authorised user of the application is able to escalate privileges within the system to gain unauthorised access to another user's private data, such as their emails. This is a failure of the application's authorisation checks rather than of its login page, and because testing as an authorised user is outside the scope of a black box test, the test will not have flagged this vulnerability.
White box testing is conducted from a prior-knowledge perspective: the penetration tester is provided with comprehensive details of the target. This could include, but would not necessarily be limited to, the following:
When a penetration tester is provided with comprehensive details of the target and full access to it, they can test it for network security and information security vulnerabilities in its entirety, as opposed to focusing on the small part of it that is reachable without credentials, enabling the tester to provide the customer with an accurate profile of the security of the target. If credentials for the targets are provided, the pen test team will be able to evaluate the threat to the target from 'within' and test how privileged individuals, such as members of staff, may abuse loopholes in any systems through computer misuse. This approach is more realistic than many would think: a large proportion of attacks are conducted by individuals or groups who have already acquired enough information about the target, whether as insiders or through prior reconnaissance, to feel confident that they can compromise the security measures in place.
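The following is an added illustration, not code from the original page or from any product it describes, of the point made in the black box limitations and the white box benefits sections: an unauthenticated tester sees a login wall and reports it as secure, while a tester given a legitimate user's credentials finds that the application never checks message ownership. The mailbox records, the session tokens, the user names and the endpoint functions are all assumptions constructed for the example.

```python
"""Added example (not from the original page): why an unauthenticated
black box probe can miss an authorisation flaw that an authenticated
(white box) probe finds.  All data and names below are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Email:
    id: int
    owner: str
    subject: str


# Constructed sample data: two users, each with one private message.
MAILBOX: Dict[int, Email] = {
    101: Email(101, "alice", "Q3 payroll figures"),
    102: Email(102, "bob", "Dentist appointment"),
}

# Constructed session table (token -> authenticated user).  A black box
# tester starts with no token at all; a white box tester is handed one.
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}


class Forbidden(Exception):
    """Raised when a request is rejected (401/403 in a real HTTP service)."""


def _authenticate(token: Optional[str]) -> str:
    """Authentication only: maps a session token to a user name."""
    if token is None or token not in SESSIONS:
        raise Forbidden("authentication required")
    return SESSIONS[token]


def get_email_vulnerable(token: Optional[str], email_id: int) -> Email:
    """Authenticates the caller but never checks that the caller owns the
    message, so any logged-in user can read any message by guessing its id."""
    _authenticate(token)
    return MAILBOX[email_id]


def get_email_fixed(token: Optional[str], email_id: int) -> Email:
    """Same endpoint with the missing authorisation check added.  A missing
    id and a foreign id are rejected identically so that the endpoint does
    not leak which ids exist."""
    user = _authenticate(token)
    email = MAILBOX.get(email_id)
    if email is None or email.owner != user:
        raise Forbidden("no such message for this user")
    return email


def probe(endpoint: Callable[[Optional[str], int], Email],
          token: Optional[str], email_id: int) -> str:
    """What a tester observes: the subject on success, or the rejection."""
    try:
        return endpoint(token, email_id).subject
    except Forbidden as exc:
        return f"rejected: {exc}"


def black_box_view() -> Dict[str, str]:
    """An unauthenticated tester probes both builds.  Both reject, so a
    black box report would conclude that the authentication layer holds."""
    return {
        "vulnerable": probe(get_email_vulnerable, None, 101),
        "fixed": probe(get_email_fixed, None, 101),
    }


def authenticated_view() -> Dict[str, str]:
    """Bob, a legitimate user whose credentials were given to a white box
    tester, requests Alice's message.  Only the fixed build stops him."""
    return {
        "vulnerable": probe(get_email_vulnerable, "tok-bob", 101),
        "fixed": probe(get_email_fixed, "tok-bob", 101),
    }


if __name__ == "__main__":
    print("black box (no credentials):", black_box_view())
    print("white box (as bob):        ", authenticated_view())
```

Run stand-alone, the script shows both builds rejecting the unauthenticated request, while the vulnerable build hands Bob the subject of Alice's message. The check that closes the hole is a single line in `get_email_fixed`, and it is only exercised by a request that has already passed authentication, which is exactly the request a black box test never makes.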