- BackTrack 4: Assuring Security by Penetration Testing
- Shakeel Ali Tedi Heriyanto
- 536字
- 2021-04-09 21:20:59
Types of penetration testing
Although there are different types of penetration testing, the two most general approaches that are widely accepted by the industry are Black-Box and White-Box. These approaches will be discussed in the following sections.
Black-box testing
The black-box approach is also known as external testing. While applying this approach, the security auditor will be assessing the network infrastructure from a remote location and will not be aware of any internal technologies deployed by the concerning organization. By employing the number of real world hacker techniques and following through organized test phases, it may reveal some known and unknown set of vulnerabilities which may otherwise exist on the network. An auditor dealing with black-box testing is also known as black-hat. It is important for an auditor to understand and classify these vulnerabilities according to their level of risk (low, medium, or high). The risk in general can be measured according to the threat imposed by the vulnerability and the financial loss that would have occurred following a successful penetration. An ideal penetration tester would undermine any possible information that could lead him to compromise his target. Once the test process is completed, a report is generated with all the necessary information regarding the target security assessment, categorizing and translating the identified risks into business context.
White-box testing
The white-box approach is also referred to as internal testing. An auditor involved in this kind of penetration testing process should be aware of all the internal and underlying technologies used by the target environment. Hence, it opens a wide gate for an auditor to view and critically evaluate the security vulnerabilities with minimum possible efforts. An auditor engaged with white-box testing is also known as white-hat. It does bring more value to the organization as compared to the black-box approach in the sense that it will eliminate any internal security issues lying at the target infrastructure environment, thus, making it more tightened for malicious adversary to infiltrate from the outside. The number of steps involved in white-box testing is a bit more similar to that of black-box, except the use of the target scoping, information gathering, and identification phases can be excluded. Moreover, the white-box approach can easily be integrated into a regular development lifecycle to eradicate any possible security issues at its early stage before they get disclosed and exploited by intruders. The time and cost required to find and resolve the security vulnerabilities is comparably less than the black-box approach.
The combination of both types of penetration testing provides a powerful insight for internal and external security viewpoints. This combination is known as Grey-Box testing, and the auditor engaged with gray-box testing is also known as grey-hat. The key benefit in devising and practicing a gray-box approach is a set of advantages posed by both approaches mentioned earlier. However, it does require an auditor with limited knowledge of an internal system to choose the best way to assess its overall security. On the other side, the external testing scenarios geared by the gray-box approach are similar to that of the black-box approach itself, but can help in making better decisions and test choices because the auditor is informed and aware of the underlying technology.
- PS是這樣玩的:輕松掌握 Photoshop 通關(guān)秘籍
- AI繪畫教程:Midjourney使用方法與技巧從入門到精通
- Photoshop 2022從入門到精通
- Visio圖形設(shè)計從新手到高手(兼容版·第2版)
- Solid Works 2021產(chǎn)品設(shè)計標(biāo)準(zhǔn)教程
- Rhino 6.0中文版入門、精通與實戰(zhàn)
- 24小時全速學(xué)會Photoshop 2021
- ASP.NET jQuery Cookbook
- 計算機輔助翻譯基礎(chǔ)與實訓(xùn)
- Photoshop圖像處理與制作
- 手把手教你學(xué)成Excel高手
- MATLAB 2020數(shù)學(xué)計算從入門到精通
- CAXA軟件應(yīng)用技術(shù)基礎(chǔ)
- 從零開始:CINEMA 4D中文版案例教程
- CorelDRAW X7標(biāo)準(zhǔn)培訓(xùn)教程