We have discussed the channels of testing in the previous discussion; here we will focus on the testing approach or methodology. Security testing has been addressed in the context of software development for quite sometime. In the context of ethical hacking, the security professional has to conduct a security evaluation and test the system for vulnerabilities. This can be approached in different ways.
The concept of black-box testing is based on the assumption that the ethical hacker has no prior knowledge or information about the system. In this sense, black-box testing simulates a true web-hacking attack, beginning with nothing but the organization's corporate name. From here the ethical hacker gathers information about the network and the business from as many outside sources as possible. This can include publicly available information from sources such as web sites and media publications that contain useful information about the business. Social engineering techniques may also be used where information is gathered from unsuspecting employees. This aspect will be dealt in detail in later modules. This is similar to the reconnaissance phase that a malicious attacker would carry out prior to an attack. This gives the ethical hacker an idea of all possible security lapses including policy level lapses.
The ethical hacker then uses scanning tools such as port scanners to aid him in network mapping. The ethical hacker begins probing the network for exploitable vulnerabilities based on a network map created from the initial investigation. This is exactly like the scanning phase of a hack attack. The ethical hacker does everything that a hacker does. Exploiting vulnerabilities is an important part of a penetration test. The ethical hacker tries to exploit them in such a way that they do not cause damage however, sometimes they do. This is taken care of in the legal paperwork drawn during the rules of engagement. While attacks such as denial of service attacks do not have a place in a penetration test; actually breaking in has to be done in most cases to demonstrate the true impact of vulnerabilities discovered. In addition, the ethical hacker recommends counter measures to patch the security hole.
The concept of white-box testing on the other hand is based on the assumption that the ethical hacker knows the system and has full access to system related information. Nevertheless, white-box testing has fundamental similarities in terms of the testing involved. The ethical hacker is given full access to information about the client's organization and network infrastructure from the outset. The ethical hacker has access to all system design and implementation documentation, which may include listings of source code, manual and circuit diagrams. This helps the ethical hacker adopt a structured and formal approach. However, a good ethical hacker will also test the validity of the information provided initially, rather than work under the assumption that it is true.
It is considered by some security experts that the black-box testing closely imitates a real web based attack. However, this need not hold good as script kiddies can easily know details of the operating systems and run scripts to exploit vulnerabilities. More often than not, the hacker is no total stranger to the system. He has access to insider information or may even be an insider. Many organizations are subject to attack from internal sources where full systems knowledge can be assumed.
Another aspect to be considered while testing is that hackers are known to have great patience and immense determination. They may plan and phase their attacks over months which are not the case with an ethical hacker who uses a predetermined methodology to fit inside the time constraint. This methodology can be common knowledge and hence, it may miss out on vulnerabilities that a hacker may otherwise notice.
It is imprudent to assume that a hacker would not adopt a structured approach, and will not continue probing over time until a system is compromised. This is especially true if an organization has external networks which are not publicly listed, as these will not show up at the information gathering stage in a black-box testing and will therefore not be tested. Hackers can stumble across unlisted networks using random scanning techniques and exploit potential vulnerabilities. It must be remembered that any computer connected to the Internet is typically scanned several times a day as hackers search for systems they can compromise.
There is another consideration that comes into play while choosing a method for testing. This is value for money. If monetary resources and time are a constraint, black box testing may not be the best option. This is where an organization may consider internal testing. Also known as grey-box testing, this allows system administrators and network professionals to take time and resources to test the system and detect vulnerabilities. This is called grey box testing because it is quite possible that they are known and unknown aspects of the system.
In short, all forms of security testing can be of value to an organization; however, it is up to the organization to decide what works in its best interests under the given circumstances. A black-box test may highlight how supposedly confidential information is leaked, while a white-box test is likely to dedicate much more time to probing for vulnerabilities and will address the security of all external connections. In security terms, it is more prudent to assume the worst when testing a network, thus addressing all potential vulnerabilities and weaknesses. The case for ethical hacking lies here, as it should be assumed that a hacker does have a full knowledge of the network infrastructure, because if security relies solely on its secrecy then it is as good as nonexistent.
COMMENTS