Testing Security Technology
There are many terms used to describe the technical review of security controls. Ethical hacking, penetration test, and security testing are often used interchangeably to describe a process that attempts to validate security configuration and vulnerabilities by exploiting them in a controlled manner to gain access to computer systems and networks. There are various ways that security testing can be conducted, and the choice of methods used ultimately comes down to the degree to which the test examines security as a system. There are generally two distinct levels of security testing commonly performed today: Vulnerability assessment: detailed knowledge is required for the audit. When performing these types of engagements, four classes of penetration tests can be conducted and are differentiated by how much prior knowledge the penetration tester has about the system.
The four types are:
• Red Team/Blue Team assessment
• White Box
• Black Box
• Grey Box
Red Team/Blue Team assessment: The terms Red and Blue Team come from the military where combat teams are tested to determine operational readiness. In the computer world, a Red and Blue Team assessment is like a war game, where the organization being tested is put to the test in as real a scenario as possible. Red Team assessments are intended to show all of the various methods an attacker can use to gain entry. It is the most comprehensive of all security tests. This assessment method tests policy and procedures, detection, incident handling, physical security, security awareness, and other areas that can be exploited.
The Red Team is the designated attacker and the Blue Team builds the defence mechanisms. The two teams sharpen an organisation’s detection and response capability. They do this by sharing intelligence data, understanding threat actors’ TTPs, mimicking these TTPs through a series of scenarios, and configuring, tuning and improving the detection and response capability.
Penetration tests as part of auditing can be conducted in several ways. The most common difference is the amount of knowledge of the implementation details of the system being tested that is available to the testers.
Black box testing: This assumes no prior knowledge of the infrastructure to be tested. The testers must first determine the location and extent of the systems before commencing their analysis.
White box testing: This provides the testers with complete knowledge of the infrastructure to be tested, often including network diagrams, source code, and IP addressing information.
Grey box testing: These are the several variations between white box and black box, where the testers have partial information.
Penetration tests can also be described as “full disclosure” (white box), “partial disclosure” (grey box), or “blind” (black box) tests based on the amount of information provided to the testing party.
Features and Uses
Black box testing simulates an attack from someone who is unfamiliar with the system. White box testing simulates what might happen during an “inside job” or after a “leak” of sensitive information, where the attacker has access to source code, network layouts, and possibly even some passwords. White box techniques involve direct analysis of the application’s source code, and black box techniques are performed against the application’s binary executable without source code knowledge.
Most assessments of custom applications are performed with white box techniques, since source code is usually available. However, these techniques cannot detect security defects in interfaces between components, nor can they identify security problems caused during compilation, linking, or installation-time configuration of the application. White box techniques still tend to be more efficient and cost-effective for finding security defects in custom applications than black box techniques. Black box techniques should be used primarily to assess the security of individual high-risk compiled components; interactions between components; and interactions between the entire application or application system and its users, other systems, and the external environment. Black box techniques should also be used to determine how effectively an application or application system can handle threats.
Auditors should have a base knowledge of testing tools and techniques. Using testing frameworks is a useful way to develop a technical testing plan.