Testing Security Technology
There are many terms used to describe the technical review of security controls. Ethical hacking, penetration test,
and security testing are often used interchangeably to describe a process that attempts to validate security
configuration and vulnerabilities by exploiting them in a controlled manner to gain access to computer systems and
networks. There are various ways that security testing can be conducted, and the choice of methods used ultimately
comes down to the degree to which the test examines security as a system.
There are generally two distinct levels of security testing commonly performed today: the vulnerability assessment and the penetration test.
Vulnerability assessment
This technical assessment is intended to identify as many potential weaknesses in a host, application, or entire network as possible, within the scope of the engagement.
Configurations, policies, and best practices are all used to identify potential weaknesses in the deployment or design of the entity being tested. These assessments are notorious for turning up an enormous number of potential problems, which a security expert must then prioritise and validate to determine which are real issues.
Running vulnerability scanning software can result in hundreds of pages of items being flagged as vulnerable when in reality they are not exploitable.
Penetration test
The penetration test is intended to assess the prevention, detection, and correction controls of a network by attempting to exploit vulnerabilities and gain control of systems and services. Penetration testers (also known as pentesters) scan for vulnerabilities as part of the process, just as in a vulnerability assessment, but the primary difference between the two is that a pentester also attempts to exploit those vulnerabilities, which validates that an exploitable weakness really exists.
Successfully taking over a system does not reveal every possible vector of entry into the network, but it can identify where key controls fail. If someone can exploit a device without triggering any alarms, then the detective controls need to be strengthened so that the organisation can better monitor for anomalies.
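As an added illustration of the detective-control point above (example code written for this page, not taken from the original text or any vendor tool), the following Python runs two detection rules over constructed sshd log lines. A source that guesses passwords quickly trips a simple five-failures-in-a-minute rule; a source that spreads its guesses over an hour does not, which is exactly the kind of gap a pentester's quiet exploitation exposes. Widening the window, or alerting on a successful login from a source that has already failed repeatedly, catches both. The log lines, hostname, usernames and addresses are constructed for the example.

```python
"""Detective-control check over constructed sshd log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log using RFC 5737 documentation addresses; no real host.
# 203.0.113.7 tries six passwords for root in ten seconds, 198.51.100.9 spreads
# seven guesses over an hour. Both eventually get in; alice is a legitimate user.
SAMPLE_LOG = """\
Mar 10 09:00:01 bastion sshd[2104]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar 10 09:00:03 bastion sshd[2104]: Failed password for root from 203.0.113.7 port 50123 ssh2
Mar 10 09:00:05 bastion sshd[2104]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar 10 09:00:07 bastion sshd[2104]: Failed password for root from 203.0.113.7 port 50125 ssh2
Mar 10 09:00:09 bastion sshd[2104]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar 10 09:00:11 bastion sshd[2104]: Failed password for root from 203.0.113.7 port 50127 ssh2
Mar 10 09:00:13 bastion sshd[2104]: Accepted password for root from 203.0.113.7 port 50128 ssh2
Mar 10 09:05:00 bastion sshd[2210]: Failed password for invalid user admin from 198.51.100.9 port 41002 ssh2
Mar 10 09:10:00 bastion sshd[2233]: Accepted publickey for alice from 192.0.2.5 port 52210 ssh2
Mar 10 09:15:00 bastion sshd[2251]: Failed password for invalid user admin from 198.51.100.9 port 41003 ssh2
Mar 10 09:25:00 bastion sshd[2290]: Failed password for invalid user admin from 198.51.100.9 port 41004 ssh2
Mar 10 09:35:00 bastion sshd[2331]: Failed password for invalid user admin from 198.51.100.9 port 41005 ssh2
Mar 10 09:45:00 bastion sshd[2372]: Failed password for invalid user admin from 198.51.100.9 port 41006 ssh2
Mar 10 09:55:00 bastion sshd[2413]: Failed password for invalid user admin from 198.51.100.9 port 41007 ssh2
Mar 10 10:05:00 bastion sshd[2454]: Failed password for deploy from 198.51.100.9 port 41008 ssh2
Mar 10 10:15:00 bastion sshd[2495]: Accepted password for deploy from 198.51.100.9 port 41009 ssh2
"""

# sshd auth line: syslog timestamp, host, "sshd[pid]:", then the outcome.
EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(lines, year=2024):
    """Yield (timestamp, outcome, user, ip). Syslog omits the year, so one is assumed."""
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["outcome"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold, window_seconds):
    """Sliding-window rule: alert on any source with >= threshold failures inside
    window_seconds. Returns the alerted IPs, sorted. A low-and-slow attacker that
    stays under the rate never trips it, which is the gap the pentest exposes."""
    recent = defaultdict(deque)
    alerted = set()
    for ts, outcome, _user, ip in parse_events(lines):
        if outcome != "Failed":
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            alerted.add(ip)
    return sorted(alerted)


def success_after_failures(lines, min_failures=3):
    """Rate-independent signal: a successful login from a source that has already
    failed min_failures times earlier in the log. Returns sorted (ip, user) pairs."""
    failures = defaultdict(int)
    hits = set()
    for _ts, outcome, user, ip in parse_events(lines):
        if outcome == "Failed":
            failures[ip] += 1
        elif failures[ip] >= min_failures:
            hits.add((ip, user))
    return sorted(hits)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("5 failures / 60 s:  ", detect_bruteforce(lines, 5, 60))
    print("6 failures / 3600 s:", detect_bruteforce(lines, 6, 3600))
    print("success after >=3 failures:", success_after_failures(lines))
```

The first rule is what a default monitoring setup often ships with; the second and third are the kind of tuning a Blue Team makes once a test has shown that a patient attacker walks through unnoticed.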
Security control testing is an art form in addition to a technical security discipline. It takes a certain type of individual and mind-set to figure out new vulnerabilities and exploits. Penetration testers usually fit this mould, and they must constantly research new attack techniques and tools. Auditors, on the other hand, might not test to that degree and will more than likely work with a penetration tester or team if a significant level of detailed knowledge is required for the audit. When performing these types of engagements, four classes of penetration test can be conducted; apart from the Red Team/Blue Team assessment, they are differentiated by how much prior knowledge the penetration tester has about the system.
The four types are:
• Red Team/Blue Team assessment
• White Box
• Black Box
• Grey Box
Red Team/Blue Team assessment:
The terms Red and Blue Team come from the military where combat teams are tested to determine operational
readiness. In the computer world, a Red and Blue Team assessment is like a war game, where the organization
being tested is put to the test in as real a scenario as possible.
Red Team assessments are intended to show all of the various methods an attacker can use to gain entry. It is the
most comprehensive of all security tests. This assessment method tests policy and procedures, detection, incident
handling, physical security, security awareness, and other areas that can be exploited.
The Red Team plays the attacker and the Blue Team builds the defences. Together the two teams sharpen an organisation's detection and response capability: they share intelligence data, study the tactics, techniques and procedures (TTPs) of threat actors, mimic those TTPs through a series of scenarios, and then configure, tune and improve detection and response based on what the scenarios reveal.
Penetration tests conducted as part of an audit can be run in several ways. The most common distinction is how much knowledge of the implementation details of the system under test is made available to the testers.
Black box testing
This assumes no prior knowledge of the infrastructure to be tested. The testers must first determine the location and
extent of the systems before commencing their analysis.
White box testing
This provides the testers with complete knowledge of the infrastructure to be tested, often including network
diagrams, source code, and IP addressing information.
Grey box testing
These are the variations between white box and black box, where the testers have partial information.
Penetration tests can also be described as “full disclosure” (white box), “partial disclosure” (grey box), or “blind”
(black box) tests based on the amount of information provided to the testing party.
Features and Uses
Black box testing simulates an attack from someone who is unfamiliar with the system.
White box testing simulates what might happen during an “inside job” or after a “leak” of sensitive information,
where the attacker has access to source code, network layouts, and possibly even some passwords.
White box techniques involve direct analysis of the application's source code; black box techniques are performed against the application's binary executable or running instance without knowledge of the source.
Most assessments of custom applications are performed with white box techniques, since source code is usually available. However, source analysis tends to miss security defects in the interfaces between components, and it cannot see problems introduced during compilation, linking, or installation-time configuration of the application, because those never appear in the source. White box techniques are still generally the more efficient and cost-effective way of finding security defects in custom applications.
Black box techniques should be used primarily to assess the security of individual high-risk compiled components, the interactions between components, and the interactions of the entire application or application system with its users, other systems, and the external environment. Black box techniques should also be used to determine how effectively an application or application system handles threats in practice.
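To make the white box / black box contrast concrete, the following added Python example (written for this page, not code from the original text) applies both techniques to one deliberately vulnerable lookup function and its parameterised fix. The white-box pass reads the function's source with the ast module and flags dynamic SQL handed to execute(); the black-box pass never looks at the source and instead drives the function with an unbalanced quote and a tautology, judging from behaviour alone. The function names, the users table and its rows are constructed for the example.

```python
"""White box versus black box on one SQL injection defect (added example)."""
import ast
import inspect
import sqlite3
import textwrap


def lookup_user(conn, username):
    # Deliberately vulnerable: untrusted input is interpolated into the SQL text.
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_fixed(conn, username):
    # Hardened form: the value travels as a bound parameter, never as SQL.
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def make_db():
    """In-memory SQLite database with three constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    return conn


# ---- White box: read the source, never run it -------------------------------

def _is_dynamic(node, tainted):
    """True if an expression builds a string at runtime (f-string, + or %
    formatting, .format()) or names a variable that was assigned one."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"
    return isinstance(node, ast.Name) and node.id in tainted


def whitebox_find_dynamic_sql(func):
    """Flag .execute()/.executemany() calls whose SQL argument is built dynamically.
    Returns one finding string per flagged call (empty list when clean)."""
    tree = ast.parse(textwrap.dedent(inspect.getsource(func)))
    tainted = set()
    for node in ast.walk(tree):                      # first pass: taint assignments
        if isinstance(node, ast.Assign) and _is_dynamic(node.value, tainted):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
    findings = []
    for node in ast.walk(tree):                      # second pass: inspect the sinks
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany")
                and node.args and _is_dynamic(node.args[0], tainted)):
            findings.append(f"{func.__name__}: dynamic SQL reaches "
                            f".{node.func.attr}() (line {node.lineno} of the function)")
    return findings


# ---- Black box: drive the function, never read it ---------------------------

def blackbox_probe(lookup):
    """Two behavioural probes. An unbalanced quote that raises a database error
    shows the input reached the SQL parser; a tautology that returns more rows
    than the benign baseline shows the query logic can be altered."""
    conn = make_db()
    baseline = len(lookup(conn, "alice"))
    try:
        lookup(conn, "alice'")
        error_based = False
    except sqlite3.Error:
        error_based = True
    boolean_based = len(lookup(conn, "nobody' OR '1'='1")) > baseline
    return {"error_based": error_based, "boolean_based": boolean_based}


if __name__ == "__main__":
    for fn in (lookup_user, lookup_user_fixed):
        print(fn.__name__, whitebox_find_dynamic_sql(fn), blackbox_probe(fn))
```

The static pass finds the defect without a database at all, which is why white box review is cheap for custom code; the probes find it without the source, and because they exercise the real database driver they would also catch a defect sitting in the interface between the application and its database that a source-only review of the application would not see.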
Auditors should have a base knowledge of testing tools and techniques. Using an established testing framework is a useful way to develop a technical testing plan.