Introduction
In today’s corporate environment, there is no doubt that security is now one of the main issues being addressed. Literally every day, you hear about Cyber hackers breaking into computer systems and servers, stealing everything from passwords to financial information and data. No matter how hard the management and IT teams at these businesses try to combat these types of security breaches, the hacker is always one step ahead. In fact, this can be likened to a cat and mouse game.
But the good news is that there is a way a company can find security weaknesses and vulnerabilities before the Cyber hacker can. This can be accomplished through an iterative process known as “Penetration Testing”, or a “Pen Test” for short. In simple terms (although the actual testing can be quite complex), a Pen Test examines any weaknesses in the IT infrastructure of a corporation by trying to discover and exploit them in a safe manner.
Generally, these vulnerabilities can be found in the software itself at these particular points of entry:
- Backdoors in the Operating System;
- Unintentional flaws in the design of the software code;
- Improper software configuration management implementation;
- Using the actual software application in a way it was not intended to be used.
Pen Testing can be accomplished through either manual or automated processes, and is often targeted towards the following endpoints:
- Servers;
- Network endpoints;
- Wireless networks;
- Network security devices (these are hit upon the most in an actual Pen Test, and include routers, firewalls, network intrusion devices, etc.);
- Mobile and wireless devices;
- Other areas of exposure, such as that of software applications and the code behind it.
However, it should be noted that the actual Pen Test does not just stop at this level. The primary goal is to go as far and as deep as possible into the IT infrastructure in order to get to the electronic assets of a corporation. The goal is not just to strike hard the first time, but also to strike even harder, covertly and at random times.
Black Box/White Box/Gray Box Testing
In order to uncover the vulnerabilities which can be found in a Web Application, there are three methods of Pen Testing which can be used:
- Black Box Testing;
- White Box Testing;
- Gray Box Testing.
In a real-world Cyber-attack, the hacker probably will not know all the ins and outs of the IT infrastructure of a corporation. Because of this, he or she will launch an all-out, brute force attack against the IT infrastructure, in the hope of finding a vulnerability or weakness to latch onto.
In other words, in a Black Box Pen Test, no information is given to the tester about the internal workings of the particular Web Application, nor about its source code or software architecture. As a result, this type of test can take a very long time to complete, so the tester will very often rely upon automated processes in order to completely uncover the weaknesses and vulnerabilities. This type of test is also referred to as the “trial and error” approach.
Conclusions
Our next blog will examine White Box and Gray Box Testing, and the specific Pen Tests that are most commonly done today.