Penetration Testing: thinking outside the (black) box
By Diane Seddon, August 7, 2002.
Perimeter security technology such as firewalls, content filtering and anti-virus protection is paramount to a business's defence against attack but can by no means be assumed to be impenetrable. With an increasing number of companies providing remote network access to employees and even limited access to clients and trusted partners, it is imperative that businesses minimise risk by thoroughly testing their network security.
The provision of penetration testing, also known as vulnerability assessment or e-assurance, is the single biggest use of external security consultants in the UK. Penetration testing involves simulating an attack using the tools and techniques available to external hackers and wilful insiders, probing for weaknesses and ascertaining the potential damage that could be caused. Damage to an insecure network may involve recording and tampering with network traffic, obtaining passwords and gaining administrator access, or exploitation of published software weaknesses where patches have not been applied, to name but a few common examples. In real terms, such attacks can lead to the loss, theft or alteration of business-critical and highly sensitive data.
Penetration testing can be conducted using one of two approaches: black-box (with no prior knowledge of the infrastructure to be tested) or white-box (with complete knowledge of the network infrastructure). As might be expected, there are conflicting opinions about the value that each approach will bring to securing the network and, ultimately, the business assets.
Most penetration testing centres will argue that black-box testing simulates a true web-hacking attack, beginning with nothing but the client's corporate name. From here the evaluator gathers information about the network and the business from as many outside sources as possible. Scanning tools such as port scanners aid in network mapping, and publicly available information from sources such as web sites and media publications supplies useful information about the business. Social engineering techniques may also be used, where information is gathered from unwitting employees. The evaluator then begins probing the network for exploitable vulnerabilities, based on a network map created from the initial investigations.
White-box testing has fundamental similarities in terms of the testing involved, but assumes full knowledge of the client's organisation and network infrastructure from the outset. The evaluators are privy to all system design and implementation documentation, which may include listings of source code, manuals and circuit diagrams. Adopting a structured and formal approach, a good evaluator will also test the validity of the information initially provided, rather than work under the assumption that it is true. A white-box test can also be used to simulate an attack from inside the company, or by ex-employees with knowledge of the systems.
Although a black-box approach may appear to be the closest mimic of a real web-hacking attack (indeed, many evaluators will claim it is the only way to conduct a test), this is not strictly true. Firstly, it presupposes that a hacker does not have any knowledge of your systems, which is not only unlikely but impossible to prove or disprove. Indeed, many organisations are subject to attack from internal sources, where full systems knowledge can be assumed. The DTI Information Security Breaches Survey 2002 found that the larger the organisation, the more likely it is to have a security incident caused by internal activity, with 48% of large businesses (defined as over 250 employees) citing such attacks as their worst security breaches.
Secondly, a hacker will not be limited by any of the fixed time constraints that may apply to a penetration test with a pre-determined methodology. It is unwise to assume that a hacker would not adopt a structured approach, probing away over time until a system is compromised.
Furthermore, there is a chance that vulnerabilities may be missed by adopting a black-box approach. If an organisation has external networks which are not publicly listed, these will not show up at the information gathering stage and will therefore not be tested. Any computer connected to the Internet is typically scanned several times a day as hackers search for systems they can compromise. By stumbling across unlisted networks through random port-scanning, a hacker can exploit potentially unchecked weaknesses. With the DTI reporting that incidents of unauthorised access in UK businesses have risen from 4% in 2000 to 14% in 2002, and stating that this is "almost certainly" due to web-hacking attacks, it would be imprudent to assume that hackers will only attack through known gateways.
Value for money is also an important consideration. Because of the importance of the information gathering stage, a black-box approach will take longer and therefore cost more. If the project is subject to time constraints (perhaps as a budget issue), as much time may be spent on information gathering as on actually testing for vulnerabilities.
In short, both forms of penetration testing can be of value to an organisation; it is simply a matter of which will bring more. A black-box test may highlight how supposedly confidential information is leaked, whilst a white-box test is likely to dedicate much more time to probing for vulnerabilities and will address the security of all external connections. In security terms, it is more prudent to assume the worst when testing a network, thus addressing all potential vulnerabilities and weaknesses. That is to say, it should be assumed that a hacker does have full knowledge of your network infrastructure, because if your security relies solely on its secrecy then you do not have network security at all.