Penetration Testing: Thinking outside the Black Box

Perimeter security technology such as firewalls, content filtering and anti-virus protection, is paramount to a business's defense against attack but can by no means be assumed to be impenetrable.

With an increasing number of companies providing remote network access to employees and even limited access to clients and trusted partners, it is imperative that businesses minimize risk by thoroughly testing their network security.

The provision of penetration testing, also known as vulnerability assessment or e-assurance, is the single biggest use of external security consultants in the U.K. Penetration testing involves simulating an attack using tools and techniques available to external hackers and willful insiders to probe for weaknesses and ascertain the potential damage that could be caused. Damage to an insecure network may involve recording and tampering with network traffic, obtaining passwords and gaining administrator access, or exploitation of published software weaknesses where patches have not been updated, to name but a few common examples. In real terms, such attacks can lead to loss, theft or alteration of business-critical and highly sensitive data.

Penetration testing can be conducted using one of two approaches: black-box (with no prior knowledge of the infrastructure to be tested) and white-box (with a complete knowledge of the network infrastructure). As might be expected, there are conflicting opinions about the value that each approach will bring to securing the network and ultimately the business assets.

Most penetration testing centers will argue that black-box testing simulates a true web-hacking attack, beginning with nothing but the client's corporate name. From here the evaluator will gather information about the network and the business from as many outside sources as possible. Scanning tools such as port scanners aid in network mapping, and publicly available information from sources such as web sites and media publications supply useful information about the business. Social engineering techniques may also be used, where information is gathered from unwitting employees. The evaluator then begins probing the network for exploitable vulnerabilities based on a network map created from the initial investigations.

White-box testing has fundamental similarities in terms of the testing involved but assumes a full knowledge of the client's organization and network infrastructure from the outset. The evaluators are privy to all system design and implementation documentation, which may include listings of source code, manuals and circuit diagrams. Adopting a structured and formal approach, a good evaluator will also test the validity of the information initially provided, rather than work under the assumption that it is true. A white-box test can also be used to simulate an attack from inside the company or by ex-employees with a knowledge of the systems.

Although a black-box approach may appear to be the closest mimic of a real web-hacking attack (indeed many evaluators will claim it is the only way to conduct a test), this is not strictly true. Firstly, it presupposes that a hacker does not have any knowledge of your systems, which is not only unlikely but is impossible to prove or disprove. Indeed many organizations are subject to attack from internal sources where a full systems knowledge can be assumed. The U.K.'s Department of Trade and Industry (DTI) Information Security Breaches Survey 2002 found that the larger the organization, the more likely it is to have a security incident caused by internal activity, with 48 percent of large businesses (defined as over 250 employees) citing such attacks as their worst security breaches. Secondly, a hacker will not be limited to any of the fixed time constraints which may be applicable in a penetration test with a pre-determined methodology. It is unwise to assume that a hacker would not adopt a structured approach, probing away over time until a system is compromised.

Furthermore, there is a chance that vulnerabilities may be missed by adopting a black-box approach. If an organization has external networks which are not publicly listed these will not show up at the information gathering stage and will therefore not be tested. Any computer connected to the Internet is typically scanned several times a day as hackers search for systems they can compromise. By stumbling across unlisted networks through random port-scanning, a hacker can exploit potentially unchecked weaknesses. With the DTI reporting that incidents of unauthorized access in U.K. businesses have risen from 4 percent in 2000 to 14 percent in 2002, stating that this is "almost certainly" due to web-hacking attacks, it would be imprudent to assume that hackers will only attack through known gateways.

Value for money is also an important consideration. Because of the importance of the information gathering stage, a black-box approach will take longer and therefore cost more. If the project is subject to time constraints (perhaps as a budget issue), an equal amount of time may be spent on information gathering as on actually testing vulnerabilities.

In short, both forms of penetration testing can be of value to an organization, it is simply a matter of which will bring more. A black-box test may highlight how supposedly confidential information is leaked, whilst a white-box test is likely to dedicate much more time to probing for vulnerabilities and will address the security of all external connections. In security terms, it is more prudent to assume the worst when testing a network, thus addressing all potential vulnerabilities and weaknesses. That is to say, it should be assumed that a hacker does have a full knowledge of your network infrastructure because if your security relies solely on its secrecy then you do not have network security at all.

Diane Seddon is an industry analyst with Corsaire Ltd. (, a U.K.-based independent network security solution provider.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.