Before you arrange or commit to a penetration test, understand that the results are driven by how much information the tester is given. Leadership and management need to agree with the organization performing the test on the scope of work, the objectives and the rules of engagement. The amount of information shared is commonly described with a simple color-coded scheme: Black-, White- or Grey-Box testing.
In Black-Box testing the tester is given little to no information about the subject organization. The result is closer to what an outside attacker would actually encounter: the tester must examine the organization's entire externally visible technology footprint to gain access or to identify vulnerabilities and weaknesses. Black-Box testing lets an organization find and correct the exposures an outside attacker could realistically target. Keep in mind that the tester works under a time budget the attacker does not have, so a Black-Box test that finds nothing means only that nothing was found within that budget.
With White-Box testing, the subject organization is usually interested in narrowing the scope to a particular platform, application, program or area of the technology infrastructure. Testers are given detailed knowledge of the system design up front (architecture documents, configurations, and often source code and test accounts), which allows a far more thorough review of the areas in question. White-Box testing is a focused, in-depth assessment of a known target, not a test of whether the organization can be broken into in the first place.
Grey-Box testing lands in between. The tester is given partial information from the subject organization about the target platform and/or the general network design. What needs to be disclosed in advance differs from one test to another: start from the goal of the test and share only the data that supports that objective. Examples include a limited network diagram and the general architecture of the targeted platforms.
Which test is right for your organization? Consider the following…
Penetration testing is only a small part of an organization's overall security posture. A test is a snapshot in time of whatever that particular test was designed to evaluate; it says nothing about systems outside its scope or about changes made after it was run. A better starting point is a Risk Assessment, which establishes a practical blueprint and baseline for the organization's security program. Penetration tests are usually most valuable after the organization has reviewed the results of a risk assessment and implemented the recommended improvements, since the test then verifies that those improvements actually hold up.
For more information concerning Penetration Tests, Risk Assessments & Security Awareness Training, contact me at 609-689-2339 or firstname.lastname@example.org.