
Approaches to Penetration testing or Hacking

Andrew Kedi
3 min read · Apr 24, 2022

Penetration testing, usually called a pentest in many circles, is a process performed as an in-depth security audit or assessment. A pentest can be an independent engagement, or it can be just one part of the IT security risk management process that runs through the regular life cycle of software development until its final completion. The roadmap of practical ideas, proven tactics, practices, and guidelines that can be followed to assess the true security posture of a network, system, application, or any combination of these is what we call the pentesting methodology.

It is, however, very crucial to understand that information security is an ongoing process in itself, and performing a penetration test is just a snapshot that details your organization’s security posture at the time of the test.

Those familiar with the inner workings of computer software and networking will notice that the security of any software product depends fully on two things: the factors related to the IT environment, and the specific security best practices, which in part involve the proper implementation of the security requirements, threat modeling, code reviews, performing risk analysis, etc.

Many IT security experts consider penetration testing the last, yet the most aggressive, form of security assessment. This form of security assessment must be performed by qualified experts with explicit written permission, with or without prior knowledge of the target systems or applications.

The role of a penetration test is to deliver an assessment of the components of the IT infrastructure, including network devices, physical security, applications, operating systems, etc. The expected outcome of the penetration test is a report that addresses the security weaknesses that have been discovered, the potential countermeasures, and finally the remediation recommendations.

Acceptable approaches to penetration testing

Black box penetration testing

This is also called blind testing: the security expert or auditor performing the pentest is not made aware of any internal or external workings of the IT infrastructure, the technologies in use, or the individuals responsible for it. During a black-box penetration test the security auditors employ their real-world hacking skills, in organized and documented test phases, to reveal and exploit any vulnerabilities in the target systems.

During this period, the security auditor measures the risks and classifies them according to the threat posed by the vulnerabilities found. The vulnerabilities found can then be patched or removed to stop any unauthorized access to resources. The completed black box test is documented in a report that contains all the information found regarding the target's security position at that time. The report also categorizes the identified risks and translates them into business language that non-technical personnel can understand. Black box testing is more costly than the other categories of pentesting.

White box penetration testing

Security auditors who perform a white box test are fully aware of the underlying technologies and the internal workings of the target environment. The tester can therefore critically evaluate the security vulnerabilities with minimal effort and cost and with greater accuracy. Target organizations find more value in this type of testing than in black-box testing, since white box testing can eliminate unnoticed internal security weaknesses that may be lying idle in the open, and so prevents outside malicious actors from using them to infiltrate the organization. White box testing can be integrated into the regular development life cycle in order to rule out possible security vulnerabilities at an early stage, before such vulnerabilities could later be exploited by outsiders.

Gray box penetration testing

Partial knowledge of the test environment may be given to the security auditor before he/she starts the penetration test. The auditor may be told about the web server or the internal network and given certain access privileges, such as a non-privileged account on which to attempt privilege escalation. The advantage of gray box testing is its focus: it concentrates on specific target environments rather than on generalized security testing, whose target scope could be very large.


Andrew Kedi

MSc Information Security, certified Linux Administrator (LPIC-1), CISSP. Passionate about cyber security and bug bounty.