Black Box and Grey Box
Intrusion test or Pen test
Most companies are vulnerable to cyberattacks. Yet, few of them regularly audit their information system in order to discover its security flaws. One of the ways to achieve this is "the intrusion test".
This test, also called penetration test or pentest, involves attacking a system like a hacker would. Among the various ways to conduct a Pentest include Black Box, Grey Box and White Box tests.
Discover these different approaches and take control of your cyber security with HTTPCS!
The Intrusion Test
Or how to test the security of your information system, website or web application.
What is an intrusion test, penetration test or pen test?
According to Wikipédia, « A penetration test, colloquially known as a pen test, is an authorized simulated attack on a computer system, performed to evaluate the security of the system. The test is performed to identify both weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths, enabling a full risk assessment to be completed »
The intrusion test, penetration test or pen test puts you in the shoes of a hacker who tries to exploit the security flaws or vulnerabilities of a system. This simulates a computer attack performed by a hacker, some malware or an already compromised system.
It's a way to evaluate the security of a system, a computer network, a website or a web application.
Why perform an intrusion test?
All organizations, regardless of their size, are vulnerable to cyberattacks. Hackers can target any type of website or web application, whether given the nature of the data they store (personal data, banking data ...), to degrade a company's brand image or to conduct attacks of greater scale. It is therefore impossible to guarantee that one website would be completely secure.
In order to prevent these attacks, one of the solutions is to have an intrusion test performed. This test will then:
- List the vulnerabilities of a system or an organisation
- Demonstrate the ability of a hacker to hack the system from the outside
- Test the effectiveness of the intrusion detection tools put in place, if this is the case, as well as the responsiveness of the technical experts during an attack.
- Understand and analyze employees reactions (in the case of social engineering)
The results of the pen test conducted will allow the implementation of countermeasures to correct security vulnerabilities and protect the system.
When and how frequently should an intrusion test be conducted?
A few years ago, the question was whether it was useful to test the security of their website or web application, today it is a matter of when and how often it is necessary to do so.
Of course, the answer to this question differs from one company to another. It seems obvious that a company carrying out financial transactions or an e-commerce site containing a lot of personal and sensitive data has a higher level of risk than a business simply having a so-called "showcase" site, without any member area.
It is recommended to:
- Perform regular intrusion tests, several times a year, for particularly sensitive websites or web applications.
- Conduct a pen test whenever a new version is released or important features are added for weakly sensitive web sites or applications. Any major change could indeed involve new vulnerabilities.
The various ways to perform a pen test
There are three main methods and configurations for completing an intrusion test:
The Black Box pen test
You can't see what's in a box that's completely closed!
The goal of a black box intrusion test, also called pen test, is succeeding to get into a system (the box) without having any prior information, such as a hacker discovering the system for the first time. The pen tester has no knowledge of the environment and, from the outside, tries to find out how to get into the target system as an outside attacker.
When to perform a Black Box test?
Black box tests are most often used on showcase sites (with no member area) because no additional information would be required for the hacker to go further and perform an attack.
Black box tests therefore assess the risks and the kind of information the hacker would be able to obtain and thus to highlight the risks incurred in the case of an attack.
The limits of a Black Box approach
A Black Box test will tend to be longer than if the pentester already had some additional information. It is also possible that he can't get into the system, which does not prove that a hacker couldn't succeed.
The Grey Box pen test
You can see partially what's in the box.
The method known as "grey box" consists in trying to penetrate the system with a limited amount of information on the organization and its information system. This makes it possible to check the vulnerabilities of a system by mimicking a site user or a collaborator of the company having internal access to some information. This could be the starting point of a hacker who would have managed to get access to a user account within the organization.
When to perform a Grey Box test?
In general, during Grey Box test, the pentester is given identifiers and passwords allowing him to go beyond the authentication step. This approach is used in the case of a commercial site or a non-commercial site with a member area or customer area.
The pentester does not start completely in the dark. By having a limited amount of information, he can more easily simulate attacks and go beyond what he could have done in Black Box mode.
The limits of a Grey Box approach
The Grey Box method is most often used in corporate intrusion testing as it is often the most realistic. In fact, the hacker has in most cases some information, or if it is not the case, he will have to find how to access this information and may push his attack beyond an authentication stage.
However, there can never be an absolute guarantee for the ethical pentester that a hacker won't find a new hacking technique and discover an exploitable loophole. This means that even Grey Box tests have limitations although they greatly minimize potential risks.
The White Box pen test
You can see everything in the box!
The White Box approach, as you might expect, is simple: the pentester has full access to all the information about the system, including the source code. In this case, the tester works in collaboration with the technical teams of the organization in order to recover as much useful information as possible. He has access to everything he needs to detect as many vulnerabilities as possible.
When to perform a White Box test?
The White Box method is used when a company wants to be able to detect the slightest flaw and vulnerability in its information system.
The main advantage of the White Box approach is the ability to detect as many security vulnerabilities as possible. By having access to all the desired information, the pentester can thoroughly inspect the system and get to a stage that might not have been reached in a Black Box or Grey Box approach .
The limits of a White Box approach
The only inherent limitations of a White Box mode approach are the required skills of the pentester and the need for a constant hunt for new hacking techniques that appear every day.
Now that you have all the elements to understand these three different approaches, it's up to you to identify which is the most appropriate to perform a pentest within your organization.
It's important to note that these manual penetration tests must be realized from time to time. Unfortunately, they can't guarantee the security of a system all year long: a non-vulnerable system can become vulnerable the next day! This is why it is recommended to perform daily automated audits of an information system to completement manual tests.
the easy-to-use, daily automated intrusion test
Detect security vulnerabilities in your system 365 days a year.
HTTPCS Security, much more than just a vulnerability scanner
Generic Web vulnerability scanners are tools that passively allow you to identify known vulnerabilities of a site or a web application. HTTPCS Security goes further: this new generation vulnerability scanner allows you to highligh vulnerabilities only if they are "exploitable".
How can HTTPCS Security achieve that? Simply by trying to exploit each detected vulnerability, like a hacker would. By simulating an attack, the robot proves that a hacker could actually inject code and retrieve confidential information. This is what we call the false positive zero guarantee.
2 Products for 2 approaches
Basic Security (in Black Box)
The Basic Security package allows you to detect vulnerabilities of a site or a web application. This package allows you to automatically audit your site:
- in Black Box mode, ie without authentification.
- on a weekly basis.
Plus Security (in Grey Box)
The Plus Security package allows you to detect vulnerabilities of a site or a web application. This package allows you to automatically audit your site:
- in Grey Box mode, ie with authentication.
- on a daily basis.
Manual audits, to go further than an intrusion test
Although the penetration test is an effective tool against hacking, it can be complemented by a security audit. This manual audit, performed by cybersecurity experts include an intrusion test, but offer much more!
Complementary to a daily automated vulnerability audit, the manual audit will identify configuration errors and verify employee reactions to assess the cyber security readiness of a company, including at organizational level.