The intention of a Black box test is to simulate the behaviour of an Internet hacker who starts off with limited information about the infrastructure he or she wishes to compromise. All enumeration is therefore based on information that can be found publicly through the Internet and public information forums.

During a Black box Penetration Test, Nettitude will scour news sites and chat rooms looking for information about the client's people and infrastructure. Nettitude will query social websites such as Facebook, LinkedIn and Twitter to try to find information about the people who work within the client environment. Nettitude will query Internet registries, DNS, mail and hosting providers to extract information that could be used as part of the Penetration Testing engagement. Nettitude will try to enumerate the people, processes, partners and technologies that ultimately come together to shape an organisation's IT infrastructure.

Black box Penetration Testing is a very popular approach to assessing an organisation's information security posture. In most instances, it tends to be a relatively straightforward process to enumerate an external infrastructure using publicly accessible material. Nettitude advises that Black box testing alone does not provide a complete snapshot of an organisation's security weaknesses. Although it may yield results similar to those an Internet-based hacker would obtain, organisations face many other security threats from trading partners, suppliers, competitors and employees who do have relevant information about the organisation that could be used in a more structured attack. For instance, trading partners may have been granted login credentials to access a procurement or stock management system. Using these credentials, a rogue employee at one of these trading partners could initiate an attack that would not ordinarily be identified within a Black box testing engagement.
Nettitude recommends that organisations carry out a risk assessment (either prior to Penetration Testing, or as part of the engagement) to identify where an organisation's threat actors are based. If an organisation believes that its most significant threat is from the Internet, then a Black box test may be highly appropriate. However, if an organisation believes that its most significant exposure is from internal employees or trading partners, it may be more appropriate to conduct a Grey box Penetration Testing engagement that uses credentials to access infrastructure devices and applications.

If you are considering having a Penetration Test and want more information about which type of testing engagement is most suitable for your organisation, please complete our contact form.

Nettitude has a team of specialists who can offer pragmatic advice and guidance on how you should scope your security testing engagement. No testing should ever be approached without careful scoping and guidance, and Nettitude prides itself on delivering high quality advice and guidance at all stages of the testing lifecycle.