Penetration Testing: What Are Black Box, Grey Box and White Box - Which One To Select?
Cybersecurity 101 Series
We have seen customers from Sri Lanka as well as overseas who find it difficult to identify the type of penetration test they need for their business. This blog post attempts to make it simple to select black box, white box, or grey box testing style while discussing some of the common targets for pentesting.
If you are unclear what is penetration testing, we advise to read our blog post around this topic (including vulnerability assessment) which can be accessed here
If you are unclear what is penetration testing, we advise to read our blog post around this topic (including vulnerability assessment) which can be accessed here
Is it only server infrastructure that can consider for penetration testing? Well the answer is No! There are different targets for penetrating testing and the most common ones are:
1. External Infrastructure Penetration Testing
This type of an assessment is targeting internet facing infrastructure. To scope a test, you will need to know the number of internal and external IPs to be tested, network subnet size and number of sites.
2. Internal Infrastructure Penetration Testing
This assessment is targeting assets inside your corporate network. You can consider servers, network devices as the scope for an internal penetest.
3. Web Application Penetration Testing
Although Web pentesting is to target public websites, you can consider some internal web portals also to same test. Techniques to pentest web apps are way different than how you pentest network infrastructure. Usually this takes more time than other pentest targets and that can depend based on the complexity of the web apps and number of input pages it has.
4. Mobile Application Penetration Testing
Mobile app testing has some similarities to Web app testing but the pentest can be focused based on the business use case of the app. Scope of a mobile app test would be number of Android and IOS apps need to test.
5. Wireless Network Penetration Testing
There are chances your organization is still using weak encryption algorithms, Access Points without authentication and many other misconfigurations. Wireless pentest is targeted to uncover such weaknesses in your WLAN infrastructure.
This type of an assessment is targeting internet facing infrastructure. To scope a test, you will need to know the number of internal and external IPs to be tested, network subnet size and number of sites.
2. Internal Infrastructure Penetration Testing
This assessment is targeting assets inside your corporate network. You can consider servers, network devices as the scope for an internal penetest.
3. Web Application Penetration Testing
Although Web pentesting is to target public websites, you can consider some internal web portals also to same test. Techniques to pentest web apps are way different than how you pentest network infrastructure. Usually this takes more time than other pentest targets and that can depend based on the complexity of the web apps and number of input pages it has.
4. Mobile Application Penetration Testing
Mobile app testing has some similarities to Web app testing but the pentest can be focused based on the business use case of the app. Scope of a mobile app test would be number of Android and IOS apps need to test.
5. Wireless Network Penetration Testing
There are chances your organization is still using weak encryption algorithms, Access Points without authentication and many other misconfigurations. Wireless pentest is targeted to uncover such weaknesses in your WLAN infrastructure.
Once you have identified the targets from the above list, it is time to scope the pentest. So how will you decide the scope?
Scope of pentest can vary depending on number of reasons but in general it is based on the original requirement you have such as,
- Get an assurance of control effectiveness > which scope you need to test the effectiveness?
- Launching new products and services > what are the assets involved for new product or service?
- Making significant changes to infrastructure > where did the change take place?
- Utilizing and/or developing custom applications > what are the assets involved?
- Preparing for compliance with security standards > required scope for compliance?
Above points are some of the most common ones among many others to scope the pentest. Now the challenge here is, how much information do we disclose to the party who's conducting the test? This question is not based on the confidentiality of the information provided, but to identify from what perspective the test should be conducted. That's where black box, grey box, and white box testing styles comes in handy.
Black Box
In a black box penetration test, no information is provided to the tester at all. The pentester in this instance follows the approach of an unprivileged attacker, from initial access and execution through to exploitation. This scenario can be seen as the most realistic, proving how an adversary with no inside knowledge would target and compromise an organization.
However, due to the extended amount of time required to research the target, black box test is one of the costly options available.
Grey Box
Grey box tests strike a balance between depth and efficiency and can be used to simulate either an insider threat or an attack that has breached the network perimeter. In a grey box penetration test, only limited information is shared with the tester such as unprivileged login credentials and/or IP address of the target. Grey box testing is often favored by customers as the best balance between efficiency and authenticity, stripping out potentially time-consuming reconnaissance.
White Box
White box penetesting involves sharing full network and system information with the tester, including network maps and credentials. A white box penetration test is useful for simulating a targeted attack on a specific system utilizing as many attack vectors as possible. Usually this type of a test is helpful at the time of product development to uncover required fixes.
In a black box penetration test, no information is provided to the tester at all. The pentester in this instance follows the approach of an unprivileged attacker, from initial access and execution through to exploitation. This scenario can be seen as the most realistic, proving how an adversary with no inside knowledge would target and compromise an organization.
However, due to the extended amount of time required to research the target, black box test is one of the costly options available.
Grey Box
Grey box tests strike a balance between depth and efficiency and can be used to simulate either an insider threat or an attack that has breached the network perimeter. In a grey box penetration test, only limited information is shared with the tester such as unprivileged login credentials and/or IP address of the target. Grey box testing is often favored by customers as the best balance between efficiency and authenticity, stripping out potentially time-consuming reconnaissance.
White Box
White box penetesting involves sharing full network and system information with the tester, including network maps and credentials. A white box penetration test is useful for simulating a targeted attack on a specific system utilizing as many attack vectors as possible. Usually this type of a test is helpful at the time of product development to uncover required fixes.
So, how to start? Get in touch with us. At Nova Corp, we have a team of certified and experienced pentesters having successfully completed more than hundreds of different assignments all over the world.