By Alan Jackson, CISSP
In recent years, the SEC has started to ask firms if they are performing regular vulnerability and/or penetration tests. This has caused confusion in the investment advisory industry, stemming from the fact that computer professionals have different definitions of what constitutes a vulnerability or a penetration test. Some testers describe penetration tests as an engagement where they attack a network persistently until they gain access, while some might target specific applications. Vulnerability tests could be described as purely automated scans or as live social engineering exercises where a person tries to trick an employee into giving the tester access. It is no wonder that investment advisors are confused. In order to give more clarity on this subject, I am going to define three terms that may help you select a vulnerability or penetration tester.
“White box” testing begins after the tester has been given full and complete access to a network. The tester is given the names and addresses of servers and a privileged user account for the duration of the test. “Grey box” testing begins after the tester has been given partial information about a network. This information may include a basic end-user account, or a list of employees. Lastly, “black box” testing begins without any access to, or knowledge about, a network. With a black box test, the tester is left to see whether they can penetrate the network entirely on their own. Note that these labels describe what the tester starts with, not what the tester is trying to accomplish. The distinction matters because white box, grey box, and black box testing each have different objectives and costs. A white box penetration test could cost about $1,500, while a black box penetration test can be closer to $25,000. Furthermore, a cheap white box penetration test may actually give you more useful information than an expensive black box test.
Typically, the purpose of a black box test is to gain access to a network. The tester will continue to attack until they gain the desired level of access. The tester begins by performing discovery and reconnaissance to determine likely ways of gaining entry, then works into a system one foothold at a time. Once the tester finds a crack in the security, they use it to gain deeper and deeper access over time, escalating privileges until they reach their goal. Keep in mind that the tester only needs one avenue in. The tester will typically follow a promising path until it is exhausted, and will only turn to another vulnerability when they reach a dead end. To use a simple analogy, if you hired a person to break into your house, that person would stop as soon as they found an open window. The practical consequence is that a black box report tells you about the path the tester took, not about the other doors and windows that were never tried. Each of these steps can be very time consuming. Most black box tests cost $15,000 or more and can take months to complete.
Grey box tests are similar to black box tests, but the tester begins with a limited amount of access to the network. This access is given to drive down the cost relative to a black box test. However, the purpose of the grey box test is usually the same as that of the black box test: the tester is trying to gain a level of access on the network. Giving limited information to the tester allows the tester to skip some of the reconnaissance and initial access phases of testing, which is where much of the black box budget is spent.
Finally, white box testing is performed in order to discover a wide variety of risks on your network. White box testing begins with the assumption that an attacker WILL break into your network if they are given enough time and resources. Therefore, the white box test is designed to discover ways that the attacker COULD break in, as opposed to ACTUALLY breaking in. That is why a white box test begins with total access to the network. Because the white box test assumes that a breach is inevitable, the tester is trying to discover as many cracks in the network as possible, rather than stopping at the first one. A white box test finds as many of the ways a black/grey box tester MAY break in as it can, and shows clients how to fill those cracks. Fixing these vulnerabilities makes a real attacker’s job much more difficult. The goal of a white box test is to encourage an attacker to move on to an easier target.
When you are contemplating a vulnerability or penetration test, you should begin with your final objective. What are you trying to gain from the test? If you want to ensure that a malicious agent can’t break into the custom application that you have developed, then hire a black box application penetration tester. If you are trying to discover general technical security holes that you can patch to help you be more secure, then hire a white box penetration tester. If you want a human with experience to analyze the results of the test and make appropriate recommendations, then ensure that the tests are not entirely automated.
Ashland Partners performs vulnerability and penetration tests for our clients. If this is something that you want for your environment, or if you have further questions, we are happy to speak with you. Please contact us with any questions.