Since joining the Info Sec industry and attending a fair number of client sites, tech events, meet ups etc; there appears to be a common pattern emerging when it comes to perceptions surrounding the value of black box and white box penetration testing.
That pattern seems to be one of a “black box is enough” mindset, possibly because a black box test supposedly simulates how a “real” bad guy would attempt to breach your systems. Ergo, it is perceived to be a more “authentic” real-world test of a security posture.
Or is it? An organisation with this mindset is surely projecting an inward-facing false sense of security.
A black box test gives you a one-dimensional view of your attack surface, and can grossly underestimate a well-resourced, determined attacker. For instance, let’s imagine for a second that a would-be bad guy hoovers up the majority of an organisation’s IP addresses. What if the keys to your castle lie on the other 10% of machines that this bad guy couldn’t recognise as belonging to your organisation? If it’s online, someone will eventually discover what a previous, less informed bad guy could not, and push that pain button.
Yin and Yang!?
Only by bundling white box testing together with rigorous black box testing can an organisation achieve a holistic view of its applications, networks and people: the vulnerabilities that exist, how likely it is that attackers will find them, and what it will take to fix them.
Of course, there’s always sufficient information to launch an attack based on information available in the public domain.
The opinion of DXR as your security partner is it’s best to assume the worst case 100% of the time, and proceed with White box testing from there. For organizations with mature, well-implemented security programs, we deliver bespoke targeted attack simulations that assess capability to respond to varying threats. We also add validity to these engagements by consulting with both our Incident Response and Threat Hunting divisions.
The value you gain from a full security assessment is unparalleled, but can also hinge on the input and co-operation from your organisation too. With full commitment from our clients DXR as an external assessor is able to objectively maximise the validity of any assessment process.
From there we are able to establish the following value-for-money outcomes:
Failings of policies and/or controls that have led to vulnerabilities.
The risk to the organisation from a broader business perspective (bottom lines £££).
Identifying the potential objectives of the bad guys through the vulnerabilities discovered.
Immediate and long-term remediation road maps.
A change in the organisation’s mindset when approaching vulnerabilities in the future.
Ultimately, the reasons for a full security assessment should never be in question, especially when you compare them with the ramifications of adopting a one-dimensional “black box is enough” approach.
If you’d like more information around DXR’s approach to Managing Security information please visit www.digitalxraid.com