CISSP® Official Study Guide, Eighth Edition
Mike Chapple, James Michael Stewart, Darril Gibson (Sybex, 2018)
Chapter 17: Preventing and Responding to Incidents

White-Box Testing by Full-Knowledge Team
A full-knowledge team has full access to all aspects of the target environment. They know what patches and upgrades are installed and the exact configuration of all relevant devices. If the target is an application, they would have access to the source code. Full-knowledge teams perform white-box testing (sometimes called crystal-box or clear-box testing). White-box testing is commonly recognized as being more efficient and cost effective in locating vulnerabilities because less time is needed for discovery.
Gray-Box Testing by Partial-Knowledge Team
A partial-knowledge team that has some knowledge of the target performs gray-box testing, but it is not provided access to all the information. The team may be given information on the network design and configuration details so that it can focus on attacks and vulnerabilities for specific targets.
The regular security administration staff protecting the target of a penetration test can be considered a full-knowledge team. However, they aren't the best choice to perform a penetration test. They often have blind spots or gaps in their understanding, estimation, or capabilities with certain security subjects. If they knew about a vulnerability that could be exploited, they would likely already have recommended a control to minimize it. A full-knowledge team knows what has been secured, so it may fail to properly test every possibility by relying on false assumptions. Zero-knowledge or partial-knowledge testers are less likely to make these mistakes.
Penetration testing may employ automated attack tools or suites, or be performed manually using common network utilities. Automated attack tools range from professional vulnerability scanners and penetration-testing frameworks to underground tools shared by attackers on the internet. Several open-source and commercial tools (such as Metasploit) are available, and both security professionals and attackers use these tools.
Social-engineering techniques are often used during penetration tests. Depending on the goal of the test, the testers may use techniques to breach the physical perimeter of an organization or to get users to reveal information. These tests help determine how vulnerable employees are to skilled social engineers, and how familiar they are with security policies designed to thwart these types of attacks.
Social Engineering in Pentests
The following example is from a penetration test conducted at a bank, but the same results are often repeated at many different organizations. The testers were specifically asked if they could get access to employee user accounts or employee user systems.
Penetration testers crafted a forged email that looked like it was coming from an executive within the bank. It indicated a problem with the network and said that all employees needed to respond with their username and password as soon as possible to ensure they didn't lose their access. Over 40 percent of the employees responded with their credentials.
Additionally, the testers installed malware on several USB drives and "dropped" them at different locations in the parking lot and within the bank. A well-meaning employee saw one, picked it up, and inserted it into a computer with the intent of identifying the owner. Instead, the USB drive infected the user's system, granting the testers remote access.
Both testers and attackers often use similar methods successfully. Education is the most effective method of mitigating these types of attacks, and the pentest often reinforces the need for education. Awareness training works best alongside technical controls that make the same attacks fail even when a user is fooled, such as restricting unapproved removable media and flagging external mail that borrows an executive's display name.
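The forged executive email in the bank test combines three signals a mail gateway or SOC analyst can check mechanically: a display name that matches an internal executive while the sender domain is external, a request for credentials, and urgency or loss-of-access pressure. The following Python script is an added example written for this page, not code from the CISSP guide or from the bank test it describes. The organization's domain, the executive names, the scoring rule, and both sample messages are constructed assumptions; only the standard library is used.

```python
"""Flag inbound mail matching the executive-impersonation pattern above.

Added example (not from the CISSP Official Study Guide). The domain,
executive list, scoring rule, and sample messages are assumptions made
for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed internal mail domain and the display names worth protecting.
ORG_DOMAIN = "example-bank.test"
EXECUTIVE_NAMES = {"jane doe", "john roe"}

CREDENTIAL_RE = re.compile(r"\b(user ?name|password|credentials|log ?in details)\b", re.I)
URGENCY_RE = re.compile(r"\b(as soon as possible|immediately|urgent(ly)?|lose (your )?access)\b", re.I)
# Authentication-Results (RFC 8601) as written by the receiving MTA.
AUTH_FAIL_RE = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|permerror)\b", re.I)


def _text_body(msg):
    """Return the text/plain content of a parsed message as one string."""
    if not msg.is_multipart():
        return msg.get_payload(decode=True).decode("utf-8", "replace")
    return "\n".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk()
        if part.get_content_type() == "text/plain"
    )


def _domain(address):
    return address.rpartition("@")[2].lower()


def analyze(raw_message):
    """Score one RFC 822 message; returns sender, findings, and a verdict.

    Verdict rule (an assumption for this example): a display-name/domain
    mismatch or a sender-authentication failure is enough on its own.
    Otherwise a credential request is flagged only when paired with urgency
    language or a Reply-To that points somewhere other than the sender.
    """
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = _text_body(msg)
    findings = []

    spoofed = display.strip().lower() in EXECUTIVE_NAMES and _domain(addr) != ORG_DOMAIN
    if spoofed:
        findings.append("executive display name with external sender domain")
    reply_mismatch = bool(reply_to) and _domain(reply_to) != _domain(addr)
    if reply_mismatch:
        findings.append("Reply-To domain differs from From domain")
    auth_failed = bool(AUTH_FAIL_RE.search(msg.get("Authentication-Results", "")))
    if auth_failed:
        findings.append("SPF/DKIM/DMARC failure recorded by the receiving MTA")
    asks_for_creds = bool(CREDENTIAL_RE.search(body))
    if asks_for_creds:
        findings.append("body mentions account credentials")
    pressures = bool(URGENCY_RE.search(body))
    if pressures:
        findings.append("body applies urgency or loss-of-access pressure")

    suspicious = spoofed or auth_failed or (asks_for_creds and (pressures or reply_mismatch))
    return {"from": addr, "findings": findings, "suspicious": suspicious}


# Constructed sample: the forged executive email from the bank test.
PHISHING_SAMPLE = """\
From: "Jane Doe" <jane.doe@example-bank-helpdesk.test>
Reply-To: it-support@example-bank-helpdesk.test
To: all-staff@example-bank.test
Subject: Network problem - action required
Authentication-Results: mx.example-bank.test; spf=fail smtp.mailfrom=example-bank-helpdesk.test

We have a problem with the network. All employees must reply with their
username and password as soon as possible so you do not lose your access.
"""

# Constructed sample: a legitimate internal notice that mentions passwords
# but comes from the real domain, authenticates, and applies no pressure.
LEGITIMATE_SAMPLE = """\
From: "Jane Doe" <jane.doe@example-bank.test>
To: all-staff@example-bank.test
Subject: Password policy reminder
Authentication-Results: mx.example-bank.test; spf=pass dkim=pass dmarc=pass

Reminder: the new password policy takes effect next quarter. No action is
needed today; the help desk will never ask you to email your password.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISHING_SAMPLE), ("legit", LEGITIMATE_SAMPLE)):
        print(label, analyze(sample))
```

The legitimate notice mentions passwords yet is not flagged, which is the point of pairing signals rather than matching keywords alone; a real deployment would read the executive list and domain from configuration and feed the findings to the mail gateway's quarantine or a SIEM rule rather than printing them.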