Page 1235 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
they are looking at the target as a black box and have no idea what is within the box until they start probing. An attack by a zero-knowledge team closely resembles a real external attack because all information about the environment must be obtained from scratch.

White-Box Testing by Full-Knowledge Team
A full-knowledge team has full access to all aspects of the target environment. They know what patches and upgrades are installed, and the exact configuration of all relevant devices. If the target is an application, they would have access to the source code. Full-knowledge teams perform white-box testing (sometimes called crystal-box or clear-box testing). White-box testing is commonly recognized as being more efficient and cost-effective in locating vulnerabilities because less time is needed for discovery.

Gray-Box Testing by Partial-Knowledge Team
A partial-knowledge team that has some knowledge of the target performs gray-box testing, but they are not provided access to all the information. They may be given information on the network design and configuration details so that they can focus on attacks and vulnerabilities for specific targets.

The regular security administration staff protecting the target of a penetration test can be considered a full-knowledge team. However, they aren't the best choice to perform a penetration test. They often have blind spots or gaps in their understanding, estimation, or capabilities with certain security subjects. If they knew about a vulnerability that could be exploited, they would likely already have recommended a control to minimize it. A full-knowledge team knows what has been secured, so it may fail to properly test every possibility by relying on false assumptions. Zero-knowledge or partial-knowledge testers are less likely to make these mistakes.

Penetration testing may employ automated attack tools or suites, or be performed manually using common network utilities. Automated attack tools range from professional vulnerability scanners and penetration testers to underground tools shared by attackers on the internet. Several open-source and commercial tools (such as Metasploit) are available, and both security professionals and