Which of the following is the MOST intrusive type of testing against a production system?
A.
White box testing
B.
War dialing
C.
Vulnerability testing
D.
Penetration testing
Explanation:
Penetration testing is the most intrusive type of testing because you are actively trying to circumvent the
system’s security controls to gain access to the system.
Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web
application to find vulnerabilities that an attacker could exploit.
Pen tests can be automated with software applications or they can be performed manually. Either way,
the process includes gathering information about the target before the test (reconnaissance), identifying
possible entry points, attempting to break in (either virtually or for real) and reporting back the findings.
The main objective of penetration testing is to determine security weaknesses. A pen test can also be
used to test an organization’s security policy compliance, its employees’ security awareness and the
organization’s ability to identify and respond to security incidents.
Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are
attempting to break in.
Pen test strategies include:
Targeted testing
Targeted testing is performed by the organization’s IT team and the penetration testing team working
together. It’s sometimes referred to as a “lights-turned-on” approach because everyone can see the test
being carried out.
External testing
This type of pen test targets a company’s externally visible servers or devices including domain name
servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an outside attacker
can get in and how far they can get in once they’ve gained access.
Internal testingThis test mimics an inside attack behind the firewall by an authorized user with standard access privileges.
This kind of test is useful for estimating how much damage a disgruntled employee could cause.
Blind testing
A blind test strategy simulates the actions and procedures of a real attacker by severely limiting the
information given to the person or team that’s performing the test beforehand. Typically, they may only
be given the name of the company. Because this type of test can require a considerable amount of time
for reconnaissance, it can be expensive.
Double blind testing
Double blind testing takes the blind test and carries it a step further. In this type of pen test, only one or
two people within the organization might be aware a test is being conducted. Double-blind tests can be
useful for testing an organization’s security monitoring and incident identification as well as its response
procedures.
Incorrect Answers:
A: White box testing is a software testing technique whereby explicit knowledge of the internal workings
of the item being tested are used to select the test data. Unlike black box testing, white box testing uses
specific knowledge of programming code to examine outputs. The test is accurate only if the tester knows
what the program is supposed to do. He or she can then see if the program diverges from its intended
goal. White box testing does not account for errors caused by omission, and all visible code must also be
readable. White box testing is used to test the code of an application. It is not used to test the security
controls of a production system.
B: War dialing is a technique of using a modem to automatically scan a list of telephone numbers, usually
dialing every number in a local area code to search for computers, Bulletin board systems and fax
machines. It is not used to test the security controls of a production system.
C: A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and
vulnerabilities. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary
actions taken to resolve and vulnerabilities. A vulnerability scan scans for known weaknesses such as
missing patches or security updates. A vulnerability scan is considered passive in that it doesn’t actually
attempt to circumvent the security controls of a system to gain access (unlike a penetration test).
http://searchsoftwarequality.techtarget.com/definition/penetration-testing
http://www.webopedia.com/TERM/W/White_Box_Testing.html
http://en.wikipedia.org/wiki/War_dialing