White Box Penetration Testing Services

Overview

Serious security flaws have been discovered in products, such as drug infusion pumps, used in hospitals throughout the world.  The security flaws in the drug infusion pumps aka IV Pumps could have allowed attackers to remotely administer deadly doses.

Serious security flaws have been discovered in products, such as drug infusion pumps, used in hospitals throughout the world.  The security flaws in the drug infusion pumps aka IV Pumps could have allowed attackers to remotely administer deadly doses.

As ethical (white hat) hackers, we emulate an attacker by utilizing similar techniques to perform reconnaissance, identify vulnerabilities, and break into your systems. Unlike an attacker, however, we stop our test before exposing sensitive data or doing harm to your environment.  With a White Box Penetration Test, we test a system with "administrator" or "root" level access and knowledge.  This often includes access to architecture diagrams, design documents, specifications, and source code.  A White Box Penetration Test is the most thorough and time consuming.

A White Box Penetration Test is commonly used in the following scenarios:

  • An organization is developing their own product
  • An organization is developing their own software application
  • An organization is integrating several products or applications 

If you are developing your own product or application, accessible over a computer network (wired or wireless), you should have it thoroughly tested to ensure it is not "hackable".  White Box Penetration Testing is extremely important with devices that process, store, or transmit sensitive data and for devices involved with critical infrastructure, such as Industrial Control Systems (ICS) and Supervisory Control And Data Acquisition (SCADA) systems.  White Box Penetration Testing should also be a priority for devices used in healthcare or hospital environments where a compromised device could result in a violation of patient privacy, such as the release of Protected Health Information (PHI), or even become a threat to a patient, such as the compromise of drug infusion pump.

Controls on a SCADA Network in a Nuclear Power Plant

Controls on a SCADA Network in a Nuclear Power Plant

If you are performing systems or product integration, White Box Penetration Testing is equally important, especially if you are responsible for the integration of components from multiple vendors.  We have found numerous bugs and flaws in components that were designed and developed by a supplier for an integrated critical system.

Methodology

We follow a seven phase methodology designed to maximize our efficiency, minimize risk, and provide complete and accurate results. The overarching seven phases of the methodology are:

  1. Planning and Preparation
  2. Reconnaissance / Discovery
  3. Vulnerability Enumeration / Analysis
  4. Initial Exploitation
  5. Expanding Foothold / Deeper Penetration
  6. Cleanup
  7. Report Generation

BENEFITS / RETURN ON INVESTMENT (ROI)

$6.5 million is the average total cost of a data breach

$217 is the average cost per lost or stolen record
— 2015 Cost of Data Breach Study: United States (Ponemon Institute Research Report)

We think it is better to have an ethical hacker find the holes into your enterprise than an adversary or insider.  Our Penetration Testing provides details on exploitable vulnerabilities in a prioritized, tangible manner.  Our report allows you to better understand what your device, application, or system looks like from an attacker perspective.  This helps you prioritize efforts to mitigate risk to reduce breach likelihood or damage.

Our Penetration Testing services also help you meet compliance audit requirements such as HIPAA, PCI DSS, and FISMA.

Deliverable

The White Box Penetration Test Report includes the devices and systems tested, vulnerabilities discovered, steps taken during the assessment, exploitable areas discovered, and prioritized recommendations.  For any systems we are able to exploit, an “Attack Narrative” section is used to discuss step-by-step the process we used to gain access, escalate privileges, etc.

Interested in a White Box Penetration Test against your devices, systems, or applications?

Contact Us or use the form below to find out more about our White Box Penetration Test or to schedule a White Box Penetration Test.

Name *
Name
Phone
Phone
Is this an Urgent Request?

Penetration Testing FAQs

What are the differences between White, Black, and GrAy Box penetration tests?

White Box Penetration Test - a penetration test where the penetration tester has "administrator" or "root" level knowledge about and access to a system.  This often includes access to architecture diagrams, design documents, specifications, and source code.  A White Box Penetration Test is the most thorough and time consuming. White Box Penetration Test characteristics:

  • Full Access at Root or Administrator level
  • Documentation intensive
  • Most thorough penetration test
  • Most time-consuming penetration test
  • Typically used during system development or prior to deployment

Gray Box Penetration Test - a penetration test where the penetration tester has "user" level knowledge about and access to a system.  A Gray Box Penetration Test is typically used when you want to test an insider threat or an application that supports multiple users.  The insider threat is tested to see what damage a user (non-administrator) could do to your environment.  Application testing is used to test authenticated user access to ensure a user on an application cannot access another user's data or escalate privileges. Gray Box Penetration Test characteristics:

  • User-level Access
  • Limited documentation provided
  • Fairly thorough penetration test
  • Fairly time-consuming penetration test
  • Typically used to test systems with multiple users or emulate insider threat

Black Box Penetration Test - a penetration test where the penetration tester has little to no knowledge about and unauthenticated or limited access to a system. Black Box Penetration Test characteristics:

  • Unauthenticated Access
  • No documentation provided, other than target IP address or URL
  • Fairly thorough penetration test
  • Fairly time-consuming penetration test
  • Typically used to emulate an adversary with little knowledge about the target

WHAT IS THE DIFFERENCE BETWEEN A VULNERABILITY ASSESSMENT AND PENETRATION TEST?

A vulnerability assessment is less-intrusive than a penetration test.  With the vulnerability assessment, we identify vulnerabilities, but do not exploit them.  A penetration test goes beyond a vulnerability assessment by exploiting vulnerabilities and seeing how far into your environment an attacker can go by taking advantage of system or application vulnerabilities.

What happens if during the penetration test you discover we already have an infection?

This is quite common.  Any existing malware or breaches discovered during the penetration test will immediately result in a cessation of testing and be brought to the attention of the designated Point of Contact (POC). We can help with incident response, digital forensics, and malware analysis.

Is the penetration test performed remotely or onsite?

For an External, Black Box Penetration Test against your internet-facing systems, we perform this service remotely.  For an Internal Penetration Test, we travel to your location and perform this service onsite.  To leverage the fact that we will be traveling to your location, we offer to bundle (at a discount) other services that require us to be onsite with the Internal Penetration Test, such as our Wireless Security Assessment and Physical Security Review.  

RELATED SERVICES