CEH

What Is an Ethical Hacker?


Black Box A type of testing in which the pen tester has little or no knowledge of the
target. This situation is designed to closely emulate the situation an actual attacker would
encounter as they would presumably have an extremely low level of knowledge of the target
going in.


Gray Box A form of testing where the knowledge given to the testing party is limited. In
this type of test, the tester acquires knowledge such as IP addresses, operating systems, and
the network environment, but that information is limited. This type of test would closely
emulate the type of knowledge that someone on the inside might have; such a person would
have some knowledge of a target, but not always all of it.


White Box A form of testing in which the information given to the tester is complete. This
means that the pen tester is given all information about the target system. This type of test
is typically done internally or by teams that perform internal audits of systems.


Another way to look at the different types of testing and how they stack up is in Table 1.1.

Table 1.1 Available types of pen tests


Type        Knowledge
White box   Full
Gray box    Limited
Black box   None

Do not forget the terms black box, white box, and gray box, as you will be
seeing them again both in this book and in the field. As you can see, the
terms are not that difficult to understand, but you still should make an
effort to commit them to memory.

In many cases, you will be performing what is known as an IT audit. This process is
used to evaluate and confirm that the controls that protect an organization work as
advertised. An IT audit is usually conducted against some standard or checklist that covers
security protocols, software development, administrative policies, and IT governance. However,
passing an IT audit does not mean that the system is completely secure; in the real world,
the criteria for passing an audit may be out of date.

An ethical hacker is trying to preserve what is known as the CIA triad: confidentiality,
integrity, and availability. The following list describes these core concepts and what they
mean. Keep these concepts in mind when performing the tasks and responsibilities of a pen
tester:


Confidentiality The core principle that refers to the safeguarding of information and
keeping it away from those not authorized to possess it. Examples of controls that preserve
confidentiality are permissions and encryption.