Three Different Shades of Ethical Hacking: Black, White and Gray

Corporations and other entities are faced with the unenviable task of trying to defend their networks against various types of intrusive attacks. Although traditional methods of deterrence (e.g., firewalls and intrusion detection devices) have their place in this battle, there has arisen the need to utilize specialists who are adept at exploiting both known and unknown vulnerabilities in networks in order to determine the security posture of an organization. These 'Ethical Hackers' have created a niche for themselves in the 'Defense-in-Depth' spectrum. This paper seeks to investigate the rationale for using these penetration experts in order to determine the level of security in an organization. Additionally, it will examine the underlying philosophy behind choosing one of three possible attack models for the penetration tests: Black Box, White Box, and Gray Box. Finally, each one of these ethical hacking approaches will be discussed.

1390 (PDF, 1.92MB)

2 May 2004
By David Hafele
All papers are copyrighted

No re-posting of papers is permitted
