Challenging Security Limitations: White vs. Black Box Testing & Real Risk


I awoke in the middle of the night. It was the witching hour, 3am! Rapidly behind my lowered eyelids pie-graphs and charts explaining esoteric security concepts flashed in sequence, but I was too groggy to retain everything I learned. Why I am chosen for this sort of lucidity, I will never understand. This article is an attempt to best re-create the deeper concepts I received in that vision, but a week has elapsed since that night and therefore I have mostly forgotten everything. I’ll just have to wing it.

White Box Vs. Black Box

The article I have linked above describes the difference between the security and/or software testing procedures in which internal elements are either known or unknown to the testers. Knowing the internal workings allows a test to take a more thorough and rigorous approach to each and every individual node or aspect of the subject, whereas a Redteam performing an unknown or Black Box test may not strike upon every single nuance built into the system, but may come up with something heretofore unknown. The Black Box test is conducted exclusively by third-party security or testing professionals, which is requisite due to their specific insights into security penetration and access. For these reasons, it is considered a “low-level” test, also known as an integration or unit test. It is conducted, in other words, from the outside working inward.

White Box tests are usually conducted by software developers or some part of the internal staff working on the project or overview. White Box tests are considered high-level tests, also called system or acceptance testing. These tests are intended to make the system fully air-tight after the beta-testing bugs have been detected and eliminated. The chief benefit of White Box testing is thoroughness, insofar as the team knows the way the program or plan “should” work and can therefore test against this ideal. An internal team conducting this type of test knows the code (or building scheme; what have you), and therefore possesses an eagle-eye view of the entirety of the subject’s workings.

So Which Is Better For Your Company?

Before I answer this question for you, ask yourself:

  1. Do I have an internal team already providing White Box testing?
  2. Are they specifically hired for testing, or did we just divert Sheila and Burt from engineering over there to do another bug-sweep? (Remember what happened in the 1986 film Aliens.)
  3. If you have a specific internal team for testing, are they getting on well with engineering? Do they have a working rapport and are able to comprehend each other effectively leading up to the testing phase?
  4. Did you seek professional consulting from a specialized security Redteam?
  5. If you did not answer ‘YES’ to each of the above questions, you and your company are not necessarily ready for what I am about to reveal to you in the next section.

Attrition Theory

I am not a mathematician; however, I think you can get behind me on this.

x/a – y/b = result (+ : the company withstands the attack, – : the OpFor succeeds)

Attrition Theory basically asserts that, given a company a with resources x (personnel, training level, security architecture, security equipment, surveillance, etc.) attacked by a competitor (or OpFor) b with resources y, a simple subtraction is all that is needed to determine who is successful in the attack. If the OpFor is willing to invest enough time and resources into their raid on company a, their success will be indicated by the result being a negative number: the OpFor has taken the resources company a invested into the red.

Is your company ready for your competitor or OpFor to outbid you on your willingness to invest in preventative security measures? Following a breach, it may be too late to save face, so insurance, or the ability to clean up after the fact, is just not going to be enough.

Now to answer the question I asked before: Which sort of test is better?

Chew On This

So your internal team designated another internal team to do the testing. Ok. So the engineers got together with the testers and did a PowerPoint powwow. Sure. So then, after that, you decided you still thought it would be wise to get an outside team to consult. Good. They do their scans and don’t really provide any insight beyond the scope of the White Box team, but good on you for checking. So you’re awesome, right? Invulnerable!

BRIQ | HAUS LTD. SECURITY & INTELLIGENCE has the guts to ask you these hard questions:

  1. How secure is your facility/program in case of a fire drill? Do you have protocols in place to secure end-users’ data BEFORE they flee the scene?
  2. What about in case of a REAL FIRE? And are you willing to test this in a non-drill scenario to absolutely ensure your security protocols work?
  3. Is your staff alerted to the heightened danger of active shooters, like the recent scenario at YouTube? If so, do you again have a plan in place to protect end-user data from a potential shooter or *gasp* terrorist attack?
  4. What about acts of God like locusts, plague, or, you know, floods? Are you not only going to get out of the building safely, but will you be able to stop Boris & Natasha from killing Moose’n’Squirrel during the disaster? For the OpFor, luck is when preparedness meets opportunity.
  5. If you didn’t answer ‘YES’ to each of the above questions, you need to contact us at BRIQ | HAUS LTD. SECURITY & INTELLIGENCE and immediately schedule a consultation. Our information technology and intelligence community professionals know things that can protect your bottom line, so you can stop worrying about all the hard realisms I just threw at you.

My name is Robert Brooks Authement, owner and operator of Briq Haus Ltd. I think like the bad guys so you and your team don’t have to. If you think these insights can be of assistance to you and your company, please consider me and my team at your service.


The MANIC Mirror: Minimal Integration, Streamlined Function


The Days Of Yore

In the days of yore, a lot went into creating an integrated system which could mimic the multi-functionality of today’s smart phones. In this brief article, I will discuss how and why even a very inexpensive model of smart phone can be applied for incredible results while committing to fieldcraft and security excellence.

But first, a little history. The Universal Serial Bus (USB) evolution of system architecture created a massive expansion of computing capabilities, especially in terms of multimedia applications. Evolving from the OG Industry Standard Architecture (ISA) of motherboard design, the miniaturization and multithreading capability of computing machines were sure to increase exponentially. This meant that ever shorter periods of time would yield smaller and more capable circuits. ISA moved on to become PCI (Peripheral Component Interconnect), allowing for higher data streams within the architecture, especially reflected in video processing definition. And now in regular implementation is SCSI (Small Computer Systems Interface), which allows for communications between internal motherboards and external devices such as tape and disk drives.

Back to USB. The Universal Serial Bus allowed for many external devices, meaning up to 144 daisy-chained devices, to be connected to the system. Now our computers had eyes, ears, and mouths with which we could interface directly and begin to envision what would come in the future.

The MANIC (magic) Mirror

Minimal Architecture Necessary for Intelligent Cognition is a concept outlined in white papers by Michael Gagnon, an adroit cybersecurity researcher for the Pentagon and Department of Defense. It entails utilizing the very least amount of physical hardware to enable the highest digital functionality of a computer system. As technical as this sounds, it can easily be broken down and translated into intelligence fieldcraft and other business applications.

The smart phone, which I have labeled the MANIC Mirror, was most likely introduced to pop culture in 1935 with the production of Walt Disney’s Snow White. That was a long time ago, way before computers had any chance of being perceived in the way they are presently manifest. Here we see a flat or two-dimensional object which seemingly or magically grants the ability to remotely view across great distances and perhaps even time. It also allows for remote communication with an advanced and/or artificial intelligence. The magic mirror of old is now a reality; you most likely have one in your hands with which you are reading this article, or perhaps on your desk charging next to your larger computer.

In Security Terms

The MANIC Mirror is an excellent tool, far too often unrealized for its full capabilities, especially in deployment for security and intelligence applications. Depending on what capabilities your mission-specific operation entails, there is most likely “an app for that.”

There are far too many applications and implementations to list in which cheaply purchased and freely configured Android smart phones may be utilized to drastically increase intelligence capabilities while afield. The tiny integrated camera and microphone are much more than just a video intercommunication device; they are also useful in terms of electronic surveillance. A pair of smart phones can be synchronized to each other for wireless signal transference and spying deployment. The list goes on ad nauseam, ad infinitum.

Special uses of smart phones must also be considered in terms of systems integration. For example, your $500 surveillance drone will also come with an application which can be freely downloaded to the phone, allowing an extended, aerial eye to take flight and expand your operational range up to 1.5 km. That’s without going too far into the budget. These things are truly incredible and are being underutilized and under-realized in the field.

There is a lot more to this, but I don’t want to give away all my secrets. If you are interested in accessing our expertise in operational smart phone deployment, please do not hesitate to contact Briq Haus Ltd. Security & Intelligence. Thank you for reviewing this article.

QuantusNet {Philippines ISP}


QuantusNet

Wireless Infrastructure | Internetworking | Global Connectivity

Internet As A Service

QuantusNet ‘brings it to the people’ by offering a range of gateway and router products boasting resilience, ease of use, and versatility. Businesses and residences can easily benefit from utilizing our products and installations.

Technical Solutions & Support

QuantusNet boasts a team of expert IT professionals and consultants with a combined experience of over fifty years working in the information business world. Our expertise is rivaled only by our enthusiasm to bring this vision to market.

Speed + Reliability = QuantusNet

We spare no expense and take no shortcuts on our collective roads to success, and by teaming up with strong industry stewards already in position, QuantusNet is already poised for great triumph. With a combination of hardware fail-safes, software security, and trained system administrators, QuantusNet shows potential for deployment in a wide variety of government or military applications, alternatively or cumulatively.

Join the TEAM who will bring more and faster internets to the people of the Philippines . . . Partner with QuantusNet!


Operational Draft

  • Partners

Between the telecoms already in place, IT companies, and government agencies, there is a wide pool of opportunities in which professional business networking will feature. Marketing is not an activity, it is a lifestyle, and our business intelligence researchers are finding the most viable options and angles for launching a strong internet service provider for Filipinos.

  • Marketing & Sales

Between the product, the service, and the package, the business mostly lends itself to selling itself; however, a team of marketing professionals will be in place to “roll out” the final product for deployment at day zero of the QuantusNet launch.

  • Community Involvement

QuantusNet vows to give back to the community in which it operates by hosting or co-operating musical events, and installing community gardens to make more food locally available. More ideas and ways to give back to the community may be implemented upon further observing the culture in person.

Conclusion

Thank you for reviewing our initial pitch for QuantusNet. Please feel free to follow up by researching us at http://networks.quantus.biz, and you can always contact me with any questions, concerns, suggestions, or offers. Thank you again; our venture will surely prosper.


Robert Brooks Authement — Boss of Operations, QuantusNet

4019 N 5th Rd

Arlington, Virginia 22203

broox.authement@gmail.com

+1 (970) 283-7694