Types of penetration testing

Penetration testing, as defined by Wikipedia, is an authorised simulated cyberattack on a computer system, performed to evaluate the security of the system. The test is performed to identify both weaknesses (also referred to as vulnerabilities), including the potential for unauthorised parties to gain access to the system’s features and data, and strengths, enabling a full risk assessment to be completed.

Penetration testing can come in several styles. Testing can be against web-based applications, internal systems, mobile applications and, more recently, Internet of Things (IoT) devices, and everything in between. The type of test and the number of devices being tested will generally dictate the overall cost of the penetration test.

Black Box

Black box penetration tests are performed with no information from the client. The penetration testing company will be provided with a signed engagement form, non disclaimer form and possibly other documentation to ensure that the testing company is properly protected against any tests.

Once started, the testing company will usually only have a name or a starting point to go from. It will then need to uncover information and devices, and start to look at ways it can gain a foothold within the business. The testing company may look at domain name information and social media accounts, attempt phishing exercises and scope out the offices in question.

Of the three testing styles, black box testing takes the most work and time, and is therefore usually a lot more expensive.

White Box

White box penetration testing is where the testing company is provided with all information: IP addresses, subnets and access to the office (if required). If a web application test is being performed, user accounts will be provided to test user access control.

Gray Box

Gray box penetration testing sits in between black box and white box testing. The testing company will obtain some information to help them with the scoping of the tests, which may include IP addresses, and names and addresses of staff.

Gray box testing takes longer than a white box test, and is slightly more expensive overall.

Generally, the majority of companies will undergo a white box test. If you would like to have a penetration test undertaken, or would like more information, please don’t hesitate to contact us.