Internal And External Penetration Testing Strategies – It’s time to consider what kind of testing strategy we’re going to use. There are three main testing strategies: the Black Box test, the Gray Box test, and the White Box test.
Black Box Test
The Black Box test is a no knowledge test. It means that we, as the penetration testers, have no prior knowledge of the target or network. This simulates an attack from an outside attacker, or a hacker. It focuses only on what external people can see and completely ignores the insider threat, because we have none of the knowledge an insider would have.
This is going to take more time and is much, much more expensive than doing a Gray Box or a White Box test, because we have to spend a lot more time in the planning, discovery, and enumeration stages as we figure out what this network has and what exploits we might be able to use.
White Box Test
The next one is what’s called a White Box test, which is all the way on the other side of the spectrum. This is a full knowledge test. I have full knowledge of the network, the systems, and the infrastructure. I may, as part of the contract, be given network diagrams, IP addresses, versions of operating systems, and the services they use. If I’m doing a software assessment, I might even be given the source code, etc.
This allows me to spend more time probing for vulnerabilities and exploits and less time doing information gathering and discovery. The tester is given support resources from the organization, and we’ll talk about each of those support resources in a different lesson and cover them in much more detail.
Gray Box Test
And finally, we have a Gray Box test. This is where you will probably find yourself most of the time. It’s what we call a partial knowledge test. You’re going to have some knowledge of the target. For example, they might tell you, here’s our IP range, so at least you know that you’re attacking us and not some other person.
This can also be used as an internal test to simulate an insider attack with minimal knowledge.