- Hands-On Penetration Testing with Kali NetHunter
- Glen D. Singh, Sean Philip Oriyano
- 2021-07-02 12:38:34
Types of penetration tests
Whenever a penetration tester is assigned to simulate real-world attacks against a target organization, one of three types of penetration test is usually conducted: white box, grey box, or black box. Each type will determine what assets are exposed to both an insider threat and an external party, such as a black hat hacker.
A white box test is an easy type of penetration test, as complete knowledge of the target’s systems and network is provided prior to the simulated attack. This can be beneficial to the penetration tester, as they would have ample information about the target network and can better utilize tools and resources in creating, delivering, and executing payloads that would most likely be successful on the first attempt. However, there is a disadvantage to this type of penetration test. The ethical hacker or penetration tester most likely won’t be looking for any hidden vulnerabilities and systems outside the knowledge that was provided prior to the testing, or for the complete knowledge of the infrastructure of the system.
Black box testing is where no information or knowledge is given to the penetration tester about the target systems or infrastructure. The penetration tester will behave like an actual black hat hacker to gain access to the target. The only information given is sometimes the company’s name or just the website. The ethical hacker or penetration tester will need to do all the hard work to determine the type of organization and its industry, the types of networking and security appliances within the network infrastructure, its employees, and so on.
Grey box testing is somewhere between white box and black box penetration testing. The penetration tester is given very limited information about the target infrastructure prior to the actual security audit or penetration test.