In this blog article, we describe the different types of penetration testing and various approaches (black, white and grey box) that make up the general range of strategies employed to conduct a penetration test.
There are many different testing methodologies. They are generally categorised into:
What are the different types of penetration testing?
An external penetration test is an authorised hacking attempt against your organisation’s Internet facing servers, such as Web and email servers and ecommerce infrastructure. This test aims to harden the external facing network against attackers attempting to compromise vulnerable hosts from outside your organisation’s perimeter.
Internal penetration testing aims to identify and exploit vulnerabilities from within your organisation’s perimeter defences. Testers are typically given onsite access (similar to the way employees or contractors could connect to an internal environment). They then attempt to escalate privileges and gain access to sensitive information. For certain environments, such as data centres, jump hosts are used to test remotely via your organisation’s VPN access.
BYOD has significantly increased the cyberthreat surface by creating a variable endpoint ecosystem. Employee personal information may be used for social engineering, allowing a cybercriminal to gain a foothold into your organisation, and employee access credentials may be used to attack the portal that the mobile device connects to and compromise sensitive information.
Mobile device penetration testing attempts to bypass authentication on mobile devices including laptops, tablets and smartphones to assess whether stolen or lost devices can be compromised and then used as a pivot to compromise an organisation’s sensitive information. Testing can also assess third party MDM implementations and devices configured with MDM policies.
An insecure Wi-Fi network opens your organisation to a myriad of attacks that could compromise your sensitive information. A Wireless Penetration test aims to detect and exploit vulnerabilities in security controls employed by a number of wireless technologies and standards, misconfigured access points and weak security protocols.
Mobile App penetration testing is an authorised and simulated hacking attempt against a native mobile application (such as Android, Windows and iOS) that aims to identify and exploit vulnerabilities in an application, and the way it interacts and transfers data with back-end systems.
Untested applications remain the most common point of attack on an organisation. Web application vulnerabilities have resulted in the theft of millions of credit cards and compromised sensitive information for organisations and end users. A Web Application Penetration test targets open-source and commercial software and custom web applications to identify and exploit vulnerabilities relating to authorisation, security configuration and data protection mechanisms.
Web application vulnerabilities have resulted in the theft of millions of credit cards and compromised sensitive information.
A Web Service Penetration Test aims to identify and exploit vulnerabilities in the architecture and configuration of a web service. The purpose of this test is to fortify secure data exchange by demonstrating the ways a cyberattack can compromise a web service and gain access to an organisation’s information assets.
Physical & Social Engineering Penetration Testing
Physical penetration testing is the process of identifying and bypassing security controls implemented on buildings, data centres and employee operational security knowledge. All targets and exclusions follow specific pre-agreed criteria. To prevent negative business impacts during testing, the following methods are generally used: tagging unsecured devices, sending an email from unattended devices, identifying and photographing exposed paper documents with sensitive information (in line with the client’s security standards).
Closely linked is: Social engineering penetration testing which replicates how cybercriminals target employees to gain privileged access to protected systems and information by:
- Tailgating – the tester will attempt to follow employees into secure areas.
- Pretexting – the tester will impersonate an employee and attempt to persuade employees to divulge confidential information.
- Baiting – the tester will leave USB keys, infected with malware, inside and outside the building for employees to find and insert into a computer.
A specialised type of social engineering is phishing. It takes only one user to fall prey to a phishing scam for an attacker to gain a foothold in your organisation. A phishing risk assessment and penetration testing service helps you to understand your organisation’s phishing posture and prepare for ransomware and other phishing introduced threats.
A phishing risk assessment and penetration testing service helps you to understand your organisation’s phishing posture.
Baseline Penetration Testing allows you to measure your organisation’s phishing risk. A simulated phishing campaign is sent to all end-users, or just a select control group. By tracking open and click-through rates, the campaign provides key stakeholders with a baseline of the organisation’s phishing risk.
A more advanced Phishing Penetration Test also assesses the performance of the security stack at the desktop/server level and across the inbound and outbound points of the network. These technologies include file extension handling, port filtering, MIMES, type checking, anti-virus, application whitelisting, and proxy filtering.
A red teaming assessment is the process of using all available resources (broad scope) to demonstrate the impact of a targeted cyberattack. This can include identifying and bypassing security controls implemented on buildings, websites, servers, networks or by finding ways to abuse or bypass policy or processes implemented within an organisation. By conducting this type of assessment, you can understand the effectiveness of current security controls and adherence to security policies and procedures in every way that they are exposed to threats.
During a red teaming assessment, testers will mimic the behaviours of a malicious hacker to understand what sort of vulnerabilities exist and what information they may be able to compromise.
Secure code Reviews
Secure code reviews focus on identifying vulnerabilities in application source code that could allow exploitation or abuse.
Testers conduct research on how the application is used on a day-to-day basis, identifying its design and business objectives and the existing security controls that have been implemented. Then, using specialised security source code review software, the source code is analysed to identify application inputs, the attack surface, simple coding errors and vulnerabilities.
The vulnerabilities identified include those that can be identified through web application penetration testing as well as many others. During this stage, a hands-on approach is also taken, not only to confirm valid findings, but to identify possible logic flaws or design failures in the application which cannot be discovered using automated processes. Where required, and if possible, weaknesses identified through the discovery stage can be confirmed through actual exploitation. This allows you to understand your risk level to the most accurate degree.
Which approach: Black, White or Grey Box?
You will discuss the best approach, to meet your organisation’s needs, with your penetration testing provider during the project scoping stage. Your chosen provider will work with you to develop a customised test plan that will identify the objectives, scope, approach, limitations (e.g. avoidance of disruption of business operations) and legal and confidentiality requirements.
All the information that testers require is provided/accessible.
Limited information is provided to testers (e.g. logins)
No information is shared with the penetration testing team, to simulate an attack from a malicious hacker.
This is useful for:
This is useful for:
This is useful for:
Generally, the less mature an organisation’s cybersecurity and information security management program, the less aggressive and the more collaborative the approach. However, an organisation with a more mature program (and an identified high risk of cyberattack) may cycle between black box, grey box and white box approaches along with regular, ongoing vulnerability assessments. In terms of ROI for a new client, the best approach is white box.
Do you forewarn your IT Team?
Another important consideration is whether the management team informs the IT security team about the date and scope of testing. While it is usual for all stakeholders to be informed, there are sometimes specific requirements not to do so, for example, in the case of social engineering penetration testing. A red teaming exercise may use either approach. Borrowed from military terminology, the red team (penetration testing team) can attempt to exploit vulnerabilities either with the blue team’s (IT security team) prior knowledge and collaboration or without. Both methods provide valuable learning experiences for the blue team.
The decision of whether to inform the IT security team, in combination with the approaches and testing methodologies described above, make up the general range of strategies employed to conduct a penetration test.
We hope you’ve found this blog article useful. For more information about penetration testing, download A Guide for First-time Penetration Testing Buyers here >> In this free guide we answer the questions commonly asked by first-time penetration testing buyers and provide guidance to help you achieve a successful penetration testing experience.
Questions & More Information
Do you have a question about penetration testing? Contact Us today to speak to one of Shearwater’s certified Ethical Hackers. They have extensive experience in providing penetration testing services and assisting clients to achieve and maintain accreditation.