Following a wave of devastating breaches, many firms are looking for better strategies to manage cybersecurity risks. One highly effective exercise is the PenTest.

In this article, we break down the various kinds of Penetration Tests and how to select between them.

What is a Penetration Test?

A Penetration Test is a simulated attack on a digital network, orchestrated by a certified security engineer or group of engineers in order to identify any existing network or application vulnerabilities. As opposed to malicious hackers (known as black hatters), Penetration Testers (white hatters) are carefully trained so as not to cause any damage or alter any data during the exercise. The goal is simply to demonstrate where your weaknesses lie, how severe they are, and the proper methods for mitigation. Furthermore, Penetration Tests can indicate how your infrastructure and security team would cope during a real-life event.

What kinds of Penetration Tests are there?

External
External Penetration Testing attempts to compromise your assets from outside your network perimeter. In order to protect yourself from outside threats, a comprehensive external test will review all internet-facing components (websites, email servers, DNS servers, and so on) for potential security gaps that could allow an attacker to breach the system and gather or damage sensitive data.

Internal
Over two thirds of computer intrusions originate from within the company and can have a disproportionately large impact on a business given the nature of internal trust relationships and access. Inside information gives an attacker an important edge in stealing sensitive information or bringing down critical services. Accordingly, an Internal Penetration Test will attempt to compromise the company from within, and determine the extent and severity of an insider attack. This is a crucial first step in preparing mitigation plans and business continuity procedures.

Black Box
Black box testing refers to testing a system without any prior knowledge of the target. All information is gathered from either public sources, or through preparatory reconnaissance of the client's infrastructure. Black box testing is usually preferred to simulate real life attacks from external hackers.

White Box
White box testing refers to testing a system with shared knowledge of the network or application, in full collaboration with the client and their technical staff. White box testing is usually preferred when simulating internal attacks, where an employee (or group of employees) might exploit well-known flaws in the system or simply leverage their privileged access.

Grey Box
As its name implies, grey box testing is a combination of black and white box testing. Penetration testing is conducted with a limited amount of information on the target(s). This is usually the most cost effective method, both in terms of resources and time, while still retaining the kind of external perspective offered by a black box test.

Which Penetration Test is best for me?

There are many factors to consider when choosing a test. The first thing to determine is the scope of the test. If you're an SMB, for example, you'll have a far smaller attack surface than a large multinational. Smaller surface translates to a shorter test. Furthermore, as a small firm, your main threats will come from social attacks (such as phishing), which are often a precursor to an external black or grey box campaign. These are easily customizable and cheap for hackers to run, and allow them to target a large group of SMBs at once.

Another factor to consider is cost. Quality Penetration Tests don't come cheap, so you'll have to determine your available budget beforehand. For those with a large security budget, running separate black and white box attacks will be the most comprehensive, but grey box tests will usually be the most economical.

Finally, it's important to consider the objective of the test. Are you performing a basic sanity test, a comprehensive pre-launch review, or satisfying certain industry regulations? Companies working in finance or healthcare, for example, may be legally required to choose a particular testing method and scope.

If you'd like help determining the appropriate Penetration Test for your company, contact Silent Breach for your free same-day consultation.


Additional Resources:
What is Attack Surface Management?
Introduction to Vishing
Cyber Due Diligence: In Four Parts