Types of Penetration Testing Flashcards
1
Q
Ermin’s graph:
A
Penetration Testing
v
Announced< >Unannounced
v v
>Black box/Grey box/White box
2
Q
General notes:
A
- multiple tests may be conducted at the same time and all types of tests can be either announced or unannounced
- you might announce a test so that IT employees can grant you access to specific segments of the system to test them individually
3
Q
What does “black box testing” refer to ?
A
Black box testing is when the penetration tester has no prior knowledge of the system they’re attempting to breach.
- Also referred to as “Functional Testing”
Two separate categories:
Blind testing:
- pen-tester has limited information and knows very little to nothing about their target
- an IT employee who’s responsible for maintaining or defending the system is informed of the scope of the tests taking place
Double blind testing/aka/zero knowledge testing:
- neither the penetration tester or the target know anything about each other
- the target is unaware that the test is taking place
4
Q
What does “grey box testing” refer to ?
A
Grey box testing is when the penetration tester has partial knowledge of the system when they’re attempting to breach.
- helps reduces the cost of the penetration test by providing information that you know the tester could acquire (generally information available to the public)
- if you want the most reliable results from the test, it’s best to let the tester do their own thing w/ no prior knowledge. The pen-tester’s report will be the most credible if they manage to breach the system from nothing
5
Q
What does “white box testing”
A
White box testing is when the penetration tester is fully aware and accustomed of the workings of the system/company they’re attempting to breach.
- least reliable results as a whole
- best used for testing individual components of a system
