Penetration testing methods
External penetration tests target the company’s assets that are reachable from the Internet, for example, the web application itself, the company’s website, and its mail and DNS servers. The goal is to gain access and extract valuable data.
During internal testing, a pentester with access to the application behind the firewall simulates an attack launched from inside the network. A typical starting scenario is an employee whose credentials were stolen in a phishing attack.
In blind testing, the tester is given only the name of the target company. This lets security personnel watch in real time how an actual attack on the application would unfold.
In a double-blind test, the information security staff receive no advance notice of the simulated attack. Just as in the real world, they have no time to strengthen their defenses before the intrusion attempt begins.
In targeted testing, the tester and the security staff work together and keep each other informed of their actions. This is a valuable training exercise that gives the security team real-time feedback from the attacker’s point of view.