Penetration testing methods
External testing
External penetration tests target the company’s assets available on the Internet, for example, the web application itself, the company’s website, as well as mail servers and DNS servers. The goal is to access and extract valuable data.
Internal testing
During internal testing, a pentester with access to the application behind a firewall simulates an attacker’s attack. A typical starting scenario may be an employee whose credentials were stolen as a result of a phishing attack.
Blind testing
In blind testing, only the name of the target company is reported to the tester. This allows security personnel to see in real time how the actual attack on the application will take place.
Double-blind testing
In a double-blind test, information security specialists do not have preliminary information about the simulated attack. Just like in the real world, they won’t have time to strengthen their defenses before attempting a hack.
Targeted testing
In this scenario, both the tester and the security staff work together and keep each other informed of their actions. This is a valuable training exercise that gives the security team real-time feedback from the hacker’s point of view.