What Is Penetration Testing: An Overview of Its Various Types

Vulnerability Assessment

Vulnerability Assessments are most often used by organisations that want to identify the vulnerabilities present in their infrastructure and get a high-level overview of their security posture. They involve an external approach and are fully automated.

Vulnerability Assessments are useful for companies that do not have visibility or understanding of their security posture. A vulnerability assessment can often be used as the first stage of a larger penetration testing project.

For organisations with legacy infrastructure, it is a quick, cost-effective way to identify and focus on software versions and systems that can be fixed easily.

Penetration Testing

A Penetration Test aims to exploit the vulnerabilities of an organisation’s cybersecurity arrangements before a malicious party does. It uses a combination of automatic and manual techniques to identify issues within the infrastructure, systems and operations.

External Penetration Test

An external penetration test replicates a real-life attack, searching for vulnerabilities that can be exploited by a hacker. This type of analysis aims to target everything Internet-facing. The penetration tester will focus on identifying network vulnerabilities. This can include issues with network services and hosts, devices, web, mail and FTP servers.

Objective Examples: Obtaining internal access to the network

Internal Penetration Test

An internal penetration test aims to identify and exploit internal vulnerabilities. Vulnerabilities can range from misconfigurations through to unpatched software and social engineering. The approach would be similar to an external penetration test, and the process followed would be the same.

Often the aim of this test can be unique to each client. A customer’s objective could be to gain access to a sensitive file or the domain controller with full admin rights, to elevate privileges or to perform an overall security assessment.

This type of test is only possible with access to the internal network, either provided by the customer or gained by dropping a device such as a drop box or Raspberry Pi onto any open network port, or by exploiting a compromised system, i.e. emails.

Objective Examples: Leveraging internal access to obtain access to important assets on the network

Web Application Penetration Test

The web application pen test aims to find weaknesses in applications programmed in-house or in out-of-the-box solutions, as well as in poorly coded websites.

Web apps are vulnerable to many types of attack, often made possible by misconfigurations in server builds or by bad coding practices. Vulnerabilities are often identified within functions where user input is received, such as website search, address fields and file uploads, where SQL queries can be passed to gain access to back-end databases. If any of those functionalities is not appropriately secured, an attacker could exploit it to upload a malicious document that creates a back door, giving a user unauthorised access to the underlying server it is running on.

Because the world wide web is publicly exposed, many websites and online stores come under constant attack. Identifying these vulnerabilities before anyone else does allows remediation actions to take place to secure the web app.
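The website search case described above, as an added example (not code from the original page): a search handler that builds its SQL by string concatenation, next to one that binds the search term as a parameter, both run against a constructed in-memory SQLite table. The table, function names and sample inputs are assumptions made for illustration.

```python
import sqlite3

def build_db():
    """Constructed sample catalogue: two published rows, one unpublished."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, published INTEGER)")
    db.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("red kettle", 1), ("blue kettle", 1), ("unreleased toaster", 0)],
    )
    return db

def search_concatenated(db, term):
    """Weak form: the term is pasted into the SQL text, so quote characters
    in the input become part of the query instead of part of the data."""
    sql = ("SELECT name FROM products WHERE published = 1 "
           "AND name LIKE '%" + term + "%'")
    return sorted(row[0] for row in db.execute(sql))

def search_parameterised(db, term):
    """Hardened form: the term is bound as data and its LIKE wildcards are
    escaped, so it can only match literal text inside the name column."""
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    sql = ("SELECT name FROM products WHERE published = 1 "
           "AND name LIKE ? ESCAPE '\\'")
    return sorted(row[0] for row in db.execute(sql, (f"%{escaped}%",)))

def compare(term):
    """Run both handlers on the same input and return (weak, hardened)."""
    db = build_db()
    return search_concatenated(db, term), search_parameterised(db, term)

if __name__ == "__main__":
    # Constructed inputs: an ordinary term, then one containing a quote.
    for term in ("kettle", "' OR 1=1 --"):
        weak, hardened = compare(term)
        print(f"{term!r}: concatenated={weak} parameterised={hardened}")
```

With the second input the concatenated handler also returns the unpublished row, while the parameterised handler returns nothing because no product name contains that text.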

Examples: Brute-force attack, Error handling, SQL Injection and XSS

Social Engineering

Manipulating people into leaking sensitive information and providing an external malicious agent with unwarranted access to a network or a building is considered social engineering. It exploits the gaps in cybersecurity education in organisations and employs psychological persuasion.

The penetration tester will research different aspects of the company and its people, drawing on social media and current events, to gain the trust of the host and blend in with the organisation. Social engineering is not limited to physical infiltration, however; it can also involve the use of email, social media and calls.

Performing such a test can reveal the gaps in cybersecurity awareness of the organisation’s people and stress the importance of employee training.

Examples: Phishing campaigns, traditional scamming techniques such as authority figure impersonation

Red Team Engagement

A red team engagement is the more advanced version of a penetration test, appropriate for companies with mature, well-established security arrangements. Compared to a penetration test, it tends to take longer and often requires multiple testers. The main objective is not to find and exploit all vulnerabilities; instead, it is a targeted attack with a single objective, aiming to be completely unnoticeable. Such tests are performed in scenarios where there is an immediate Blue team (Response Team) to stop a Red team (Attackers) in their tracks.

Black-Box Testing

In black-box testing, a tester doesn’t have any information about the internal working of the software system. It is a high-level assessment that focuses on the behaviour of the software. It involves testing from an external or end-user perspective. Black-box testing can be applied to virtually every level of software testing: unit, integration, system, and acceptance.

White-Box Testing

White-box testing is a testing technique that checks the internal functioning of the system. In this method, testing is based on coverage of code statements, branches, paths or conditions. White-box testing is considered low-level testing. The white-box testing method assumes that the path of the logic in a unit or program is known.
