Types of Penetration Tests
| Type | Description |
|---|---|
| Blackbox | Simulates method of an external attacker; no knowledge about the target environment; extensive and time-consuming |
| Graybox | Used in software development environments; execution of software tests with help of test-driven programming; uses aspects of Black- and Whitebox testing |
| Whitebox | Simulates attacks of an (former) employee; extensive knowledge about target environment; uses internal resources (e.g. documentations, policies, etc.) |
Intensities of Penetration Tests
| Level of Intensity | Description |
|---|---|
| Passive | Information on vulnarabilities are only documented. Sniffing of data is allowed. |
| Careful | Exploitation of found vulnerabilities is only done if it can be asured that the target system or environment will not be harmed. |
| Evaluating | Identified vulnerabilities are exploited against pre-defined systems. Before running an attack against a vulnerable system, the penster has to evaluate sucess and possible consequences. |
| Aggressive | Identified vulnerabilities are exploited in every possible way. Crashing of any system (even those that are not a direct target) is an excepted situation. |
Extends of Penetration Tests
Note: The first Penetration Test should always be a complete one.
| Extend | Description |
|---|---|
| Specific | From the very beginning it is defined which systems and components will be tested. Mostly used to test newly added systems in an enviroment where a complete Penetration Test has already been performed. |
| Limited | Usually includes several systems of the same type (e.g. Database Servers, Web Servers, etc.) |
| Complete | Includes the whole IT-Infrastructure including all IT-Systems and IT-Components. Excluded are sysems that are hosted externally and / or by 3rd parties and need dedicated approvals. |