There are several approaches used in performing security assessments and penetration tests. InteliSecure provides a holistic view of an organization’s security posture by offering many options to evaluate different attack vectors.
Internal vs. External Assessments
Internal and external assessments relate to network/infrastructure and application testing. As you would suspect, the terms refer to where the assessment or test originates. An internal assessment or test originates from inside the organization and could mimic a malicious insider or well-meaning employee gaining access to, or exposing, sensitive information. External assessments or tests mimic how an external actor would attempt to gain access to sensitive information from outside the organization by targeting its public-facing profile and architecture.
White / Black / Gray Box Testing
Penetration testing options include black box, white box and gray box tests.
- White box, or authenticated, tests target the security of your underlying technology with the full knowledge of your IT department. Information typically shared with the tester includes network diagrams, IP addresses, system configurations and access credentials. This type of testing allows for ‘role-based’ testing, in which InteliSecure penetration testers act as various individuals within, or connected to, an organization.
- Black box, or unauthenticated, tests closely represent a hacker attempting to gain unauthorized access to a system or IT infrastructure to obtain and exfiltrate data. Black box penetration testing evaluates both the underlying technology and the people and processes in place to identify and block real-world attacks. InteliSecure testers will not have prior knowledge of your organization and architecture.
- Gray box testing lies between black and white. Testers will have knowledge of some areas but not others. These areas are defined at the start of an engagement.