There are three types of penetration test you will come across in your career: black box, white box, and grey box. The key difference between them is how much information you are given before you begin your attacks.
In black-box testing, you are essentially playing the role of an outside attacker. You are given little to no information about your target, so you must perform reconnaissance yourself.
You’ll need to compile research about the organization, its technology, and its employees. Beware though: you still need legal *written* permission from every organization that would be affected by your penetration test. Conducting reconnaissance is in many cases the most time-consuming and expensive part of the work. One alternative that has emerged is bug bounty hunting. Platforms such as HackerOne let freelancers seek out vulnerabilities in participating organizations and report them through an agreed process, and in return they are paid for their findings.
White-box testing, in contrast, is the exact opposite. You are given as much information as the organization is willing to provide for your testing: for example, its organizational structure, network maps, server details, and email addresses. In these scenarios you may still need to conduct reconnaissance, but it matters far less.

When you are given only some of this information, the engagement is known as a grey-box test. Acting as an insider threat, you have more knowledge with which to plan a smarter attack campaign. As you would guess, it is not realistic to play the role of an outsider when you have been given all the information about an organization and its IT infrastructure. Likewise, you wouldn’t ask someone to simulate an insider threat and then withhold the information an insider would typically already have.
The type of test that needs to be completed really depends on why the organization needs it. Perhaps it is a compliance-driven test that the organization is required to conduct. The best-known example is PCI DSS (Payment Card Industry Data Security Standard) requirement 11.3, which applies to any business or organization that handles card payments. Or perhaps the organization understands that it is always under adversary attention and wants to run red-team and blue-team exercises.
Finally, no matter what type of test is being conducted, the necessary agreements and permissions must be in place before your work begins! Otherwise, you can face legal consequences.