Automated vs. Manual
Automated and manual penetration testing can both be used to evaluate an
organization's security controls. Automated testing has become the mainstream
approach adopted by organizations because rapid technological change lets it
deliver economies of scale that manual testing cannot. A thorough manual test
may take several weeks and cost thousands of dollars, whereas an automated test
can be completed within several hours at lower cost. Automated tools can
therefore be more cost-effective and efficient when used properly. A further
benefit of automation is that organizations can run these tests as frequently
as they wish, whereas ethical hacking practitioners conduct testing only during
working hours.
On the other hand, automated tools invite overreliance and a false sense of
security: they do not guarantee that they will catch 100% of the security gaps
in a system, and they are only as effective as the individuals who programmed
and run them. In other words, there is a risk that an untrained employee who
handles and manages the automated testing can do more damage to the
organization than the expected benefit. Furthermore, automated testing lacks
the flexibility to substitute different scenarios that an extensive manual test
performed by a knowledgeable and experienced ethical hacking practitioner
offers.
An example of a company that performs automated penetration testing is iViz,
the first cloud-based penetration testing service, which provides high-quality
services for applications with an "on-demand SaaS experience". The benefits
include the use of artificial intelligence to simulate all types of intrusion
attacks, zero false positives with the aid of "business logic testing and
expert validation", the flexibility to conduct a penetration test at any time,
no required software or hardware, scalability, and a cost-subscription model.
What Salesforce did for customer relationship management, iViz has done for
penetration testing.
External vs. Internal
As identified above, testing should address both internal and external
threats. Internal testing is performed from within the organization's system
and simulates what an authorized user or employee could potentially do.
External testing, on the other hand, simulates the harm an external hacker
could cause from outside the system. The red team conducts intrusion attacks on
the organization's network through the Internet or an Extranet [25], generally
targeting the organization's servers or devices, such as the "Domain Name
Server, email server, web server or firewalls". It appears that internal
testing may be the more comprehensive of the two, because an authorized user
can use either the internal or the external system to hack into the
organization's information system.
Blind vs. Double-Blind vs. Targeted Testing
In a blind testing environment, the red team is provided only with publicly
available information, such as the organization's website, domain name registry
entries and any related discussion boards on the Internet. Working from this
limited information, the penetration testers accumulate what they need to
exploit the organization's security weaknesses. Blind testing can reveal
information about the organization that it would not otherwise have known, but
it can be more time-consuming and expensive because of the extensive research
required before the testing phase.
In a double-blind testing environment, the blind testing process is extended
so that the organization's IT and other staff are not informed beforehand about
the intended testing activities; they are therefore also "blind" to the test.
In this scenario very few people within the organization are aware of the
testing, and it requires continuous monitoring by the project sponsor so that
the testing procedures can be halted once the objective has been attained.
This test can also reveal the effectiveness of the organization's incident
monitoring, identification and response procedures.
In a targeted testing environment, the organization's IT and other staff are
notified about the testing activities beforehand, and the penetration testers
are provided with the network design layout and other related information. This
scenario may be more efficient and cost-effective because it tends to be less
time-consuming than either blind or double-blind testing. However, it may not
offer a "complete picture of an organization's security vulnerabilities and
response capabilities".