Penetration Testing FAQs

What are the differences between Black, Gray, and White Box penetration tests?

    Black Box Penetration Test - a penetration test where the penetration tester has little to no knowledge of the system and either unauthenticated or only limited access to it. Black Box Penetration Test characteristics:

    • Unauthenticated Access
    • No documentation provided, other than target IP address or URL
    • Fairly thorough penetration test
    • Fairly time-consuming penetration test
    • Typically used to emulate an adversary with little knowledge about the target

    Gray Box Penetration Test - a penetration test where the penetration tester has "user" level knowledge about and access to a system.  A Gray Box Penetration Test is typically used when you want to test an insider threat or an application that supports multiple users.  The insider threat is tested to see what damage a user (non-administrator) could do to your environment.  Application testing is used to test authenticated user access to ensure a user on an application cannot access another user's data or escalate privileges. Gray Box Penetration Test characteristics:

    • User-level Access
    • Limited documentation provided
    • Fairly thorough penetration test
    • Fairly time-consuming penetration test
    • Typically used to test systems with multiple users or emulate insider threat

    White Box Penetration Test - a penetration test where the penetration tester has "administrator" or "root" level knowledge about and access to a system.  This often includes access to architecture diagrams, design documents, specifications, and source code.  A White Box Penetration Test is the most thorough and time-consuming. White Box Penetration Test characteristics:

    • Full Access at Root or Administrator level
    • Documentation intensive
    • Most thorough penetration test
    • Most time-consuming penetration test
    • Typically used during system development or prior to deployment

    What is the difference between a vulnerability assessment and a penetration test?

    A vulnerability assessment is less-intrusive than a penetration test.  With the vulnerability assessment, we identify vulnerabilities, but do not exploit them.  A penetration test goes beyond a vulnerability assessment by exploiting vulnerabilities and seeing how far into your environment an attacker can go by taking advantage of system or application vulnerabilities.

    What happens if during the penetration test you discover we already have an infection?

    This is quite common.  Any existing malware or breaches discovered during the penetration test will immediately result in a cessation of testing and be brought to the attention of the designated Point of Contact (POC). We can help with incident response, digital forensics, and malware analysis.

    Is the penetration test performed remotely or onsite?

    For an External Penetration Test against your internet-facing systems, we perform this service remotely.  For an Internal Penetration Test, we travel to your location and perform this service onsite.  To leverage the fact that we will be traveling to your location, we offer to bundle (at a discount) other services that require us to be onsite with the Internal Penetration Test, such as our Wireless Security Assessment and Physical Security Review.

    What are some of the common tactics used for Social engineering?

    Example of a fake Facebook page, designed to steal Facebook credentials.

    • Email phishing
    • Phone calls to users or the Helpdesk
    • In-person 
    • Social media
    • Text messages

    Is the social engineering test performed remotely or onsite?

    Typically we perform the Social Engineering Test remotely, unless In-person social engineering is requested.

    What are some of the common tactics used for Phishing?

    Attackers craft phishing messages typically with the following characteristics:

    • Curiosity - the message makes you so curious, you can't help but click on a link or open the attachment
    • Urgency - the message has a sense of urgency, where if you don't "take action" soon, something bad may happen to you, such as your credit card account being frozen
    • Fear - the message elicits fear, causing you to take action, such as a message claiming your computer is infected, is infecting other computers, and that you may be fined unless you "take action"

    What is the difference between phishing, spearphishing, and whaling?

    • Phishing is where a wide net is cast on a large group of users. An example of phishing is a fake LinkedIn invite sent to all users of an organization.
    • Spearphishing is targeted phishing. A subset of users is targeted and the phishing email is more specific than in phishing. An example of spearphishing is an email sent to the IT department, spoofed from the CTO, about the new two-factor password policy (attached as a PDF).
    • Whaling is targeted phishing, but the targets are the "whales" of the organization. The whales are typically the "C Level" users, like the CEO, CIO, CFO, COO, etc., or "VP" level users.

    Is the email phishing test performed remotely or onsite?


    What does a phishing email look like?

    If phishing is done properly, the email should look very realistic and be hard to tell from a legitimate email. Below is a sample phishing email from the "IRS".  Checking the "From" and "Reply-To" addresses and the hyperlinks reveals that the email is not legitimate and is phishing.

    Example of IRS Phishing Email. Notice the "From" and "Reply-To" addresses.
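The checks described in this answer, automated in Python as an added example (this is not code from the original FAQ or its authors): the script flags a Reply-To domain that differs from the From domain and hyperlinks whose visible text names a different host than the link actually targets. The sample message and every domain in it are constructed placeholders.

```python
# Added example (not from the original FAQ): flag the header and link
# mismatches the answer above tells readers to look for. The message
# below is constructed for illustration; its domains are placeholders.
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

SAMPLE_EML = """\
From: "Internal Revenue Service" <refunds@irs-refund-notice.example>
Reply-To: claims@mail-claims.example
To: employee@company.example
Subject: Your tax refund is pending - action required
Content-Type: text/html

<p>Click <a href="http://login.mail-claims.example/irs">https://www.irs.gov/refunds</a> to claim your refund.</p>
"""

def _domain(addr):
    """Return the lowercase domain part of an email address, or ''."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def _host(url):
    """Return the lowercase hostname of a URL, or ''."""
    return (urlparse(url).hostname or "").lower()

def phishing_indicators(raw):
    """Return human-readable indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = _domain(str(msg.get("From", "")))
    reply_dom = _domain(str(msg.get("Reply-To", "")))
    # Replies going to a different domain than the apparent sender is a classic tell.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    # Compare where each link really goes with the host its visible text claims.
    for href, text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        text = text.strip()
        shown = _host(text) if text.lower().startswith("http") else ""
        if shown and shown != _host(href):
            findings.append(f"Link text shows {shown} but points to {_host(href)}")
    return findings

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EML):
        print("-", finding)
```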

    Is Social Engineering or Phishing part of penetration testing?

    Yes, social engineering and email phishing can be used as part of a penetration test.  We prefer to offer our services in a line-item style so you can choose what works for you.  We also do "pure" penetration tests where we use a combination of multiple tactics, such as physical  (tailgating, badge cloning, etc.), social engineering, and technical.  If you are interested in this type of service, please contact us.