COMMON PEN TESTING STRATEGIES:

Commonly used penetration testing strategies:

• External testing: The attack is within organization's network perimeter using procedures performed from outside the organization's systems, e.g., the Extranet and Internet.

• Internal testing: The attack is performed from within the organization’s environment, this test attempts to understand what could happen if the network perimeter were successfully penetrated or what an authorized user could do to penetrate specific information resources within the organization's network.

• Blind testing: The penetration tester tries to simulate the actions of a real hacker. The testing team has little or no information about the organization but instead must rely on publicly available information (such as corporate website, domain name registry, etc.) to gather information about the target and conduct its penetration tests.

• Double blind testing: In this form of testing, only a few people within the organization are made aware of the testing. The IT and security staff are not notified or informed beforehand, and as such, they are "blind" to the planned testing activities. Double-blind testing helps test an organization's security monitoring and incident identification processes, as well as its escalation and response procedures.

• Targeted testing: Target testing involves both IT and penetration testing teams. Testing activities and information concerning the target and the network design are known going in. Targeted tests require less time and effort than a blind test, but typically don’t provide as complete a picture of an organization's security vulnerabilities and response capabilities as other testing strategies.