I. Recognize the fact that a penetration test, or pen test, is performed as part of a full-scale security audit.
II. Highlight that vulnerability testing is usually performed inside the organization’s security perimeter with complete knowledge of the networks’ configuration and operations; pen testing can be conducted in one of two ways—black box pen testing and white box pen testing.
III. Point out that in black box pen testing, or blind testing, the “attacker” has no prior knowledge of the systems or network configurations and thus must investigate the organization’s information infrastructure from scratch. In white box testing, also known as full-disclosure testing, the organization provides information about the systems to be examined, allowing for a faster, more focused test.
IV. Emphasize that a common methodology for pen testing is found in the Open Source Security Testing Methodology Manual (OSSTMM), a manual on security testing and analysis created by Pete Herzog and provided by ISECOM, the nonprofit Institute for Security and Open Methodologies.