Commercial penetration testing is the process of controlled security assessment or audit, performed in such a manner as to reveal weaknesses and vulnerabilities. These processes help expose infrastructure weaknesses, which in turn allows a company to implement fixes for these security holes. While this process simulates real-world attacks, it is not a random brute-force undertaking. In commercial penetration testing there are standards and methodologies that provide a detailed roadmap of practical ideas and proven practices (Halfond, 2011).
Enterprise-level penetration testing is usually performed by third-party consultants. Shifting this testing from internal to external staff gives an even more accurate result, because internal stakeholders may have inside knowledge that an attacker will not have, or may omit some of the necessary testing out of overconfidence in the system or a desire to avoid finding weaknesses in something they had a direct hand in implementing. This is not to say that there is no place for internal testing during implementation and maintenance. The important thing to note is that penetration testing is usually the last step in a security assessment plan, and it is a very aggressive form of testing performed by highly qualified individuals.
"Although there are different types of penetration testing, the two most general approaches that are widely accepted by the industry are Black-Box and White-Box " (Ali, Heriyanto, 2011). Black-Box penetration testing is defined as external testing performed remotely by testers that have no inside knowledge of the infrastructure being tested. This testing employees many of the tools a real outside threat would employee to compromise an enterprise level business. During this testing it is likely that not only will known vulnerabilities be exposed but there is also a good chance that unknown vulnerabilities will be revealed. In this testing it is up to the black-hat auditor to indentify, list and categories each vulnerability. The assessment of the risk is categorized in low, medium and high categories according to the severity of the threat and possible financial loss. The black-hat auditor then takes all of this information and produces a report outlining all of this information for the business (Ali, Heriyanto, 2011).
In contrast to black-box testing methods, white-box testing is done internally. While the auditor may still be a third party, they are given explicit information about the underlying technologies of the business's target environment. This allows the auditor to focus efforts on compromising known systems, as opposed to black-box testing, which throws every tool at the process. "The number of steps involved in white-box testing is a bit more similar to that of black-box, except the use of the target scoping, information gathering, and identification phases can be excluded" (Ali, Heriyanto, 2011). With this more refined,...