Penetration Testing or Vulnerability Assessment can take either of two main approaches from a management or birds eye perspective. Essentially the test can be overt or covert, commonly known as Black Box Testing and White Box Testing. These terms originate from the testing of many things in the engineering field, especially software.
Black box testing assumes no prior knowledge of the infrastructure to be tested, and the testers must first determine the location and extent of the systems before commencing their analysis (This stage is quite time consuming and is commonly known as Information Gathering). At the other end of the spectrum, white box testing provides the testers with complete knowledge of the infrastructure to be tested, often including network diagrams, domain names, phone numbers, e-mail addresses, source code and IP addressing information before they start.
There are several other variations in the middle, which are most common, known as Gray or Grey Box Testing
It really depends on how you look at it, but the pros and cons can be endlessly debated. It is said by many that Black Box Testing closely simulates the actions of a real cracker, and in most cases it is true. The fact remains though that any targeted attack on a system generally requires some kind of knowledge of the system and any inside attacker would be in possession of such information.
Many companies are interested in certain parts of the information gathering stage however, are they leaking information online, are phone numbers, names and other details easily available online? This area has become rather fashionable with the media lately and has been labeled as 'Google Hacking'.
In many cases it is preferable to assume a worst-case scenario and take the White Box Testing approach, this is to hand over all the information they require and assume any savvy, determined attacked would already have all of it. Also bear in mind White Box Testing is a lot more time-efficient so if you have a short schedule it is recommended.
It really depends on what your objective is for the project, your budget and any time constraints you have. Black Box Testing tends to be a lot more time consuming and manpower intensive but is a lot more thorough and seen by some as more realistic. White Box Testing is faster and to the point but doesn't give the sharp edge of a reality based test. After discussing your needs our team of specialists will recommend the best type of test for you and your organisation to meet any objectives you have any to ensure you reach the highest level of security possible within your limitations.