Weekly CISSP Practice

Exam Questions

Week 3 - Question 1

Question: During a penetration test, a tester was able to retrieve credit card numbers. What type of test was this?

A. Vulnerability scan

B. White box test

C. Black box test

D. Compliance audit

Correct Answer: C.

Detailed Explanations

A. Vulnerability Scan
A vulnerability scan is an automated, usually non-intrusive process that identifies known security weaknesses, missing patches, and misconfigurations in a network or application.

The Scope: It relies on a database of checks and signatures, typically mapped to identifiers such as CVE entries, to flag "potential" risks.

The Limitation: A scan might report that a database is "vulnerable to SQL injection," but it generally does not execute the exploit to prove it. In the context of the question, a scan identifies the risk that credit card numbers could be stolen; it does not actually retrieve that sensitive data.

B. White Box Test
In a white box test (also known as clear-box or glass-box testing), the tester is provided with full knowledge of the target environment. This includes architectural diagrams, source code, IP addresses, and user credentials.

The Focus: This is often a collaborative effort between developers and security testers to find deep-seated logic flaws or "hard-to-reach" bugs.

Comparison: A white box tester could certainly retrieve credit card numbers, but the scenario describes an outcome rather than a level of knowledge: a tester behaving like an intruder and gaining access to data. White box testing is usually chosen for exhaustive coverage rather than for simulating a breach, and the question gives no indication that the tester was handed internal knowledge.

C. Black Box Test
Black box testing most accurately reflects the scenario of an external adversary. In this methodology, the tester has zero prior knowledge of the infrastructure, source code, or internal protocols.

The Methodology: The tester must perform reconnaissance, enumeration, and exploitation from scratch.

Why it's the Answer: The successful retrieval of specific data (credit card numbers) shows that the tester did more than identify a weakness: they exploited it, whether by bypassing perimeter defenses or through an application-layer flaw, exactly what an unprivileged external attacker would attempt. This "proof of concept" is the defining characteristic of an active penetration test, and with no prior knowledge assumed, of one conducted from a black-box perspective.

D. Compliance Audit
A compliance audit is a formal review to determine if an organization is meeting specific regulatory requirements, such as PCI DSS (Payment Card Industry Data Security Standard) or HIPAA.

The Process: An auditor reviews policies, observes workflows, and examines system configurations to ensure "due care."

The Distinction: An auditor acts as a "check and balance." If they find credit card numbers stored in plain text (which PCI DSS prohibits), they will record a non-compliance finding. However, the auditor does not use "hacking" techniques to exfiltrate the data. Their goal is to verify that controls exist and operate, not to bypass them through exploitation.

Key Takeaway for the CISSP Exam
Remember: A vulnerability assessment tells you a vulnerability exists. A penetration test (like the black box test described) proves the impact of that vulnerability by exploiting it to reach sensitive assets. A compliance audit checks whether the required controls are in place; it neither scans for nor exploits weaknesses.
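To make the three distinctions concrete, here is an added example (not code from the original page) that shows one SQL injection weakness handled three ways against an in-memory SQLite database: a scan-style probe that reports a potential flaw, a penetration-test-style payload that proves impact by retrieving card numbers, and an audit-style check that tests whether the "no plaintext PAN storage" control exists. The schema, the `lookup_order_*` functions, the `scan_for_sqli`, `exploit_sqli` and `audit_plaintext_pans` helpers, and the sample data are all constructed for illustration; the card numbers are the industry's standard test PANs, not real cards.

```python
"""Added example (not from the original page): one SQL injection weakness
seen as a vulnerability scan, as a penetration test, and as a compliance
audit, against an in-memory SQLite database.

All names, the schema and the sample rows are constructed for illustration.
"""
import sqlite3

# Constructed sample data. The PANs are standard test numbers, not real cards.
ORDERS = [(1, "book"), (2, "lamp")]
CARDS = [(1, "alice", "4111111111111111"), (2, "bob", "5555555555554444")]


def build_db():
    """Create the demo database: an orders table plus a cards table that
    stores primary account numbers (PANs) in plain text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, item TEXT)")
    conn.execute("CREATE TABLE cards (id INTEGER, owner TEXT, pan TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", ORDERS)
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?)", CARDS)
    return conn


def lookup_order_vulnerable(conn, order_id):
    """Deliberately vulnerable: user input is pasted into the SQL text."""
    sql = f"SELECT item FROM orders WHERE id = {order_id}"
    return [row[0] for row in conn.execute(sql)]


def lookup_order_fixed(conn, order_id):
    """Hardened: validate the input type, then bind it as a parameter so the
    database never parses it as SQL."""
    try:
        oid = int(order_id)
    except (TypeError, ValueError):
        return []
    rows = conn.execute("SELECT item FROM orders WHERE id = ?", (oid,))
    return [row[0] for row in rows]


def scan_for_sqli(conn, lookup):
    """Vulnerability-scan style check. A syntax-breaking probe that produces a
    database error only shows that input reaches the SQL parser. Nothing is
    retrieved; the result is a *potential* finding."""
    try:
        lookup(conn, "1'")
    except sqlite3.OperationalError:
        return "potential SQL injection: database error on probe input"
    return "no finding"


def exploit_sqli(conn, lookup):
    """Penetration-test style proof of impact. The payload makes the order
    query also return every PAN in the cards table; the rows that come back
    are the evidence that data can actually be retrieved."""
    payload = "0 UNION SELECT pan FROM cards"  # id 0 matches no real order
    return sorted(lookup(conn, payload))


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def audit_plaintext_pans(conn):
    """Compliance-audit style check: does the 'no plaintext PAN' control
    exist? Counts stored values that look like valid card numbers. The
    auditor inspects data at rest; nothing is exploited."""
    rows = conn.execute("SELECT pan FROM cards")
    return sum(
        1 for (pan,) in rows
        if pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)
    )


if __name__ == "__main__":
    db = build_db()
    print("scan    (vulnerable):", scan_for_sqli(db, lookup_order_vulnerable))
    print("exploit (vulnerable):", exploit_sqli(db, lookup_order_vulnerable))
    print("scan    (fixed):     ", scan_for_sqli(db, lookup_order_fixed))
    print("exploit (fixed):     ", exploit_sqli(db, lookup_order_fixed))
    print("audit: plaintext PANs stored =", audit_plaintext_pans(db))
```

Run against the vulnerable lookup, the scan only reports an error on the probe, while the exploit returns both PANs; against the fixed lookup, both come back empty. The audit check still counts two plaintext PANs either way, because fixing the injection does nothing about how the data is stored, which is exactly why a clean penetration test is not the same thing as PCI DSS compliance.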
