A penetration test (also known as a pentest) is a security
assessment that simulates the activities of real-world attackers to
identify security holes in your IT systems or applications.
The aim of the test is to understand what vulnerabilities you
have, how they could be exploited, and what the impact would be if
an attacker was successful.
Usually performed first, an external pentest (also known as
external network penetration testing) is an assessment of your
perimeter systems. Your perimeter is all the systems that are
directly reachable from the internet. By definition, they are
exposed and are, therefore, the most easily and regularly
attacked.
Testing for weaknesses
External pentests look for ways to compromise these external,
accessible systems and services to access sensitive information and
see how an attacker could target your clients, customers or
users.
In a high-quality external pentest, the security professional(s)
will copy the activities of real hackers, like executing exploits
to attempt to gain control of your systems. They will also test the
extent of any weaknesses they find to see how far a malicious
attacker could burrow into your network, and what the business
impact of a successful attack would be.
Run external pentests first
External penetration testing assumes the attacker has no prior
access to your systems or networks. This is different to an
internal penetration test which tests the scenario where an
attacker already has a foothold on a compromised machine or is
physically in the building. It usually makes sense to cover off the
fundamentals first and consider internal testing after both regular
vulnerability scanning and external penetration testing have been
done.
How to perform external penetration testing
So how do you go about getting an external penetration test?
Scheduling an external pentest should be as simple as asking your
managed service provider or IT consultancy, and pointing them at
your perimeter systems (a list of domains and IP
addresses/ranges).
An external pen test is normally run on a “Black Box” basis,
which means no privileged information (such as application
credentials, infrastructure diagrams, or source code) is provided
to the testers. This is similar to where a real hacker targeting
your organisation would start from, once they’ve discovered a list
of your IPs and domains.
But there are a few important pointers and pieces of due diligence
worth bearing in mind when organising your external penetration
test:
- Who’s performing your test? Are they a qualified penetration tester? You can find out more about penetration testing certifications and choosing a consultancy in the guide on how to choose a penetration testing company[1].
- How much will you be charged? Quotes are normally based on a day-rate, and your job is scoped based on the number of days it will take to do the assessment. Each of these can vary between companies, so it might be worth shopping around to see what’s on offer.
- What is included? Respectable service providers should offer you a proposal or statement of work that outlines the work to be undertaken. Look out for what’s in and what’s out of scope.
- What else is recommended? Choose a provider that includes checking your exposed services for re-use of breached credentials, password spraying attacks, and web application testing on publicly accessible applications.
- Should you include social engineering? It can be a good value-add, though this type of testing is almost always successful when attempted by an attacker with enough determination, so it shouldn’t be a hard requirement if your budget is limited.
External penetration testing vs. vulnerability scanning
If you’re familiar with vulnerability scanning, you’ll notice
that an external pentest shares some similarities. So, what’s the
difference?
Typically, an external penetration test includes a full external vulnerability scan[2], but that’s just where
it gets started. All output from scanning tools will be
investigated manually by a pentester to remove false positives, run
exploits to verify the extent/impact of the weakness, and “chain
together” multiple weaknesses to produce more impactful
exploits.
Where a vulnerability scanner would simply report that a service
has a critical weakness, a pentest would try to exploit that
weakness and gain control of the system. If successful, the
pentester will use their access to go further, and compromise
further systems and services.
Pentests deep dive into vulnerabilities
While vulnerability scanners often identify potential issues, a
penetration tester would explore those fully and report on whether
the weakness needs attention or not. For example, vulnerability
scanners routinely report on ‘Directory Listing’, which is where
web servers offer a list of all the files and folders on the
server. This is not necessarily a vulnerability on its own, but it
does need investigation.
If a sensitive file (like a backup configuration file containing
credentials) is exposed and listed by directory listing, a simple
informational issue (as reported by a vulnerability scanner) could
be quickly turned into a high impact risk to your organisation. The
pentester’s job includes carefully reviewing output from a range of
tools, to make sure that no stone is left unturned.
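As an added illustration (not part of the original article, and not Intruder's tooling), the following Python script triages a directory-listing page the way the paragraphs above describe: the listing itself is rated informational, and it is only escalated to high impact when the listed names point at backups, dumps or configuration files that are likely to hold credentials. The HTML body and the list of sensitive-name patterns are constructed for the example; tune the patterns to your own environment.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the HTML an Apache/nginx autoindex page returns for
# an exposed /backup/ directory. Not captured from any real host.
SAMPLE_LISTING = """<html><head><title>Index of /backup/</title></head>
<body><h1>Index of /backup/</h1><hr><pre>
<a href="../">../</a>
<a href="site.tar.gz">site.tar.gz</a>
<a href="config.php.bak">config.php.bak</a>
<a href="logo.png">logo.png</a>
<a href="notes.txt">notes.txt</a>
</pre><hr></body></html>"""

# Hypothetical list of filename patterns that usually indicate secrets.
SENSITIVE_PATTERNS = [
    r"\.bak$", r"\.old$", r"\.orig$", r"~$",          # editor / backup copies
    r"\.sql$", r"\.sql\.gz$", r"\.dump$",            # database dumps
    r"\.tar\.gz$", r"\.zip$", r"\.7z$",              # archives of the site
    r"^\.env$", r"^\.git", r"^\.htpasswd$",          # dotfiles holding secrets
    r"config", r"settings", r"credential", r"secret", r"password",
]


class _LinkCollector(HTMLParser):
    """Collects href targets from anchor tags in the listing."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_directory_listing(html):
    """Apache and nginx autoindex pages carry an 'Index of /...' title."""
    return re.search(r"<title>\s*Index of /", html, re.I) is not None


def listed_files(html):
    """Return plain file names from the listing (parent and sub-directories dropped)."""
    parser = _LinkCollector()
    parser.feed(html)
    return [h for h in parser.hrefs if h not in ("../", "./") and not h.endswith("/")]


def sensitive_files(names):
    """Names that match any of the sensitive patterns (case-insensitive)."""
    return [n for n in names if any(re.search(p, n, re.I) for p in SENSITIVE_PATTERNS)]


def triage(html):
    """Rate the finding as a tester would: informational unless sensitive files are exposed."""
    if not is_directory_listing(html):
        return {"listing": False, "severity": "none", "files": [], "sensitive": []}
    files = listed_files(html)
    hits = sensitive_files(files)
    severity = "high" if hits else "informational"
    return {"listing": True, "severity": severity, "files": files, "sensitive": hits}


if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

Running the script on the constructed listing rates it high because `site.tar.gz` and `config.php.bak` are listed; a listing of only images would come back as informational, which is exactly the distinction a scanner on its own does not draw.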
What if I need more rigorous testing?
Some further activities which a real attacker would perform
which are not performed by vulnerability scanners may also be
included, but these vary between testers. Check the proposal or ask
questions before scheduling the pentest if you’d like these to be
in scope. For example:
- Sustained password-guessing attacks (spraying, bruteforce) to try to compromise user accounts on exposed VPNs and other services
- Scraping the dark web and breach databases for known breached credentials of your employees, and stuffing them into administrative panels and services
- Web application testing where a self-registration mechanism is available
- Social engineering attacks such as phishing your employees
Pentests can’t replace regular vulnerability testing
Remember that new critical vulnerabilities are discovered daily,
and attackers usually exploit the most serious weaknesses within a
week of their discovery.
Whilst an external penetration test is an important assessment
to take a deep look into the security of your exposed systems, it’s
best used as an extra service to complement regular vulnerability
scanning – which you should already have in place!
About Intruder
Intruder[3]
is a cyber security company that helps organisations reduce their
attack surface by providing continuous vulnerability scanning and
penetration testing services. Intruder’s powerful scanner is
designed to promptly identify high-impact flaws, changes in the
attack surface, and rapidly scan the infrastructure for emerging
threats. Running thousands of checks, which include identifying
misconfigurations, missing patches, and web layer issues, Intruder
makes enterprise-grade vulnerability scanning easy and accessible
to everyone. Intruder’s high-quality reports are perfect to pass on
to prospective customers or comply with security regulations, such
as ISO 27001 and SOC 2.
Intruder offers a 30-day free trial of its vulnerability
assessment platform. Visit their website today to take it for a
spin!
References
- [1] How to choose a penetration testing company (www.intruder.io)
- [2] External vulnerability scan (www.intruder.io)
- [3] Intruder (www.intruder.io)
Read more https://thehackernews.com/2022/11/what-is-external-penetration-test.html
