
Penetration testing — pen testing for short — does not need to be a full-blown simulated cyber attack. In most cases, a pen test focuses on one or more aspects of your company’s digital assets, but in an open and transparent way. The aim of a pen test may be to uncover security issues in your external infrastructure — your Internet-connected, public assets — or it may focus on a single web or mobile application. It could also look at the way your cloud-based infrastructure is configured (as opposed to the infrastructure itself). A penetration test could be one or all of these things combined, and that depends on what you have, and where the biggest threats are likely to be.

At the more extreme end of pen testing is red teaming, which does aim to simulate a real attack and test your blue team’s capabilities. It is quite possible that if you’re reading this, then you are your company’s blue team, or it may be that you don’t have one… yet! Red team engagements are usually reserved for organisations that are already undertaking regular pen testing, and are confident about their overall security posture. There are plenty of ways of improving security across the board before reaching the red team stage. This includes actions you can undertake internally, as well as services available from trusted partners.

In this blog series, the team and I at Cyber Security Specialists will take you through the various types of penetration testing — what they are, and how they are useful to your business. We will also show you how to best prepare for these security assessments, the kind of information penetration testers require from you (and why they need it), and what you can do on your own to bolster security.

First up, we will take a look at the external penetration test (often referred to as an external assessment). This can be considered the starting point for any organisation that exposes devices to the public Internet. These could be web servers, API servers, firewall appliances, VPN servers — anything that has a public IP address, regardless of how or where it’s hosted.

External Infrastructure Assessment

The penetration tester, whom you will already have met, will let you know when they begin. Most external assessments commence with port scanning: each in-scope system reachable from the public Internet is checked to see which ports are open and accessible, covering both transmission control protocol (TCP) and user datagram protocol (UDP) ports. UDP scanning is slower and less conclusive than TCP scanning, because many UDP services do not answer an unsolicited probe, so expect some UDP ports to be reported as "open|filtered" pending manual verification. You will have provided a list of Internet protocol (IP) addresses ahead of time, and it is these hosts that form the scope of the assessment.

After port scanning, the tester gathers more detail about each open port: which software is listening there and, where it can be determined from banners and protocol probes, which version. If a publicly known vulnerability exists for any of the software observed, this will be investigated further. A good penetration tester will always attempt to exploit any vulnerabilities identified, but only when that can be done safely and without causing disruption. You should expect them to contact you if there is any question over whether an exploitation attempt is likely to cause disruption.

When vulnerabilities are identified, you will receive the details either in real time, at the end of the assessment in the penetration test report, or both. Most penetration testers will notify you as soon as they find something deemed to be high risk. It is up to you whether you would like to be informed of lower severity vulnerabilities in real time too.

Pen testing does not stop at finding known vulnerabilities. The tester will investigate anything that seems out of place, and if you are thinking this does not sound like an exact science, it is not! Methodology and automated tools work up to a point, but the manual, exploratory approach is also needed. Testers will also look for anything that is misconfigured, and what that covers depends on what they encounter. Anything that poses a security risk now, or is likely to become an issue in the future, will be raised with a rating based on the perceived risk.

What We Need From You

The following information is required ahead of time, to ensure a report free from caveats:

  • A list of external hosts that you own and have permission to authorise testing on
  • Access to key personnel for clarification and information gathering both before and during the assessment
  • Agreement on the start and end dates of the assessment
  • Your signed, written permission to test

Why You Need This Type of Assessment

You should assume that your external assets are under constant surveillance from threat actors. The less you expose here, the less chance there is of an (often simple and automated) attack taking critical services offline. Simple attacks could also lead to bad actors accessing your customers’ data or abusing your infrastructure for other nefarious purposes. External penetration testing identifies weaknesses that attackers from outside your organisation will target and attempt to exploit. By identifying and mitigating vulnerabilities in your external-facing systems, you can help prevent unauthorised access, data breaches, and other cyber threats that originate from the public Internet.

What Can I Do Now?

  • Start by making an inventory of your external hosts, or checking that your existing lists are up to date. You cannot protect what you do not know about!
  • Use a well-known and freely available tool like Nmap — “network mapper” — to identify what ports and services you are currently exposing to the Internet.
  • Perform scanning for known vulnerabilities using automated tools — these tools are often not free but you do not necessarily need to buy them yourself. Consider using Cyber Security Specialists’ CS 360 Managed Service which includes external vulnerability scanning on all plans, plus much more!
  • Keep the software that exposes services externally up to date; perform regular checks for updates and patches.
  • Reduce what you are exposing publicly by removing what you do not need, or moving it behind a VPN or firewall rule that allows only trusted hosts.
  • Schedule regular external penetration tests to supplement the other work you are doing — Cyber Security Specialists provide this as a separate service.
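The first two items on this list, and the port-scan-then-service-detection steps described in the assessment section above, can be turned into a repeatable check against your own inventory. The script below is an added example, not code from the original post or from any Cyber Security Specialists tool. It parses Nmap's XML output (produced with, for instance, `sudo nmap -sS -sU -sV --top-ports 1000 -oX scan.xml <your ranges>`) and reports every reachable port that the inventory does not account for, including hosts that are not in the inventory at all. The embedded XML, the addresses (documentation ranges), the product versions and the `INVENTORY` allow-list are all constructed for the example.

```python
"""Compare an Nmap scan of your public hosts with an inventory of what each
host is meant to expose. Added example script, not from the original post.

Produce real input with, for example:
    sudo nmap -sS -sU -sV --top-ports 1000 -oX scan.xml 203.0.113.0/28
and pass the contents of scan.xml to parse_nmap_xml() instead of SAMPLE_XML.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample in Nmap's XML layout. Addresses are from the TEST-NET-3
# documentation range and the products/versions are invented for the example.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX scan.xml 203.0.113.0/28">
<host><status state="up"/><address addr="203.0.113.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="9.6p1"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.24.0"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="8.0.36"/></port>
<port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
</ports></host>
<host><status state="up"/><address addr="203.0.113.11" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https" product="Apache httpd" version="2.4.58"/></port>
<port protocol="udp" portid="53"><state state="filtered"/><service name="domain"/></port>
</ports></host>
<host><status state="up"/><address addr="203.0.113.12" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
</ports></host>
</nmaprun>
"""

# Hypothetical inventory: the (protocol, port) pairs each public host should
# expose. A host missing from here is an asset nobody has accounted for.
INVENTORY = {
    "203.0.113.10": {("tcp", 443)},   # public web server, HTTPS only
    "203.0.113.11": {("tcp", 443)},   # second web server
}

# Nmap states that mean the port is not reachable from the Internet.
UNREACHABLE = {"closed", "filtered", "closed|filtered"}


@dataclass(frozen=True)
class Service:
    host: str
    proto: str      # "tcp" or "udp"
    port: int
    state: str      # "open", or "open|filtered" for ambiguous UDP results
    name: str       # Nmap's service name guess, e.g. "ssh"
    banner: str     # product and version from -sV, if detected


def parse_nmap_xml(xml_text):
    """Return one Service per reachable port in an Nmap -oX document."""
    services = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            if state in UNREACHABLE:
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            parts = [svc.get("product"), svc.get("version")] if svc is not None else []
            services.append(Service(
                host=addr.get("addr"),
                proto=port.get("protocol"),
                port=int(port.get("portid")),
                state=state,
                name=name,
                banner=" ".join(p for p in parts if p),
            ))
    return services


def review_exposure(services, inventory):
    """Flag every reachable port the inventory does not account for.

    Returns (host, proto, port, reason) tuples. Ports that are in the
    inventory are silent: they are expected, though their banners are still
    worth reading to decide whether the version is current.
    """
    findings = []
    for s in services:
        expected = inventory.get(s.host)
        if expected is None:
            findings.append((s.host, s.proto, s.port, "host not in inventory"))
        elif (s.proto, s.port) not in expected:
            reason = f"unexpected {s.name or 'service'}"
            if s.banner:
                reason += f" ({s.banner})"
            if s.state == "open|filtered":
                reason += "; UDP state ambiguous, verify manually"
            findings.append((s.host, s.proto, s.port, reason))
    return findings


if __name__ == "__main__":
    for host, proto, port, reason in review_exposure(parse_nmap_xml(SAMPLE_XML), INVENTORY):
        print(f"{host:15} {proto}/{port:<5} {reason}")
```

On the sample data the script reports SSH and MySQL on the first web server, an SNMP port whose UDP state Nmap could not settle, and a host on 8080 that is not in the inventory at all. Run the scan from outside your own network (a cloud VM is fine) so that you see what the Internet sees rather than what your office firewall permits, use `-p-` instead of `--top-ports` when you can afford the time, and keep the inventory in version control so that each run is a diff against what you last agreed should be exposed.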

Okay, so you’ve got your external assets locked down — what’s next? I can relax now, right?

Getting your external infrastructure in order is a crucial part of improving your organisation’s overall security so you should celebrate any small wins you’ve accrued so far. Do not stop here though; there’s more work to be done. In the next instalment, we will take a look at web application testing and why anyone with a web app should be doing this, and why it was not covered in your external penetration test!

Cyber Security Specialists are committed to helping you protect your business from cyber threats through comprehensive penetration testing services. Whether you need to secure your external-facing assets, internal network, web applications, or cloud infrastructure, our team of experts is here to assist you. Contact us today to learn more about how we can help you enhance your security posture and defend against cyber attacks.