In the world of Penetration Testing, there are many methods for testing the strength of your company’s defense mechanisms and the controls you have put into place. In a previous article series on Penetration Testing, we did a deep dive into the following kinds of tests:
- Vulnerability assessments
- Web Application testing
- Dark Web monitoring and scanning.
In this article, we will describe yet another form of penetration testing known as External Penetration Testing.
What is an External Penetration Testing?
When people talk about Penetration (Pen) Testing, they often confuse internal testing with external testing. However, there are important differences between the two.
For example, internal Pen Testing looks for vulnerabilities in the internal environment of your business. This typically includes the following:
- Access points (both logical and physical points)
- The Wi-Fi system
- Firewalls, routers, and Network Intrusion Devices.
But with external Pen Testing, the goal is to ascertain weaknesses that may exist from the environment outside of your business. In other words, you want to discover any gaps your lines of defense from the outside going in—gaps that might allow a Cyberattacker to break in.
External Pen testing typically includes the following:
- Source Code testing (especially those of web-based applications)
- Identity Management Testing
- Authentication/Authorization Testing
- The testing of any other client-facing applications—a critical test as today’s Remote Workforce takes a permanent hold
- Testing the integrity of the lines of network communications, especially the Virtual Private Networks (VPN’s)
- The testing of various Session Management systems that are taking place between the server and the client, since you do not want network-based requests to go unfulfilled for an extended period of time
- The testing and examination of any encryption-based systems that are deployed along your lines of defense.
The Four Stages of External Pen Testing
External Pen Testing involves more than hiring a Red Team (ethical hackers who try to penetrate your business from the outside) to throw everything they have at their disposal against your digital assets. Rather, you should take a methodological approach in four major stages.
1) Planning and Reconnaissance:
Shortly after all the contracts and legal agreements have been signed between the company doing the actual Pen Test and your company, this is the first step that needs to be taken. This phase is the information gathering session, allowing the Red Team to get a detailed, holistic view of your entire IT and Network Infrastructure. The Red Team will take time to prioritize what needs to be done first. For example, they will attempt gain a comprehensive understanding of the types of threat variants your business is most vulnerable to by carefully studying the Risk Assessment Analysis that you initially conducted. From here, the Red Team can target the most vulnerable digital assets first. The Red Team can also conduct various online testing exercises to pinpoint additional facets which need to be examined, such as items that did not appear in the Risk Assessment Analysis.
2) Scanning the Targets:
This is the stage where the Red Team will take on the mindset of a real-world Cyberattacker with a nefarious intent. The Red Team will start to hit upon those targets which appear to offer the most prized possessions that can be yielded. This includes such items confidential company documents, Intellectual Property (IP), the Personal Identifiable Information (PII) datasets of both your customers and employees (typically this will be credit card numbers, Social Security numbers, usernames/passwords, and other sorts of banking/financial information), etc. Examples of the targets the team will hit include:
- Servers containing shared resources
- Databases which house mission critical information/data
- Any shared or open parts that exist in your Network Infrastructure
- The location of FTP servers (because usernames and passwords are usually entered in as cleartext here)
- Email servers
- Any outdated or weak SSL certificates which allow the team to deploy malicious payloads that can be used, for example, in a SQL Injection attack.
3) Gaining and Maintaining Access:
Once the weak spots have been identified during Phase 2, the next phase is to attempt to gain access into them and maintain that access for as long as possible. This is usually done by finding and locating “backdoors” that were not previously identified. It is important to keep in mind that a Cyberattacker is not going to find only one way in. They will try to find all possible points of entry, so they can use a combination of them, at infrequent intervals, in order to go undetected.
Once the Red Team has gained access to what they have laid down the objectives for, the final phase in the exercise is to try to further exploit all the weaknesses, gaps, and vulnerabilities that have been discovered and steal the proverbial “Crown Jewels.” It should be noted that the Red Team will try to stay as long as possible in whatever area they penetrate, and they will launch the exfiltration process slowly, bit by bit. Their goal is to avoid detection by the internal network systems by not sending any abnormal behavioral signatures, which would happen if the “Crown Jewels” were being taken out in bigger chunks.
How often should External Pen Testing be done?
In today’s ever-changing Cybersecurity threat landscape, it is very important to conduct External Penetration Testing on a regular basis. However, a recent study by the Ponemon Institute discovered that 33% of organizations do not conduct any type of Pen Testing whatsoever. Of course, this makes them very ripe targets for a large-scale Cyberattack.
So, how often should external Pen Testing be done? Ideally, testing should be conducted on a daily basis, which isn’t feasible for most businesses. Therefore, the recommended frequency is at least quarterly, which will truly mitigate the risks of the latest threat variants that are lurking in the external environment.
Ravi is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas.Tech, Inc. He is also studying for his CompTIA Security+ Certification.