The External Penetration Testing Experts
At CNS we're experts in performing and managing external penetration testing on behalf of our clients. We help evaluate and manage the risk of external attacks through a simple, clearly defined process.
There is more information about our penetration testing services below, however if you'd like to have a chat with one of our experts feel free to call us on 020 7592 8800.
Manual Infrastructure Testing
Virtually all organisations will have at least one internet connection, often several and they will usually be running services on them such as VPNs, email, webmail, webservers etc. All of these are attractive targets to attackers. It is important to understand that organisations are constantly under attack.
Though it should be noted that it might not specifically be the organisation that is targeted. Many attackers will simply scan the internet to identify vulnerable targets and attack them, rather than specific targeted attacks against an organisation (though this still occurs particularly for high profile organisations).
It is vital that organisations understand the level of risk they are exposed to, reduce it where possible and manage the required risks. CNS can help evaluate and manage this risk through an external penetration test.
An external infrastructure penetration test involves a full port scan of TCP and UDP ports of public IP addresses from one of CNS Group's servers. This is followed up by a vulnerability scan of services found to be running on open ports. Vulnerability scans will be first performed with specialist scanners, however if certain services are discovered, other tools and scripts will be applied that are more specific to that service. The scanners we use are capable of finding a number of common vulnerabilities, such as version numbers displaying in services, default passwords, and insecure protocols.
If a host is breached during an external test, for instance if some SSH credentials are found to be weak, testers will not try to further exploit that host or gain access to the internal network. Rather, the vulnerability will be reported to the client immediately, as will any other vulnerability that is considered to be of critical severity.
Once all IP addresses are scanned and services identified, CNS testers will manually connect to each service and test for further vulnerabilities. For instance, if an FTP server is discovered, a tester will attempt a limited brute-force of username / password combinations, based on commonly used values or those relating to the client name. In the case of a web application being discovered, the tester will conduct a small unauthenticated web application test for common vulnerabilities such as SQL Injection of Cross-site Scripting.
CNS will not attempt to perform Denial of Service (DoS) attacks against any host, and will report to the client if any attack unintentionally causes a host to go down.
External Penetration Testing - Process Overview
1. TOR - The Terms of Reference states what penetration testing we will be doing, who exactly will be doing it, when, any exclusions, restrictions, targets etc. This must be in place before testing can commence. This is drawn up following communication between the test leader and the client.
2. Port Scanning - CNS will scan all possible IP addresses within the range given, for all possible TCP and UDP Ports. This scanning will be performed from our specialist servers in a secure data center.
3. Vulnerability Scanning - CNS will scan the IP addresses and active ports identified in the previous step with a number of automated tools. This will quickly identify any simple vulnerabilities, e.g Default Passwords.
4. Manual Identification and Fingerprinting - CNS will connect to open ports and running services that were identified, and attempt to work out the operating system and service versions (fingerprinting).
5. Identification of Outdated, High Risk or Potentially unnecessary services - CNS will look at each service and if it is possible to identify it, will list any that are out of date, of a high risk, or
unnecessary. e.g Old versions of IIS, Telnet Administration Port, Web servers with no content / default content.
7. Identification of Default Configurations - CNS will connect to every open port and service looking for default configurations, such as default passwords on firewalls or default web server installations.
8. Identification of Information Leakage - CNS will connect to every open port and service looking for any information that is being provided, that is unnecessary and could provide an attacker with intelligence on
targets to attack, e.g. internal IP addresses, usernames, or even passwords.
9. Identification of Vulnerabilities - CNS will using all previous stages to conduct a very detailed manual examination of every port and service, identifying and rating vulnerabilities for Likelihood (how easy the vulnerability is to exploit) and Impact (how much damage can be done by a successful exploit).
10. Documentation - CNS will then document all results and issues identified, providing a detailed executive summary, results table, statistics page, and detailed technical explanation for each page.
11. Quality Assurance - The report will then be passed through our internal QA process where a second senior tester will review the report and the issues identified. The report will then be passed to the testing manager for a final review. The report will continue to go through this process until it is accepted by the team.
12. Report Release - The report will then be provided to the client using the chosen method, by default this will be on an encrypted CD sent via registered post.
13. Optional Retest - As an optional extra, CNS can conduct further testing to verify any fixes applied.
14. Post Testing Debriefing - CNS will then conduct a debriefing for the client.