About Penetration Testing
What is an External Penetration Test?
External penetration tests assess a business’s network and infrastructure for vulnerability to external malicious attack. The tests are designed to try to gain access to the network and information assets just as a hacker would.
Tests will reveal how easy or difficult it would be for an outside entity to gain access to data through open ports and insecure settings in hardware configurations and software code.
Why Penetration Testing is Important
Symantec detected over 1,650,000 new malicious threats in 2008, a massive increase of 265% from the previous year. They also reported 75,158 active bot infestations on computers on a daily basis, an increase of 31% from the previous year.
In 2008, the USA was responsible for inadvertently housing 33% of all command and control servers. Any computer, server or PC, can become a command and control server simply by having malware installed on it. The USA was also the most targeted country for denial of service attacks, accounting for 51% of the global activity.
Software vulnerabilities also increased in 2008 with 5,491 specific vulnerabilities identified, an increase of 19%. The vulnerability that ranked the highest was the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability.
PrivacyRights.org identified 383 cases of data breaches with over 83 million identities exposed.
Protecting your data
Malicious attacks on computer systems are increasing daily and it is imperative that your business data and client information are protected.
The biggest vulnerability is that many businesses believe their infrastructure is secure and rely on the expertise of network engineers and software developers to keep it intact. The problem with an in-house approach is getting everyone on the same playing field and then having someone with all-round knowledge oversee the project.
For many businesses, that scenario is either impossible or impractical, and they need the expertise of external security agencies to assess the business's strengths and weaknesses using penetration-testing techniques.
Penetration tests focus on server penetration, router penetration, firewall penetration and operating system installation and maintenance.
Choosing the right penetration testing company
Choosing the right partner to perform the tests is as important as the tests themselves. Understanding the questions you will need to ask will go a long way towards getting the right service.
As a general rule, the information security consultant should hold a minimum of one certification and their testers should be experienced, professional and discreet. The service you choose should provide a complete assessment and relevant information regarding the security of the network and offer unbiased recommendations. Do not choose any existing partner, vendor or supplier, as this will cause a conflict of interest.
Background
Are security assessments their core service?
Can they tailor their services to your specific needs?
Do they have NDAs with vendors? This may prevent them from passing information to you.
Credentials
Are the consultants certified? Certifications include CISSP, PCI, CHECK and CISA.
Is the testing team in-house or outsourced to contractors?
How long has the staff been working in network security/hacking?
What is their confidentiality policy?
Methodology
How would the security assessor approach the project?
Do they use a standardized methodology that is comparable to OSSTMM, CHECK or OWASP?
Summary
An external penetration test will highlight vulnerabilities within a business network. The information security provider who conducts the tests will supply a full-bodied report and offer recommendations to secure any flaws in the infrastructure.
Choose consultants and testers who are certified and who do not have conflicts of interest with vendors or other services that may influence their reports.