According to the Verizon Data Breach Investigations Report for 2019, "29% of breaches involved use of stolen credentials" and "52% of breaches featured Hacking". Internal printers, servers or applications are often exposed to the internet by mistake, with "let me disable those firewall rules to see if it works then" or "let's spin this VM in the cloud which we will then forget about" being common avenues for this kind of problem. In other situations, a developer might leak a password by mistake, for example in an overlooked commit to a public repository. Such mistakes can inadvertently allow malicious attackers to gain a foothold in your network, or could result in misuse, unauthorised disclosure or destruction of confidential information.
Every organisation should perform an External Penetration Test, in addition to other security assessments, to ensure that the attack surface exposed to the internet is as small and as secure as possible. This type of test is also valuable for businesses that want to test their intrusion detection and prevention capabilities via their IDS and IPS systems respectively. This type of assessment often finds assets that businesses did not even know they had, so it is a very valuable exercise. Please note that this test can be extended to include social engineering and general testing of the people component in security, for example:
We do not lock ourselves into any particular list and will review your security from the perspective of a real attacker, using manual testing techniques and also automation where needed, but in a controlled fashion and always with your permission. That said, our External Network Penetration Tests are typically aligned to the Penetration Testing Execution Standard (PTES) and NIST SP800-115. Exposed web applications will be tested for high impact issues related to the OWASP Top 10 and the OWASP Testing Guide tests as applicable to the target application. Some examples of this are public. We focus on high impact areas to ensure that critical issues are identified and subsequently eliminated. However, we will always tailor the test to meet your specific needs. For example, maybe your threat model is different and you are worried about a different type of attacker, or what your business is trying to protect is simply not standard. We can help you with that.
Simply contact us and let us know what you need to test. We will get back to you with some questions to understand the scope, schedule the test and tailor the test to meet your needs, for free. If you want to proceed, we will send you an offer for signing and coordinate the steps together from there.