External Penetration Testing of IT Infrastructure

External Infrastructure Penetration Testing is carried out based on a global methodology, in accordance with NIST 800-42’s Open Source Security Testing Methodology Manual (OSSTMM), the Guideline on Network Security Testing Information System Security Assessment Framework (ISSAF), and recommendations from the SANS Institute, and EC-Council organizations.

Service Description:

Third-party penetration testing of IT infrastructure is implemented

In the following stages:

Stage 1 – Data collection

• Attempts to gather as much publicly available information on IT infrastructure as possible,
• IP address range identification,
• Identify shared services by scanning TCP/UDP ports along with attempting to obtain information about installed software versions using fingerprinting and banner grabbing techniques,
• Obtain publicly available information about the organization and its infrastructure, for example, by using google hacking techniques, DNS zone transfer, or, in the case of an internal network, by conducting network traffic listening.

Stage 2 – Vulnerability identification

• Vulnerability scanning using automated tools,
• Manual identification of vulnerabilities based on collected information about the versions of software installed on the tested devices in public databases (e.g. Bugtraq, CERT, OSVDB).

Stage 3 – Vulnerability analysis

• Analysis to verify and eliminate potential false positives and identify critical vulnerabilities, which we will keep your employees informed about,
• Attempting to find software code that exploits a given vulnerability – known as an exploit.

Stage 4 – Attempts to exploit vulnerabilities

• Controlled attempts to exploit identified vulnerabilities (in order to minimize the risk of unavailability of IT systems, your employees will be informed of all our attempts).

Features and Specifications:

Penetration testing is carried out on the basis of a global methodology, consistent with OSSTMM (Open Source Security Testing Methodology Manual) studies and best practices in the area of penetration testing.
Controlled attempts to exploit identified vulnerabilities and attempts to execute software code exploiting the vulnerability.
Penetration testing methodology assumes simulation of actions of real computer criminals attempting to gain unauthorized access to the organization’s resources using all possible access channels and penetration techniques. The penetration testing methodology is characterized by a high degree of flexibility by adapting penetration techniques to attack scenarios corresponding to the greatest threats from the point of view of the tested organization.
Regardless of the attack scenario implemented, the methodology assumes the implementation of penetration testing in the following stages:

• Recognition,
• Testing,
• Exploitation (with the Client’s consent).

The methodology involves iterative repetition of steps within new penetration testing scenarios related to privilege escalation or access channel change.
Sample internal penetration testing scenarios can simulate, for example:

• Attempts to access the organization’s internal network by an
  outsider,
• Attempts to take control of an organization’s user station through malware infection,
• Attempts to implement activities using the lost computer of an employee of the organization,
• Attempts by an employee of the organization to bypass security measures,
• Attempts by a guest of the organization (or a contractor) to gain access to the organization.

Customer benefits:

Customers receive a thorough security analysis of their systems, identifying and addressing key vulnerabilities, which increases protection against cyber attacks and improves the organization’s overall cyber resilience.

For whom it is intended:

The service is aimed at organizations of all sizes that need a professional security assessment of their IT infrastructure.

Application examples:

Test scenarios include simulated attacks from the outside, taking control of workstations, operations using lost equipment, and attempts by employees or guests of the organization to bypass security.