Penetration testing – external
External penetration testing simulates an attack on your systems from the outside: our consultant takes the role of a potential attacker (hacker) who is trying to breach your external perimeter from the internet.
The goal of an external penetration test is to check how well your external perimeter resists such an attack.
Typical targets of external penetration testing are all your internet-facing assets, such as web servers, mail servers, firewalls and other network devices.
Phases of testing
This kind of testing includes several steps, such as:
Information gathering: discovering as many details about your infrastructure as possible from public sources.
Network scanning and reconnaissance: identifying all your internet-facing devices and potential entry points into your internal network.
Next, all identified devices are tested for known security vulnerabilities using automated tools (e.g. vulnerability scanners, web application scanners and other specialised security tools).
A typical external penetration test is performed in so-called “zero knowledge” mode: we are not provided with any credentials (username, password, certificate, key, etc.) or other insider knowledge.
Websites that fall within the scope of an external penetration test receive only a basic security assessment; if you are interested in a deep security review of your web application (based on the OWASP methodology), please see our Web application penetration testing.
All findings from the previous step are manually verified and false positives are sorted out; the real security flaws are documented and, where possible, we demonstrate how they may be exploited.
All findings, together with the proposed remedies, are documented in the final report.
Other types of pentesting
In addition to the testing described above, we also provide our clients with many other types of penetration tests – see Penetration testing overview.