Know Your Options: Levels of Service for External Network Penetration Tests

Thinking about hiring a firm to conduct an external network penetration test? What is an external network penetration test, and why do you need one? Or have you recently been disappointed with an external network penetration test engagement? At KirkpatrickPrice, our experienced penetration testers want our clients to walk away from each engagement knowing that they are more prepared to combat advancing cyber threats. We are committed to conducting the most realistic, thorough testing possible, because when an attacker compromises your external network, it’s likely that they won’t stop there. They’ll go a step further and utilize social engineering tactics, like creating phishing emails specific to your organization, to further infiltrate your environment. That’s why we recommend knowing your options and understanding the different levels of service available for external network penetration tests.

Choosing Levels of Service for External Network Penetration Tests

Standard – External Network Penetration Test

An external network penetration test provides insight into what an attacker outside your network could exploit. Findings might include:

  • Discovery of open ports, protocols, and services that were accidentally exposed to the Internet
  • Discovery of data leaks, such as excessively open permissions on Amazon S3 buckets
  • Identification and exploitation of old or unsupported systems. These are especially prone to compromise since exploits are more likely to be widely available
  • Identification and exploitation of unpatched or misconfigured systems. On multiple occasions our testers have found systems with remote code execution vulnerabilities or misconfigurations that allow passwords to be leaked, among other bugs
  • Broken encryption methods (most common on websites, but also for systems like SSH or VPN servers)

Advanced – External Network Penetration Test Plus Social Engineering

A good ethical hacker will want to utilize as many tactics as possible to discover potential vulnerabilities in an external network. That’s why our penetration testers take external network penetration tests to the next level – the advanced level. They don’t feel like they’re delivering on their work until they go the extra mile and use creative ways to exploit your external network. This typically means social engineering methods, such as phishing, that make the penetration test more realistic. An external attacker is not just interested in checking the security of your network perimeter and moving on if they don’t find anything – they’re interested in using external-facing systems (such as email) to get directly into the network. When you’re selecting a firm to conduct your external network penetration testing, consider asking them about social engineering. This provides additional value, such as:

  • All of the measures covered by external testing alone
  • Reviewing layers of security – if an employee accidentally gives away a password when phished, does this impact the external security and how?
  • Testing security awareness of employees when it comes to email and phone
  • Evaluation of how well email protection and spam filtering protect users from potentially dangerous content
  • Evaluation of how well endpoint protection protects users

Because hackers are so likely to compromise environments using multiple attack vectors, we highly recommend understanding your options when it comes to levels of service and choosing an advanced level external network penetration test. This extra measure helps ensure that all potential vulnerabilities are found.

Case Study: Advanced External Network Penetration Test

Did you know that in 2019, 32% of breaches involved phishing and over 60% of breaches involved the use of stolen credentials? Phishing is one of the simplest and most frequently used attack methods of malicious hackers. Educating your employees on how to identify and report such emails is essential – and it’s a skill that needs to be thoroughly tested by someone experienced in creating realistic phishing emails. Our penetration testers have executed phishing attempts so convincing that 40% of IT personnel compromised their passwords.

In one engagement, a KirkpatrickPrice penetration tester performed a red team engagement on a casino and resort. In order to gain access to the network, the penetration tester sent out a phishing email that impersonated the casino’s HR department. The email stated that there was a new HR portal that employees needed to log in to and verify their personal information. If they didn’t, the phishing email threatened that a delay in payroll might occur. The penetration tester even went as far as creating a fake HR portal webpage identical to the casino’s brand and linked to it in the phishing email. With the fear of payroll being impacted, many employees (even some HR employees) clicked on the phishing link, allowing the penetration tester to obtain several sets of credentials and utilize a VPN connection to access the network of the casino. From there, they were able to compromise the entire network.

Had this casino opted to only do a standard external network penetration test, it’s likely that the phishing email never would’ve been created and the casino would have had no idea that its employees would so easily click on a phishing email. Instead, the casino and resort would have only received findings of things like open ports, protocols, and services that were accidentally exposed to the Internet, or unpatched or misconfigured systems, and it would have been left vulnerable to more thorough hackers.

Getting the most out of your penetration test comes down to choosing the right penetration tester and knowing your options for the levels of service. If you’re in the process of selecting a firm to conduct penetration testing for your organization, let’s chat more about the different levels of service for external network penetration tests and how we can partner to get you the results you need.


Validating Fixes 30 Days After Your Pen Test – Our Retesting Policy

Every penetration testing firm has unique processes for conducting penetration tests. While there are standards that influence penetration tests, like the OWASP Top Ten, the Open Source Security Testing Methodology Manual (OSSTMM), and the Penetration Testing Execution Standard (PTES), the truth is that not all penetration tests are created equal. When hiring a firm to conduct your penetration tests, having a thorough understanding of their methodologies is imperative. How will the firm you’ve hired help you remediate findings? Will they offer detailed insights and strategies for remediation? Will they re-validate what you’ve remediated? A firm focused on advanced, personal service will do exactly that. That’s why KirkpatrickPrice has a 30-day retesting policy.

What is Penetration Testing?

Penetration testing is a form of permission-based ethical hacking in which a tester attempts to gain access to an organization’s assets, including people, systems, and locations. The purpose of pen testing is to find vulnerabilities that could potentially be exploited by a malicious hacker, as part of your ongoing risk management practices. However, pen testing firms that are committed to helping their customers get the most out of their investment know that delivering a penetration test report is only the first part of the service. An exceptional pen tester’s mindset focuses on providing guidance to remediate the findings and, ultimately, helping their client improve their security methods.

KirkpatrickPrice’s Commitment to Your Security Needs

When prospects approach us about undergoing a penetration test for the first time, or perhaps they’ve had a bad experience with another penetration testing firm in the past, they’ll question how KirkpatrickPrice’s pen testing methodologies will prepare their organization against the advancing threats of today’s cyber landscape. It’s simple. We use tried-and-true methodologies that have helped keep our clients secure, including:

  1. Information Gathering
  2. Reconnaissance
  3. Discovery and Scanning
  4. Vulnerability Assessment
  5. Attack and Exploitation
  6. Final Analysis and Review
  7. Implement the Remediation Guidance
  8. 30-Day Retesting Period

Benefits of Retesting

KirkpatrickPrice is well aware that the security of your organization is not something to take lightly. This is why, when we conduct our quality, thorough pen testing services, we do everything possible to help you get the most out of your engagement, including providing free resources, access to Information Security Specialists, and a 30-day retesting period to test the changes you make after the engagement concludes. What are the benefits of the 30-day retesting policy?

According to KirkpatrickPrice pen tester Stuart Rorer, “The 30-day retesting policy provides our clients with the ability to have any issues, previously discovered in the pen test, reassessed to see if the remediations have been effective.” This means that when you remediate vulnerabilities over this 30-day retesting period, you could:

  1. Save your organization from a costly, embarrassing data breach
  2. Demonstrate your organization’s commitment to security
  3. Prove to stakeholders that you’re willing to do everything possible to protect their investments
  4. Ensure the security of a product before you take it to market
  5. Give your customers peace of mind

For those who may argue that 30 days post-exploitation isn’t enough to remediate vulnerabilities, Rorer makes a critical point: “Having a pre-determined test window also provides the client with a level of accountability, and helps set a timeline goal to have issues remediated. The longer the vulnerabilities remain present, the more likely they can be exploited.” In addition, many compliance frameworks require that you remediate high findings and also test your system after any significant changes.

The 30-day retesting policy at KirkpatrickPrice is optional, but we encourage all of our clients to take advantage of the benefits of re-testing, implementing changes, and validating the security of their networks and systems. After all, a data breach is only a matter of when, not if, it will occur. Make sure your organization receives quality, thorough pen testing services – talk to an expert today. We’re here to help!


Testing Physical Security Measures Through Penetration Testing

When you think about how penetration testing is performed, do you think about testing physical security measures? While many people believe security breaches only happen on the technical side of an organization, they can also start in your physical environment. You may find it surprising to know that some of the most advanced security attacks originate from an area as simple as a garbage can. Items such as bank statements, credit card offers, personal letters, magazines, and receipts are just a few items found in the trash that can give a hacker the info they need to launch significant security attacks on a person or organization.

It may be easy to think of a hacker sitting in a dark room somewhere, spending hours trying to break through your firewall and using malware to compromise your systems, but that’s not the only way malicious individuals initiate security attacks. To protect your secure information, your organization must pay attention to both its technical security and physical security, and consider incorporating social engineering and physical security testing into penetration testing engagements.

How Can Your Organization Protect Sensitive Information from Security Attacks?

There are many ways physical security plays a role in the protection of sensitive information. To make sure your organization is as secure as possible, you can take these important steps towards securing your physical assets:

  • Trash cans should be placed in an open area that’s visible to personnel, or maybe even in a guarded area, so that anyone who might try to breach your physical security via information in the trash will be caught. Do you shred items that contain personal or sensitive data before going into the trash to protect that information from being pieced together?
  • Proper policies and procedures should be in place so that employees are well-trained on appropriate security actions for daily activities. Whether that looks like locking doors, keeping security badges on at all times, or requiring all visitors to remain with employees in secure spaces – making sure that every employee understands what is expected of them is important in keeping your data secure.
  • Identifying all network entry points is a good practice to prevent unauthorized persons from accessing your organization’s systems. Ethernet ports in open areas prove to be tantalizing access points for malicious individuals.
  • Security cameras are a great deterrent from hackers who look for easily accessible entry points hidden from view. Part of your organization’s physical security measures should be placing security cameras in areas where secure information is received, processed, and discarded.
  • Locking secure documents in drawers is a good practice to implement, but these locked areas must also be monitored. A common tool hackers use in physical security attacks is a CH751 key. This key has the greatest likelihood of unlocking simple locks such as those in desk drawers, storage containers, and even elevators, which means securing your documents in a locked filing cabinet isn’t enough. These areas must be monitored at all times.
  • It’s not uncommon for hackers to slip into your office space unnoticed as everyone leaves for the day. KirkpatrickPrice penetration testers have even waited in office building bathrooms to stake out the best time to enter secure areas and locate security vulnerabilities. Making sure that your office building is secure at all hours of the day is important to protect yourself from security attacks.
  • A practice as simple as auto-locking computers when employees step away from their desk is vital for your organization’s physical security. It only takes a few seconds and an open USB port for hackers to breach your system and install malware.

These practices are just a handful of ways your organization can be proactive in securing assets against security attacks. How can you be sure your current procedures have covered all avenues of entry into your systems? That’s where penetration testing comes in. Through the various types of penetration testing, your organization can gain greater assurance that you have secure practices in place.

Why Penetration Testing Makes a Difference for Physical Security

Penetration testers use the same tricks hackers use in malicious security attacks when they are testing your systems for vulnerabilities. They know that your organization’s physical security is the first line of defense against hackers. That’s why they use tactics such as picking locks to reach areas that are supposed to be off-limits, cloning badges of unsuspecting employees, and scouting out employee workstations to find the right moment to compromise them. At KirkpatrickPrice, our penetration testers perform skilled social engineering and physical security tests to locate vulnerabilities that your organization may be missing.

As an information security firm, we often hear from our clients that they have an internal penetration testing team but aren’t interested in a third party conducting tests on their systems. Would you choose to test your own building for fire safety or would you rather receive a fire safety report from a Certified Fire Protection Specialist? Of course, you would choose to have an expert test your safety features to be sure you’re protected against any serious threat of a fire. In the same way, it’s important to have a third-party penetration tester involved in hunting for vulnerabilities within your system, both technically and physically.

When a penetration tester engages in an onsite visit, they are able to recognize physical security weaknesses and help you mitigate your risks. Instead of hoping your security practices will stand against a hacker’s ill intent, you can make sure you have the right procedures in place with a penetration test. Contact KirkpatrickPrice, today, to learn how our expert penetration testers can test your security controls and locate your vulnerabilities to help you prevent any security attacks!


Stages of Penetration Testing According to PTES

What is the Penetration Testing Execution Standard (PTES)?

The Penetration Testing Execution Standard, or PTES, is a standard that was developed and continues to be enhanced by a group of information security experts from various industries. PTES provides a minimum baseline for what is required of a penetration test, expanding from initial communication between client and tester to what a report includes.

The goal of PTES is to provide quality guidance that helps raise the bar of quality for penetration testing. The standardization of penetration testing procedures helps organizations better understand the services they are paying for and gives penetration testers accurate direction on what to do during a penetration test.

The 7 Stages of PTES

The standard is organized in sections that define what should be included in a quality penetration test.

PTES defines penetration testing in seven phases:

  1. Pre-Engagement Interactions: Penetration testers will prepare and gather the required tools, OS, and software to begin the penetration test. The required tools vary depending on type and scope of engagement but will be defined by a quality penetration tester at the start of any penetration test.
  2. Intelligence Gathering: The organization being tested will provide the penetration tester with general information about in-scope targets, and the tester will gather additional details from publicly accessible sources. This step is especially valuable in network penetration testing.
  3. Threat Modeling: Threat modeling is a process for prioritizing where remediation strategies should be applied to keep a system secure. PTES focuses on business assets, business process, threat communities, and their capabilities as key elements of threat modeling.
  4. Vulnerability Analysis: Penetration testers are expected to identify, validate, and evaluate the security risks posed by vulnerabilities. This analysis of vulnerabilities aims to find flaws in an organization’s systems that could be abused by a malicious individual.
  5. Exploitation: This phase of a penetration test involves the exploitation of identified vulnerabilities in an attempt to breach an organization’s system and its security. Since the vulnerability analysis phase was completed in a quality manner, the next step is to test those entry points into the organization that are weak.
  6. Post-Exploitation: After the testing is complete, the penetration tester must consider the value of the compromised machine and its usefulness in further compromising the network.
  7. Reporting: An executive-level and technical-level report will be delivered covering what was tested, how it was tested, what vulnerabilities were found, and how the penetration tester found those weaknesses. The report should provide your organization with helpful guidance on how to better your information security practices.

The main segments of PTES provide a detailed dive into the purpose and expectations of penetration testing. For many organizations, the ins and outs of penetration testing are confusing. Because of standards such as PTES, you can get a better idea of what to expect when a penetration tester hunts for your organization’s vulnerabilities.

PTES influences the penetration testing methodology of many auditing firms across the industry. It’s through these standards that information security experts can develop a well-working, quality system that detects your greatest vulnerabilities and reports on ways to improve your information security processes.

At KirkpatrickPrice, we understand that keeping your data secure is important to your organization. That’s why our expert team of penetration testers work hard to stay up to date on industry standards, so you can focus on increasing the security of your organization. Contact us for more information on our quality penetration testing.


How NIST SP 800-115 Informs Information Security Practices

What is NIST?

The National Institute of Standards and Technology, or NIST, is an organization that is part of the U.S. Department of Commerce and has the goal of being a leader in innovation and technology by providing fair standards and solutions.

The core competencies of NIST are measurement science, rigorous traceability, and development and use of standards. These core competencies influence the reliability of the information produced by the organization. As a giant in the industry, NIST has an opportunity to provide quality principles that can be used by organizations to develop secure information security practices and perform security testing.

NIST publishes documents that can be helpful in developing further strategies and methodologies that are used by information security specialists. NIST SP 800-115, the Technical Guide to Information Security Testing and Assessment, is one of these documents that is used in planning and designing proper security processes and procedures.

When it comes to penetration testing, NIST SP 800-115 is a valuable guide that can be used to influence the methodologies pen testers use when testing for organizational vulnerabilities.

NIST Special Publication 800-115 and Penetration Testing

NIST SP 800-115 is an overview on the key elements of security testing. It isn’t a comprehensive guide, but it does direct organizations on how to plan and conduct technical information security testing, analyze the findings, and develop remediation strategies.

This guidance includes:

  • Security Testing and Examination Overview
    • Policies
    • Roles
    • Methodologies
    • Techniques
  • Review Techniques
    • Documentation Review
    • Log Review
    • Ruleset Review
    • System Configuration Review
    • Network Sniffing
    • File Integrity Checking
  • Target Identification and Analysis Techniques
    • Network Discovery
    • Network Port and Service Identification
    • Vulnerability Scanning
    • Wireless Scanning
  • Target Vulnerability Validation Techniques
    • Password Cracking
    • Penetration Testing
    • Social Engineering
  • Security Assessment Planning
    • Developing a Security Assessment Policy
    • Prioritizing and Scheduling Assessments
    • Selecting and Customizing Technical Testing and Examination Techniques
    • Determining Logistics of the Assessment
    • Developing the Assessment Plan
    • Addressing Any Legal Considerations
  • Security Assessment Execution
    • Coordination
    • Assessment
    • Analysis
    • Data Handling
  • Post-Testing Activities
    • Mitigation Recommendations
    • Reporting
    • Remediation

The detailed guidance provides necessary explanations for many major components of security testing. Because of NIST SP 800-115, your organization can trust qualified audit firms to perform security testing that complies with a set of guidelines that is accepted across the industry.

The NIST SP 800-115 guidance is useful in providing structure to information security testing, but it is not meant to be a substitute for proper security procedures and processes.

Instead, NIST SP 800-115 should be helpful in testing that your organization’s security controls are as secure as you expect them to be. For that reason, penetration testers gravitate to the principles taught in NIST SP 800-115 when developing their testing, as it gives clear guidance for seeking out vulnerabilities.

To learn how you can benefit from penetration testing in your organization, contact KirkpatrickPrice today!
