External Network Penetration Testing
Jumbo Systems' external network penetration testing and security assessment utilizes a risk-based approach to manually identify critical infrastructure vulnerabilities that exist on all Internet-accessible services within scope. The primary goals of this assessment are to:
- Provide management with an understanding of the level of risk from Internet-accessible services.
- Provide recommendations and details to facilitate a cost-effective and targeted mitigation approach.
- Create a basis for future decisions regarding information security strategy, requirements and resource allocation.
Why Perform Penetration Testing?
- To execute a real-world attack on critical infrastructure and understand the level of risk that exists at a single moment in time.
- To complement your automated scanning appliance to better identify and validate all security vulnerabilities associated with your Internet-facing environment.
- To understand the level of risk for your organization compared to similar companies.
Penetration Testing Process
Penetration Testing Scope
Jumbo Systems tests externally facing network systems and services for vulnerabilities attributable to:
- Software flaws
- System configuration settings
- Network-layer password weaknesses.
The devices tested include those that are accessible via public IP addresses, such as:
- Firewalls
- Routers
- DNS and other external services including servers on your DMZ
- Remote access services such as dial-up modems and IPSec endpoints.
All externally reachable services will be identified and documented. Disruption to operations will be minimized.
Performing this assessment on a regular basis will also help address specific regulatory requirements, such as FFIEC/GLBA, HIPAA/HITECH, NERC, and PCI DSS requirement 11.3.1.
Penetration Testing Methodology: External Networks
This assessment begins with a process of data collection and network reconnaissance to learn as much as possible about the network topology and its hosts (see the Jumbo Systems Penetration Testing process). Next is the enumeration phase, in which each component of the network is analyzed to extract details about its operating system, service types, protocols supported, and configuration parameters. From this point, several paths exist to system or data compromise. Exploiting known or suspected software vulnerabilities, manually discovering a configuration flaw in the service, or identifying a weak password will result in a successful penetration. As the assessment moves up the Jumbo Systems Penetration Testing process, the risk level of the issues identified also escalates.