External Pen Testing

How does an external pen test work? Do you provide them with the static IPs and they look for vulnerabilities in the modem/firewall?
Is there a way to do this without a 3rd party?
 
It's narrower in scope than a full internal test. But...an external test...is done from the perspective of the attacker that doesn't have much knowledge of your internal system, nor existing access to it (else...the attacker would be launching from the inside).

Scan of all public IPs of your network(s).
Scan of all ports that are open/forwarded...and full fingerprinting of what is listening...and then full auditing of what is listening, and...then simulated attacks on it, spraying, bruteforce, various exploit tools, see what patching it still needs, or if any locking down of services has been done. And see what can be found/discovered...by various attacks.

And...a more thorough one will include a full phishing simulation against all staff (because..that is also external..email)...see which staff "click on links".
Staff on social media...info shared.
Staff's email addresses....pwned list...compare those passwords against current internal ones.

Staff have company data on BYOD phones? Those get included.

Mobile laptop fleet? That too!

Remote access?
On prem mail server?
VPNs?
RDG (remote desktop gateway)?
ANYthing sticking out of the firewall?

ANY cloud services? M365? Google Workplace? SaaS hosted programs? Those get included too!

Credentials, security of passwords, MFA..MFA methods, etc.

Offsite backup?

Basically....ANYthing company related that steps outside of the main office.
A very in depth look.....
A list of vulnerabilities/weaknesses found...any data found....
A list of..."You need to improve THIS, THAT, and THE OTHER."
And...you come up with a POAM (plan of action and milestones)
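One item in that list, comparing staff passwords against pwned lists, can be done without ever sending a password (or even a full hash) off-site: the Pwned Passwords range API takes only the first five characters of a SHA-1 hash and returns every matching suffix. This is an added example, not code from the thread or from Have I Been Pwned; the endpoint URL is the real one, and the sample range response and its counts are constructed for the demo.

```python
"""Check passwords against the Pwned Passwords corpus via the k-anonymity range API.

Added example. Assumes the real endpoint https://api.pwnedpasswords.com/range/<prefix>;
the SAMPLE_RANGE_5BAA6 response below is constructed, not a real API reply.
"""
import hashlib
import urllib.request


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is sent
    to the API and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_text: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return how many times
    the full hash was seen in breaches, or 0 if the suffix is absent."""
    for line in range_text.splitlines():
        cand, sep, count = line.strip().partition(":")
        if sep and cand.upper() == suffix:
            return int(count)
    return 0


def fetch_range_live(prefix: str) -> str:
    """Live lookup: only the 5-char prefix leaves the machine."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range_live) -> int:
    """Return the breach count for a password; `fetch` is injectable for offline use."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed sample response for prefix 5BAA6 (a real one has hundreds of lines).
# The second line carries the genuine suffix of SHA-1("password"); counts are made up.
SAMPLE_RANGE_5BAA6 = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
    "2A47EFD5E9A3F1D1B6B2C0E3D2C9B1B0A0C:3\r\n"
)

if __name__ == "__main__":
    n = breach_count("password", fetch=lambda p: SAMPLE_RANGE_5BAA6)
    print(f"'password' seen {n} times in breaches")
```

For a real audit, run this against password hashes you already hold legitimately (e.g. during a password change hook), and treat any non-zero count as grounds to force a reset.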
 
And...really best done by an independent 3rd party that....lives and breathes this...is trained in it. It's...not a quick thing.

I agree, but also recognize that for SMBs this service is too pricey (at least in my area) to justify just a "casual" use in an attempt to harden security. If they need it for their cyber insurance, then they have to pay regardless, but if they are just trying to be proactive, it would be nice to have a tool built for this purpose (casual use), as opposed to the full megillah scans intended to meet regulatory compliance.

ShieldsUp! is the only one I know of and that just scans for open ports. I suppose that's something.
 
"casual use"...sure, I agree. But many of our clients are the type of business that...really, many need it, either due to cyber-insurance, or...many are non-profits and have a "board" that simply wants to get it done, to minimize the risk of breach. We have some local town government clients that need to get it done also...because all local govs around our area have to..it's being provided to them.

There are tons and tons of "port scan" sites out there..we have one at Speedguide.net https://www.speedguide.net/scan.php
BUT...this is only a sliver of a pubic hair of a small fraction of a "pen test". The fact that you have open/forwarded ports on the firewall is not an issue. HOW WELL you have internal resources that those open/forwarded ports point to....is the start of the conversation that the pen test wants to engage in.
 
How does an external pen test work? Do you provide them with the static IPs and they look for vulnerabilities in the modem/firewall?
Is there a way to do this without a 3rd party?
Some context is needed. Is it a statutory requirement? Did a manager/owner get a phishing email about ransom for a video "recorded" of them "pleasuring themselves"? Was it some stupid meme running around social media?

If it's statutory or typical for a type of business, it's very important that the pen tester be credentialed and have the proper insurance policies in place.

If it's something else, as @YeOldeStonecat said, there are options that'll do port scanning of a destination. Personally I like NMAP. There's Shields Up which has been around

At the end of the day many sites which might have needed a pen test in the past don't, or need other tests, because everything is at a colo. In other words no port forwarding at all.
 
And...really best done by an independent 3rd party that....lives and breathes this...is trained in it. It's...not a quick thing.
When you say someone who "lives and breathes this", do you mean someone who ONLY does pen testing? I run a cybersecurity consulting firm, and I was thinking about learning this craft as an extra income source.
 
When you say someone who "lives and breathes this", do you mean someone who ONLY does pen testing? I run a cybersecurity consulting firm, and I was thinking about learning this craft as an extra income source.

A company that focuses on audits. And, IMO that should not be the MSP that manages the client...conflict of interest and would certainly be biased.

Businesses that process credit cards are all having to go through at least basic port scans (which is..just a wee tiny fraction of a pen test) by their credit card processor, which certainly determines their clearing rates. A good, tight, secure, properly separated and PCI compliant network will allow the business to get lower clearing rates from their cc processor. A poorly set up network will have the business incurring...high rates...because they're more at risk.
 
A company that focuses on audits. And, IMO that should not be the MSP that manages the client...conflict of interest and would certainly be biased.

Businesses that process credit cards are all having to go through at least basic port scans (which is..just a wee tiny fraction of a pen test) by their credit card processor, which certainly determines their clearing rates. A good, tight, secure, properly separated and PCI compliant network will allow the business to get lower clearing rates from their cc processor. A poorly set up network will have the business incurring...high rates...because they're more at risk.
Good to know. Maybe we shouldn't offer that as a service. Seems like a fun hobby though.
 
Maybe we shouldn't offer that as a service.

I wouldn't say that, necessarily. But if you are going to offer it, make sure you are fully (or as fully as possible) trained in the required steps and how to read what the client may be required to do by an outside entity.

But, even if you were to become the best pen tester in the world, it's folly to be the pen tester for your own MSP clients, as there exists a clear conflict of interest. It is to your personal advantage (or at least it could appear so) to state that your MSP clients "pass muster" whether they do or not.

It's about compartmentalizing classes of customers so conflict of interest, or the appearance of possible conflict, does not exist.
 
A company that focuses on audits. And, IMO that should not be the MSP that manages the client...conflict of interest and would certainly be biased.

Businesses that process credit cards are all having to go through at least basic port scans (which is..just a wee tiny fraction of a pen test) by their credit card processor, which certainly determines their clearing rates. A good, tight, secure, properly separated and PCI compliant network will allow the business to get lower clearing rates from their cc processor. A poorly set up network will have the business incurring...high rates...because they're more at risk.
Are you referring to accepting credit cards via an actual swipe machine? Or would this apply to a company accepting card payments over the phone and then entering them into a website for payment?
 
We far more often see local swipe devices....but there are a few that do website entries (including our own office; we use SyncroMSP as our RMM/PSA/Billing, so...we have customers' CC info there).

Many of our clients are PCI DSS Level 2...so they have quarterly SAQs (Self Assessment Questionnaires) we do for them.
 