External penetration tests are one of the most common tests we perform. An external penetration test is often the starting point for any company that is trying to understand its risk. With numerous compliance regulations either requiring external penetration tests or “highly recommending” them, we get to perform a lot of them. As such, we decided to throw together this blog to let you know what an external penetration test is, what steps are involved, what the associated costs look like, how to avoid problems that may occur, and finally how to improve your results. So let’s dive in.
What is an External Penetration Test?
Simply put, an external penetration test emulates an attacker on the Internet trying to break into your organization. As such, an external penetration test is primarily concerned with your perimeter security. This type of test answers questions such as:
- What systems and services are accessible from the Internet?
- Is any of the software on my perimeter out-of-date or vulnerable?
- Is there any sensitive information that can be gathered from open source intelligence?
- Can a user’s password to email or VPN be guessed?
For more detailed information about what an external penetration test is, check out this article we wrote about it.
What is the Typical Methodology for an External Penetration Test?
As a general rule, whenever you are having security testing performed, it is really important that the methodology being used is based on a published industry standard. A methodology is a general plan of action that an engineer will go through when conducting a test. Much like a pilot running through a checklist before takeoff, a penetration tester will go through a checklist to ensure everything is ready before testing begins. For something like a penetration test, your methodology ensures that testing is performed in accordance with predefined rules and standards and that your security is assessed holistically based on those standards. Although the exact steps, types of attacks, and details will differ from test to test depending on what services are listening, etc., the same basic steps will be performed. When you are evaluating different penetration testing firms, make sure you look over their methodology.
Our methodology is based on industry-recognized standards such as NIST SP 800-115 and Payment Card Industry (PCI) testing guidance. One of the things that differentiates a good penetration test from a “check-the-box” type of assessment is the amount of manual testing above and beyond an automated scan that is involved. This is, after all, what really separates an external penetration test from a vulnerability scan. As such, our external penetration testing methodology has a lot of manual processes baked in, such as open source intelligence, threat modeling, and steps to quantify the risk of any vulnerability found.
What is Not Included in an External Penetration Test?
An external penetration test revolves around assessing the risk of an outside attacker, but a network-based attack is not necessarily the only way an external attacker can make their way into your network. Specifically, there are two other areas that usually need to be looked at but are not included in a basic external penetration test. First, no matter how much time and money you spend on locking down the listening services on your perimeter, if one of your employees clicks a link they’re not supposed to, an attacker can gain access to your internal network and bypass all those security controls. This is known as social engineering and is a separate type of engagement. For more information about social engineering and what we offer there, check out this blog.
The second area that is not necessarily covered by an external penetration test is web applications. I say “not necessarily” because an external penetration test does evaluate any web applications we find on your perimeter for vulnerabilities. The primary difference is that, during a web application penetration test, we will request credentials so we can evaluate the web application from an authenticated perspective. This aspect of testing is really necessary to understand the true risk associated with a particular application and is not included in a basic external penetration test. Authenticated web application penetration testing is critical because it helps answer questions like: Can one user see another user’s data? Can a user elevate their permissions to an administrator? And so on. We wrote a blog on the difference between the two here.
What Can Go Wrong During an External Penetration Test?
An external penetration test, by default, is a tactical assessment. The engineer performing the assessment is emulating an adversary that is trying to break into your organization. As such, things can go wrong. With that being said, we are very experienced in performing external penetration tests and know what to avoid to prevent problems from arising. Our goal is to evaluate your risk as realistically as possible without causing any disruptions. If you want more detailed information on what can go wrong and the best ways to avoid running into those types of problems, check out this article.
How Much Does an External Penetration Test Cost?
Unfortunately, the answer to this is “it depends.” There are a lot of factors that go into pricing, such as the size of your perimeter (number of live hosts), time restrictions for testing windows, retesting, etc. Here is a guide that explains the various factors. In general, if you are a small company that has less than 10 IP addresses on your Internet perimeter, this should cost around $3,500. On the other hand, if you have a larger Internet presence, say around 50 IP addresses, that price would be closer to $8,000. A key point when you are scoping your penetration test is that we only charge for hosts that have services listening, so if you know that answer, you’ll get the most accurate cost.
What are Some Ways You Can Improve Your Results?
Whether you are required to have an external penetration test in order to meet a regulatory requirement, a third party is asking you to have it done, or you are just trying to improve your security posture, you probably want as few critical findings as possible in your report. Not to worry, we created a list of 5 things you can do to improve the results of your external penetration test. In general, though, for an external penetration test you want to reduce your attack surface as much as possible, eliminate weak and default passwords, and patch everything!
Hopefully this guide was helpful for you as you consider an external penetration test. Please check out our blog for more valuable resources, as there was a lot of detail we didn’t cover here, such as why scope is so important, how often you should have penetration testing performed, and what reports to expect as output. If you have any questions, feel free to shoot us a message and we would love to talk through it with you. Also, if you are ready to get started, drop us a message on our contact us page.