We specialise in external or public-facing infrastructure testing to uncover vulnerabilities in any server or service accessible from the Internet. Focusing on the operating system level (rather than web applications), our process includes meticulous information gathering, host discovery, port and service scanning, vulnerability analysis, and extended manual testing.
We then deliver a comprehensive report complete with an executive summary, recommended fixes, and a debrief session that ensures you have a clear roadmap to address security holes. High-risk issues are identified and reported immediately, helping you safeguard your organisation.
What is it?
External or public-facing infrastructure is defined as all the servers and services that are reachable from the Internet. Network infrastructure covers the services offered at an operating system level but would not, for example, include web applications.
The internet-facing infrastructure includes:
One or more firewalls that provide protection against Internet-borne threats and are used to restrict access
Servers that provide various services, such as web servers, email servers, and so forth
These are generally considered to be the most ‘at risk’ from an attacker or malware, as it is near impossible to deny access to an attacker while granting access to the genuine prospective client requiring your services.
As a rule, the more functionality a server or network delivers, the more likely it is to be attacked. As functionality increases, the opportunity for misconfiguration and vulnerability increases. Hence, a website running a complex transactional web application is far more likely to be vulnerable to security flaws than your upstream router. The core of any penetration test should include your public infrastructure, but do not forget that there are other routes into your network.
Areas of Testing
Information gathering: This is a passive activity that seeks to discover information about the target.
Host discovery: Determining which hosts are visible and what operating systems they are running. An attacker would do this in order to better target an attack.
Port and service scanning: This involves actively testing the hosts to determine what ports are open and what services they are offering. For example, a web server would likely present 80/TCP and 443/TCP upon which a web application is running.
Vulnerability analysis: This phase of testing determines what, if any, vulnerabilities are present on the targets. Using automated scanners to assess the targets quickly and accurately, a picture is built up of the target’s security posture.
Extended manual testing: Once automated scans have been completed, each discovered issue is manually tested to verify whether or not it exists. This phase may, if appropriate, also include exploiting any issues to see how far an attacker would be able to get.
Vulnerability and extended manual testing will explicitly identify where security holes lie and remove false positives. When applicable, other methods will be utilised.
Testing
We will assess and thoroughly test all internet-facing servers within the scope. Any security issues identified will be highlighted, and appropriate recommendations will be made to ensure all risks are appropriately minimised. Any high-risk issues, or ones that could be exploited easily, will be reported immediately as they could pose an imminent threat were they to be discovered by an attacker.
Reporting
A report is written detailing the processes carried out and the issues found. Generally, this will contain a prioritised list of the vulnerabilities discovered, grouped by functional area. Remediation advice will be provided, both in terms of an immediate fix and any defence-in-depth measures that could be taken to mitigate risk. Attack chains, alongside their impact, will be documented. Any higher-level findings that can be abstracted from the testing will be provided. Any architectural or design weaknesses will be highlighted so that these can be avoided in the future. Finally, an executive summary is produced to allow the most severe issues to be communicated quickly to stakeholders.
CHECK Testing
In some cases, testing may need to be conducted under the NCSC CHECK scheme. When this occurs, certain requirements must be met:
Testing led by a CHECK Team Leader – Infrastructure (CTL INF)
On large or complicated tests, the CTL may be supported by one or more CHECK Team Members (CTM).
It is important to consider whether testing will need to be conducted under the CHECK scheme at the scoping phase.