PROFILING

External Attack & Penetration

Essentials

External Penetration Testing tests the security surrounding externally connected systems from the Internet, as well as within a Corporate Network. Controlled tests are used to gain access to Internet resources and ultimately to the DMZ which is an internal network; by going through and around firewalls from the Internet. External Penetration Testing involves the finding and exploitation of actual known and unknown vulnerabilities from the perspective of an outside attacker.

External Penetration Testing attempts to breach the target as an unauthorized user with varying levels of access, as listed below. This is sometimes referred to as “ethical hacking”.

Casual hacker who infiltrates a client’s systems
Dedicated hackers who pursue specific information and work with inside information (e.g., knowledge provided by a current or terminated client employee) and via information gathered through open source intelligence.

For example, attackers typically attack remote services such as web mail systems, VPN and Citrix portals. SecureState uses these same techniques to “brute-force” logins and passwords to gain access to sensitive information.

External Penetration Testing involves the finding and exploitation of known and unknown vulnerabilities
External Penetration Testing detects weaknesses in a system or network that could allow host compromise

Benefits

External Penetration Testing must be conducted to achieve compliance with a multitude of regulations and standards that industries face; including, the Payment Card Industry Data Security Standard (PCI DSS). Additionally, External Penetration Testing detects weaknesses in a system or network that could allow host compromise. External Penetration Testing also tests an organization’s external monitoring and Incident Response (IR) capabilities.

Expertise

SecureState’s Profiling Team is comprised of nationally renowned ethical hackers. The team’s background includes military intelligence, law enforcement, big 5 consulting as well as financial institutions. Our team is constantly working to stay at the forefront of penetration testing and security assessment technology as well as business trends through training, education, and speaking. Members of SecureState’s Profiling Team are regularly asked to speak as subject matter experts on penetration testing at all of the major security and hacker conferences; including, Defcon, ShmooCon, OWASP AppSec DC, Hackers on Planet Earth, DerbyCon, Toorcon, Notacon, and Black Hat USA.

Get Scoping Questions Now!

Fill in your details and you can download a FREE questionnaire to ask your vendors.

Your Name

Your Phone

Your Email

Your Company

We will not share or distribute your email to anyone. It will be used solely to contact you about the service you have inquired about.

Did You Know?

External Penetration Testing tests an organization’s external monitoring and Incident Response (IR) capabilities
Penetration Tests are not Vulnerability Assessments
Penetration Tests should be performed at least once a year and after any significant application modification or network upgrade
Penetration Tests should follow industry standard testing methodologies
Penetration Tests are an important part of any security program

Our Approach and Methodology

The SecureState Profiling Team are well known and highly regarded as experts in Penetration Testing. Our approach follows industry accepted testing methodologies such as PTES and NIST 800-115. By following these methodologies, our clients can accurately replicate the testing SecureState has performed in their own environment to accurately mitigate identified vulnerabilities. The SecureState Profiling Team also helps identify strategic “root cause” issues through our Penetration Tests. Our Risk Management Team is uniquely positioned to work closely with the Profiling Team in order to assist clients with mitigating these strategic “root cause” issues.

Phase I – Pre-engagement:

In this phase, SecureState works with the client to establish the rules of engagement as well as the scope and exchange contact information with both parties. SecureState provides a detailed Project Charter which contains information on scope and everything that will be required to conduct the testing. The Project Charter is discussed during the kickoff call prior to the beginning of the engagement.

Phase II – Discovery Analysis / Footprint Creation:

The next step is to create an Internet profile or “footprint” of computer addresses and other information regarding the client’s Internet connected systems, while taking an “unknown presence” and reducing it to a specific range of domain names, IP network ranges and host systems.

Phase III – Service Enumeration:

Specialty tools are used to programmatically “ping”, or map a client’s existing Internet presence. Next, a “service scan” is initiated to identify listening service ports, in order to determine the type of operating systems and applications in use. Detailed configuration and user information is obtained for each system, and the computer addresses acquired during Phases I and II are programmatically scanned.

Phase IV – Application Layer Testing:

A limited manual testing of any web applications encountered is conducted to look for common web application vulnerabilities, such as SQL injection.

Phase V – Exploitation:

All identified vulnerabilities will be assessed as to the likelihood of exploitation, and we actually do exploit the vulnerabilities.

Phase VI – Post Exploitation:

The Post Exploitation Phase includes pillaging, penetrating further into the network, documentation and erasing any remains we might have left behind.

Phase VII – Reporting:

As part of the deliverable, SecureState provides a report which contains a short graphical summary aimed at senior management, a narrative body which details major findings and a detailed findings section aimed at the technical staff. Additionally, we provide a closing call and high level executive presentation to summarize the penetration test as well as provide an opportunity to ask questions about the engagement.

What Makes Us Different

SecureState uses a team-based approach for all Penetration Tests
Utilizes proprietary Vulnerability Linkage Theory (VLT) to achieve a greater attack
Demonstrates proprietary tools to Clients during Penetration Testing
Publishes our own Exploits, Zero Days and Tools to the Information Security Community
Profiling Team members are known as experts in Penetration Testing worldwide
Profiling Team members are frequent speakers at national and world-wide security and hacking conferences; such as DEFCON, Black Hat, OWASP AppSec, SANS, ShmooCon, THOTCON, DerbyCon, ToorCon and more
Conducts all external Penetration Tests from our state-of-the-art hacking facility in SecureState’s world headquarters; a DOD cleared facility
SecureState has the capability to perform secure remote Internal Penetration Tests using the latest Penetration Testing technology
Provides a secure two-factor authentication web portal for access to Penetration Test results
Follows industry standard testing methodologies, vulnerability rating systems and uses real attack data collected by SecureState through years of assessments to compare your company to your industry peers from a security perspective

Related Services

Downloads

External Attack and Penetration

We Can Help You

Generate New Image

Enter the code from above.