Customers often have questions about their upcoming external network penetration test. Many times our analysts are asked: What systems will be affected? Will this disrupt my business? What information do you need? This blog article aims to answer those questions and alleviate any potential client concerns.
Before the Pentest
Prior to starting an external penetration test, SecurIT360 analysts perform several checks with customers. First, we will confirm customer access to the SecurIT360 share file platform. This platform is used to communicate findings and share sensitive data securely. All information sent over this platform is only accessible by SecurIT360 staff and the client representative. Repeat clients should be familiar with this platform and will likely be asked to confirm their access, while new clients will have an account created for them.
Another step that typically occurs during the week before an external penetration test is confirmation of the client’s public IP ranges and cloud resources. This ensures that our analysts target the correct assets. The customer can provide the IP ranges listed in CIDR notation or with their corresponding subnet masks.
During the Pentest
On each day of the penetration test, an analyst will reach out to the client representative in an email that details the work to be done that day. The typical process for an external penetration test at SecurIT360 occurs in three steps: recon, attacking, and reporting. During the recon and attacking phases, the analyst will remind you to contact them if you receive any alerts from your Security Operations Center (SOC) or Managed Security Services Provider (MSSP). This gauges their responsiveness to the attempts made by the analyst to access your network or systems.
It’s important to understand that we do not perform any attacks designed to harm your systems. In fact, we take every precaution to avoid negatively impacting any services or systems in scope. Password sprays are done in intervals and are designed not to lock accounts. On occasion, password policies or an incorrect login attempt by an employee may result in a locked account. If your organization has a password policy that locks user accounts after a predetermined number of incorrect attempts within a certain time frame, it is important to communicate this to the Securit360 team. At any time, the client may email the analyst to pause or stop the attacking process.
A common concern from customers is that an external penetration test may throttle internet bandwidth or disrupt payment systems. This is simply not the case with our external process. The external attack process at SecurIT360 is specifically designed to not interfere with daily operations or cause a Denial of Service. If an analyst is able to pivot into the internal environment, the analyst will stop, and the customer is alerted. Likewise, if a critical vulnerability is discovered during the testing process, the client is alerted immediately to correct the vulnerability.
Reporting & Follow up
Depending on the scope of the network and the number of findings, the analyst will typically issue a draft report the week following a penetration test. We then ask the client to review the report and communicate any questions or concerns back to the analyst. When all the client’s concerns have been addressed, a final report is issued.
Often, clients will seek help remediating issues discovered during testing. Following a penetration test, our team will work with yours to understand and mitigate vulnerabilities. We will also issue an attestation form that states the work that SecurIT360 performed without detailing the vulnerabilities found on your network. These attestation forms are often required for compliance.
The goal of an external penetration test is to identify gaps in your external network, demonstrate the risk they present, and help inform you how to best close those gaps. Our mission as the Offensive Security Team at SecurIT360 is to find the holes before the bad actors do and help you secure your network. If you have any further questions about our external penetration testing process, please reach out to our team, and we would be happy to answer.