Internal and External Infrastructure Testing

Stable infrastructure is key to a stable business. Because infrastructure changes constantly, security and stability are the key elements that allow you to focus on business.

Each company’s infrastructure changes regularly. It is not only new servers but also new users, new connections and new authentication methods – each new component extends the attack surface and increases the number of potential attacks.

An infrastructure is a vast ecosystem of multiple components – proper functioning of each of them depends on the configuration of the connections.

Types of Infrastructure Tests

1. Internal Penetration Tests – focused on determining an internal attack surface – bypassing network access control, compromising internal servers and escalating privileges. An attacker can be either an anonymous person or an employee.
2. External Penetration Tests – focused on determining an external attack surface – public DNS configuration, all hosts exposed to the internet and services published on those servers. Here, an attacker comes from the outside.

Often the emphasis is placed on web application security, while the infrastructure that guarantees the applications' proper operation is skipped.

Steps of Infrastructure Security Tests

In a typical case, an infrastructure security test is performed in the following steps:

1. Acquiring resources that will be tested.
2. Threat modeling – security analysis aimed at determining possible attack methods and most significant consequences.
3. Establishing priorities, exclusions and dependencies.
4. Performing tests. A client is informed on an ongoing basis about identified key vulnerabilities.
5. Reporting and analysis.
6. Consultations on how to remove the vulnerabilities.
7. Verification of the correct removal of vulnerabilities.

What we deliver after completing infrastructure security tests

The result of security tests is a report. It contains a summary for the management team, a list of servers and services that have been tested, a detailed description of each vulnerability with proposed corrective actions and a list of recommendations, i.e. methods to increase system security.

Why Securing?

Our infrastructure security testing is something more than an automated vulnerability assessment. We use the scan results to perform manual exploitation and attacks with the highest impact identified in the threat modeling session. Provided that enough time is reserved for the test, we attempt to identify 0-days in custom software, perform extensive dictionary attacks on passwords and pivot across different subnets and servers.

DORA compliance

Internal and External Infrastructure Testing can perform an important function in compliance with DORA principles. It aligns with DORA’s principle of maintaining security across the entire operational landscape. 

How to get a quote for your project?

Please book a call with our specialist or write to us to get a quote for infrastructure security testing. To assess the size of your infrastructure and the effort required to cover all attack vectors according to your expectations, we hold a scoping meeting or send you a quick questionnaire.

Case study

How did we increase the security of online banking applications?

The client was one of the leading banks with a website for individual and business entities. The scope of the tests covered transaction website security, payment management services, financial exchange and loan products.
