Internal and External Infrastructure Testing
Each company’s infrastructure changes regularly. It is not only new servers but also new users, new connections, and new authentication methods – each new component extends the attack surface and increases the number of potential attacks.
An infrastructure is a vast ecosystem of multiple components – proper functioning of each of them depends on the configuration of the connections.
Infrastructure tests can be divided into:
1. Internal Penetration Tests – focused on determining an internal attack surface – bypassing network access control, compromising internal servers and escalating privileges An attacker can be both an anonymous person or an employee..
2. External Penetration Tests – focused on determining an external attack surface – public DNS configuration, all hosts exposed to the internet and services published on those servers.Here, an attacker comes from the outside.
Often the emphasis is placed on web applications security, while skipping an infrastructure that guarantees their proper operation..
In a typical case, an infrastructure security test is performed in the following steps:
1. Acquiring resources that will be tested
2. Threat modeling – security analysis aimed at determining possible attack methods and most significant consequences
3. Establishing priorities, exclusions and dependencies
4. Performing tests. A client is informed on an ongoing basis about identified key vulnerabilities
5. Reporting and analysis”
6. Consultations on how to remove the vulnerabilities
7. Verification of the correct removal of vulnerabilities
What do we deliver after completing infrastructure security tests?
The result of security tests is a report. It contains a summary for the management team, a list of servers and services that have been tested, a detailed description of each vulnerability with proposed corrective actions, and a list of recommendations, i.e. methods to increase system security.
Our infrastructure security testing is something more than an automated vulnerability assessment. We use the scan results to perform manual exploitation and attacks with the highest impact identified in the threat modeling session. Provided that enough time is reserved for the test, we attempt to identify 0-days in custom software, perform extensive dictionary attacks on passwords, and pivot across different subnets and servers.
Please contact us to get a quote for infrastructure security testing. To assess the size of your infrastructure and the effort required to cover all attack vectors according to your expectations, we perform a scoping meeting or send you a quick questionnaire.