An external penetration test is a method of evaluating the protection of a computer system or network by simulating a targeted attack from publicly accessible networks, reproducing the behaviour of an Internet-based intruder (both with and without social engineering).
The goal of the test is to find system vulnerabilities that could appear as a result of a faulty configuration, technical and programming errors, and operational faults in the processes and technical control tools.
External penetration testing services minimize the risks arising from system vulnerabilities that would allow an intruder to gain access to confidential, financial, or other unprotected information, by searching for potential weaknesses and simulating an attack from the Internet.
The report on the external penetration testing will include the following information:
- Information on the discovered vulnerabilities and their severity
- A list of vulnerabilities with a description of the problem and a method of its reproduction
- Recommendations for raising the current level of security of the information system
- Scripts developed in the testing process
- Pentest results
In order to increase business effectiveness, quality of service, and client loyalty, a large insurance company developed a new version of the corporate portal with a personal account for its clients.
A personal account allowed clients to independently view information on current services, enable new services, and receive consultations. The portal was also connected directly to the company's CRM system, so that support operators could advise a client on different questions from a single window.
The company's management set the task of conducting a security analysis of the portal before launching the website. Many vulnerabilities were discovered, among them ways for an intruder to collect personal user data and to substitute the portal's log-in page.
The most severe vulnerability was that, after free registration on the portal, an intruder could carry out a series of actions giving him or her access to the client base assigned to a specific manager who serves those clients. The information exposed to theft included clients' full names, passport details, and the history of interaction with each client.
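The case study does not say which exact step let a newly registered account reach another manager's client base. The following added example (not code from the report or the portal) models the most common cause of that outcome, a missing object-level authorization check on a "client record" endpoint, and places the hardened handler beside it. The data model, roles, and sample records are constructed assumptions.

```python
# Added example: minimal model of a portal "client record" handler.
# ASSUMPTION: the flaw is missing object-level authorization; the page
# does not state the actual mechanism. Sample data is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientRecord:
    client_id: int
    manager_id: int      # manager assigned to serve this client
    full_name: str
    passport_no: str     # sensitive field named in the case study


# Constructed stand-in for the CRM-backed client base.
CLIENTS = {
    101: ClientRecord(101, 7, "Alice Example", "PASSPORT-A"),
    102: ClientRecord(102, 7, "Bob Example", "PASSPORT-B"),
    103: ClientRecord(103, 9, "Carol Example", "PASSPORT-C"),
}


@dataclass(frozen=True)
class Session:
    user_id: int
    role: str            # "client" or "manager"


class Forbidden(Exception):
    pass


def get_client_vulnerable(session: Session, client_id: int) -> ClientRecord:
    """Authentication only: any freshly registered account can read every
    client record, which is the outcome the case study describes."""
    return CLIENTS[client_id]


def get_client_hardened(session: Session, client_id: int) -> ClientRecord:
    """Object-level authorization: a client may read only their own record,
    a manager only records assigned to them. Unknown ids get the same error
    as denied ones so the endpoint cannot be used to enumerate clients."""
    record = CLIENTS.get(client_id)
    if record is not None:
        if session.role == "client" and session.user_id == record.client_id:
            return record
        if session.role == "manager" and session.user_id == record.manager_id:
            return record
    raise Forbidden(f"user {session.user_id} may not read client {client_id}")


def can_read(session: Session, client_id: int) -> bool:
    """Audit helper: True if the hardened handler would permit the read."""
    try:
        get_client_hardened(session, client_id)
        return True
    except Forbidden:
        return False
```

A regression test for the fix is the last two assertions in spirit: the attacker's self-registered account must be denied every record it does not own, while the assigned manager's access still works.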
- Analysis of information regarding the system, its users, and their goals
- Conducting the pentest
- Analysis of the discovered vulnerabilities and their severity
- Writing scripts and exploits, applying them in practice, and recording the results
- Nessus Vulnerability Scanner