How to Prepare for an External Penetration Test

Posted by Kevin Hutchinson, CISSP on Jul 9, 2025 12:06:19 PM

If you have never had a penetration test conducted on your environment, our hope is that you would seriously consider having one completed soon. Penetration testing is about finding where the vulnerabilities lie in your security that a threat actor may be able to exploit. You can have a penetration test conducted on your external perimeter, internal defenses, or even your web applications. Each test has its own tools and methodologies, but the goals are all the same: find out how to bypass existing controls to compromise the environment.

To keep things simple, today we will cover an external penetration test and the steps you can take to make the process easier for you and your team.

Before you reach out to a company to have them conduct an external penetration test, you need to define exactly what is being assessed. Typically, an external penetration test will cover all the publicly accessible IP addresses that your company owns or leases. In most cases, these are the public IP addresses of your security system, websites, web application firewall (WAF), or other externally facing resources.

An important thing to note is that you are not testing a public IP or URL that is part of a SaaS platform like xyz.salesforce.com or something similar; the IP addresses should be part of your organization’s domain.

When you have the list of public IPs compiled, review the list with your internal team and/or managed service provider (MSP) for completeness. The finalized list is what you will be providing to the penetration testing company. A respectable penetration testing organization is going to check the registration of those addresses to ensure you have the authority to test what you provided.
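Before the list goes to the tester, it helps to run the same sanity checks the testing firm will run: every entry is an address rather than a SaaS hostname, nothing internal has slipped in, everything falls inside the address space registered to you, and overlapping entries are merged. The following is an added example of such a check (not code from the original post); it assumes you already know your registered blocks from your RIR or ISP records, and the sample scope list below is constructed from documentation ranges, not real assets.

```python
import ipaddress

# Blocks that can never belong in an external scope (RFC 1918, loopback, link-local,
# CGNAT, multicast, "this" network). Listed explicitly instead of using is_global so
# that the documentation ranges in the constructed sample are treated as public.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "100.64.0.0/10", "0.0.0.0/8", "224.0.0.0/4", "fc00::/7", "fe80::/10", "::1/128")]

# Constructed sample scope list, as a team might first compile it.
SAMPLE_SCOPE = """
203.0.113.10          # corporate website
203.0.113.0/28        # DMZ block leased from the ISP
xyz.salesforce.com    # SaaS tenant: not our address space
10.1.2.3              # internal host pasted by mistake
192.0.2.5             # an address we hold no registration for
192.0.2.5
"""

def review_scope(text, owned_cidrs):
    """Split a candidate scope into accepted networks and (entry, reason) rejections.
    owned_cidrs: the blocks registered to the organisation (assumed known from RIR/ISP records)."""
    owned = [ipaddress.ip_network(c) for c in owned_cidrs]
    accepted, rejected, seen = [], [], set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop inline comments
        if not entry:
            continue
        if entry in seen:
            rejected.append((entry, "duplicate"))
            continue
        seen.add(entry)
        try:
            net = ipaddress.ip_network(entry, strict=False)   # single IPs become /32 or /128
        except ValueError:
            rejected.append((entry, "hostname, not an address: resolve it and confirm ownership first"))
            continue
        if any(net.version == b.version and net.subnet_of(b) for b in NON_PUBLIC):
            rejected.append((entry, "not publicly routable"))
        elif not any(net.version == o.version and net.subnet_of(o) for o in owned):
            rejected.append((entry, "outside registered address space"))
        else:
            accepted.append(net)
    # Merge overlapping entries (per IP version) so the tester receives one clean list.
    final = []
    for version in (4, 6):
        final += [str(n) for n in ipaddress.collapse_addresses([n for n in accepted if n.version == version])]
    return final, rejected

if __name__ == "__main__":
    final, rejected = review_scope(SAMPLE_SCOPE, ["203.0.113.0/24"])
    print("send to tester:", final)
    for entry, reason in rejected:
        print("rejected:", entry, "->", reason)
```

The accepted list is what you hand over; each rejected entry is something to resolve with your team or MSP before the engagement starts.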

A critical and sometimes overlooked piece is establishing key points of contact and communication methods in the event of an emergency for both your team and the penetration testing company! Once you have shared the necessary information and received their contact details, you can sit back and relax while they go to work.

During the penetration test, you should expect to see traffic emanating from the penetration testing organization. This is normal behavior, and you may want to flag or allow-list those source IP addresses to reduce alert fatigue.

Once the testing has been completed, a meeting should be held to distribute the findings, discuss the finding details, and present potential remediation steps or improvements your organization can take to reduce your company’s external exposure.

If your organization is looking to assess its external security posture, our expert team is here to help. Click here to learn more about our penetration testing services and take the first step toward strengthening your defenses.
