External Penetration Testing
External Penetration Testing involves attacking the security of a computer system or network of computing devices from an external or public source, using the same tools and techniques that a hacker or outside attacker would use. The purpose of this test is to determine what systems a motivated attacker could access from an external source with zero knowledge of the system, using only publicly available sources of intelligence.
Since most Internet-facing systems are used by the corporate IT group, this typically involves testing the perimeter controls that protect Internet-facing corporate IT assets. In some cases, we have found SCADA and ICS infrastructure that was Internet-facing, so care must be taken during external penetration tests to ensure that mission-critical corporate IT and SCADA operational systems are not harmed in the process. Although no two penetration test projects end up following the same path, we do tend to follow the typical cyber attack cycle when conducting external penetration tests. These tests are normally limited to a finite time window, usually less than 2 weeks in duration.