An External Penetration Test identifies security weaknesses and strengths of the client's systems and networks as they appear from an external perspective, operating outside the client's security perimeter.

Key focus points during External Penetration Tests include:

• Identifying NOS and application vulnerabilities on high asset value / high risk externally facing systems eCommerce. Mail, Web, FTP, & DNS Servers

• Identifying NOS and application vulnerabilities on high asset value / high risk externally facing systems eCommerce. Mail, Web, FTP, & DNS Servers

• Identifying protocol and network infrastructure vulnerabilities (clear text passwords, sniff-able network segments, poorly configured routers, firewalls, RAS, VPN devices, SNMP vulnerabilities, etc)

• Identifying Application level vulnerabilities, specifically web applications (ZX site scripting, SQL Injection, cookie hijacking, hidden text exploits)

• Identifying System Security issues (excessive / non-essential services, patch management issues, application versioning issues)

The Pivot Point test team will deliver an External penetration Test and Analysis Report that contains an executive security overview, details the processes / methodologies used, identifies and prioritizes vulnerabilities, recommendations for risk mitigation, and full detail / output of all data acquired during the test. The report will be delivered in bound hard copy format, via secure email (PGP preferred) or via SFTP.

To ensure that the business objectives of the Penetration testing is fully achieved, the Perspective, Impact, Stealth, Intensity, Scope, and Point of Origin are client defined to ensure that the Penetration Testing fully meets the business objectives of the engagement.

Typically we assume one or a combination of three perspectives:

• Black Box (aka Zero Knowledge) - our team assumes the role of a malicious external user, with no previous knowledge of your network structure or security plan. The black box perspective most closely simulates a malicious external user exploring your externally accessible infrastructure

• White Box (aka Full Knowledge) - our team assumes the role of a malicious external user, with access to some level of detail of your network structure and security plan. This scenario is not typically utilized

• Gray Box (aka Limited Knowledge) - our team assumes the role of malicious external user with some knowledge provided as part of the test to protect certain systems/reduce the project scope, or simulate the role of an malicious external user working with a malicious internal user

For each engagement (often defined to a system / segment level) the "allowable" impact of the penetration test is defined. Typically one or more of the following Impact postures are assumed:

• LI - our team concentrates it efforts on gathering information (systems, OS's, Key Applications, Version & Patch levels, etc.) This information is correlated against known vulnerabilities, but no exploits are actually performed. This posture is typically only assumed for a limited number of "high risk" targets (e.g., a critical extranet application, VPN infrastructure)

• MI - our team attempts all identified exploits except Denial of Service attacks. This posture is the most common posture assumed for Penetration Tests

• HI - our team attempts all identified exploits including Denial of Service attacks. This posture is generally assumed when an organization has reason to believe that it may be targeted by a malicious user. It is also used as a means of testing an organizations Incident Response capability

Typically one of the following Stealth postures is assumed:

• Quiet - our team assumes the posture of a typical malicious user. We are neither intentionally furtive nor noisy during our testing. We do not make any efforts to hide our ongoing activities. This posture is most typically used during normal investigate Penetration Testing or to assess Incident Response Capability in organizations whose CMM is low in this area

• Stealth - our team assumes a stealth posture during the testing period. Foot-printing operations are done with the assumption that all ports are firewall filtered (e.g., packet fragmentation used), that Network Intrusion Detection Systems are in place (e.g., packet fragmentation, signature alterations, scans spread over longer periods of time), and that monitoring is in place. This posture is most typically used during Penetration Testing for organizations with well developed Security Infrastructures and Incident Response Capability

• Secret Ops - our team assumes a covert posture during the testing period. In addition to the typical stealth operations, additional efforts are made to hide the testing, for example, scan locations are spoofed and rotated, logs are altered to remove evidence, and indirect scanning methods (e.g., idles can) are leveraged. This posture is most typically used during Penetration Testing for organizations with well developed Security Infrastructures with a high risk posture

Internal Penetration Tests are often further scoped by Business Objective, Data Classification, Audit Objectives, Device Segmentation, Network Segmentation, Business Unit Segmentation, and other mechanisms. The number of potential scoping options is unlimited but may include:

• System Specific (e.g., FTP Server)

• Application Specific (e.g., eCommerce Application)

• Data Specific (aka, internal Database which is accessed by a DMZ application)

Typically one of the following Intensity postures is assumed:

• Investigative - our team assumes the posture of a "typical" hacker. Our Penetration test is done with the same curiosity as that of a typical hacker. In the event that intriguing or easy compromises do not appear in the amount of time that a typical hacker might extend, we assume that the typical hacker would have moved on to easier opportunities and move on to other challenges. This posture is typically assumed if an organization wants to gain a quick assessment of their overall security posture

• Tenacious - our team assumes the posture of a "determined" hacker (e.g., a disgruntled employee). Our Penetration test is done with an increased fervor, level of effort, and tenacity. More aggressive forms of hacking including dumpster diving, war dialing, war driving, and social engineering may be employed, dependent upon the clients' objectives. This posture is typically assumed if an organization wants to gain a truer assessment of their overall security posture

The Point of Origin is another means of further defining the scope of a Penetration Testing engagement.

• Single - our test team is limited to a Single Point of Origin for the Penetration test. For example, in a Capture the Flag engagement, our Point of Origin might be the Internet, that is fire walled from the data we are trying to capture. In the vent that our test team can not cross the firewall, the Penetration Test is terminated

• Multiple - our test team is allowed Multiple Points of Origin during the Penetration test. Using the same Capture the Flag example from above, after determining that our test team could not access the target data, our point of origin would be moved to a semi-trusted LAN segment that houses the data and our efforts would resume. The advantages of a Multiple Point of Origin engagement are that it better reflects the reality of ever changing security postures:

• New exploits are identified on a daily basis, accordingly, the firewall may be easily compromised the next day, and the security posture of the secondary segment would not have been validated in a Single Point of Origin engagement

• An actual malicious user may gain access on a network segment other than the one chosen in a Single Point of Origin engagement