The external company network could provide hackers access to internal critical systems
How much data of your organization can be found online? And can old data be used to break into applications and systems? Yes, that's possible. Old unused domains that are still accessible online can be used by hackers to gain access to other (critical) IT-systems.
When assessing the security of an organization's network, it is important to understand the breadth of attack risk. A single forgotten host or web application in the network can often be the first foothold for an attacker. With an (external) company network security test you can map the security of all publicly available organizational data.
Additional option: it is also possible to test the security of the internal network. For this purpose, a security expert visits the company location to investigate the internal network for vulnerabilities and security risks.
The focus of a company network security test is primarily on the external collection of information specific to the organization's network footprint and services. Open-source intelligence from social networks, email addresses, search engines and document metadata is used for the purpose of developing a social engineering attack, for example.
What is included in a company network test?
- Identifying domains and IP addresses that belong to, or have a relationship with, the organisation.
- Identification and exploration of IT-systems and services.
- Investigation of possible attack vectors for hackers.
- Open-source research into other, often unstructured, online business information available to hackers (e.g. indexed by search engines and existing on websites).
Which deliverables can you expect?
- Insight into weak links and vulnerabilities in the IT-infrastructure.
- Understanding of which information is easily available to a potential attacker/hacker.
- Overview of which business systems and services are all available online.
- Find out if there are certain hosts and servers that are publicly accessible that shouldn't be.
Passively Mapping the Network Attack Surface
By using open source intelligence (OSINT) techniques and tools, it is possible to map the Internet-connected networks and services of your organization, without actually sending requests (or a few standard requests) to the targeted network. Open source intelligence (OSINT) is defined as the derivation of intelligence from publicly available sources.
This means that an attacker can map a comprehensive analysis of your network infrastructure and technologies without actually sending requests. You will therefore not be aware that your network has been explored.
Identifying Hosts and Related Domains
Identifying all known hosts for an organization allows us to continue to dig deeper for more systems and hosts. Upon deeper examination of all discovered IP addresses (ASN), we may be able to find other hosts of interest in the network. Identifying related domains will lead to the discovery of more hosts.
With a single web server, the actual Open Services (such as SSH, HTTP, RDP) are attack points. However, if all virtual hosts running on the server are discovered, the web applications running on one of the virtual hosts are also potential attack options..