An external penetration test is also called an External Security Test (EST). During these penetration tests, our security experts try to simulate the behaviour of a malicious third party who has no previous knowledge of your Information System (IS) and who tries to access it or divert sensitive information from the outside. At the end of this audit, our experts will present the vulnerabilities they identified and the most appropriate fixes to secure the business application, site or Information System that was the target of the assignment.
An External Security Test? But why?
Often, businesses underestimate the extent of their Information System and, therefore, their vulnerabilities. With the digital transformation, the multiplication of interconnections and technologies, hackers have more entry points, and you should leave nothing to chance to avoid any penetration into your system or application which could lead to data theft, malicious exploitation of your resources, or other risks to your business.
During an External Security Test, our experts highlight all your platforms’ sensitive points, whether they are hosted by your company or by a service provider, to provide you with the actions and best practices to put in place to fully secure them.
NBS System’s expertise in IT security
years of experience
+ 250 clients in IT security
Creator of CerberHost
Creator of Naxsi
How is an External Security Test conducted?
This type of assignment breaks down into three main phases:
Contractualisation & scoping
For our IT security consultants, it is vital that the project is well scoped from the start. Whether it is the legal terms (contractualisation) or the technical scope (system/application to audit), we must build the project together to make sure it goes well. We must not neglect the first kick-off meeting that will match up your needs and technical challenges with your production and security constraints and fully scope the service.
During an EST, our experts try to act like a hacker would by getting around your security systems and exploiting any flaws in your system. These pentests are generally conducted using the “black box” method, or “blindly”.
A black box test is a test where our security experts have no access to information before the test: no source code, no login details and no technical information about the system being audited.
However, in certain cases, ESTs can be conducted using the grey box method (especially for systems that require authentication). Some information must then be shared with our IT security experts, such as customer/employee access, technical information about the software, and some source code passages.
Once the type of test that meets your needs has been determined, our consultants can then get to the heart of the matter and begin their search for vulnerabilities to exploit. Our experienced experts test your system’s resilience just like a real hacker would, the difference being they won’t stop at the first flaw they find: their goal is to be as exhaustive as possible to present you with a clear vision of your system or application’s security status.
Results and recommendations
Your main objective when ordering a penetration test is to obtain the test results. That’s why our experts document each stage of the assignment to give you the greatest detail of their actions and results.
They will be shared with you in a report that is more or less detailed depending on your needs, and they will come with recommendations for the most appropriate corrective measures to improve your system’s security and reduce its exposure to hacking risks.
Our experts can also present this report before a committee of your choice (for example, the board of directors) and monitor the implementation of the fixes mentioned in the report.
When should you perform this type of audit?
Since IT security or, to be more exact, the IT hacking market has shown heavy growth over the past few years, most of our clients conduct these penetration tests regularly, usually every two or three years at most. Beyond that interval, most of the fixes made after the previous test will no longer be effective.
Who conducts these IT security tests?
Our security unit is made up of two teams, each with its own speciality. Everyone regularly takes on the role of SecOps to support our clients in operational security assignments, which allows them to stay familiar with production and your needs.
The team available to you is specialised in running security tests and audits and has acquired significant experience in this field thanks to the many services it has provided for our clients. The other team is dedicated to innovative projects and produces open source IT security tools such as NAXSI, Snuffleupagus and PHP Malware Finder. While staying up to date with the latest developments in offensive and defensive security, it shares its discoveries and the results of its monitoring of technology with the team that tests your systems’ resilience to give you the best possible protection, even against the latest attacks and trends.
Where is the penetration test conducted?
By definition, External Security Tests are performed from outside your business. Our experts are used to being away from your premises during the assignment. If you need it, however, our consultants can break this rule and come to your offices for their audit. In that case, they will make sure not to use your internal network and to respect certain rules of compliance.
Deontology & ethics at NBS System
All information (data, vulnerabilities found) gathered during the penetration test will be given back to you. It is completely confidential and will never be exploited outside the context of the test. It will never be shared with third parties and will only be known to your teams participating in the test and NBS System’s security experts. This also applies to the report that we send you at the end of the audit.
Contact our salespeople to find out more!