By Staff Writer at LMG Security   /   May 17th, 2024

The Secret Benefits of Booking External Penetration Testing Before Q4

It’s May 17th. Do you know how many records have been breached in 2024? This may sound like a public service announcement from the 1980s, but the sad answer is that over 5.1 billion records have already been compromised, and we’re not even halfway through the year. While there is no silver bullet to thwart attackers, a significant number of attacks could have been prevented if the breached organizations had conducted regular external penetration testing. Let’s dive into the attack trends we’re seeing and the secrets to maximizing your risk reduction with penetration testing.

What is Penetration Testing?

In a penetration test, ethical hackers simulate a real attack against your environment to find exploitable security gaps. It can be all-encompassing or broken into internal and external penetration testing, or even smaller subsets. Let’s quickly review the differences. External penetration testing simulates attacks from outside your organization, replicating the tactics malicious attackers use to breach your environment. This type of assessment focuses on vulnerabilities in your internet-facing assets, such as web applications, mail and FTP servers, cloud environments, and exposed network infrastructure.

An internal penetration test mimics an attack from within your organization’s network. It aims to evaluate the effectiveness of internal security measures and your network’s resilience against potential insider threats or attacks that leverage employee access to your network (phishing is a common root cause).

Penetration testing goes further than automated vulnerability scans: the testers chain several attack tactics together and identify critical gaps that automated testing often misses. The gold standard for penetration testing is regular (annual is considered the minimum baseline), comprehensive testing that includes both internal and external penetration testing. Today we’ll focus on external penetration testing, but stay tuned for our upcoming blog on internal penetration testing!

The 3 Most Common Security Gaps in External Penetration Testing

What are the most common errors our LMG Security team finds while conducting external penetration testing? Read on and then check your network (or contact us for help) to ensure you don’t have these common security gaps.

  • Not setting up Multi-Factor Authentication (MFA). We frequently find that while MFA is required for remote users, many in-office users never complete MFA enrollment because they are in a trusted location and figure they won’t need it. Those accounts are exposed the moment the user is phished or signs in from outside the office, for example while traveling, and an account whose MFA enrollment is still pending is especially dangerous: whoever signs in with the password first gets to register the authenticator. “I’ve conducted a number of external penetration tests where I found in-house users with a weak username and password who don’t use MFA. If our penetration testing team guesses a weak username and password, they can set up the user’s MFA account and create credentials that enable a full takeover of their account,” stated Tom Pohl, penetration testing team manager at LMG Security. “We can then often leverage that with Entra ID setups and get into Azure configurations to exfiltrate ALL the user accounts and a plethora of data.”
  • Slow software patching. Pohl shared, “Breaches are often caused by one missing patch or failing to confirm the patch was implemented correctly. Unless you patch software vulnerabilities immediately, you leave the door open for attackers.” If you are not using continuous attack surface monitoring and you don’t have a strong patch management program, you are at a much higher risk of being breached through a newly disclosed or still-unpatched software vulnerability. While there are many high-profile vulnerabilities, Pohl shared that the three software categories with the most frequent vulnerabilities are file transfer software packages, remote access software, and firewalls. So prioritize patching those products, and verify that each patch actually took effect by checking the running version rather than trusting the deployment job’s status.
  • Allowing egress out of your network. “When we do external penetration testing, we think like an attacker and we check what traffic is allowed out from the network to the internet,” stated Pohl. “If an organization has weak egress filtering and allows outbound SMB traffic or permits users to connect to TCP 445, leaving a gap open to the internet, our team can send an email that, if opened, convinces the computer to connect to our penetration testing team. We can then capture the user’s password hash and expand our access throughout the network.” Block outbound SMB (TCP 445 and 139) from workstations at the perimeter, confirm from inside the network that the rule is actually enforced, and review your egress rules and firewall logs regularly; inbound port scans alone will not reveal this gap.
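Here is an added example (not code from LMG Security or the original post) of how a defender can check perimeter firewall logs for the SMB egress gap described above. It assumes key=value syslog-style firewall lines with src, dst, proto, dpt and action fields, an internal address space made up of the three RFC 1918 ranges, and constructed sample lines that use RFC 5737 documentation addresses to stand in for the attacker’s host; the log format, the field names and the sample traffic are all assumptions for the example.

```python
import ipaddress
import re

# Constructed perimeter-firewall log lines (key=value syslog style) for this
# example; they are not real traffic. External destinations use RFC 5737
# documentation addresses to stand in for an attacker-controlled host.
SAMPLE_LOG = """\
2024-05-17T14:02:11Z fw=edge1 action=allow proto=tcp src=10.20.1.15 spt=51234 dst=203.0.113.7 dpt=445
2024-05-17T14:02:12Z fw=edge1 action=allow proto=tcp src=10.20.1.15 spt=51235 dst=203.0.113.7 dpt=443
2024-05-17T14:03:40Z fw=edge1 action=deny proto=tcp src=10.20.1.22 spt=49811 dst=198.51.100.9 dpt=445
2024-05-17T14:05:02Z fw=edge1 action=allow proto=tcp src=10.20.1.22 spt=49812 dst=10.20.0.5 dpt=445
2024-05-17T14:06:30Z fw=edge1 action=allow proto=tcp src=192.168.4.8 spt=50001 dst=198.51.100.9 dpt=139
2024-05-17T14:07:00Z fw=edge1 action=allow proto=udp src=10.20.1.30 spt=137 dst=203.0.113.7 dpt=137
"""

# Address space the (hypothetical) organization uses internally. It is
# configured explicitly rather than inferred from the address, because
# documentation and carrier-grade NAT ranges would otherwise be misclassified.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# What an attacker needs reachable outbound to capture NTLM authentication:
# SMB over TCP (445) and the NetBIOS session service fallback (139).
SMB_PORTS = {("tcp", 445), ("tcp", 139)}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one key=value log line into a dict; the leading token is the timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def audit_smb_egress(lines):
    """Return (allowed, denied): allowed lists internal-to-external SMB
    connections the firewall permitted, denied counts the ones it blocked.
    Internal-to-internal SMB and non-SMB traffic are ignored."""
    allowed, denied = [], 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        f = parse_line(raw)
        try:
            key = (f["proto"], int(f["dpt"]))
            src_internal = is_internal(f["src"])
            dst_internal = is_internal(f["dst"])
        except (KeyError, ValueError):
            continue  # malformed or incomplete line
        if key not in SMB_PORTS or not src_internal or dst_internal:
            continue  # not SMB, or not egress (e.g. file-server traffic inside the LAN)
        if f.get("action") == "allow":
            allowed.append({"ts": f["ts"], "src": f["src"], "dst": f["dst"], "dpt": key[1]})
        else:
            denied += 1
    return allowed, denied


def report(lines):
    """Human-readable summary; a non-empty 'allowed' list is the finding."""
    allowed, denied = audit_smb_egress(lines)
    out = [f"{len(allowed)} permitted SMB egress connection(s), {denied} blocked"]
    for a in allowed:
        out.append(f"  {a['ts']} {a['src']} -> {a['dst']}:{a['dpt']} "
                   f"(TCP {a['dpt']} should be blocked outbound)")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```

Run against a day of real firewall logs, any line the script lists is a workstation that successfully reached an internet host on an SMB port, which is exactly the condition the phishing-to-hash-capture attack needs; the denied count is your evidence that the egress rule is doing its job. Internal file-server traffic is deliberately excluded so the report does not drown in normal SMB activity.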

Why You Should Not Wait Until Q4 For Your Penetration Testing

Q4 is always the busiest time for penetration testing—most organizations wait until the end of the calendar year. There are a few key reasons why sooner is better. Read on for more details.

  • You likely need external penetration testing multiple times a year. With attackers using continuous automated scans to find vulnerabilities, you should book external penetration testing after ALL major network changes. This includes adding new systems, web apps, cloud instances, and more. One simple open port can cause a breach. Adding additional external penetration testing, even if it’s a small scope, to your regular comprehensive penetration testing schedule can help you uncover backdoors and misconfigurations before an attacker exploits them. “All too often, organizations discover that one of their network changes was not as secure as they thought it was AFTER it causes a data breach,” stated Pohl. “You should conduct at least a limited amount of retesting immediately after every major network change to ensure you have not opened up a new vulnerability—don’t wait for your regular penetration test.”
  • Your cloud environments should be checked frequently with external penetration testing or a cloud configuration review. The cloud is a high-priority attack target and is prone to misconfigurations. Researchers from IBM found that a staggering 82% of breaches last year involved data stored in the cloud. Cloud configurations are dynamic: they change as providers add features, as you apply security updates, and as your organization’s needs evolve, and every change is a chance to introduce a misconfiguration or security gap. With 98% of organizations using two or more cloud providers, and 31% of those using four or more, this multiplies your risk. You can dramatically reduce your risk with periodic, targeted external penetration testing after any major cloud changes or updates.
  • Better annual planning and budgeting. Many annual cybersecurity budgets and priorities are created in September and October. If you only have annual penetration testing and wait for Q4, you won’t be able to include any recommended remediation or cyber maturity improvements in your budget.
  • With Q4 being the busiest time for penetration testing, unless you book early you may not be able to schedule your preferred dates. Moving your penetration testing earlier in the year often gives you more flexibility to choose your testing dates.
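As an added example (not from the original post or LMG Security), the following script does the minimum a team should do after a network change: it compares an external port-scan snapshot taken before the change with one taken after it and reports every host and port that is newly reachable from the internet, which is what the limited retest should focus on. It assumes nmap’s grepable (-oG) output format as input and uses constructed sample results on RFC 5737 documentation addresses; in practice you would feed it the two real scan files.

```python
import re

# Constructed nmap grepable (-oG) style output for an external scan taken
# before a network change (BASELINE) and again after it (CURRENT). Hosts use
# RFC 5737 documentation addresses; these are not real scan results.
BASELINE = """\
# Nmap 7.94 scan initiated Thu May 16 09:00:00 2024 as: nmap -sS -p- -oG baseline.gnmap 203.0.113.0/28
Host: 203.0.113.10 ()  Ports: 443/open/tcp//https///  Ignored State: filtered (65534)
Host: 203.0.113.11 ()  Ports: 25/open/tcp//smtp///, 443/open/tcp//https///  Ignored State: filtered (65533)
Host: 203.0.113.12 ()  Status: Down
"""
CURRENT = """\
# Nmap 7.94 scan initiated Fri May 17 09:00:00 2024 as: nmap -sS -p- -oG current.gnmap 203.0.113.0/28
Host: 203.0.113.10 ()  Ports: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///  Ignored State: filtered (65533)
Host: 203.0.113.11 ()  Ports: 25/open/tcp//smtp///  Ignored State: filtered (65534)
Host: 203.0.113.12 ()  Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///  Ignored State: filtered (65533)
"""

# nmap separates the fields with tabs; the regex accepts spaces as well.
HOST_RE = re.compile(
    r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+(.*?)\s*(?:Ignored State:.*)?$")


def parse_gnmap(text):
    """Map each scanned host to the set of (proto, port, service) found open."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and hosts without port data ("Status: Down")
        ip, port_field = m.groups()
        open_ports = set()
        for entry in port_field.split(","):
            # Each entry is port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) < 5 or fields[1] != "open":
                continue
            open_ports.add((fields[2], int(fields[0]), fields[4]))
        hosts.setdefault(ip, set()).update(open_ports)
    return hosts


def exposure_delta(baseline, current):
    """Compare two parse_gnmap() results: what appeared and what went away."""
    delta = {"new_hosts": {}, "opened": {}, "closed": {}}
    for ip, ports in current.items():
        if ip not in baseline:
            delta["new_hosts"][ip] = ports
        elif ports - baseline[ip]:
            delta["opened"][ip] = ports - baseline[ip]
    for ip, ports in baseline.items():
        gone = ports - current.get(ip, set())
        if gone:
            delta["closed"][ip] = gone
    return delta


def needs_retest(delta):
    """Anything newly reachable from the internet warrants a targeted retest."""
    return bool(delta["new_hosts"] or delta["opened"])


def _fmt(ports):
    return ", ".join(f"{port}/{proto} {svc}" for proto, port, svc in sorted(ports))


def format_delta(delta):
    lines = []
    for ip, ports in sorted(delta["new_hosts"].items()):
        lines.append(f"NEW HOST  {ip}: {_fmt(ports)}")
    for ip, ports in sorted(delta["opened"].items()):
        lines.append(f"OPENED    {ip}: {_fmt(ports)}")
    for ip, ports in sorted(delta["closed"].items()):
        lines.append(f"CLOSED    {ip}: {_fmt(ports)}")
    return "\n".join(lines) or "no change in external exposure"


if __name__ == "__main__":
    delta = exposure_delta(parse_gnmap(BASELINE), parse_gnmap(CURRENT))
    print(format_delta(delta))
    print("retest needed:", needs_retest(delta))
```

In the constructed data the change brought up a new host with FTP and SSH exposed and opened RDP (3389) on an existing web server, while an HTTPS listener went away; the first two are the retest scope, and the closed port is worth confirming against the change ticket so that an accidental outage is not mistaken for hardening.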

We hope you have found these external penetration testing tips and trends helpful! As you can see, there are many reasons why external penetration testing is crucial to your security and should be more than an annual end-of-year checkbox. Stay tuned for our upcoming blog on internal penetration testing trends, and please contact us if you’d like help with technical testing, advisory services, cybersecurity solutions, or training.

About the Author

LMG Security Staff Writer