Externally accessible IT infrastructure offers attackers an easy target that can be evaluated with little effort and without risk. Hackers can exploit vulnerabilities in exposed servers, services and applications to extract data, take over systems and then launch attacks on the internal network. A penetration test of the externally accessible IT infrastructure uncovers vulnerabilities in the public attack surface of any organization and enables effective protection of external services and resources.

The penetration test of an external IT-Infrastructure comprises the following test components, depending on the scope, depth of investigation and chosen approach:

• Passive and active information gathering measures
• Checking the patch level of externally accessible services and applications
• Vulnerability scans of all exposed systems, services and applications
• Manual verification of automatically identified vulnerabilities
• Manual penetration testing of selected systems and services
• Post-exploitation scenario for selected systems

Internal IT infrastructure forms the backbone of any organization and often houses the most critical data and systems. Although it may be protected from external threats by firewalls and security systems, it can still be compromised by insider threats, social engineering or by exploiting vulnerabilities in exposed systems. A penetration test of the internal IT infrastructure simulates attacks carried out from within the network or by an attacker who has already gained access to the network. This helps to identify vulnerabilities that can be abused to extract sensitive data, compromise systems or gain control of critical infrastructure.

The penetration test of an internal IT infrastructure comprises the following test components, depending on the scope, depth of investigation and chosen approach:

• Penetration testing of the network infrastructure through spoofing and man-in-the-middle attacks, among others.
• Testing the segregation of network segments and the effectiveness of access control mechanisms
• Vulnerability scans of all internal systems, services and applications
• Checking the patch level of internal systems, services and applications
• Manual verification of automatically identified vulnerabilities
• Manual penetration test of selected systems and services
• Post-exploitation scenario for selected systems

Client and server systems are a central element of modern, digitized companies. Employees use client systems for working in the office, home office or in the field to complete their tasks. Internal server systems process data, provide services and applications and enable the technical mapping of company processes.

Penetration tests of employee notebooks in a company-wide standard configuration are just as much a part of a target-oriented security strategy as cyclical penetration tests of particularly critical server systems.

CERTAINITY offers penetration tests of “standalone” client or server systems in various scenarios:

• Attacker has physical access to switched-off system
• Attacker is on the same network as the system that is switched on
• Attacker has access to a switched-on system with a standard user without administrative authorizations

An Active Directory (AD) and an associated Windows domain infrastructure enable the digital management of resources. Due to the nature of AD and its complexity and extensive functionality, secure configuration is not trivial. Hackers repeatedly succeed in taking over entire organizations and causing major damage by exploiting AD vulnerabilities. A regular penetration test of the AD infrastructure makes a direct and fundamental contribution to the security of any organization.

The penetration test of an internal AD infrastructure comprises the following test components, depending on the scope, depth of investigation and chosen approach:

• Automated vulnerability scan of the AD configuration
• Manual verification of automatically identified vulnerabilities
• Manual penetration test of selected systems, services and applications within the domain infrastructure
• Domain privilege escalation from standard user to domain/enterprise administrator
• Checking the administration and authorization concept

Cloud infrastructure is becoming increasingly relevant as many companies outsource their services to the Cloud or modern start-ups are founded “Cloud native”. Due to the lack of physical access to systems, more applications are likely to be accessible via the Internet and Cloud providers have to provide public APIs, thereby increasing the attack surface.

Even though renowned Cloud providers invest heavily in their security, various aspects of a Cloud infrastructure are still in the hands of the customer. What is considered “security of the Cloud” and “security in the Cloud” changes depending on the service model: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) or Software-as-a-Service (SaaS). An insufficient understanding of this shared responsibility model often leads to vulnerabilities that attackers can exploit to compromise the infrastructure. In addition to this complexity, Cloud systems are not immune to the vulnerabilities of traditional infrastructure.

Depending on the scope and service model, CERTAINITY offers the following test components for Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP):

• Cloud configuration check according to industry standards (e.g. CIS benchmark) and own best practices
• Penetration test of the Cloud infrastructure (data and control plane)
• Evaluation of the role and authorization concept (AWS IAM, Entra ID und Cloud IAM)

Containers are modern infrastructure components that enable applications and their dependencies to be packaged and executed in an isolated environment. They are a fundamental building block of modern software and scalable micro architectures, in which sometimes hundreds of containers run and interact with each other in a cluster.

In addition to all the advantages that such an architecture brings, the additional complexity of the container orchestration allows for misconfigurations and vulnerabilities that attackers can exploit.

Depending on the scope, the following components can be part of a security assessment for containers and orchestration solutions such as Kubernetes and OpenShift:

• Analysis of container images to identify potential container escapes
• Evaluation of the cluster control plane according to best practices
• Penetration test of the cluster isolation, starting from a compromised container

Clusters are often part of a Cloud infrastructure or the basis of an application and interact with additional systems outside the cluster. CERAINITY recommends the integration of a container / cluster assessment with other fitting security assessments.

Continuous Integration (CI) and Continuous Delivery (CD) are two core components of modern and agile software development that automate the development, testing and deployment of applications. CI/CD also helps to roll out software updates and security patches as quickly as possible. However, CI/CD pipelines require high permissions for automation and can directly influence important core components and productive environments. This makes them an attractive target for attackers, who can exploit a lack of isolation and security procedures to take over entire applications and environments.

Depending on the connected systems and the integration and delivery tools used, a CI/CD assessment includes:

• An evaluation of the permission and approval concepts.
• An evaluation of the runner isolation
• An analysis of the separation of development, staging and production environments. In case case that a CI/CD pipeline also manages Cloud resources through Infrastructure-as-Code (IaC), the security assessment can be combined with a Cloud assessment.