We had an interesting call with a new client the other day. He knew he needed a network penetration test, but wasn’t sure what the scope of the test should be.
To help answer the question “What should we test?”, we discussed what his network looked like, what his concerns were, why he wanted a network penetration test, and so on. During the conversation, a related question came up: “Should we scan just known live IP addresses, or the company’s entire IP block?”
Most ISPs provide business customers with a small block of IP addresses, figuring you’ll need several. For example, a common configuration is what’s called a /29 cidr block, which is a block of 8 IP addresses. One of these IPs is generally for the router. If another is used for the network address and a third for the broadcast address, that leaves five IPs you could potentially assign to devices (e.g., a firewall) and/or services.
Initially, the client noted that just a couple IPs in his company’s block were in use, so why scan them all? I explained that it’s good practice to check everything that could be live. We hope to find only what we expect to be there. But we frequently discover forgotten devices, services someone put on the Internet that IT wasn’t aware of, and so on. Many times, these “surprises” reveal previously unknown security risks.
I went on to tell a story about a different client in a basically similar situation. This client also asserted that only a couple of his IPs were in use. But he decided to have us scan the entire block anyhow.
Sure enough, we found two surprises on those “unused” IPs. One was a long-forgotten phone system, which exposed things to the public Internet that probably shouldn’t have been. Next was an FTP server that was setup to exchange files with a client and hadn’t been needed for years.
Having heard this cautionary tale, our new client had us scan his company’s entire IP block as well. The happy ending for him was there were no surprises. The benefit? Peace of mind, which he thanked us for during the readout call.
It’s a good feeling to know you’re secure.
Want to know if your organization would benefit from a network penetration test? Contact Pivot Point Security to talk over what’s involved, what you get from the process, and whether your business has sufficient “security maturity” to make good use of the information that such testing provides.