Work sample · Security

External security
assessment sample

Subject Musterfirma AG (fictional) Scope External footprint only Method Passive & non-intrusive
What this is: a demonstration report built around a fictional Swiss SME, showing the structure and methodology of an external assessment. It illustrates how scope is defined, which resources are examined, and how findings are reported. A real engagement is always performed only with the asset owner's written authorisation, and covers only what is in the agreed scope.

1. Scope & methodology

Every assessment starts by agreeing what is in scope and confirming written authorisation for it. For this sample, the scope is the organisation's public-facing footprint only.

In-scope resources

ResourceWhat was examined
Primary domainmusterfirma-example.ch, DNS records, mail configuration
SubdomainsPublic subdomains discovered via passive enumeration
Web serverHTTP(S) responses, security headers, TLS configuration
Mail serviceSPF, DKIM and DMARC policy records
Exposed servicesInternet-reachable ports and service banners
Public dataBreach databases, code repositories, indexed documents

Approach

The assessment follows a standard external-reconnaissance sequence, each step feeding the next:

  1. Reconnaissance, map the public footprint: domains, subdomains, IP ranges, published contacts.
  2. Service identification, determine which services are internet-reachable and their versions from banners.
  3. Configuration review, check DNS, TLS and email-authentication records against current best practice.
  4. Exposure analysis, look for forgotten hosts, leaked data and unnecessary attack surface.
  5. Reporting, rate each finding by severity and translate it into a concrete, prioritised action.

All steps here are passive and non-intrusive: only publicly observable information is used. No exploitation, no password guessing and no load is placed on any system.

2. Executive summary

The external footprint of Musterfirma AG was assessed on the domain musterfirma-example.ch and its public services. Overall posture is reasonable but improvable: the website and certificates are well maintained, while email protection and one legacy subdomain need attention. None of the findings indicates an active compromise, they are doors that should be closed before someone tries them.

1
High
2
Medium
2
Low
3
Passed areas

3. Findings summary

AreaWhat it means for the businessResult
DNS configurationWhether your domain records can be abused or leak internal detailsOK · 1 note
TLS / certificatesWhether connections to your site are properly encryptedOK
Email securityWhether criminals can send email that looks like it comes from youAction needed
Exposed servicesWhat ports and services are reachable from the internet2 findings
SubdomainsForgotten systems still online under your name1 finding
Public data footprintCompany data visible in breaches, code repos or documentsMinor

4. Findings in detail

F-01 · Email securityHigh

Domain can be spoofed, DMARC not enforced

What was found
SPF exists, but the DMARC record is set to p=none and DKIM is not configured for the main mail stream. In practice: anyone can send email that appears to come from @musterfirma-example.ch, and receiving servers are told to deliver it anyway.
Business risk
This is the technical foundation of CEO-fraud and fake-invoice attacks against your customers and suppliers, one of the most common and expensive attack types against Swiss SMEs.
Recommended fix
Enable DKIM signing in Microsoft 365, then move DMARC to p=quarantine and finally p=reject after a 2–4 week monitoring period. Effort: ~2 hours plus monitoring. No user impact when staged correctly.
F-02 · Exposed servicesMedium

Remote management interface reachable from the internet

What was found
A remote-access service on the office firewall responds to the whole internet instead of being restricted. The login page also reveals the product name and firmware version.
Business risk
Internet-exposed management interfaces are continuously scanned and brute-forced by automated attackers; a single weak or reused password would grant access to the office network.
Recommended fix
Restrict management access to a VPN or a fixed IP allow-list, enforce MFA on the account, and update the firmware. Effort: ~1–2 hours.
F-03 · SubdomainsMedium

Forgotten legacy subdomain still online

What was found
alt.musterfirma-example.ch serves an old website copy on outdated server software, with a TLS certificate that expired five months ago.
Business risk
Unmaintained systems accumulate known vulnerabilities and are attackers' preferred entry point, and an expired certificate under your name damages trust.
Recommended fix
Decommission the host and remove the DNS record; if the content is still needed, migrate it to the maintained web server. Effort: ~1 hour.
F-04 · Public data footprintLow

Staff email addresses in old data breaches

What was found
Four company email addresses appear in publicly known third-party breaches from previous years (external services, not your systems).
Business risk
If any of these old passwords were reused for company accounts, they could still work. Breached addresses also receive more targeted phishing.
Recommended fix
Confirm the affected users have rotated passwords, verify MFA is enforced for all mailboxes, and brief the four users on targeted phishing.
F-05 · DNSLow

DNS record reveals internal hostname scheme

What was found
A public DNS entry exposes an internal naming convention, giving an attacker a head start when mapping the network.
Recommended fix
Rename or remove the record; keep internal names in internal DNS only. Effort: minutes.

5. Prioritised action plan

#ActionFixesEffortUrgency
1Enable DKIM, stage DMARC to enforcementF-01~2 h + monitoringThis month
2Restrict firewall management to VPN, add MFA, update firmwareF-02~2 hThis month
3Decommission legacy subdomainF-03~1 hThis quarter
4Password rotation check + MFA verification for breached accountsF-04~1 hThis quarter
5Clean up revealing DNS recordF-05MinutesConvenient

6. Boundaries & authorisation

The assessment uses passive and non-intrusive techniques only: public DNS and certificate data, standard service identification, and open breach databases. No exploitation, no password guessing, no load is placed on any system. Checks are only ever performed with the domain owner's written authorisation, and this report is delivered confidentially to the owner alone.

Want this for your own domain? contact@borsux.com ← All documents