Internal vs External Penetration testing

Internal vs external penetration testing

September 3rd, 2021 Posted in Penetration Testing

A penetration test is a point in time assessment of your company’s security posture. In the battle against cyber attackers, penetration tests are an invaluable tool, helping you to identify and remediate potential vulnerabilities that leave your organisation open to breach.  

More than this, though, penetration tests are a form of assurance. They validate that security risks are being managed. For this reason, penetration tests are often requested as a prerequisite by third-party suppliers and contractors.  

Industry standards like Cyber Essentials and the IT Health Check Scheme also mandate penetration tests for compliance and accreditation. While the GDPR doesn’t specifically require them, it does emphasise that organisations need:  

“a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.”  

In other words, organisations should engage in regular vulnerability scanning and penetration testing of their systems. 

It’s clear that penetration testing is important – but a penetration test isn’t a one-stop-shop. There are many types, each of which focuses on uncovering vulnerabilities in different parts of your IT infrastructure, systems, and applications.  

In this blog, we’ll explain two of the most common types: internal and external infrastructure assessments. If you want a deeper overview of penetration testing and all its different types, we suggest you read our guide here. 

What’s an internal penetration test?

As the name suggests, an internal penetration test focuses on testing the infrastructure and devices inside of your network perimeter. These tests look for vulnerabilities that could be exploited by a would-be attacker, who has already managed to get inside your IT infrastructure. Examples of these types of attackers could be disgruntled members of staff or attackers who have successfully got a foothold within your infrastructure via an externally exposed vulnerability, malware, or using stolen user credentials. 

Internal penetration tests vary in scope; they can either focus on testing your internal network, hosts, applications – or all of the above, depending on your specific needs and concerns. The testers’ role is typically to see what they can access and how far they can move laterally across the environment. They may try to access file servers, databases, and systems and will seek to escalate their user privileges to the admin level to see which systems they could take control of.  

The test usually starts with a reconnaissance, where the tester uses mapping tools to determine the workings and layout of your internal infrastructure, and how its computers and servers interact.  

The tester will then move through the target infrastructure looking for exploitable vulnerabilities. Common tactics used include brute force attacks to compromise employee accounts; exploiting network protocols to gain illegitimate access to endpoints and running malicious code that exploits known software vulnerabilities. Sometimes a tester may find a list of system passwords saved in plain text on one system which provides access to other systems.   

On completion of the test, the tester will write up their report, setting out their findings, vulnerabilities found, recommended remediation steps, and their overall risk assessment for the target systems. A wash-up call is then scheduled to talk the client through the test and answer any questions.  

While these tests help to identify internal vulnerabilities, it’s important to note that they aren’t the same as a mock cyber-attack scenario. This kind of assessment is called a red team assessment. These mimic a real-life attacker by using a combination of tactics, techniques and tools to access target systems or data.   

While the goal of an internal penetration test is usually to uncover as many exploitable vulnerabilities as possible, the goal of a red team assessment is to evade detection and harvest sensitive data. For more information on red team assessments vs penetration tests, read our blog here 

What’s an external penetration test?

An external pen-test focuses on testing your perimeter systems, which consist of internet-facing infrastructure and applications. These systems are your most vulnerable, as they are exposed and out in the open – making them easily visible to cyber attackers.  

The goal of an external penetration test is to discover vulnerabilities within your external-facing systems and services. External testing is vitally important because anything exposed to the internet will be constantly scanned for vulnerabilities by attackers of all kinds – including those with limited sophistication. 

The tester will look at your external systems from the outside-in, just like a cyber attacker would. They will try to find as much open-source intelligence as possible, to help them understand the layout of your organisation and identify suitable tools, tactics, and techniques to use. 

From there, the tester will use a range of tools, including vulnerability scanners, to discover exploitable vulnerabilities within your external infrastructure. Once this is done, the tester will then seek to exploit these vulnerabilities, to see how far they can get into your systems and networks.  

At the end of the test, the tester will provide their report and attend a wash-up meeting, as with internal testing.  

One common query with external testing is whether the tester’s IP address should be whitelisted on your intrusion prevention system for testing purposes. Ultimately, this comes down to the objectives of the test and the budget available.  

In the real world, an attacker will have unlimited time to evade the IPS. Once they do evade detection, they will seek to exploit the same vulnerabilities a tester would find in an external penetration test. 

If you want to test the performance of your IPS or defences more widely, such as during a red team assessment, it makes no sense to whitelist. If you want to understand what vulnerabilities could be exploited if an attacker does evade detection (whether by luck or by talent) then you’ll get more value from a time-limited engagement if the tester’s IP address is whitelisted.  

What’s right for my business?

Regular penetration testing is an important piece of the cyber security puzzle for all organisations. We recommend conducting a full-scale penetration test, including both internal and external penetration testing, at least annually.  

In the case of any significant changes to internal or external infrastructure, you should also conduct the relevant tests before the new systems go live in our view. This is to ensure that any new assets do not leave you vulnerable to attack.  

As well as penetration testing, we also advocate that companies deploy regular vulnerability scanning. This is because new vulnerabilities are being found by the day, so staying on top of patch management and remediation is critical.   

Need help?

If your organisation needs help running an external or internal penetration test, we’re here to help. We can assess your environment and run a full test. We can also advise you on any follow-up actions, remediations and vulnerability management from our findings. Contact us for a friendly chat. 

AH Headshot 250x250

Written by Alex Harper

Alex is a senior security consultant, specialising in security testing of IT infrastructure, web applications and mobile applications. He started his career as a software developer before moving into ethical hacking and security consulting. His qualifications include Cyber Scheme Team Leader (CSTL), Offensive Security Certified Professional (OSCP) and Qualified Security Team Member (QTSM).