Internal Penetration Testing vs External Penetration Testing: Why You Need Both

Internal vs. External Pen Testing Graphic

Regular penetration testing provides a key pillar in your ongoing cybersecurity plans. But penetration tests come in many forms, and vendors often put their own spin on describing their work. In simple terms, penetration testing involves a team of ethical hackers proactively looking for exploitable vulnerabilities in your web applications, computer systems and networks. Their job is to identify your security gaps before a hacker does and compromises your system.

To ensure you’re picking a pen test that meets your needs, use this blog to understand the purpose and value of internal penetration testing and external penetration testing. Attacks can come from any direction, so your testing has to probe for weaknesses that come from both inside and outside of your environment.

Internal Pen Testing

Most organizations focus on the perimeter in their security work. But the most significant overall threat comes from those with direct access to an organization’s data. Even well-intentioned people are often easily manipulated and prone to mistakes. Many times, what happens at the host level goes unmonitored, and many organizations aren’t aware of what is entering or leaving their networks. Common misconfigurations can lead to full network compromise. All of that makes internal pen testing a critical part of your security strategy, even if your external pen testing seemed secure.

If your business has a file sharing system without a password, for example, you should re-evaluate who has access to various levels of content. Not every employee needs access to the same data, and unnecessary access could leave you vulnerable to an attack, whether by an employee with malicious intent or a loyal employee who unknowingly gives their login credentials to a hacker.

The expansion of work-from-home policies has created a new range of internal vulnerabilities to test. That may be private networks such as home WiFi, smartphones, cable and streaming services. Connecting your organization’s network to any of those channels could open it up to external threats.

A threat actor who manages to get in through one of these channels rarely attacks right away. They may move about and gather private data by observing from within. During this quiet period, they may collect data to use later or sell to others. Hackers could lurk in your system for weeks, months or longer if proper internal auditing, patching and testing are not performed on a regular basis. An IBM study shows that, on average, American companies take 186 days to detect a data breach and another 51 days to fully contain it. A breach of Starwood Hotels discovered in 2018 had gone undetected for four years.

During internal pen testing, the assessor tries to find out just how much damage a threat actor or employee could do from the inside the network. A poorly secured domain could lead to total control of a network, but most tests require multiple attack paths to complete the objective. Hackers often pull this off by exploiting relaxed policies that focus on convenience rather than necessary mitigations.

The tester will often use less important, easier-to-compromise systems as a channel for getting to more secure areas with higher levels of protection and more sensitive data and controls. Internal pen testing can also include privilege escalation, malware spreading, information leakage and other malicious activities.

Internal pen testing methods include:

  • WiFi Networks
  • Firewalls
  • Employees
  • Computer Systems
  • Mobile devices
  • HVAC
  • Cameras
  • Physical access

External Pen Testing

This tests security programs by looking at anything with external access, including any device with a public-facing service, IP or URL such as a web application, firewall, server or IoT device. A pen tester may also try to gain access to external-facing assets such as e-mail, file shares, or websites. The pen testers simulate the work of an attacker who, depending on their motivation, may utilize a vulnerability or chain multiple vulnerabilities together in order to gain access to sensitive data. In various parts of the Internet, hackers sell or trade information on zero-day exploits (those not listed in known vulnerability databases) for these purposes.

External pen testing methods include:

  • IDS/IPS Testing – This examines whether Intrusion Detection Systems and Intrusion Prevention Systems are doing their job of analyzing network traffic and packets for known cyberattack signatures.
  • Segmentation Testing – This checks whether networks are properly separated to keep an attack from pivoting from one to the other.
  • Manual Testing of Identified Vulnerabilities – Here a tester tries to exploit the vulnerabilities that are widely known in the hacking community. This is a key step, considering that an estimated 60% of breaches involve vulnerabilities for which patches are available.
  • System Screening/Port Screening/Service Scanning for Vulnerabilities – These automated tests essentially look for doors left open into your network.
  • Checking Public Information for Leakages – You’d be surprised how many lists online publicize which companies have been hacked. A good pen tester checks those sources to see if your company’s name appears there.
  • Foot-printing/Banner Grabbing – These are methods of gathering information from a system in order to launch attacks against it.
  • Open Source Intelligence (OSINT) reconnaissance – Pen testers can find a surprising amount of useful information just by looking for clues in social media, websites, etc.
  • Social Engineering – About 80% of all breaches gain access through social engineering, so a true test of your security should include phishing and vishing (bogus phone call) tests.
  • PCI, HIPPA and Other Compliance-based Testing – Many frameworks have specific pen testing requirements organizations must meet to achieve compliance.

During the process, a pen tester gathers information on open ports, vulnerabilities, and the company’s users. Then they attempt to leverage that information for various attacks such as brute forcing passwords, phishing attacks, and precise operating system and service attacks.

The external pen test should reveal any areas that may be compromised and exploited to gain access to your network. The organization should also use the pen test as an opportunity to verify their current process for detecting anomalous activity. In other words, did your defenses pick up what the pen tester was trying to do and stop them?

Once a perimeter is breached, a given pen test’s rules of engagement may allow for using further attacks to gain access to internal network assets, often referred to as pivoting or lateral movement.

Plan Your Pen Testing Approach

Choosing the right security path for your business is not always simple, and there is no “standard” penetration test that works for every organization. No matter how large or small your organization, HBS can customize a solution that provides value to your organization.

If you’re interested in learning more about the type of pen test that will work best for you, contact HBS today.

Editor's Note: This post was originally published in May 2020 and has been updated for accuracy and comprehensiveness.

Never miss a story

Get the latest technology insights from HBS, right in your inbox.

By entering your email, you agree to receive HBS emails and agree to our Terms & Conditions and Privacy Policy.

author avatar
Carly Westpfahl