An original article from Alpine Security.
Many organizations ask us to perform an internal penetration test against their internal environment (inside the firewall). They may have heard that this is a good thing to do or think it is required for compliance. The reality is that very few organizations are mature enough to need an internal penetration test. An internal vulnerability assessment usually provides a better ROI. This post explains the main differences between an internal network penetration test and an internal vulnerability assessment. The intent of the article is to help you make an informed decision on which is best for you.
What is an Internal Penetration Test?
An internal penetration test, often called an internal network penetration test or internal black box (unauthenticated) penetration test, is where we connect a device to your internal network. We typically connect our laptop, if we do the test in person, or we send you a small form computer, that allows us to conduct the test remotely.
Internal Network Penetration Test Key Points
Objectives: Determine the risk to your organization from an unauthorized or infected device on your internal network.
Type of Test: Unauthenticated (Black Box).
- The penetration tester only has network level access. The tester does not have a user account to any of your systems
- Access could be via wireless or wired
Threats Emulated: rogue, malicious, or an infected device.
- Threats can be intentional, such as someone planting a rogue device on your network or unintentional, such as a user connecting their phone to your corporate wireless network.
- A visitor plugs their laptop into your network
- An employee connects their cell phone to your corporate wireless network
- A malicious intruder leaves a device behind during a visit
- A third-party system that you attach to your network, such as an IOT device that is infected with malware
Automated or Manual: Automated tools are often used to identify vulnerabilities. Manual methods are often used to exploit vulnerabilities or check for default credentials.
Limitations: Small slice of internal vulnerabilities.
- The penetration test is not designed to identify every vulnerability and all vulnerabilities cannot be identified with unauthenticated access. It’s intent is to identify those possible via unauthenticated methods, exploit the vulnerabilities, and expand a foothold.
- Intrusive. A penetration test is much more intrusive than an internal vulnerability assessment. This is often problematic on internal environments, where many systems may be off-limits.
Outputs: A report that shows all the vulnerabilities we were able to discover, which ones we were able to exploit, exploitation steps, risk ratings, and remediation guidance.
Success Criteria (Penetration Tester Perspective): The penetration tester was unable to gain access to critical systems or critical data.
Examples of Success from Penetration Tester Perspective:
- Access to HVAC system for entire hospital (typically default credentials on web admin interface)
- Domain Admin for entire organization (typically a vulnerability on a domain controller that is exploitable)
- Access to sensitive scanned files (typically a printer with default credentials)
- Access to email archival system (typically a vulnerability or default web admin credentials)
What is an Internal Vulnerability Assessment?
An internal vulnerability assessment is an authenticated (credentialed) assessment. We connect a device to your internal network. We typically connect our laptop, if we do the test in person, or we send you a small form computer, that allows us to conduct the vulnerability assessment remotely. If your environment is in the cloud, we can install our tools on a cloud instance and run the test from there against your private cloud environment.
Internal Vulnerability Assessment Key Points
Objectives: Determine vulnerabilities and misconfigurations on your internal environment. These include vulnerabilities and misconfigurations, such as the following:
- Unpatched operating systems
- Unpatched applications
- Misconfigured or unnecessary services installed or running
Type of Test: Authenticated (credentialed). For an internal vulnerability assessment, the assessor typically has admin-level credentials for the assessment.
Threats Emulated: none. Although no threats are emulated, the internal vulnerability assessment identifies all the vulnerabilities that an attacker could exploit.
Automated or Manual: Automated tools are primarily used for the internal vulnerability assessment.
Limitations: Untrue depiction of risk. A vulnerability assessment will identify all vulnerabilities, but will not provide a true depiction of risk, like a penetration test. A vulnerability assessment looks at each system independently and assesses the risk for that particular system. A penetration test looks at the entire internal network and assesses risk from that perspective.
Outputs: A report that shows all the vulnerabilities and misconfigurations on operating systems and applications. The report should also include a risk rating of the discovered vulnerabilities, along with remediation steps.
Success Criteria: Accurate, authenticated results.
Which is Right for You?
We do not want to sell people what they don’t need. Our goal is to help make you secure. If you have a mature patch management and vulnerability management process, you should ask for an internal network penetration test. If you do not have a patch management and vulnerability management process, you should ask for an internal vulnerability assessment.
To sum this up, you should ask for:
Internal Vulnerability Assessment if you do not have a mature patch management and vulnerability management process. The Internal Vulnerability Assessment will provide you the best ROI.
Internal Network Penetration Testing if you have a mature patch management and vulnerability management process and want to test the effectiveness of this process.
Contact IMEC with questions.