External & Internal Infrastructure Penetration Testing - What's the Difference?
Securing your organisation using policies and technical controls is critical; however, unless these controls and policies are regularly tested, an organisation cannot determine or monitor their effectiveness. It seems as though every week there is a new cyber attack reported, which may affect just one organisation or multiple organisations simultaneously.
Penetration testing is an essential component for assessing the effectiveness of an organisation’s information security program.
Infrastructure penetration tests simulate attacks against specific network assets to determine business risk and financial impact should a vulnerability be identified and exploited by an attacker. At Secora Consulting, we carry out tests on a wide variety of infrastructure types, the most common being External and Internal Infrastructure tests, which we are going to discuss in this blog.
External Infrastructure Penetration Test
External penetration testing is a practice that assesses the externally facing assets of an organisation.
During an external penetration test, the assessor attempts to gain entry into the internal network by leveraging vulnerabilities discovered on the external assets. Alternatively, the tester may attempt to gain access to privileged data through external facing assets such as email, websites and file shares.
During the test, Secora Consulting will perform reconnaissance on the in-scope assets, gathering intelligence on all assets in scope. This intelligence can include open ports, vulnerabilities, information on your organisation that may be available online, and general information about the organisation's users for password attacks.
We will undertake a comprehensive and systematic approach, using realistic attack vectors your organisation might be subjected to, in order to determine how a malicious attacker could externally compromise your network and critical systems.
Internal Infrastructure Penetration Test
Internal penetration testing continues the assessment by helping to identify how far an attacker can move laterally through your internal network. An attacker could gain access to your internal network in numerous ways: by breaching the external network, by obtaining a copy of staff login credentials, or, in some cases, by being a staff member intentionally or unintentionally performing malicious activities.
During an internal penetration test, Secora Consulting’s testers will either leverage the host compromised during an external penetration test, or use a testing machine or laptop placed inside the network to conduct the assessment.
Internal reconnaissance and attacks are launched from this initial point. While a poorly secured domain controller may lead to total control of the network at this stage, most tests require multiple attack paths to achieve their testing objectives. This method often includes exploiting less important systems, and then leveraging information found on those systems to attack the more mission-critical systems in the network.
We use our proven methodology to identify how susceptible your organisation is to a breach across your internal network. We will evaluate how a malicious attacker or rogue staff member could internally compromise your network and critical systems.
How Can We Help You?
Conducting a penetration test on your organisation's infrastructure will give you a clear understanding of where your vulnerabilities lie and whether your current controls and procedures are working.
We recommend carrying out a combined external and internal penetration test to replicate attacks which could be conducted by malicious attackers.
Our infrastructure penetration tests offer an effective and thorough way to evaluate your external and internal networks, to highlight, explore and exploit any vulnerabilities, and to assess the impact such attacks could have on your business.
All of Secora Consulting's assessments are tailored to our client's needs.
Using our experience, we can help you determine which services are right for you.
We have arranged our services into four groups based on the objective of the tests.