So what's the difference? With an external assessment, the penetration testers should be simulating the attacks that an attacker outside of your organization would be performing. They will be looking at perimeter defenses, exposed services, and anything that will gain them a foothold into the network from the outside. Often, an external test is validating that the security controls put in place at the perimeter are actually effective.
An internal penetration test tends to be more scenario-based, focusing on the biggest fears that the company faces, such as an internal employee going rogue, an internal machine getting compromised with a remote access Trojan, or an attacker physically gaining access to the network and plugging in his machine. Will the attacker be able to gain access to critical databases or trade secrets? What call do you dread receiving from your CSO at 2 a.m.?
These are the types of questions that internal penetration tests try to answer. Unfortunately, more often than not, experienced penetration testers show how easy it is to realize these fears once they gain internal access to the internal network.
Dark Reading spoke with several professional penetration testers to get a better understanding of the most common types of vulnerabilities they find in internal tests, why they are the most common, and the risk they pose to enterprises. The top issues include unpatched systems, open file shares or information stores, and lack of proper network segmentation.
"Many times, organizations will focus on externally facing applications and systems, relegating internal systems to the 'catch up and patch when they can' category," says Kevin Johnson, senior security consultant at Secure Ideas.
Considering the number of client-side zero day vulnerabilities in Java, Adobe Acrobat, and Flash that keep showing up, this may seem surprising. Johnson says that it's often based on the failed assumption that the systems are internal, so an attacker can't reach them. "But this idea couldn't be further from the truth," Johnson says. "Disgruntled employees or attackers who have gained access to the network can use these vulnerable systems to elevate their access or [to] compromise sensitive data."
Chris Sanders, an InGuardians senior security consultant, concurs that unpatched systems are definitely a problem. He says he regularly finds vendor-provided solutions that include a Web-based front-end riding on top of the vulnerable version of Apache Tomcat or JBoss. "When presented to clients at the end of the test, they are shocked to find these technologies exist on their network, not realizing it was part of a product they purchased," Sanders says.
The presence of open file shares or information stores are also a gold mine for attackers. Several security professionals interviewed for this article say they find a wealth of information stored on file servers with poor access control. Many of the items they find include password lists, database backups containing sensitive information, and documentation about internal systems. Not only is this data valuable from the perspective of showing the risk of open shares to the client, it also gives the penetration tester more information and clues on where to dig deeper into the network.
File servers aren't the only juicy information stores when it comes to internal tests: SharePoint and Wikis provide plenty of valuable information, as well. "When we perform internal tests, we often find that the permissions are either completely exposed or available to more people than they should be," Secure Ideas' Johnson says. From there, he uses the open permissions to steal files and documents with everything from passwords and connection information to credit cards and personal information.
The lack of proper network segmentation is a recurring theme among the findings of these penetration testers. More often than not, once on the network, they have free reign to move about as they wish. InGuardians' Sanders says that high-value assets often have no logical separation from user workstations or other low-value assets. "Once one asset is compromised, it's incredibly easy to move laterally to target higher profile systems," he says.
Why is network segmentation so important? "Today there is still more focus on the perimeter than on internal network segmentation. Network engineers don't realize that one successful social engineering or client-side attack could mean 'game over' once the attacker has that foothold," Sanders says. Segmentation based on asset importance and level of trust is one of the most effective ways to prevent many of the attacks advanced attackers -- and even himself -- perform once inside a target network, he says.
All of the top vulnerabilities found by the penetration testers fall within basic IT security fundamentals: system patching, principal of least privilege (and related access controls), and proper network segmentation.
Is it time for companies to get back to the basics and stop trying to buy the next hot security product that promises to solve all of their problems? It sure seems that way.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.