I wondered what people want to know about penetration testing (pentesting) so I checked, according to Google a lot of people are searching in order to better understand the benefits of having a penetration test done. This is a great question, and it is especially important to understand the answer if your organization is not required by regulation or compliance to have a penetration test done. There are plenty of reasons to have a pentest, or red team assessment, done on your organization’s system. A few examples are, compliance, protecting users, keeping customer data secure, finding vulnerabilities, and overall keeping the enterprise secure.
What Good is an External Pentest?
Today’s enterprise network is no longer an enclosed and controlled environment, not like it may have been just a few years ago. Think about all of the reasons that things are no longer contained and controlled. Consider the following: How many sanctioned cloud services are in use? How many servers are hosted by AWS or Azure? Can the users bring in their own devices? Can these devices access any enterprise data? Even just email. I am not going to drive you into a state of paranoia by continuing this line of questioning. However, I am sure you’ve begun to see what I’m talking about.
Since our once solid walls are in a much different state now there really isn’t a better reason to have your network tested via an offensive assessment. A penetration test, or other similar assessment, will take a deep and systematic look as this border. An external assessment is designed to specifically look at the assets that face the internet. External systems are anything that has a public IP or has traffic routed to it via a public IP. By examining all of these systems from the perspective of an attacker a pentester looks for holes, soft spots, and other weaknesses before a real criminal does. This is one of the most effective ways an organization can get the jump on the bad guys and keep themselves, and their customer’s data safe.
So, What About the Internal Pentest?
Regardless of how much we appreciate our employees, the authorized users of the enterprise’s systems. No matter how much trust we have to place in them a lot of major breaches happen from inside the network. The attacker’s method of gaining this access can vary widely. Something as simple as a successful phish of one employee could get them access to a system that sits inside of the enterprise network. Or, maybe they dropped a raspberry pi or cracked the Wi-Fi. Attackers are by no means restricted to only breaching the perimeter from the web. All of this is not even considering an actual malicious insider.
Most enterprise networks are not new, they have been around for a long time, there are a lot of systems that have gone through the networks over the years and some are just missed. Chances are pretty good that some of these systems are missing patches, have misconfigured web servers, or a pantheon of other issues that could allow an attacker to gain a foothold. An internal pentest will have the assessors scan, probe, attack, and report on their findings. This report will lay out the vulnerabilities found as well as details of their severity and likelihood so that system admins can begin to remediate or mitigate the issues.
Basically, it comes down to this: most networks have been in place for a relatively long time, hundreds, or many more, systems have been life-cycled out, but there are always exceptions. There’s almost always a few systems that were deemed “critical” or “too expensive to replace” or were delayed in remediation efforts as a project underway at the time was for that system or apps replacement. Projects falter, costs change for equipment, and the criticality of a system may well have changed. Or, if it is critical perhaps it is time to update/upgrade it so it is more secure and reliable.
A penetration test is a good opportunity to begin from a clean state to prioritize issues and fixes. They also provide a very good and powerful wake-up call to executive leadership that may have been pushing these types of changes off. Regardless of the reason, and the situation, there is rarely a time that a pentest won’t help to make everything more secure, and give a fresh perspective on things that may have gotten stale or fallen through the cracks over time.