Internal penetration testing is a comprehensive security test of all systems related directly and indirectly to your business. This is a particularly thorough form of testing, and often goes outside the ambit of what might usually be expected in web application security testing.
Internal penetration testing, explained
This type of testing effectively imitates the methods used by hackers when attempting to penetrate your security system. There are multiple levels of penetration testing, and security consultants need to adapt the tests to match on-site technology.
Internal penetration testing relates to security vulnerabilities within a system. As distinct from external penetration testing, which probes vulnerabilities in relation to accessibility of sensitive systems from the outside, internal penetration testing deals with vulnerabilities between internal systems.
This is no academic process. A weak point in the system can be used to reach many other parts of that system. Full system security requires internal as well as external safeguards. A person accessing your system through an employee interface or a similar routine method may be able to reach areas which should be off-limits. Because most systems are accessed by a large range of people, it is important to ensure that internal security is watertight.
It is absolutely necessary that your internal security is as good as you can make it, because this is a critical security level with direct access to sensitive information.
Internal penetration testing methods
Security testing covers a range of possible forms of internal access to information. It may, for example, be possible to access information directly from the business database (including personal information, account numbers and the like), or indirectly using a "backdoor" approach through another system or application.
One of the primary problems with internal security is that most companies use off-the-shelf systems and software, many of which have known vulnerabilities. These systems are quite easy for hackers to subvert, particularly if the software hasn't been upgraded or its security updates have not been applied. Many software upgrades are themselves required security patches which may or may not have been installed, and unpatched software can by itself constitute a significant security vulnerability.
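The patch gap described above is something an internal test typically starts by measuring: which hosts still run a version older than the one carrying the vendor's fix. The following is an added example (not code from the original post) that audits a constructed software inventory against a constructed advisory list; the product names, version numbers and reference ids are placeholders, not real advisories. It also shows why versions must be compared numerically rather than as strings, since "2.3.10" is newer than "2.3.9" even though it sorts lower lexically.

```python
"""Audit a software inventory against a list of vendor fixes.

Added example, not part of the original post. The inventory and the
advisory list below are constructed sample data; product names,
versions and reference ids are placeholders, not real advisories.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed inventory: host -> {product: installed version}
INVENTORY: Dict[str, Dict[str, str]] = {
    "fileserver01": {"example-ftpd": "2.3.4", "example-db": "10.4.12"},
    "hr-app01": {"example-db": "10.4.20", "example-cms": "3.9.1"},
    "intranet01": {"example-cms": "3.10.0", "example-ftpd": "2.3.10"},
}

# Constructed advisory list: the first version that carries the fix.
# A host is unpatched when its installed version is older than fixed_in.
ADVISORIES: List[Dict[str, str]] = [
    {"product": "example-ftpd", "fixed_in": "2.3.9", "ref": "VENDOR-FIX-0001"},
    {"product": "example-db", "fixed_in": "10.4.15", "ref": "VENDOR-FIX-0002"},
    {"product": "example-cms", "fixed_in": "3.10.0", "ref": "VENDOR-FIX-0003"},
]


def parse_version(text: str) -> Version:
    """Turn '2.3.10' into (2, 3, 10) so comparison is numeric, not lexical.

    A plain string comparison would wrongly rank '2.3.9' above '2.3.10'.
    """
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_unpatched(installed: str, fixed_in: str) -> bool:
    """True when the installed version predates the version with the fix."""
    a, b = parse_version(installed), parse_version(fixed_in)
    # Pad to equal length so '2.3' compares as (2, 3, 0) against '2.3.1'.
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


Finding = Tuple[str, str, str, str, str]


def find_unpatched(inventory: Dict[str, Dict[str, str]],
                   advisories: List[Dict[str, str]]) -> List[Finding]:
    """Return (host, product, installed, fixed_in, ref) for every gap, sorted."""
    findings: List[Finding] = []
    for host, software in inventory.items():
        for adv in advisories:
            installed = software.get(adv["product"])
            if installed is None:
                continue  # product not present on this host
            if is_unpatched(installed, adv["fixed_in"]):
                findings.append(
                    (host, adv["product"], installed, adv["fixed_in"], adv["ref"])
                )
    return sorted(findings)


if __name__ == "__main__":
    for host, product, installed, fixed_in, ref in find_unpatched(INVENTORY, ADVISORIES):
        print(f"{host}: {product} {installed} < {fixed_in} ({ref})")
```

With the sample data, `fileserver01` is flagged for both products and `hr-app01` for its CMS, while `intranet01` is clean: its FTP daemon at 2.3.10 is newer than the 2.3.9 fix and its CMS is exactly at the fixed version. In practice the inventory would come from a package manager or asset database and the advisory list from the vendors' own release notes.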
Security consultants must test each aspect of internal security, and do it very thoroughly. Security checks may include such basics as firewalls, passwords and other seemingly simple issues, but you should know that vulnerabilities in these areas can be fatal and can seriously compromise system security all by themselves.
Ongoing penetration testing issues
While internal penetration testing and other forms of penetration testing do provide comprehensive checks, technology changes rapidly, and so do the methods used to break into security systems. Best practice is to conduct penetration testing once every six months, which ensures that security consultants can apply current methodologies to their testing.
Perhaps most importantly, engaging a security consultant for penetration testing is also very useful in getting immediate support and advice when you need it. Even the best IT people only have a limited amount of knowledge in this area, and it's always advisable to get expert assistance in these fields.
This is a guest post by Erik Weisz. Erik is an Australian freelance writer and journalist. He writes extensively in Australia, Canada, Europe, and the US. He's published more than 500 articles about various topics, including Web Application Security and Penetration Testing.
Talkback and comments are most welcome.