Every IT department faces the challenge of applying limited resources (headcount, technology, third-party assessments) against a plethora of potential security risks. Choosing wisely is often the difference between an effective security strategy and an ineffective one. With that in mind, and with a number of possible assessment approaches available, what benefits can be gained from an internal penetration test?
Since security terminology is often misunderstood, let’s first define internal penetration testing. An internal pen test is a very specific scope of work where a security engineer connects to your internal network, or a portion thereof, and with nothing other than that internal network connection attempts to gain access to sensitive organizational resources. In an internal pen test the security engineer is connected at the network level but has no other credentials, such as a user account on the domain or on a corporate software application. Such a test can be conducted on-site, with the engineer working from a conference room with an Ethernet drop, or remotely via a VPN connection. It is from this restricted vantage point that the engineer attempts to gain unauthorized access to internal systems and data.
Example of a Common Finding – Compromised Web Server

A web application server with sensitive customer and cardholder data can be compromised.
Our internal penetration testing often exposes the ability to compromise a web application server from inside the firewall.
The entry point is usually a host accessible through default credentials. From there we can get JMX console access and view the microkernel of the JBoss application server.
If full control over the JBoss application server can be obtained, we can then start or stop services as well as deploy or undeploy Web Application Archive (WAR) files. It is even possible to create a custom WAR file and embed a JavaServer Pages (JSP) payload that, when executed, initiates a reverse connection back to the RPA server and spawns a shell.
From there a user account can be created and added to the local administrators group in order to maintain access to the server and use it as a jump point for further testing.
Once this user account is created, a fully interactive session can be established by using RDP to connect to the server. Once connected, it’s possible to dump the password hashes of the local user accounts.
Any user with physical access to the corporate network can access sensitive customer PII (personally identifiable information) and cardholder data without authorization credentials.
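The finding above turns on a management console (the JBoss JMX console) answering requests from anyone on the network without authentication. One way a defender can spot that condition in their own environment is to scan web server access logs for management-console paths that were served successfully with no authenticated user. The following is an added example, written for this page and not code from the original post or from RPA; it assumes logs in Combined Log Format, uses constructed sample lines, and assumes the /jmx-console/ and /web-console/ path prefixes used by JBoss AS 4/5 as the paths to watch.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines (Combined Log Format). Not real traffic.
# Line 4 shows a console request made by an authenticated user; line 6 shows
# the server correctly challenging an anonymous request with 401.
SAMPLE_LOG = """\
10.1.4.22 - - [03/May/2012:14:02:11 -0400] "GET /jmx-console/ HTTP/1.1" 200 9517 "-" "Mozilla/5.0"
10.1.4.22 - - [03/May/2012:14:02:40 -0400] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:service=MainDeployer HTTP/1.1" 200 22831 "-" "Mozilla/5.0"
10.1.4.22 - - [03/May/2012:14:03:05 -0400] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
10.1.7.9 - jbossadmin [03/May/2012:14:05:00 -0400] "GET /jmx-console/ HTTP/1.1" 200 9517 "-" "Mozilla/5.0"
10.1.4.22 - - [03/May/2012:14:06:12 -0400] "GET /app/orders HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
10.1.9.3 - - [03/May/2012:14:07:30 -0400] "GET /jmx-console/ HTTP/1.1" 401 1120 "-" "curl/7.22"
"""

# Combined Log Format: client, ident, authenticated user, timestamp, request line, status, size, ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed management-console prefixes (JBoss AS 4/5 layout); extend for other products.
ADMIN_PREFIXES = ("/jmx-console/", "/web-console/")


@dataclass
class Finding:
    ip: str
    time: str
    method: str
    path: str
    reason: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_unauthenticated_console_access(log_text):
    """Flag management-console requests that succeeded with no authenticated user.

    A 401/403 means the console is at least challenging for credentials, so those
    lines are skipped; anything else served to an anonymous client is a finding.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ADMIN_PREFIXES):
            continue
        if rec["status"] in ("401", "403"):
            continue
        if rec["user"] == "-":
            reason = "management console served to anonymous client"
            if rec["method"] == "POST":
                # In the JMX console a POST is how MBean operations are invoked,
                # which is the step that matters most in the finding above.
                reason += " (POST: possible MBean operation)"
            findings.append(Finding(rec["ip"], rec["time"], rec["method"], rec["path"], reason))
    return findings


def clients_by_hit_count(findings):
    """Summarise findings as {client_ip: number_of_flagged_requests}."""
    counts = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_unauthenticated_console_access(SAMPLE_LOG)
    for h in hits:
        print(f"{h.time} {h.ip} {h.method} {h.path} -> {h.reason}")
    print(clients_by_hit_count(hits))
```

Run against real logs, any hit is a strong signal that the console is reachable without credentials and should be restricted (or removed if unused) before a visitor or rogue employee finds it; the absence of hits is not proof of safety, since the scan only sees what was actually requested.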
The results of an internal penetration test typically demonstrate what information or other assets might be exposed to an unauthorized user who has network level access to your corporate IT environment. Extrapolating further, it also shows what a hacker could access if they were to compromise your gateway. But, an internal pen test is not designed simply to expose risk from external hackers. There are a number of internal risks as well. Here are some other important considerations:
- What confidential information might an employee obtain by gaining access to your internal HR database?
- What about vendors or visitors whom an employee allows onto your internal network, or who are left alone in a conference room where they can plug into a live Ethernet port?
- What information could a rogue employee exploit?
- Can partner companies that have network-level connectivity access more internal resources than you intended?
An internal penetration test can help answer these questions and educate others in your organization about this kind of risk. With limited resources to work with, it’s important to clarify what your organization wants to accomplish as you embark on any type of security assessment. We hope we’ve clarified above the most important benefits of an internal penetration test.