Is an Internal Penetration Test Now More Important Than an External Pen Test?

The status quo for community financial institutions when it comes to penetration tests and vulnerability assessments seems to be to scan for internal vulnerabilities and do a penetration test on the firewall(s).  This has been engrained for years in the minds of Information Security Officers and Network Admins as "best practice" for the security of their network.

And while this approach isn't a bad one, it's a bit outdated and it fails to address the fact that most threats today are parachuting directly inside the network via phishing emails, malvertising, or other treats that completely circumvent the perimeter.  Hackers aren't trying to break their way through the firewall, they are going over or around it.

The end result is that the annual External Pen Test results look IDENTICAL year in, year out, and the internal vulnerability test has a few changes here and there.  Especially in a simple network, where externally facing devices are very limited.

But neither of these tell the financial institution what would/could actually happen when an attacker gains control of one of their workstations or servers.  Which, as I said earlier, is the more likely scenario.

The IPT
That is where the Internal Penetration Test (IPT) comes in.  This test simulates an attack from within the network if a malicious actor were to gain a foothold on an internal asset (which can be what happens when an employee opens that attachment they weren't supposed to!).

One of the great things about an IPT is that, if done properly, it holistically tests vulnerabilities, passwords, network config, and internal monitoring controls.  A good IPT can take moderate risks on a vulnerability scan and, through a series of hops and pivots, can PWN (hacker slang for "own", or take control of) the network.

And I promise you will learn things about your network that you cannot gain from a vulnerability assessment alone.

What about the EPT?
So does this mean that the EPT is no longer needed?  No, I'm not saying that.  Perimeter security is still very necessary in the layered security model.

What I am suggesting is that financial institutions take a risk-based approach to work an IPT into the audit rotation (if even just to give it a try).  If you've had no major changes to your external facing devices, you have a simple network, your recent EPT results have been clean, and your external vulnerability scan shows only "low" or no vulnerabilities, it might be time to reduce the frequency of the EPT and use the savings to budget for an IPT.

Some things to consider
If you are thinking about having an Internal Penetration Test done, here are some things to consider:

• It is difficult to effectively automate an IPT (from what I've seen), this means a human being, trained in ethical hacking, should be conducting the test, not a machine.
• This is not just a scan.  I repeat:  IT'S NOT JUST  A SCAN. The test should actually be exploiting vulnerabilities, not just reporting them.
• Consider leaving all internal controls, like log monitoring, IPS/IDS, and AV in place to see how well they work in stopping an internal attack.  Disable them as the tester reports being unable to go any further.  This tells you what controls work, but also gives you meaningful IPT results.
• Go with a reputable firm that specializes in security testing.  Ask to speak to references on what the deliverables are.

Final Thoughts
Including an Internal Penetration Test in your audit program is becoming more important in the new cyber landscape.  I personally believe that it is more valuable than an External Pen Test in that the attack vector is more likely, AND the results can be much more informative, especially in simple networks with limited external exposure.

It's important for banks and credit unions to understand that an IPT should be part of their information security toolbox and that they become aware that it is an essential test to truly understand their exposure to the new threat landscape.