An internal penetration test is an analysis performed by IT security experts whose aim is to test a local network’s security strength and identify an application or system’s vulnerabilities. Also known as an Internal Security Test (IST), it allows you to obtain recommendations for effective corrective actions to implement.
Why carry out an internal penetration test?
Every second, your company is potentially vulnerable to malicious acts against your applications, your networks, your website or web application and your overall Information System (IS). Measuring your exposure to cyber threats and identifying the actions to take to reduce risks are levers that penetration tests enable you to activate.
Currently, an estimated 80% of Information System penetrations come from the internal company environment. By performing penetration tests and considering them from the point of view of an employee, service provider or hacker inside your network, you identify your sensitive areas so you can reinforce them, considerably reducing potential attacks.
You may be wondering why you should have this type of test carried out by an external service provider? For penetration tests, a person within the company will have knowledge of the application, possibly leading to errors in judgment. For example, an employee might not test a feature, believing its importance to be negligible, while an external service provider will test the application methodically. With his/her experience gained through the various environments encountered during previous assignments, they will get more relevant and comprehensive results.
Setting up an Internal Security Test: our methodology
The Wi-Fi test
Before beginning the Internal Security Test, you can choose the Wi-Fi test option. This analysis of your wireless network (which is carried out upstream of the penetration test and without our experts benefitting from any information) is used to analyse its strength. This way, our consultants can guide their investigations during the test that follows.
The following elements, in particular, are studied during this audit: your Wi-Fi network’s level of encryption, its restrictions and the possibilities of bypassing them, and the partitioning between the Wi-Fi network reserved for your employees and that open to your visitors.
In general, our experts perform the penetration test or Internal Security Test (IST) in the following way:
Connecting to the application or system to be audited
There are several different ways to connect to your system, depending on your requirements or wishes.
Generally, these tests are carried out in grey box mode, but they can be executed in black box mode.
Performing a grey box test: explanations and reasons
A grey box test is a penetration test carried out by our experts as part of a standard authentication simulation: an employee connecting to your network or an application (web or business) through a referenced user account using legitimate access information (username and password).
This scenario simulates situations in which an employee natively accesses the zone to be audited.
Black box testing: an entirely different goal
Black box penetration tests are “blind” audit situations in which no access or information is disclosed to our experts. In this context, our consultants attempt to detect vulnerabilities in your system that someone outside your company could exploit simply by connecting to your LAN network (via a wired connection or your “guest” Wi-Fi network) or using a company computer made available to him/her, etc.
This scenario simulates situations where a third party temporarily connects to your company’s network (a service provider, partner, visiting customer, etc.).
Putting the application to the test
Overall, the goal of all security tests (internal, external, etc.) is to search for and identify security flaws in your systems. More technically, these flaws can result in:
- A settings or configuration error in your software
- An uncorrected flaw
- A lack of awareness on the part of your employees
- … and many other problems.
Once these vulnerabilities have been identified, our consultants put all their knowledge and experience into action to take maximum advantage of your system’s weaknesses. Their goal? To hijack as much sensitive information as possible or to achieve the goal initially envisaged in the contractual arrangements of the IST (to take control of a workstation, to block legitimate employee access, etc.). The more vulnerabilities they find, the better you will be able to protect your information system or web infrastructure, and the less likely it will be that hackers will be able to compromise you.
Delivering the results
You will receive an audit report in accordance with your needs. Our experts’ report can range from a summary intended for a management committee to an extremely detailed report for technical teams. Of course, a combination of the two is possible.
In all cases, recommended corrective actions will be provided in this deliverable, and, depending on your needs, our security experts can support and assist you in monitoring the implementation of these corrective actions.
When should an Internal Security Test be carried out?
While it is wise to perform ISTs at all times throughout your company’s and your IT projects’ life, some key moments require increased vigilance and are great opportunities to test and identify possible flaws:
- A new application rollout;
- The implementation of a new network protocol;
- The launch of a website;
- A suspicion of penetration or malicious acts;
- An implementation or improvement of IT security policy.
Where are the teams during the IST?
Right by your side!
Our consultants will need to perform this internal penetration test on your premises alongside your teams since this is an internal security test.
Does the internal resistance of your IS concern you?
Contact our teams to find out more about our services!