SlideShare a Scribd company logo

How An Internal Penetration Test Can Help Your Organization

Redspin, Inc.
Redspin, Inc.

Every IT department faces the challenge of having to apply limited resources (headcount, technology, 3rd party assessments) against a plethora of potential security risks. Choosing wisely is often the difference between an effective security strategy and an ineffective one.

Technology
1 of 2
Download to read offline
How an Internal Penetration Test Can Help Your Organization Every IT department faces the challenge of having to apply limited resources (headcount, technology, 3 rd party assessments) against a plethora of potential security risks. Choosing wisely is often the difference between an effective security strategy and an ineffective one. With that in mind and a number of possible assessment approaches available, what benefits can be gained from an internal penetration test? First, since security terminology is often misunderstood, let’s first define internal penetration testing. An internal pen test is a very specific scope of work where a security engineer connects to your internal network, or portion thereof, and with nothing other than an internal network connection, attempts to gain access to sensitive organizational resources. In an internal pen test the security engineer is network level connected but has no other credentials, such as a user account on the domain or on a corporate software application. Such a test can be conducted on-site with the engineer working from a conference room with an Ethernet drop, or done remotely via VPN connection. It is from this restricted vantage point that the engineer attempts to gain unauthorized access to internal systems and data. Example of a Common Finding – Compromised Web Server Finding A web application server with sensitive customer and cardholder data can be compromised. Narrative Our internal penetration testing often exposes the ability to compromise a web application server from inside the firewall. The entry point is usually a host accessible through default credentials. From there we can get JMX console access and view the microkernel of the JBoss application server. If full control over the JBoss application server can be obtained, we can then start or stop services as well as deploy or un-deploy Web application ARchives (WAR) files. It is possible to even create a custom WAR file and embed a JavaServerPages (JSP) payload that when executed, will initiate a reverse connectback to the RPA server and spawn a shell. From there a user account can be created and added to the local administrators group in order to maintain access to the server and use it as a jump point for further testing. Once this user account is created, a fully interactive session can be established by using RDP to connect to the server. Once connected, it’s possible to dump the password hashes of the local user accounts.
Impact Any user with physical access to the corporate network can access sensitive customer PII (personally identifiable information) and cardholder data without authorization credentials. The results of an internal penetration test typically demonstrate what information or other assets might be exposed to an unauthorized user who has network level access to your corporate IT environment. Extrapolating further, it also shows what a hacker could access if they were to compromise your gateway. But, an internal pen test is not designed simply to expose risk from external hackers. There are a number of internal risks as well. Here are some other important considerations:  What confidential info might an employee obtain by gaining access to your internal HR database  What about vendors or visitors who are allowed on your internal network by an employee, and/or they are left alone in a conference room where they plug into a live Ethernet port?  What information could a rogue employee exploit?  Can partner companies that have network level connectivity access more internal resources than you intended? An internal penetration test can help answer these questions and educate others in your organization about this kind of risk. With limited resources to work with, it's important to clarify what your organization wants to accomplish as you embark on any type of security assessment. We hope we’ve clarified above the most important benefits of an internal penetration test. WEB PHONE EMAIL WWW.REDSPIN.COM 800-721-9177 INFO@REDSPIN.COM

Recommended

Why internal pen tests are still fun
Why internal pen tests are still funWhy internal pen tests are still fun
Why internal pen tests are still funpyschedelicsupernova
 
Whitepaper: Network Penetration Testing - Happiest Minds
Whitepaper: Network Penetration Testing - Happiest MindsWhitepaper: Network Penetration Testing - Happiest Minds
Whitepaper: Network Penetration Testing - Happiest MindsHappiest Minds Technologies
 
An overview of network penetration testing
An overview of network penetration testingAn overview of network penetration testing
An overview of network penetration testingeSAT Publishing House
 
IT Network Security & Penetration Testing In Houston, Dallas, Austin, San Ant...
IT Network Security & Penetration Testing In Houston, Dallas, Austin, San Ant...IT Network Security & Penetration Testing In Houston, Dallas, Austin, San Ant...
IT Network Security & Penetration Testing In Houston, Dallas, Austin, San Ant...McCann Investigations
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?Rapid7
 
How to choose the right penetration testing company
How to choose the right penetration testing companyHow to choose the right penetration testing company
How to choose the right penetration testing companyPenetration_Testing
 
Programación rapida pc585_pc1565
Programación rapida pc585_pc1565Programación rapida pc585_pc1565
Programación rapida pc585_pc1565Sigurta Ltda
 
M 4, hauz khas
M 4, hauz khasM 4, hauz khas
M 4, hauz khasrajuhansda
 

Recommended

Why internal pen tests are still fun
Why internal pen tests are still funWhy internal pen tests are still fun
Why internal pen tests are still funpyschedelicsupernova
 
Whitepaper: Network Penetration Testing - Happiest Minds
Whitepaper: Network Penetration Testing - Happiest MindsWhitepaper: Network Penetration Testing - Happiest Minds
Whitepaper: Network Penetration Testing - Happiest MindsHappiest Minds Technologies
 
An overview of network penetration testing
An overview of network penetration testingAn overview of network penetration testing
An overview of network penetration testingeSAT Publishing House
 
IT Network Security & Penetration Testing In Houston, Dallas, Austin, San Ant...
IT Network Security & Penetration Testing In Houston, Dallas, Austin, San Ant...IT Network Security & Penetration Testing In Houston, Dallas, Austin, San Ant...
IT Network Security & Penetration Testing In Houston, Dallas, Austin, San Ant...McCann Investigations
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?Rapid7
 
How to choose the right penetration testing company
How to choose the right penetration testing companyHow to choose the right penetration testing company
How to choose the right penetration testing companyPenetration_Testing
 
Programación rapida pc585_pc1565
Programación rapida pc585_pc1565Programación rapida pc585_pc1565
Programación rapida pc585_pc1565Sigurta Ltda
 
M 4, hauz khas
M 4, hauz khasM 4, hauz khas
M 4, hauz khasrajuhansda
 
Bajaj allianz-responce
Bajaj allianz-responceBajaj allianz-responce
Bajaj allianz-responceVenkataReddy Gopavaram
 
ประวัติส่วนตัว
ประวัติส่วนตัวประวัติส่วนตัว
ประวัติส่วนตัวlinnoi
 
RETIREMENT PLANNING
RETIREMENT PLANNINGRETIREMENT PLANNING
RETIREMENT PLANNINGBHAKTI RASAL, CFP®
 
ประวัติคอมเเนน
ประวัติคอมเเนนประวัติคอมเเนน
ประวัติคอมเเนนNoi Nueng
 
Pengesahan js
Pengesahan jsPengesahan js
Pengesahan jsdendoworld
 
Ti nicole karolina_gema_powerpoint
Ti nicole karolina_gema_powerpointTi nicole karolina_gema_powerpoint
Ti nicole karolina_gema_powerpointDary Cobeña
 
Photo shop
Photo shopPhoto shop
Photo shopTiago Tavares
 
Gasparzinho rosani
Gasparzinho rosaniGasparzinho rosani
Gasparzinho rosanielisangelafleite
 
Fork.c
Fork.cFork.c
Fork.cKarthic Rao
 
Anexo 41
Anexo 41Anexo 41
Anexo 41JOSE
 
HIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business AssociatesHIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business AssociatesRedspin, Inc.
 
Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin, Inc.
 
HIPAA Enforcement Heats Up in the Coldest State
HIPAA Enforcement Heats Up in the Coldest StateHIPAA Enforcement Heats Up in the Coldest State
HIPAA Enforcement Heats Up in the Coldest StateRedspin, Inc.
 
Official HIPAA Compliance Audit Protocol Published
Official HIPAA Compliance Audit Protocol PublishedOfficial HIPAA Compliance Audit Protocol Published
Official HIPAA Compliance Audit Protocol PublishedRedspin, Inc.
 
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)Redspin, Inc.
 
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?Redspin, Inc.
 
Healthcare IT Security Who's Responsible, Really?
Healthcare IT Security Who's Responsible, Really?Healthcare IT Security Who's Responsible, Really?
Healthcare IT Security Who's Responsible, Really?Redspin, Inc.
 
Healthcare IT Security - Who's responsible, really?
Healthcare IT Security - Who's responsible, really?Healthcare IT Security - Who's responsible, really?
Healthcare IT Security - Who's responsible, really?Redspin, Inc.
 
Redspin Webinar - Prepare for a HIPAA Security Risk Analysis
Redspin Webinar - Prepare for a HIPAA Security Risk AnalysisRedspin Webinar - Prepare for a HIPAA Security Risk Analysis
Redspin Webinar - Prepare for a HIPAA Security Risk AnalysisRedspin, Inc.
 
Redspin Webinar Business Associate Risk
Redspin Webinar Business Associate RiskRedspin Webinar Business Associate Risk
Redspin Webinar Business Associate RiskRedspin, Inc.
 
Redspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP TemplateRedspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP TemplateRedspin, Inc.
 
Mobile Device Security Policy
Mobile Device Security PolicyMobile Device Security Policy
Mobile Device Security PolicyRedspin, Inc.
 

More Related Content

Viewers also liked

ประวัติส่วนตัว
ประวัติส่วนตัวประวัติส่วนตัว
ประวัติส่วนตัวlinnoi
 
ประวัติคอมเเนน
ประวัติคอมเเนนประวัติคอมเเนน
ประวัติคอมเเนนNoi Nueng
 
Ti nicole karolina_gema_powerpoint
Ti nicole karolina_gema_powerpointTi nicole karolina_gema_powerpoint
Ti nicole karolina_gema_powerpointDary Cobeña
 
Anexo 41
Anexo 41Anexo 41
Anexo 41JOSE
 

Viewers also liked (10)

Bajaj allianz-responce
Bajaj allianz-responceBajaj allianz-responce
Bajaj allianz-responce
 
ประวัติส่วนตัว
ประวัติส่วนตัวประวัติส่วนตัว
ประวัติส่วนตัว
 
RETIREMENT PLANNING
RETIREMENT PLANNINGRETIREMENT PLANNING
RETIREMENT PLANNING
 
ประวัติคอมเเนน
ประวัติคอมเเนนประวัติคอมเเนน
ประวัติคอมเเนน
 
Pengesahan js
Pengesahan jsPengesahan js
Pengesahan js
 
Ti nicole karolina_gema_powerpoint
Ti nicole karolina_gema_powerpointTi nicole karolina_gema_powerpoint
Ti nicole karolina_gema_powerpoint
 
Photo shop
Photo shopPhoto shop
Photo shop
 
Gasparzinho rosani
Gasparzinho rosaniGasparzinho rosani
Gasparzinho rosani
 
Fork.c
Fork.cFork.c
Fork.c
 
Anexo 41
Anexo 41Anexo 41
Anexo 41
 

More from Redspin, Inc.

HIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business AssociatesHIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business AssociatesRedspin, Inc.
 
Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin, Inc.
 
HIPAA Enforcement Heats Up in the Coldest State
HIPAA Enforcement Heats Up in the Coldest StateHIPAA Enforcement Heats Up in the Coldest State
HIPAA Enforcement Heats Up in the Coldest StateRedspin, Inc.
 
Official HIPAA Compliance Audit Protocol Published
Official HIPAA Compliance Audit Protocol PublishedOfficial HIPAA Compliance Audit Protocol Published
Official HIPAA Compliance Audit Protocol PublishedRedspin, Inc.
 
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)Redspin, Inc.
 
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?Redspin, Inc.
 
Healthcare IT Security Who's Responsible, Really?
Healthcare IT Security Who's Responsible, Really?Healthcare IT Security Who's Responsible, Really?
Healthcare IT Security Who's Responsible, Really?Redspin, Inc.
 
Healthcare IT Security - Who's responsible, really?
Healthcare IT Security - Who's responsible, really?Healthcare IT Security - Who's responsible, really?
Healthcare IT Security - Who's responsible, really?Redspin, Inc.
 
Redspin Webinar - Prepare for a HIPAA Security Risk Analysis
Redspin Webinar - Prepare for a HIPAA Security Risk AnalysisRedspin Webinar - Prepare for a HIPAA Security Risk Analysis
Redspin Webinar - Prepare for a HIPAA Security Risk AnalysisRedspin, Inc.
 
Redspin Webinar Business Associate Risk
Redspin Webinar Business Associate RiskRedspin Webinar Business Associate Risk
Redspin Webinar Business Associate RiskRedspin, Inc.
 
Redspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP TemplateRedspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP TemplateRedspin, Inc.
 
Mobile Device Security Policy
Mobile Device Security PolicyMobile Device Security Policy
Mobile Device Security PolicyRedspin, Inc.
 
Financial institution security top it security risk
Financial institution security top it security riskFinancial institution security top it security risk
Financial institution security top it security riskRedspin, Inc.
 
Managing Windows User Accounts via the Commandline
Managing Windows User Accounts via the CommandlineManaging Windows User Accounts via the Commandline
Managing Windows User Accounts via the CommandlineRedspin, Inc.
 
Redspin February 17 2011 Webinar - Meaningful Use
Redspin February 17 2011 Webinar - Meaningful UseRedspin February 17 2011 Webinar - Meaningful Use
Redspin February 17 2011 Webinar - Meaningful UseRedspin, Inc.
 
Redspin Report - Protected Health Information 2010 Breach Report
Redspin Report - Protected Health Information 2010 Breach ReportRedspin Report - Protected Health Information 2010 Breach Report
Redspin Report - Protected Health Information 2010 Breach ReportRedspin, Inc.
 
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin, Inc.
 
Email hacking husband faces felony
Email hacking husband faces felonyEmail hacking husband faces felony
Email hacking husband faces felonyRedspin, Inc.
 
Meaningful use, risk analysis and protecting electronic health information
Meaningful use, risk analysis and protecting electronic health informationMeaningful use, risk analysis and protecting electronic health information
Meaningful use, risk analysis and protecting electronic health informationRedspin, Inc.
 
Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...Redspin, Inc.
 

More from Redspin, Inc. (20)

HIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business AssociatesHIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business Associates
 
Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012
 
HIPAA Enforcement Heats Up in the Coldest State
HIPAA Enforcement Heats Up in the Coldest StateHIPAA Enforcement Heats Up in the Coldest State
HIPAA Enforcement Heats Up in the Coldest State
 
Official HIPAA Compliance Audit Protocol Published
Official HIPAA Compliance Audit Protocol PublishedOfficial HIPAA Compliance Audit Protocol Published
Official HIPAA Compliance Audit Protocol Published
 
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
 
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
 
Healthcare IT Security Who's Responsible, Really?
Healthcare IT Security Who's Responsible, Really?Healthcare IT Security Who's Responsible, Really?
Healthcare IT Security Who's Responsible, Really?
 
Healthcare IT Security - Who's responsible, really?
Healthcare IT Security - Who's responsible, really?Healthcare IT Security - Who's responsible, really?
Healthcare IT Security - Who's responsible, really?
 
Redspin Webinar - Prepare for a HIPAA Security Risk Analysis
Redspin Webinar - Prepare for a HIPAA Security Risk AnalysisRedspin Webinar - Prepare for a HIPAA Security Risk Analysis
Redspin Webinar - Prepare for a HIPAA Security Risk Analysis
 
Redspin Webinar Business Associate Risk
Redspin Webinar Business Associate RiskRedspin Webinar Business Associate Risk
Redspin Webinar Business Associate Risk
 
Redspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP TemplateRedspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP Template
 
Mobile Device Security Policy
Mobile Device Security PolicyMobile Device Security Policy
Mobile Device Security Policy
 
Financial institution security top it security risk
Financial institution security top it security riskFinancial institution security top it security risk
Financial institution security top it security risk
 
Managing Windows User Accounts via the Commandline
Managing Windows User Accounts via the CommandlineManaging Windows User Accounts via the Commandline
Managing Windows User Accounts via the Commandline
 
Redspin February 17 2011 Webinar - Meaningful Use
Redspin February 17 2011 Webinar - Meaningful UseRedspin February 17 2011 Webinar - Meaningful Use
Redspin February 17 2011 Webinar - Meaningful Use
 
Redspin Report - Protected Health Information 2010 Breach Report
Redspin Report - Protected Health Information 2010 Breach ReportRedspin Report - Protected Health Information 2010 Breach Report
Redspin Report - Protected Health Information 2010 Breach Report
 
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
 
Email hacking husband faces felony
Email hacking husband faces felonyEmail hacking husband faces felony
Email hacking husband faces felony
 
Meaningful use, risk analysis and protecting electronic health information
Meaningful use, risk analysis and protecting electronic health informationMeaningful use, risk analysis and protecting electronic health information
Meaningful use, risk analysis and protecting electronic health information
 
Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...
 

Recently uploaded

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 

Recently uploaded (20)

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 

How An Internal Penetration Test Can Help Your Organization

  • 1. How an Internal Penetration Test Can Help Your Organization Every IT department faces the challenge of having to apply limited resources (headcount, technology, 3 rd party assessments) against a plethora of potential security risks. Choosing wisely is often the difference between an effective security strategy and an ineffective one. With that in mind and a number of possible assessment approaches available, what benefits can be gained from an internal penetration test? First, since security terminology is often misunderstood, let’s first define internal penetration testing. An internal pen test is a very specific scope of work where a security engineer connects to your internal network, or portion thereof, and with nothing other than an internal network connection, attempts to gain access to sensitive organizational resources. In an internal pen test the security engineer is network level connected but has no other credentials, such as a user account on the domain or on a corporate software application. Such a test can be conducted on-site with the engineer working from a conference room with an Ethernet drop, or done remotely via VPN connection. It is from this restricted vantage point that the engineer attempts to gain unauthorized access to internal systems and data. Example of a Common Finding – Compromised Web Server Finding A web application server with sensitive customer and cardholder data can be compromised. Narrative Our internal penetration testing often exposes the ability to compromise a web application server from inside the firewall. The entry point is usually a host accessible through default credentials. From there we can get JMX console access and view the microkernel of the JBoss application server. If full control over the JBoss application server can be obtained, we can then start or stop services as well as deploy or un-deploy Web application ARchives (WAR) files. It is possible to even create a custom WAR file and embed a JavaServerPages (JSP) payload that when executed, will initiate a reverse connectback to the RPA server and spawn a shell. From there a user account can be created and added to the local administrators group in order to maintain access to the server and use it as a jump point for further testing. Once this user account is created, a fully interactive session can be established by using RDP to connect to the server. Once connected, it’s possible to dump the password hashes of the local user accounts.
  • 2. Impact Any user with physical access to the corporate network can access sensitive customer PII (personally identifiable information) and cardholder data without authorization credentials. The results of an internal penetration test typically demonstrate what information or other assets might be exposed to an unauthorized user who has network level access to your corporate IT environment. Extrapolating further, it also shows what a hacker could access if they were to compromise your gateway. But, an internal pen test is not designed simply to expose risk from external hackers. There are a number of internal risks as well. Here are some other important considerations:  What confidential info might an employee obtain by gaining access to your internal HR database  What about vendors or visitors who are allowed on your internal network by an employee, and/or they are left alone in a conference room where they plug into a live Ethernet port?  What information could a rogue employee exploit?  Can partner companies that have network level connectivity access more internal resources than you intended? An internal penetration test can help answer these questions and educate others in your organization about this kind of risk. With limited resources to work with, it's important to clarify what your organization wants to accomplish as you embark on any type of security assessment. We hope we’ve clarified above the most important benefits of an internal penetration test. WEB PHONE EMAIL WWW.REDSPIN.COM 800-721-9177 INFO@REDSPIN.COM