How An Internal Penetration Test Can Help Your Organization
1. How an Internal Penetration Test Can Help Your Organization
Every IT department faces the challenge of having to apply limited resources (headcount, technology, 3rd party assessments) against a plethora of potential security risks. Choosing wisely is often the difference between an effective security strategy and an ineffective one. With that in mind, and with a number of possible assessment approaches available, what benefits can be gained from an internal penetration test?
First, since security terminology is often misunderstood, let's define internal penetration testing. An internal pen test is a very specific scope of work in which a security engineer connects to your internal network, or a portion of it, and, with nothing other than that network connection, attempts to gain access to sensitive organizational resources. In an internal pen test the security engineer is connected at the network level but has no other credentials, such as a user account on the domain or on a corporate software application. Such a test can be conducted on-site, with the engineer working from a conference room with an Ethernet drop, or remotely via a VPN connection. It is from this restricted vantage point that the engineer attempts to gain unauthorized access to internal systems and data.
Example of a Common Finding – Compromised Web Server
Finding
A web application server with sensitive customer and cardholder data can be compromised.
Narrative
Our internal penetration testing often exposes the ability to compromise a web application server from inside the firewall.
The entry point is usually a host accessible through default credentials. From there we can get JMX console access and view the microkernel of the JBoss application server.
If full control over the JBoss application server can be obtained, we can then start or stop services as well as deploy or undeploy Web application ARchive (WAR) files. It is even possible to create a custom WAR file and embed a JavaServer Pages (JSP) payload that, when executed, initiates a reverse connection back to the RPA server and spawns a shell.
From there a user account can be created and added to the local administrators group in order to maintain access to the server and use it as a jump point for further testing.
Once this user account is created, a fully interactive session can be established by using RDP to connect to the server. Once connected, it is possible to dump the password hashes of the local user accounts.
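The chain above starts with an exposed JBoss JMX console and proceeds to a WAR deployment, which leaves a recognizable trail in the application server's HTTP access log. The following script is an added example (not Redspin's code) that flags that trail in constructed access-log lines: it reports only console requests that the server actually answered with a 2xx, since a 401 means the console demanded credentials, and marks a source as high-risk when it both browsed the console and reached a deployer operation. The log format, sample addresses and the list of management paths are assumptions for this example.

```python
import re
from collections import defaultdict
# Constructed Apache/Tomcat-style access log lines (not taken from any real system).
SAMPLE_LOG = """\
10.0.5.23 - - [12/Mar/2012:09:14:02 -0800] "GET /app/index.jsp HTTP/1.1" 200 5120
10.0.5.77 - - [12/Mar/2012:09:15:10 -0800] "GET /jmx-console/ HTTP/1.1" 200 8812
10.0.5.77 - - [12/Mar/2012:09:15:31 -0800] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:service=MainDeployer HTTP/1.1" 200 4120
10.0.5.77 - - [12/Mar/2012:09:16:05 -0800] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 1200
10.0.5.23 - - [12/Mar/2012:09:17:00 -0800] "GET /jmx-console/ HTTP/1.1" 401 0
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# JBoss management paths no ordinary client should reach, and deployer MBean markers.
ADMIN_PATHS = ("/jmx-console", "/web-console", "/invoker/JMXInvokerServlet")
DEPLOYER_MARKERS = ("MainDeployer", "DeploymentFileRepository", "action=invokeOp")

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def classify(entry):
    """Label a request: 'console_access', 'deploy_attempt', or None when benign."""
    path = entry["path"]
    if not path.startswith(ADMIN_PATHS):
        return None
    if entry["method"] == "POST" or any(mk in path for mk in DEPLOYER_MARKERS):
        return "deploy_attempt"
    return "console_access"

def analyze(log_text):
    """Map source IP -> [(label, path)] for console requests that succeeded (2xx)."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        label = classify(entry) if entry else None
        # A 401/403 means the console demanded credentials; only a 2xx proves exposure.
        if label and 200 <= entry["status"] < 300:
            findings[entry["ip"]].append((label, entry["path"]))
    return dict(findings)

def high_risk_sources(findings):
    """Sources that both browsed the console and reached a deployer operation."""
    return sorted(ip for ip, events in findings.items()
                  if {label for label, _ in events} >= {"console_access", "deploy_attempt"})
```

Running `analyze(SAMPLE_LOG)` reports only 10.0.5.77, whose three successful console requests make it the single high-risk source; the 401 from 10.0.5.23 is correctly ignored.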
2. Impact
Any user with physical access to the corporate network can access sensitive customer PII (personally identifiable information) and cardholder data without authorization credentials.
The results of an internal penetration test typically demonstrate what information or other assets might be exposed to an unauthorized user who has network-level access to your corporate IT environment. Extrapolating further, it also shows what a hacker could access if they were to compromise your gateway. But an internal pen test is not designed simply to expose risk from external hackers. There are a number of internal risks as well. Here are some other important considerations:
What confidential information might an employee obtain by gaining access to your internal HR database?
What about vendors or visitors who are allowed on your internal network by an employee, or who are left alone in a conference room where they plug into a live Ethernet port?
What information could a rogue employee exploit?
Can partner companies that have network-level connectivity access more internal resources than you intended?
An internal penetration test can help answer these questions and educate others in your organization about this kind of risk. With limited resources to work with, it is important to clarify what your organization wants to accomplish as you embark on any type of security assessment. We hope we have clarified above the most important benefits of an internal penetration test.
Web: WWW.REDSPIN.COM | Phone: 800-721-9177 | Email: INFO@REDSPIN.COM