There is a broad consensus in the modern age of cyber security, that the question is not if you are going to be hacked, but when. With this in mind, it has never been more crucial to add resilience to the internally accessible infrastructure of organizations.
A penetration test of internal infrastructure is the counterpart to a penetration test of external infrastructure. Often, these tests are performed in succession of each other, in order to obtain a better picture of the overall security level. It also provides the penetration tester with a better understanding of an organization’s infrastructure, which in turn creates a penetration test with more sophisticated attacks.
A penetration test of the internal infrastructure provides organizations with an up-to-date overview of the IT infrastructure’s vulnerabilities. The goal of the penetration test is to discover and disclose any publicly known vulnerabilities in the internally accessibly hosts (clients, servers, IoT and/or network devices). This is done by primarily using automated tools that will scan the infrastructure in order to detect any weaknesses. Depending on the scope of the engagement, the penetration test can also look at network security (network segregation, encryption and more).
A penetration test of internal infrastructure might sound like a long and pricy engagement, but this is rarely the case for most medium-sized organizations. Depending on the number of hosts, the test usually requires only 2-3 days of testing.
The deliverable consists of a single commercial-grade report that will contain a non-technical section for the C-suite members of the organization, as well as a technical section that will provide in-dept details regarding the vulnerabilities that were observed. Lastly, all vulnerabilities will be manually scored with a risk-assessment (CVSS or Low/Medium/High/Critical), in order to assist the organization with the priority of remediating each one.