Home Editor's Picks Internal Security Testing and External Penetration Testing

Internal Security Testing and External Penetration Testing

Internal Security Testing and External Penetration Testing

By Edward J. Hawkins, II
Contributor, InCyberDefense

In the world of information technology (IT) security, one of the most important functions that can be performed is testing the security controls that have been put into place. These tests are conducted from two points of view: internal and external.

These different perspectives allow an organization to identify any gaps in their security and develop the necessary compensating controls. A compensating control may be a policy that dictates how information is handled within an information system (IS) or a firewall rule that specifies what Internet traffic can enter the organization’s network. The teams involved in conducting these tests are highly trained and specialized in various aspects of internal and external testing.

However, any IT security testing must be performed with the written permission of a system owner. This type of document provides a legal framework for the people conducting the tests.

Internal Security Testing

Internal security testing comes in one primary form: the vulnerability assessment. This type of testing uses a database of known security flaws to determine whether any of them exist within the system or network. This view of the environment is critical because it allows a system and/or network owner prioritize a mitigation strategy.

However, internal security test results do not accurately represent the overall security of a system or network. Internal testing typically negates most security controls that have been put into action and should not be confused with Blue Team activities.

External or Penetration Testing: Red and Blue Teams

External testing, which is also known as penetration testing, goes beyond the vulnerability assessment by attempting to compromise an organization’s security controls. These tests are conducted by either Red and Blue Teams, a Red Team, or a single security professional.

However, before penetration testing is conducted, you MUST ensure that only the systems that need to be tested are identified and/or have non-disclosure agreements (NDAs) in place. External testing may expose trade secrets, personally identifiable information (PII), personal health information (PHI) and other sensitive information.

The Role of a Blue Team

A Blue Team is a group of security professionals who are defense-oriented and are employed by an organization for one of two reasons:

  • To respond to an event (e.g. a security breach)
  • To improve the current security

In some cases, a Blue Team may be hired as part of a Red Team collaboration to determine if any vulnerabilities exist following an assessment. In this case, the Blue Team would conduct a vulnerability assessment, fix any security issues based on the Common Vulnerability Scoring System (CVSS) and then monitor the environment for any Red Team activities.

The Role of a Red Team

Red Teams are what most people think about when they hear about penetration testing. These individuals are highly trained in the compromising of an IT system or network. However, that does not mean those individuals are highly skilled in the technical compromising of a network or computer system.

On a Red Team, every team member has a role on the team. These roles are based on a specific security skillset that the member has, such as application security, network security, social engineering, and physical security. The goal of each team member is to use their skillset to test their client’s systems.

Red Teams Often Use Social Engineering

One of the most effective methods of gaining compromising information is to ask for it, which is known as social engineering. Social engineering involves convincing a victim or client to perform some action or provide secret information that they would not willingly provide otherwise.

When social engineering is in use, the Red Team leverages human behavior to gain their “unauthorized” access to a system or network. Most people want to help their fellow humans solve a problem.

A Red Team will also take advantage of the Common Vulnerabilities and Exposures (CVE) list. This list is a collection of known vulnerabilities in IT products.

Getting on a Blue or Red Team

Becoming a professional tester comes with some hurdles, but it is not an unattainable goal. One necessary element is a degree in computer science, computer engineering or electrical engineering. These degrees provide a foundational understanding of computer software and hardware.

Entering this profession also requires an understanding of computer networks. Comprehending how information flows between computers is different than knowing how that information is coded.

While there are certification courses in testing methodologies, tools, and techniques, I would not recommend them until you have mastered the basic knowledge behind them. These courses are typically taught by professionals who may use confusing technical jargon.

Becoming a certified tester is also an option that shows that you have met the requirement to be a successful tester. Keep in mind, however, that passing a test does not equate to practical experience.

The last thing to do is to get hired by an auditing company, which can be difficult. However, if you have taken the time to learn the basics and then go beyond them, working as a professional tester can be a rewarding career option.

Pay Attention to the Legalities of Security Testing

If you want to pursue a career in security testing, be sure to have a good understanding of the legal framework involved in this testing. Making a mistake while conducting a test (such as thinking you were in the client’s system and being in someone else’s) could result in legal actions being taken against you.

Always act in an ethical manner as well. You are testing systems by attempting to invalidate the security controls, which means you may gain access to information that is not supposed to be publicly known.

In addition, document everything. The final report for the client requires you to document every action you take and the tools and options you use, and the results. For example, if you were to use the network status command for Windows, netstat, and you wanted to see all the current active connections, you would use the options a, n, o, with the full command line entry being netstat -ano. The report should reflect the tool being run, its options, and the results.