
External or Internal Penetration Test: What Organizations Really Need

March 17, 2026 / Jonas Mönnig

Many new clients approach us to request an external penetration test. During the scoping discussion, however, it often quickly becomes clear to us: what the client actually needs is an internal test. In this article, we want to clarify what an external penetration test can actually achieve and when an internal test would make more sense.

A Typical External Test

First, it is important to understand what a penetration test is really about. The underlying goal is to protect the client’s sensitive data. A penetration test contributes to this goal by identifying existing vulnerabilities so they can be remediated.

In an external penetration test, we assess the client’s exposed services, in other words, the systems in the client’s network that are reachable from the outside. At first glance, this appears to be the most sensible test, since an attacker would also strike from the outside.

When we perform an external penetration test, we often see a very similar picture. The client has hardly any services exposed externally. All critical services are provided only within the internal network, or they are consumed directly as cloud services. In some cases, the only thing we can see from the outside is a VPN endpoint leading into the internal network.

In such a case, we naturally find few or no vulnerabilities, and we certainly cannot reach the internal network. So the client is well protected, right?

Unfortunately, that is a false assumption, because exposed server services are not the only way for an attacker to get into the internal network. The human factor is even more important.

Other Ways Into the Internal Network

Phishing emails are now the most common entry point for cyberattacks, and that is also reflected in the typical click rates we see in our phishing campaigns. In particularly “successful” phishing campaigns, it can absolutely happen that more than half of the workforce clicks on a malicious link.

Even in the best-trained workforce, sooner or later someone will fall for a phishing email. That is simply part of human nature and cannot be avoided entirely.

In addition, it is important to understand that a penetration test is only a snapshot in time. Attackers now react to newly published vulnerabilities within days or even hours and target potential victims accordingly. A penetration test performed months ago therefore says little about the current exposure.

The Internal Network as the Focus

In today’s IT security landscape, you have to plan for the possibility that an attacker will eventually gain access to the internal network. The level of IT security within the internal network therefore needs to be just as high as it is for exposed services.

This so-called defense-in-depth principle can be illustrated with the following analogy: even if you have built a fence around your house, you would still always lock your front door.

In our internal tests, however, we usually see the exact opposite. Instead of a locked door, we tend to find a wide-open barn door. If a company has never conducted an internal penetration test before, we honestly expect to take over the entire network on the first day of testing.

The reasons are always the same: insecure default configurations in Windows, legacy issues from 20 years of IT operations, poor password handling, or missing updates.

When we identify these vulnerabilities and present them in a structured report with practical remediation recommendations, we can provide the client with significantly more value than with an external test.

An external penetration test can be an important part of your IT security strategy, especially if you expose many server services to the outside. For the vast majority of clients, however, testing the internal infrastructure provides by far the greatest value and should be prioritized.

In a scope meeting, we are happy to work with you to determine which type of penetration test is the best fit for your organization.