Penetration testing or pen-testing as it is sometimes called features two distinctly different methods of execution, internal and external. Understanding the differences between internal and external penetration testing is important so that you can use the method that is best suited and properly evaluate the results.
External pen-testing is the traditional, more common approach to pen-testing. It addresses the ability of a remote attacker to get to the internal network. The goal of the pen-test is to access specific servers and crown jewels within the internal network by exploiting externally exposed servers, clients, and people. Whether it’s an exploit against a vulnerable Web application or tricking a user into giving you his password over the phone, allowing access to the VPN, the end game is getting from the outside to the inside.
This is the approach taken to simulate an attacker on the inside. While the testing is in many ways like external, the major difference between internal and external penetration testing is that with internal it is assumed the attacker already has access. Or, perhaps they have gained access through means inside the system.
An attack from the inside has the potential to do far greater damage compared to an outside or external attack because some of the protection systems have already been bypassed and in many cases, the person on the inside has knowledge about the network itself. This means they understand where it is located and know what to do right from the start. This provides them with a strong advantage over an external threat.
There are three methods to perform above penetrations: Automated, manual and hybrid.
Automated: Using a set of tools that can simulate different types of attacks, this type has three major advantages: it’s fast, lower costs will get the low hanging fruits. There is one major disadvantage: cannot “see” unexpected systems behavioral by using “fuzzing” techniques that can later be used to create other types of attacks such as buffer overflow & other types of code injections.
Manual: In this case using tools that are configured & written every time differently, so testing is done deeply, this method has one major advantage: getting more weakness that an attacker may find and exploit. There is one major disadvantage: takes a longer time at higher costs.
Hybrid: This method takes the best from both methods; getting the low hanging fruits faster plus other hidden attack vectors using the manual method at a reasonable cost.
The results of the pen-testing, both internal and external will paint an accurate picture of the security of your computer system. The report will provide insight into what can be done to change obvious weaknesses and what steps to take which will help ensure proper security is performed in the future. While no computer system can be made invulnerable, the chances of successful penetration from either external or internal threats can be reduced considerably with the proper pen-testing.