
How An Internal Penetration Test Can Help Your Organization


Every IT department faces the challenge of having to apply limited resources (headcount, technology, 3rd party assessments) against a plethora of potential security risks. Choosing wisely is often the difference between an effective security strategy and an ineffective one. With that in mind, and with a number of possible assessment approaches available, what benefits can be gained from an internal penetration test?

First, since security terminology is often misunderstood, let's define internal penetration testing. An internal pen test is a very specific scope of work where a security engineer connects to your internal network, or a portion thereof, and with nothing other than an internal network connection, attempts to gain access to sensitive organizational resources. In an internal pen test the security engineer is connected at the network level but has no other credentials, such as a user account on the domain or on a corporate software application. Such a test can be conducted on-site with the engineer working from a conference room with an Ethernet drop, or done remotely via VPN connection. It is from this restricted vantage point that the engineer attempts to gain unauthorized access to internal systems and data.

Example of a Common Finding – Compromised Web Server

Finding

A web application server with sensitive customer and cardholder data can be compromised.

Narrative

Our internal penetration testing often exposes the ability to compromise a web application server from inside the firewall. The entry point is usually a host accessible through default credentials. From there we can get JMX console access and view the microkernel of the JBoss application server. If full control over the JBoss application server can be obtained, we can then start or stop services as well as deploy or un-deploy Web application ARchive (WAR) files.
It is even possible to create a custom WAR file and embed a JavaServer Pages (JSP) payload that, when executed, will initiate a reverse connection back to the RPA server and spawn a shell. From there a user account can be created and added to the local administrators group in order to maintain access to the server and use it as a jump point for further testing. Once this user account is created, a fully interactive session can be established by using RDP to connect to the server. Once connected, it's possible to dump the password hashes of the local user accounts.
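The web-side steps of the chain just described (a client on the internal network reaching the JMX console, invoking an operation through it, and then fetching a freshly dropped JSP) all leave traces in the application server's access log. The script below is an added example of detection logic run over such a log; it is not code from the Redspin slides or from JBoss. It assumes Common Log Format lines, the classic JBoss AS 4.x/5.x console paths (/jmx-console, /web-console, HtmlAdaptor), an admin network of 10.1.200.0/24 and a single deployed context root /app; the log lines themselves are constructed for the example. The host-side steps (local account creation, RDP logon, hash dumping) are visible only in endpoint logs and are not covered here.

```python
# Added detection example; not code from the Redspin slides or from JBoss.
# Parses constructed Common Log Format lines and flags the web-side steps of
# the narrative above: an ordinary client reaching the JBoss JMX console,
# invoking an MBean operation through it, and then fetching a JSP outside any
# known application context. Paths, addresses and the admin network are
# assumptions for the example.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Management consoles shipped with classic JBoss AS 4.x/5.x; append any
# other admin paths your build exposes.
CONSOLE_PREFIXES = ("/jmx-console", "/web-console")
# Address prefixes allowed to reach the consoles (assumption).
ADMIN_NETS = ("10.1.200.",)
# Context roots of the applications actually deployed (assumption).
KNOWN_CONTEXTS = ("/app",)

# Constructed sample log, not taken from the page. 10.1.9.77 plays the role
# of the conference-room Ethernet drop; 10.1.4.22 is a normal user and
# 10.1.200.5 is a legitimate administrator.
SAMPLE_LOG = """\
10.1.4.22 - - [12/Mar/2012:10:01:07 -0800] "GET /app/index.jsp HTTP/1.1" 200 5123
10.1.9.77 - - [12/Mar/2012:10:02:15 -0800] "GET /jmx-console/ HTTP/1.1" 200 8891
10.1.9.77 - - [12/Mar/2012:10:02:41 -0800] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:service=MainDeployer HTTP/1.1" 200 14022
10.1.9.77 - - [12/Mar/2012:10:03:02 -0800] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 1207
10.1.9.77 - - [12/Mar/2012:10:03:30 -0800] "GET /cmd/shell.jsp HTTP/1.1" 200 44
10.1.200.5 - - [12/Mar/2012:10:03:50 -0800] "GET /jmx-console/ HTTP/1.1" 200 8891
10.1.4.22 - - [12/Mar/2012:10:04:00 -0800] "GET /app/login.jsp HTTP/1.1" 200 3321
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


@dataclass
class Alert:
    ip: str
    ts: str
    reason: str
    path: str


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def console_reason(method: str, path: str) -> str:
    """Describe how far into the console a single request went."""
    if method == "POST" and "HtmlAdaptor" in path:
        return "JMX operation invoked via HtmlAdaptor (possible deploy)"
    if "MainDeployer" in path:
        return "MainDeployer MBean inspected"
    return "management console answered 200 to non-admin client"


def analyze(log_text: str) -> List[Alert]:
    """Walk the log once, keeping per-client state so that a later JSP hit
    can be tied to an earlier console visit from the same address."""
    alerts: List[Alert] = []
    touched_console = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue  # unparsable or rejected requests are not the concern here
        ip, path, method, ts = rec["ip"], rec["path"], rec["method"], rec["ts"]
        if path.startswith(CONSOLE_PREFIXES):
            if ip.startswith(ADMIN_NETS):
                continue  # expected administrative traffic
            alerts.append(Alert(ip, ts, console_reason(method, path), path))
            touched_console.add(ip)
        elif (ip in touched_console
              and path.split("?")[0].endswith(".jsp")
              and not path.startswith(KNOWN_CONTEXTS)):
            alerts.append(Alert(ip, ts,
                                "JSP outside known contexts served after console access",
                                path))
    return alerts


def suspicious_clients(alerts: List[Alert]) -> List[Tuple[str, int]]:
    """Clients ordered by alert count, for triage."""
    counts: dict = {}
    for a in alerts:
        counts[a.ip] = counts.get(a.ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.ts} {a.ip} {a.reason}: {a.path}")
```

The allowlist on the admin network is what keeps the rule quiet in normal operation; the same console requests from 10.1.200.5 produce no alert. The third rule only fires for a client that has already touched a console, which is the part that distinguishes a dropped JSP from a legitimately deployed one without having to know every page of every application.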
Impact

Any user with physical access to the corporate network can access sensitive customer PII (personally identifiable information) and cardholder data without authorization credentials.

The results of an internal penetration test typically demonstrate what information or other assets might be exposed to an unauthorized user who has network-level access to your corporate IT environment. Extrapolating further, it also shows what a hacker could access if they were to compromise your gateway. But an internal pen test is not designed simply to expose risk from external hackers. There are a number of internal risks as well. Here are some other important considerations:

  • What confidential information might an employee obtain by gaining access to your internal HR database?
  • What about vendors or visitors who are allowed on your internal network by an employee, and/or are left alone in a conference room where they plug into a live Ethernet port?
  • What information could a rogue employee exploit?
  • Can partner companies that have network-level connectivity access more internal resources than you intended?

An internal penetration test can help answer these questions and educate others in your organization about this kind of risk. With limited resources to work with, it's important to clarify what your organization wants to accomplish as you embark on any type of security assessment. We hope we've clarified above the most important benefits of an internal penetration test.

Web: WWW.REDSPIN.COM | Phone: 800-721-9177 | Email: INFO@REDSPIN.COM