Note from the Editor: This blog is part 2 of a 10-part series entitled, “Everything you need to know about an Internal Penetration Test.” To read the series from the beginning, please go to the blog, What is an Internal Penetration Test?
This blog looks at the differences between External and Internal Penetration Testing. Our goal is to provide the information you need to choose between these two types of penetration tests based on their value to your organization. Of course, the easy answer would be, “Why not both?” And in a perfect world that would probably be the best approach, but we don’t live in a perfect world. So, the answer depends on an organization’s budgetary constraints and the expected value from either assessment.
Comparing the Internal vs. External Penetration Testing
External
An external penetration test is designed to test the security of your organization’s internet perimeter. A penetration tester will be emulating an external attacker attempting to gather sensitive information, gain unauthorized access to internet-accessible applications, or break into your internal network. For most organizations, an external attacker is one of the most significant threat vectors that they face. An external penetration test can help evaluate vulnerabilities and the subsequent risk.
Internal
On the other hand, an internal penetration test looks at the security controls within your network. In this assessment, the penetration tester is assessing your susceptibility to the threat of a malicious insider, or of an attacker who has already gained a foothold on the network through social engineering or some other vulnerability. This is an often overlooked threat vector for organizations, but it is also one that can have the most widespread and severe impact in a breach scenario.
Let’s look at the important factors when comparing which of these assessments may be right for you:
Cost of Internal vs. External Penetration Testing
The cost is often a significant driver for organizations trying to decide between an external vs internal penetration test. If money is not a factor, you should be doing both on an annual basis. But that’s not realistic for a lot of organizations.
External
An external penetration test can cost anywhere from $3,000-$8,000 in most cases. The cost is based on the number of live hosts on your perimeter, meaning IP addresses with at least one open port accepting inbound services.
Internal
Similarly, an internal penetration test can range from $5,000-$15,000. This cost is based on the number of live hosts/servers/devices on your internal network. As you can see, internal penetration testing is usually a more expensive option, given the significant increase in attack surface and different methodology it requires.
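Since both price ranges above are driven by the live-host count, it helps to count those hosts the same way the article defines them before requesting a quote. The following scoping helper is an added example, not part of the original post or any vendor tool; it parses a constructed sample in Nmap's grepable (-oG) output style and counts only hosts with at least one confirmed open port, so a host that merely answers ping, or one whose only result is an unconfirmed `open|filtered` UDP port, is not counted.

```python
import re
from collections import defaultdict

# Constructed sample in Nmap "grepable" (-oG) style; not a real scan.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: filtered (998)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 25/closed/tcp//smtp///\tIgnored State: filtered (999)
Host: 203.0.113.12 ()\tStatus: Up
Host: 203.0.113.12 ()\tPorts: 161/open|filtered/udp//snmp///\tIgnored State: closed (999)
Host: 203.0.113.13 ()\tStatus: Down
# Nmap done (constructed sample)
"""

# Matches only a confirmed "open" state; "open|filtered" and "closed" do not match.
PORT_RE = re.compile(r"(\d+)/(open)/(tcp|udp)/")


def live_hosts(grepable_output: str) -> dict[str, list[str]]:
    """Map each host with at least one confirmed-open port to its open ports.

    Follows the article's definition of a live host: an IP address with at
    least one open port accepting inbound services. Hosts that are merely
    "Up" (203.0.113.11) or only show unconfirmed UDP results (203.0.113.12)
    are excluded from scope.
    """
    hosts: dict[str, list[str]] = defaultdict(list)
    for line in grepable_output.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("\tPorts:", 1)[1].split("\tIgnored State:", 1)[0]
        for port, _state, proto in PORT_RE.findall(ports_field):
            hosts[ip].append(f"{port}/{proto}")
    return dict(hosts)


def live_host_count(grepable_output: str) -> int:
    """Number of hosts that count toward the quoted scope."""
    return len(live_hosts(grepable_output))


if __name__ == "__main__":
    for ip, ports in live_hosts(SAMPLE_SCAN).items():
        print(ip, ", ".join(ports))
    print("live hosts in scope:", live_host_count(SAMPLE_SCAN))
```

Run the same count against an internal scan to size the second price range; the same rule applies, only the address space differs.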
It’s important to note that you shouldn’t stop reading here. While cost is certainly an important factor in deciding between internal or external penetration testing, it should not be the only factor. Value and return on investment are two other critical components to consider.
Expected Value of Penetration Testing
External Testing
There is definitely value in both an external and an internal penetration test. The right choice for your organization really depends on the questions you are trying to answer. If you’ve never had any sort of penetration testing done before (a vulnerability scan does not count), it’s probably a good idea to get your feet wet with an external penetration test. This can help identify any serious risks that should be addressed first. Further, conducting an external penetration test can give you assurance that you don’t have any gaping holes that need to be addressed immediately. Likewise, if you’ve got limited security/IT resources and/or an immature technology program in general, it may not make sense to have an internal penetration test done if you can’t manage the remediation process using the results.
Internal Testing
Now if you are an organization that has had an external penetration test performed for the past five years and you’ve got a good handle on what’s on your perimeter, it may be time to branch out and start looking at the internal network. Similarly, if your company doesn’t have any live hosts on the perimeter that accept inbound services and your only window to the internet is the NATed traffic leaving your firewall, it may not make much sense to have an external penetration test performed.
The internal network is the next big step in the maturity of your security program. An internal penetration test can provide you much needed direction for that security roadmap. Social engineering is more prevalent and more sophisticated than ever, and as such, you have to consider the threat of an attacker that is already on the network. In fact, if you’re having trouble convincing executive leadership of this to get funding for an internal penetration test, maybe a social engineering engagement can help highlight this risk a little more and show just how easy it is to get a foothold on a network.
Other Decision Factors
In any case, there are often many factors that go into choosing between an external vs internal penetration test. We’re really only scratching the surface here by discussing cost and value, which are probably the most significant factors but definitely not the only ones. Compliance, for example, may be another driving force here. Depending on the compliance standards you need to follow, they may encourage or require you to have both of these assessments performed on an annual basis. If you’re having trouble deciding between the two, please give us a call and we’ll go over your specific case to help make the right decision for your organization.
About the Author:
JR, Director of Penetration Testing at SIG, holds a BS in Computer Science Engineering from the University of Florida and an MS in Information Assurance and Cybersecurity from the Florida Institute of Technology. JR is an avid collector of security-related certifications, including OSCP, OSWE, GWAPT, CISSP, C|EH, CISA, and PCI QSA. You can find him on Twitter @InfoSecJR.