Close this search box.

Internal vs. External Penetration Testing Discussed

Avatar photo
Art Ocain


What Does Penetration Testing Do and Why Is It Important?

Everyone says an organization should conduct a penetration test. But some companies don’t care about it. Some people are not sure how often to a conduct a penetration test. Let’s just step back and go over why should a company be serious about a penetration test.

A penetration test gives you really a look at reality. We can say that there’s 20,000 vulnerabilities on your network, but really what does that mean? A penetration test really validates that a threat actor can actually get in and see inside your network. It shows really how far the attacker could get because it is an attack simulation.

By performing a simulated attack on your network, you gain insight into how much access to internal data an attacker could obtain. This presents powerful perspective that can help make better decisions in protecting against real-world threats.

There are different types of penetration tests. There’s external penetration tests and internal penetration.  Yes, I think there’s real validity to both types. A lot of people really focus on just the external. That’s really an old school mentality, because doing just an external test assumes there’s no other way into your network. Let’s look at what the two types are.

External Penetration Tests

An external penetration test is the test that can help identify vulnerabilities in your system that could be exploited from the outside. It does not address the risk of an attacker gaining access to your network through other means. Conducting only an external penetration test is not sufficient to adequately protect your network from potential threats.

For instance, an attacker could use stolen credentials to access your network through a virtual private network (VPN) or could leverage a phishing attack to obtain valid login credentials. Alternatively, an attacker could successfully infiltrate your system through a back door or by exploiting a vulnerability in your Exchange Server using a brute force attack. To properly safeguard your network, it is important to not only conduct an external penetration test, but also conduct an internal penetration test.

An external penetration test is certainly valuable for discovering vulnerabilities in web servers, Exchange Servers, and other network components that may have been overlooked. However, it does not provide a full picture of security risks as the assessment is restricted to what an outside attacker can see from beyond your perimeter. An external penetration test is missing 90% of the picture.

Internal Penetration Tests

Why have the internal penetration test? An internal penetration test is actually more relevant these days because most attacks aren’t just happening because a brilliant hacker is hacking your specific website or server. Most of the time an attack happens, it’s because the attacker has your credentials. They’ve actually phished you and they’re getting in through your VPN. The attacker is getting in through your remote desktop. They’re actually able to get into your network. So, when we say they are “hacking in”, they’re really just logging in right. That exactly the new way of hacking is logging in.

How do they get to log in? Let’s say I stole your credentials, and I did some research and found out that okay is a valid host and I can try VPNing to that or I do a DNS reconnaissance and I find out how I can remote in. Or I find some service that I can log in as a user through. Whether it’s you know some web service, SharePoint, or whatever and I can gain access to your network as a user with those creds.

Once I’m in as that user, that is when the internal penetration test matters. An internal penetration test can discover how far I could get. If you’re following best practices, most of your users aren’t administrators so you’re logging in with a normal user. So if I’m logged in with a normal user, how far in my in your network can I do go what kind of devastation can I create?

The internal penetration test is not only for logged in users, but also important for other vulnerability. Let’s say somebody did come in through an unpatched vulnerability and you know from the external got into your network. Now what can they see and what they can affect once they’re in your network. Once they’ve you know actually gained foothold in your network, what are they able to do? That’s really where the internal and test is important.

Get Started for Free

Airiam is providing a free internal penetration test to organizations to demonstrate the vulnerabilities present in their systems. By identifying these gaps, companies can take action to address them using their own resources and technology, or by utilizing Airiam’s cyber resilience solutions such as AirGuard™ for managed security or AirCTRL™ for IT management. By taking proactive steps to identify and address vulnerabilities, companies can improve their overall cyber resilience.

New Resources In Your Inbox

Get our latest cybersecurity resources, content, tips and trends.

Other resources that might be of interest to you.

We Hired a Hacker

Hiring a Hacker Security is not an option anymore. While operations in many IT organizations went against security (1)(2) for years, it is now obvious that security needs to be at the beginning of every process. A hacker is a serious threat. Threats ar
Avatar photo
Anthony Lewis
>>Read More

What is Multi-Factor Authentication and Why Should Your Company Use It

What is Multi-Factor Authentication? In today’s digital age, security is more important than ever. With the increasing number of online transactions and access to sensitive information, it is crucial to have a secure authentication process in place. Th
Avatar photo
Andy Gritzer
>>Read More

Find the Best Cybersecurity & IT Services in Huntsville, Alabama

Find the Best Cybersecurity & IT Services in Huntsville, Alabama Cybercrime is rising, and businesses (big and small) are under attack. Once upon a time, securing your business meant buying a padlock and security camera. Now, it’s investing in cybe
Jesse Sumrak
>>Read More