What Is the Difference Between Internal and External Penetration Testing?

1 October 2024

Network penetration testing is a preventative strategy that tests how easily an attacker could gain access to confidential information, so that you can confirm your organisation is secure. There are two types of penetration testing, internal and external, and it is essential to understand the difference between them. So, what is the key difference between internal and external penetration testing?

Internal penetration testing simulates an attack on your security system from someone who already has access (an inside attacker). By contrast, external penetration testing simulates an attack from someone outside your organisation who must start from scratch to gain access (an outside attacker).

Read on for a more in-depth explanation of the differences between internal and external penetration testing. We will also cover penetration testing examples, methodologies and how to choose the right testing method for your organisation.


What Are the Differences Between Internal and External Penetration Testing?

There are several key differences between internal and external penetration testing. However, both are essential preventive strategies that are vital to ensuring your organisation remains secure from all forms of attack.

Internal vs External Attacker

The main difference between these two types of penetration testing is whether the simulated attack comes from inside or outside of your organisation:

  • Internal penetration testing simulates an attack from an inside attacker. This could be a member of your organisation, such as an employee or contractor, or an external attacker who has already gained access to some of your systems.
  • External penetration testing simulates an attack from an outside attacker who has no previous access to your security systems and must start from scratch to gain access.

Aims

External and internal penetration testing have different aims, which is why they are both essential preventative tools:

  • Internal penetration testing aims to identify what further access an attacker could gain if they already have access to your internal network. This includes identifying vulnerabilities within your organisation’s servers, devices and workstations, and looking at the security of internal databases and applications.
  • External penetration testing aims to identify the vulnerabilities in your organisation’s external assets, networks and systems. This includes assessing the effectiveness of security systems, such as firewalls, and identifying weaknesses in internet-facing applications, including web and email servers.

Scope

Internal and external testing offer organisations different scopes, and both are vital to ensuring the security of all your systems:

  • External penetration testing only tests whether attackers can gain access over the internet, and therefore only internet-facing systems, sites and applications are tested.
  • Internal penetration testing focuses only on internal networks and systems available to an inside attacker with some level of prior access.
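To make the scope split concrete, here is an added example (not code from the original article or from Obsidian Networks) that partitions a constructed asset inventory into the two test scopes by address: anything on a private, carrier-grade NAT, link-local or loopback range is only reachable from inside the network and belongs to the internal scope, while everything else is treated as internet-routable and belongs to the external scope. The asset names are hypothetical and the public addresses come from the RFC 5737 documentation range. An asset that answers on both a public and a private address, such as a NAT'd web server, correctly lands in both scopes.

```python
import ipaddress
from dataclasses import dataclass

# Address ranges that are only reachable from inside the network and therefore
# belong to the internal test's scope. Everything else is treated as
# internet-routable and in the external test's scope.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private space
    "100.64.0.0/10",                                   # RFC 6598 carrier-grade NAT
    "169.254.0.0/16", "127.0.0.0/8",                   # IPv4 link-local, loopback
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str          # e.g. "web server", "workstation", "firewall"
    addresses: tuple   # one or more IP literals the asset answers on


def address_scope(address: str) -> str:
    """Return 'internal' for an address inside INTERNAL_RANGES, else 'external'.
    Version mismatches are harmless: an IPv4 address is never 'in' an IPv6 network."""
    ip = ipaddress.ip_address(address)
    return "internal" if any(ip in net for net in INTERNAL_RANGES) else "external"


def scope_inventory(assets):
    """Partition an inventory into the two test scopes.

    An asset that answers on both a public and a private address (a NAT'd web
    server, say) is listed under both scopes, since both kinds of attacker can
    reach it, from different sides."""
    scopes = {"external": [], "internal": []}
    for asset in assets:
        for scope in sorted({address_scope(a) for a in asset.addresses}):
            scopes[scope].append(asset.name)
    return scopes


# Constructed sample inventory (hypothetical names; the public addresses are from
# the RFC 5737 documentation range 203.0.113.0/24, not real hosts).
SAMPLE_INVENTORY = [
    Asset("www", "web server", ("203.0.113.10", "10.0.5.10")),
    Asset("mail", "email server", ("203.0.113.25",)),
    Asset("hr-db", "database", ("10.0.20.15",)),
    Asset("ws-017", "workstation", ("192.168.4.17",)),
    Asset("cctv-1", "camera", ("192.168.50.3",)),
    Asset("vpn-gw", "firewall", ("203.0.113.1", "172.16.0.1")),
]

if __name__ == "__main__":
    for scope, names in scope_inventory(SAMPLE_INVENTORY).items():
        print(f"{scope} test scope: {', '.join(names)}")
```

The classification is deliberately conservative: it does not trust a "public" label in the inventory but derives exposure from the address itself, which is the same question an external tester answers first when confirming what is actually reachable from the internet.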

Internal vs External Penetration Testing Examples

Because the scope and aim of internal and external penetration testing are different, they will involve different tests and methodologies to assess the security of your systems.

Examples of Internal Penetration Testing

During an internal penetration test, testers will test all internal systems, applications and devices, including:

  • Computers, workstations and portable devices
  • Servers
  • Wireless networks
  • Access points
  • Firewalls
  • Cameras
  • Intrusion Detection Systems (IDS)
  • Intrusion Prevention Systems (IPS)

Examples of internal penetration testing methods include:

  • Password strength testing
  • System fingerprinting
  • Port scanning
  • Finding and exploiting vulnerabilities
  • Administrator privilege escalation testing
  • Manual vulnerability testing
  • Database security controls testing
  • Network equipment security controls testing
  • Internal network scans to find known Trojans
  • Third-party security configuration testing

Examples of External Penetration Testing

During an external penetration test, testers will test all external or internet-facing systems, including:

  • Web apps
  • Mobile apps
  • Networks
  • Network devices
  • Routers
  • Sub-domains
  • Login systems
  • Firewalls

Examples of external penetration testing methods include:

  • IDS/IPS testing
  • Password strength testing
  • Testing for weak cryptography
  • Manual testing of identified vulnerabilities
  • Checking for public information and other information leakages
  • System scanning
  • Port scan and fingerprinting
  • Error control tests
  • Firewall and ACL testing
  • Data breach tests


How to Choose Between Internal and External Penetration Testing?

Internal and external penetration tests cover different areas of your security systems and how different attackers might exploit any vulnerabilities. Below we will look at the reasons for choosing each type of penetration test to help you decide.

When Should You Choose An External Penetration Test?

An external penetration test focuses on outside threats to your organisation’s networks and simulates real-world attacks from the perspective of an outside attacker. Here are the benefits of choosing external testing for your organisation:

  • Most common type of threat. External penetration tests focus on external threats, which are the most common as they can come from anywhere worldwide.
  • Protect your internet-facing systems. External systems, such as your website or email server, are usually the most vulnerable as they are connected to the internet and are typically the first victims of an outside attack.
  • Identify significant security issues. If you have never had any form of penetration testing done before, an external test can help identify any major security issues with your internet-facing systems.
  • Prevent unauthorised access. By identifying vulnerabilities with your outside-facing systems you can prevent future attackers from gaining unauthorised access.
  • Simulates a real-world attack. External penetration tests simulate a real attack from a hacker helping to identify your system’s vulnerabilities.
  • Reduce the risk of data breaches. External testing can significantly reduce the risk of data breaches by improving your external security systems. Data breaches can be costly and harm customers’ perception of your organisation.

When Should You Choose An Internal Penetration Test?

An internal penetration test focuses on internal threats to your organisation’s security. These could be internal attackers, such as employees, former employees or contractors, or external attackers who have previously gained access to some of your internal systems. Here are the benefits of choosing internal testing for your organisation:

  • Insider threats are often ignored. Many organisations do not consider the threat of insider attacks, despite the fact that these reportedly account for nearly 60% of all data breaches.
  • Considers both malicious and non-malicious insider threats. Not all inside threats are malicious and some stem from human error, such as an employee incorrectly storing data or clicking on a phishing link in a work email.
  • Simulates a real-world attack from an insider threat. An internal test gives you real-world insight into what an inside attacker could accomplish if they already have access to some of your systems. This offers a completely different perspective from an outside attacker.
  • Examine your access controls. Internal penetration testing can help you understand if your access controls are working effectively and if privileges can be escalated by an inside attacker.
  • Post-breach analysis. If an external attacker has already gained access to your internal systems, an internal test can help identify which information the attacker can access.
  • Tests if internal attackers can gain access to sensitive information. Internal penetration tests can help you identify which data is vulnerable and if any sensitive data can be breached.
  • Tests the security of session management and authentication systems. Regular internal testing ensures that the authentication mechanisms of your web applications are robust enough.
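The "Examine your access controls" and "Post-breach analysis" points above, and the internal test's aim of finding what further access an insider could gain, amount to a reachability question over your network's access rules. The following is an added example (not code from the original article or from Obsidian Networks) that answers that question for a constructed, hypothetical segmentation policy: starting from the zone an inside attacker already holds, it walks the allow rules breadth-first and reports which sensitive zones become reachable and by which path. It pessimistically assumes that reaching a zone lets the attacker pivot from it; an actual internal test confirms or refutes that assumption for each hop.

```python
from collections import deque

# Constructed segmentation policy (hypothetical zones and services).
# Each rule says a source zone may reach a destination zone on a service.
ALLOW_RULES = [
    ("workstations", "file-server", "smb"),
    ("workstations", "intranet", "https"),
    ("intranet", "hr-db", "postgres"),       # intranet app talks to its database
    ("file-server", "backup", "ssh"),
    ("admins", "hr-db", "postgres"),
    ("admins", "domain-controller", "ldap"),
]

# Zones whose exposure to an insider would count as a finding.
SENSITIVE_ZONES = {"hr-db", "domain-controller", "backup"}


def reachable_from(foothold, rules=ALLOW_RULES):
    """Breadth-first walk of the allow rules from the attacker's starting zone.

    Assumes (pessimistically) that reaching a zone lets the attacker pivot from
    it. Returns {zone: [(zone, service), ...]} giving the shortest hop path to
    every reachable zone; the foothold maps to an empty path."""
    paths = {foothold: []}
    queue = deque([foothold])
    while queue:
        src = queue.popleft()
        for rule_src, dst, service in rules:
            if rule_src == src and dst not in paths:
                paths[dst] = paths[src] + [(dst, service)]
                queue.append(dst)
    return paths


def exposed_sensitive_zones(foothold, rules=ALLOW_RULES):
    """Sensitive zones an insider starting in `foothold` could reach, with paths."""
    paths = reachable_from(foothold, rules)
    return {zone: paths[zone] for zone in SENSITIVE_ZONES if zone in paths}


def format_path(foothold, path):
    hops = [foothold] + [f"{zone} ({service})" for zone, service in path]
    return " -> ".join(hops)


if __name__ == "__main__":
    # Two starting points an internal test might model: an ordinary employee's
    # workstation segment, and an already-compromised admin account.
    for foothold in ("workstations", "admins"):
        print(f"Foothold: {foothold}")
        for zone, path in sorted(exposed_sensitive_zones(foothold).items()):
            print("  exposed:", format_path(foothold, path))
```

Run against the sample policy, a workstation foothold reaches the HR database only indirectly, through the intranet application's own database access, and the backup host through the file server. Neither path is obvious from reading the rules one at a time, which is exactly the kind of privilege-escalation chain an internal test is meant to surface, and the place a defender would tighten (for example, by not letting the intranet zone's database credentials serve as a general route to hr-db).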

Conclusion

Because internal and external penetration tests cover different aspects of your organisation’s security systems, it is generally recommended to perform both tests. This will ensure that both your internal and external systems are secure and you are protected from both inside and outside threats.

Regular external and internal penetration testing will help you:

  • Comply with regulations. Regular penetration testing can help organisations comply with GDPR and other regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), which is designed to increase the security of card transactions.
  • Identify vulnerabilities in all your systems. Combining both types of penetration testing will ensure that all your internal and external systems are secure from all types of potential attacks.
  • Mitigate risks and avoid the repercussions of cyber-attacks and data breaches. Taking your organisation’s cyber security seriously reduces the risk of attacks and the associated damage to your reputation and financial repercussions.


Internal and External Penetration Testing Services By Obsidian Networks

At Obsidian Networks, we’re providers of the Cyber Essentials certification and have been performing penetration testing for our clients for the last 20 years. Our experts are fully versed in the latest hacking techniques and methodologies ensuring complete protection for your organisation.

Both internal and external penetration testing can be conducted to ensure compliance with various compliance requirements, such as:

If you’re looking for comprehensive penetration testing for your organisation, our internal and external testing should be your first choice. Get in touch with a member of our experienced team to start improving your organisation’s security.

Internal and External Penetration Testing FAQs

Can an Internal Penetration Test Be Performed Remotely?

Yes, internal penetration tests can be performed remotely through a secure virtual machine. This removes the need for the cyber-security firm to be at the same physical location as the client.

Will Internal and External Penetration Testing Affect My Business?

Typically, most clients don’t notice anything during the network penetration testing process. However, there might be minor disruption, as the testing process could slow down your networks. At Obsidian Networks, we always schedule penetration testing at a convenient time for your business.

How Is Confidentiality Maintained During Penetration Testing?

All data uncovered through the penetration testing is subjected to complete confidentiality. Nothing is recorded or stored in any way. At Obsidian Networks, our internal and external penetration report provides all the information you need about your system’s vulnerabilities, without including any potentially sensitive data.