Penetration Tests: A Brief Guide to the Differences between Internal and External Testing

It’s important for any modern business to know how secure its systems are. If there are gaps in your defences, your business, your staff, and your customers could be at risk. That’s where penetration testing comes in. Also known as pen testing, this is where cyber security experts like the team at Nettitude attempt to break into a company’s systems using the same methods a real attacker would, highlighting gaps in the security if and when they succeed, and always at the company’s invitation and within an agreed scope. Pen tests are usually divided into two types according to where the tester starts:

Internal Penetration Testing

This is where a security expert, connected to the company’s LAN or Wi-Fi network, attempts to reach and acquire sensitive data from inside. It models the threat from an employee or contractor, from a visitor or intruder with physical access to the buildings, or from an external attacker who has already gained a foothold on the internal network.

The tester starts without any special access privileges, typically with nothing more than a network connection or a standard user account, and tries to find out whether someone in that position could obtain the credentials needed to reach sensitive data, such as research documents, company financials, or customers’ payment information.

As they try to acquire this information they will also attempt to circumvent any data loss prevention (DLP) controls in place and to cover their tracks, which shows not only whether the data can be taken but whether the organisation’s monitoring would notice.

External Penetration Testing

External testing models cyber attacks the way we usually imagine them: an attacker on the internet, with no prior access, trying to find a way into the system. While internal testing determines whether those already inside your network can reach anything they shouldn’t, external testing shows whether people who shouldn’t enter your systems can be kept out.

This means testing firewalls, intrusion detection systems, and the other measures in place to prevent unauthorised entry, as well as the security of the internet-facing applications themselves and of the interfaces through which they talk to one another and to back-end services.

Pen testing can also be carried out with different levels of information about an organisation’s system architecture on the part of the tester, commonly described as black-box (no prior knowledge), grey-box (partial knowledge, such as user credentials) and white-box (full documentation and source access), so you can see how specific kinds of would-be attacker might attempt to compromise your security. Remember that the Payment Card Industry Data Security Standard requires both internal and external penetration testing of the cardholder data environment, at least annually and after any significant change, so it’s important not to neglect it.