Security, Compliance & Awareness
The Rise Of The Internal Penetration Test
Over the last few months there has been a significant increase in the number of clients requesting Safecoms to conduct penetration tests of their internal networks. This has been interesting from two perspectives.
First, it is always intriguing when there is a marked upturn in demand for a particular service. The services that clients request from specialist organisations like Safecoms serve as a barometer of what is exercising the minds of those charged with managing the security of corporations and government agencies in Australia. Why the increased interest in internal penetration testing?
Second, what have we - and our clients - learned from conducting more of these tests? What issues have come up? And what are people doing about addressing those issues?
What Is An Internal Penetration Test?
To start with, let's ensure we have a common definition of what internal penetration testing involves. There are basically three different types of test that can be undertaken in combination or as a series of separate activities.
Two types of test involve the tester being given physical access to the internal network. The key difference between these two types of test is the level of access that the tester is given. In one scenario they are given a typical user account, which may allow them e-mail and file server access; in the other only access to a network port is made available.
In the first of these two (i.e. where the tester is essentially put in the position of a normal employee), the tester is required to use the same techniques that a rogue user would employ to escalate their privileges, with a view to gaining unauthorised access to systems and data and compromising their availability, confidentiality and integrity.
In the second, the tester is in the position of an attacker who has gained physical access to the network but who has no credentials. This essentially simulates a scenario where someone has managed to "socially engineer" their way into a building (e.g. posing as a cleaner), and then seeks to gain unauthorised access to systems and data.
There is a third type of test designed to test the impact of "second stage" attacks - i.e. attacks that stem from a failure in another security layer. In this test the tester is placed on a DMZ network segment, but not given any valid network credentials, essentially simulating the position an attacker would find themselves in if they had managed to compromise an Internet-facing system.
Why Do It?
The increasing use of internal penetration tests (of various types) reflects the fact that virtually all of the published surveys, and the anecdotal evidence around the infosec community, suggest that an increasing number of incidents are occurring entirely inside the perimeter. Faced with this realisation, it becomes increasingly important to determine the level of risk associated with potential compromises of the internal network.
What is causing this increase in the number of incidents occurring inside the perimeter? A number of different phenomena are at work here.
First is the issue of rogue employees. Since time immemorial, organisations have had to face up to the fact that there will be staff who put their fingers in the till. Nowadays - particularly as the computing skills of the work force are becoming increasingly sophisticated - organisations must deal with the information age's equivalent of the fingers in the till. Also, in addition to the handful of employees with agendas of personal gain through fraud and theft, organisations face the classic threat of disgruntled employees. Whereas historically such an individual may have engaged in furtive acts of vandalism or made hoax calls to cause the workplace to be evacuated, a single user may now potentially bring an organisation to its knees, for a number of days, by entering a few well-chosen commands.
Secondly, hackers are increasingly resorting to social engineering techniques to obtain access to organisations - because these techniques work. Several recent studies have shown how alarmingly easy it is to persuade a user to disclose their user name and password, effectively putting the hacker in the position of an authenticated user in most organisations. In addition to using social engineering techniques to obtain logical access to the internal network, hackers are also using social engineering tricks to gain physical access to the building, often by posing as cleaners or maintenance workers.
Thirdly, the hacking community is increasingly making use of ever more sophisticated spyware and rootkits. If an attacker can manage to get these onto a user's PC or laptop then the hacker can effectively gain access to the internal network.
Fourthly, as the profile of the typical hacker continues to shift - from that of the script kiddie, purely out to achieve a level of notoriety, toward the more sophisticated criminal with significant skills - incidents of successful breaches of perimeter defences by hackers increase. Many organisations, particularly those such as financial services likely to attract the attention of serious criminal hackers, are now taking it as a given that at some point a hacker will succeed in breaching their perimeter defences from the internet and will effectively be able to compromise a host within the DMZ. From this point, an attacker is likely to direct their interest toward launching attacks on the internal network. Even the script kiddies are starting to pose more of a threat, as the increased sophistication of freely available hacking tools is enabling many of these individuals to fumble their way into relatively secure establishments.
What Does The Internal Penetration Test Achieve?
In a nutshell, the results of an internal penetration test identify the vulnerabilities that could be exploited by the attacker who starts out as an authenticated user (i.e. the employee or the hacker who has socially engineered a user's log on credentials), or who has obtained access to the network - either through physical access to a machine connected to the internal network, or by exploiting a weakness in the external perimeter.
As with the more traditional external penetration test, these findings allow the organisation to take appropriate remediation steps, with a view to minimising the damage that will occur if such an attack takes place. It should also be noted that internal penetration tests (particularly those that focus on attacks from DMZ segments) make the results of external tests more relevant, as they enumerate some of the potential implications associated with a successful penetration of the external perimeter.
Safecoms' experience has been that in the majority of organisations that have commissioned an internal penetration test, what has been revealed is a "hard shell / soft core" scenario. In other words, security initiatives have been focused on securing the perimeter to keep attackers out, but significantly less attention has been paid to securing against the attacker who is on the network or inside the DMZ. While this can be very effective at preventing an initial compromise, it can make it easy for a successful attacker to escalate a small victory into a very serious problem for the victim.
Typically, the remediation program that follows an internal penetration test will focus on improving the patch management process, hardening servers, and addressing the issue of network segmentation. These disciplines will go a long way in addressing the majority of the issues that are generally found in an internal penetration test, and will cause the organisation to take a major step forward in managing its risk.
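The network segmentation point above, and the DMZ-positioned test described earlier, come down to one question: which internal services can a host on the DMZ actually reach? The following is an added example, not Safecoms' tooling or anything from the article, showing how a defender can answer that question from a firewall rule base before (or after) a test. The zones, rule base, approved-service list and probe flows are all constructed for illustration, and `first_match` and `audit_dmz_to_internal` are hypothetical helper names. It assumes first-match rule evaluation with an implicit default deny, which is how most perimeter firewalls behave.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone definitions (illustrative address ranges, not from the article).
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    proto: str    # "tcp", "udp" or "any"
    dport: str    # "any", a single port such as "3306", or a range "1024-65535"


# Constructed first-match rule base standing in for the firewall between DMZ and LAN.
# The broad 445 and high-port rules are the kind of "soft core" an internal test exposes.
RULES = [
    Rule("allow", "192.0.2.0/24", "10.1.0.10/32", "tcp", "3306"),
    Rule("allow", "192.0.2.0/24", "0.0.0.0/0", "tcp", "445"),
    Rule("allow", "192.0.2.0/24", "0.0.0.0/0", "tcp", "1024-65535"),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", "any"),
]

# Internal services a DMZ host is approved to reach (constructed: one database port).
APPROVED = {("10.1.0.10", "tcp", 3306)}


def port_matches(port: int, spec: str) -> bool:
    """True if a destination port satisfies a rule's port specification."""
    if spec == "any":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return port == int(spec)


def first_match(rules, src: str, dst: str, proto: str, port: int) -> str:
    """Return the action of the first rule matching the flow; deny if none matches."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and r.proto in ("any", proto) and port_matches(port, r.dport)):
            return r.action
    return "deny"  # implicit default deny


def audit_dmz_to_internal(rules, probes):
    """Return every probe flow from a DMZ host into the internal zone that the
    rule base allows but that is not on the approved-service list."""
    src = str(next(ZONES["dmz"].hosts()))  # a representative DMZ host
    findings = []
    for dst, proto, port in probes:
        if ip_address(dst) not in ZONES["internal"]:
            continue  # only DMZ-to-internal paths are in scope here
        allowed = first_match(rules, src, dst, proto, port) == "allow"
        if allowed and (dst, proto, port) not in APPROVED:
            findings.append((dst, proto, port))
    return findings


# Constructed probe list: internal services a DMZ host should not normally reach.
PROBES = [
    ("10.1.0.10", "tcp", 3306),  # the approved database port
    ("10.1.0.20", "tcp", 445),   # SMB file server
    ("10.1.0.30", "tcp", 3389),  # RDP, caught by the over-broad high-port rule
    ("10.1.0.40", "tcp", 8080),  # internal application server
    ("10.1.0.50", "udp", 161),   # SNMP; no UDP rule, so denied
]

if __name__ == "__main__":
    for dst, proto, port in audit_dmz_to_internal(RULES, PROBES):
        print("DMZ can reach internal %s %s/%d" % (dst, proto, port))
```

The useful lesson is in the RDP probe: nothing in the rule base mentions 3389, yet the "allow high ports" rule lets a compromised DMZ host reach it. Reviewing rules line by line misses that; evaluating concrete flows against the rule base, as the tester on the DMZ segment effectively does, finds it.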
Nick Gifford
Managing Director
If you would like to find out more about this topic or any of the issues raised in this article, or if you are interested in internal penetration testing for your organisation, please call the Safecoms team on 02 8234 4000 or email us at info@safecoms.com.au
InfoAware
InfoAware is our training solution for User Awareness, IT Staff Awareness and Information Governance. Covering all the relevant topics required by international standards such as ISO 17799, it comprises a multimedia Video/DVD and Learning Management System. InfoAware is easy to deploy over the Intranet and can be used for induction and refresher training courses. InfoAware takes users through a multi-choice question and answer session on each topic and allows organisations to deploy additional training material and policy documents to all staff.
More details can be found at www.infoaware.com
Contact
Safecoms has operations in the UK and Australia, with representatives in the USA, Asia and the West of Scotland. If you would like someone from Safecoms to contact you please email us at info@safecoms.co.uk