External vs Internal Penetration Testing – How to Choose With a Limited Budget

This week we’re going to look at the differences between an External vs Internal Penetration Testing. Our primary goal will be to give you the information you need to be able to choose between these two basic types of penetration tests based on their value to your organization. Of course, the easy answer would be, “Why not both?” And in a perfect world that would probably be the best approach, but we don’t live in a perfect world so the answer to that is usually based on an organization’s budgetary constraints and the expected value from either assessment.

Comparing the Two Assessments – External vs. Internal

An external penetration test is designed to test the security of your organization’s Internet perimeter. A penetration tester will be emulating an external attacker attempting to gather sensitive information, gain unauthorized access to Internet-accessible applications, or break into your internal network. For most organizations, an external attacker is one of the most significant threat vectors that they face, and an external penetration test can help evaluate vulnerabilities and the subsequent risk here.

On the other hand, an internal penetration test looks at the security controls within your network. In this assessment, the penetration tester is assessing your susceptibility to the threat of a malicious insider or an attacker that has already gained a foothold on the network, through social engineering or some other vulnerability. This is an often overlooked threat vector for organizations, but one that can have the most widespread and severe impact in a breach scenario.

Let’s look at the important factors when comparing which of these assessments may be right for you:

Cost

The almighty dollar is usually a significant driver for organizations that are comparing and trying to decide between an external vs internal penetration test. If money wasn’t a factor, you should really be doing both on at least an annual basis. But that’s not realistic for a lot of organizations. An external penetration test is scoped based on the number of live hosts on your perimeter (an IP address with at least one open port accepting inbound services), so it can range anywhere from $3,000 – $8,000 in most cases. Similarly, an internal penetration test is also scoped based on the number of live hosts/servers/devices on your internal network. This type of assessment can range from roughly $5,000 – $15,000. As you can see, internal penetration testing is usually a more expensive option, given the significant increase in attack surface and different methodology it requires.

It’s important to note that you shouldn’t stop reading here though. While cost will most certainly play a role in the decision between an external vs internal penetration test, it should not be the sole basis of a decision. The value and return on investment you see from these two assessments may make the increased cost of an internal penetration test much more appealing, for example.

Expected Value

While there is definitely value in both an external and an internal penetration test, the right choice for your organization really depends on the questions you are trying to answer with the assessment. If you’ve never had any sort of penetration testing done before (a vulnerability scan does not count), it’s probably a good idea to get your feet wet with an external penetration test that can help identify any serious risks that should be addressed first. It can give you a little peace of mind to know that you are not the lowest hanging fruit on the Internet and that you don’t have any gaping holes that need to be addressed sooner rather than later. Likewise, if you’ve got limited security/IT resources and/or an immature technology program in general, it may not make sense to have an internal penetration test done if you can’t manage the remediation process using the results.

Now if you are an organization that has had an external penetration test performed for the past 5 years and you’ve got a good handle on what’s on your perimeter, it may be time to branch out and start looking at the internal network. Similarly, if your company doesn’t have any live hosts on the perimeter that accept inbound services and your only window to the Internet is the NATed traffic leaving your firewall, it may not make much sense to have an external penetration test performed. The internal network is the next big step in the maturity of your security program and an internal penetration test can provide you much needed direction for that security roadmap. In an age where social engineering is more prevalent and more sophisticated than ever, you have to consider the threat of an attacker that is already on the network. In fact, if you’re having trouble convincing executive leadership of this to get funding for an internal penetration test, maybe a social engineering engagement can help highlight this risk a little more and show just how easy it is to get a foothold on a network.

In any case, there’s often a lot of factors that go into choosing between an external vs internal penetration test. We’re really only scraping the tip of the iceberg here by discussing cost and value, which are probably the most significant factors but definitely not the only factors. Compliance, for example, may be another driving force here. Depending on the compliance standards you need to follow, they may encourage or require you to have both of these assessments performed on an annual basis. If you’re having trouble deciding between the two, please give us a call and we’ll go over your specific case to help make the right decision for your organization.