An internal penetration test, also called an Internal Security Test (IST), analyses your company’s internal network.
Most breaches originate from within a vulnerable system. That’s why our consultants’ goal is to test your Information System’s (IS) resilience under the same conditions as those experienced by your company’s employees and service providers, or even by a hacker who has gained access to your network.
Why perform an IST?
Nearly 80% of intrusions come from inside your ecosystem, whether deliberately or as the result of negligence or lack of knowledge. That’s why it is important to take this internal threat into account. Companies often forget it, but it is a major part of securing a system.
There are many possible motives:
- Industrial espionage
- Employees, service providers or guests may seek to harm you or get revenge
- Employees, service providers or guests may lack knowledge of the risks or consequences of certain actions
In terms of IT security, NBS System has:
- 21 years of experience
- 250+ clients in IT security
- Created CerberHost
- Created Naxsi
How is an Internal Security Test conducted?
The project is broken down into several stages:
Defining the scope
You and our consultants define the scope of the environment to be audited according to your needs. This can range from analysing a single component of your IS (for example, the resilience of your Wi-Fi’s security) to a complete audit of all the hardware, software and processes that make up your IS.
Drafting the scenario type
ISTs can be conducted in different ways depending on the level of information shared with our experts ahead of the audit.
“Grey box testing” is a test where our security experts are authenticated on your application via a user account like your employees, service providers, clients, or other legitimate profiles.
Unlike grey box tests, black box pentests are conducted without access details or information being shared with our consultants. In this case, our security experts will implement an audit scenario where they only have access to an Ethernet port to connect to your local network (LAN) or to one of your company’s PCs without having a username and password.
Conducting the audit
During penetration tests, our IT security experts connect to the application or system to be audited just as your employees or legitimate partners would. Once connected, our experts put the application to the test: they look for vulnerabilities in the system and try to bypass its protections, exploit the flaws found, and obtain sensitive information.
Delivering the results and recommendations
Each penetration test results in a report sent to you that shares all the items collected, the flaws or workarounds identified, and the attacks and mechanisms used during the service.
This deliverable can be provided to the board of directors and to the technical teams in charge of the platform and its security, and comprises:
- A summary of the service rendered and the results gathered
- A description for technicians of the vulnerabilities that details the technical aspects related to each vulnerability found
- A description of the type of error committed for each problem identified
- Recommendations to guide you in implementing effective fixes
The report will provide all the information the reader needs to be able to reproduce the proof of concept (POC).
Wi-Fi test: an additional test ahead of the IST?
An (optional) Wi-Fi test can be done ahead of the Internal Security Test to take the audit further. This initial phase analyses your wireless network’s resilience without any prior information about it.
During this audit, we study your Wi-Fi network’s level of encryption, whether these protections can be bypassed, and whether the “guest” and employee Wi-Fi networks are effectively separated.
The Wi-Fi audit’s results can help guide the Internal Security Test’s investigations.
When should you perform this type of audit?
A penetration test can be done at any time in your Information System’s lifecycle to assess its level of security.
However, we recommend that you conduct a penetration test before it goes into production. By correcting flaws before it is released, you limit your platform’s exposure and reduce the chances that a hacker can compromise your system!
Without getting into an attitude of constant suspicion and paranoia, it is important not to neglect your employees, partners, or guests’ possible involvement in exploiting vulnerabilities in your systems. We also recommend implementing an IST after a suspicious event or strange, malicious or resentful behaviour from members of your company.
Who conducts these security tests?
NBS System’s security unit is made up of 10 experts split into two teams, each with its speciality. Some of our consultants are available to you to test your Information System’s resilience through audits and penetration tests, and the others work on Research & Development projects to stay up-to-date with the latest changes in the IT security field. In particular, they produce innovative open source projects like the application firewall NAXSI, PHP Malware Finder and Snuffleupagus.
All our security team members are regularly assigned to the role of SecOps to stay familiar with your issues. They support our in-house teams and clients in operational security assignments and understand the reality of production.
Where is the penetration test conducted?
In your offices!
Whatever the exact scope of the audit and the type of scenario (grey vs black box), our experts must conduct the penetration test in your facilities given that it’s an internal IT security test.
Deontology & ethics at NBS System
All data gathered during the penetration test will be given to you at the end of the test, and no data will be saved. Of course, this data is totally confidential and will not be shared with any other party, and the audit report will only be available to you and our security team. The vulnerabilities found will never be exploited outside the security test context.
Contact our salespeople for more information about this service