Answer yes if your organisation conducts regular penetration tests of its internal IT systems and infrastructure and remediates the findings. Please state in the notes how often these tests are completed. Please provide your last pentest report summary (not the detailed findings) as evidence.
What is the control?
An internal penetration test involves trying to break into systems from inside your internal network. This is often done under an “assumed breach” approach, whereby the penetration testers are given the same general access as a typical unprivileged user or employee (for example a standard domain account and a network connection) and are asked to find out what data and systems they can reach from there.
This models two realistic scenarios: an external perimeter that is eventually breached (a phished credential or a compromised workstation), and an insider who already has legitimate access to the network.
Why should I have it?
Vulnerabilities on the internal network can be exploited by insiders, or by external attackers who have already gained a foothold inside your network perimeter.
Systems that fall through the cracks of regular IT processes, and are therefore missed by IT-run vulnerability scans and other operational checks, are often quickly discovered by penetration testers (sometimes loosely called red teams), because they are looking for every possible avenue to gain deeper access to infrastructure, systems, and data rather than working from an asset inventory.
Knowing that your internal systems can stand on their own matters because your external perimeter will not stop every attack over time. An internal test is also an effective way to assess how well your operational processes protect your systems and your and your clients’ data, partly because the testers bring a different perspective and motivation from the people who run those processes day to day.
Ensure that your network security policy requires regular penetration tests against internal infrastructure under an “assumed breach” scenario (giving the testers access to the internal network), and that findings are tracked through to remediation.
Typically, such tests are conducted once per year, but you may wish to perform them more frequently if you make significant changes to your infrastructure or as part of important infrastructure or application development projects. Re-testing after remediation confirms that the findings were actually fixed.
There are numerous consultancies and individual consultants that can scope and perform these tests in a way that meets your business and technical requirements. Please message us if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email firstname.lastname@example.org. Contributors will be recognised on our contributors page.
Please do not submit your answer on the knowledge base.