22) Does your organisation conduct regular penetration tests of its internal systems where the test assumes perimeter controls have been compromised?

September 11, 2024
Network and Cloud Security
Pentest
Penetration Test
Internal

Answer yes if your organisation conducts regular penetration tests of its internal IT systems and infrastructure and remediates the findings. The test should include manual testing by a skilled person acting in the role of a threat actor, with technical verification and validation of any findings. It should assume that perimeter controls have been compromised, for example that a legitimate internal user’s credentials have been stolen and re-used, and it should assess a threat actor’s ability to reach assets and information, including opportunities to elevate privileges. The results can inform improvements to IT systems and infrastructure, for example tighter subnet segregation and role-based access privileges and controls. Please state in the notes how often these tests are completed, and provide the summary of your last penetration test report (not the detailed findings) as evidence.

What is the control?

An internal penetration test attempts to break into systems from inside your network. It is often run under an “assumed breach” approach: the testers are given the same general access as a typical unprivileged user or employee on the internal network and try to find out what data and systems they can reach from that starting point.

This reflects the reasonable assumption that the external perimeter will eventually be breached, or that the threat will come from an insider who already has access to the network.
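As an added illustration (not part of the original article), the Python script below models the question an assumed-breach internal test answers: starting from a compromised standard user’s workstation, which sensitive services are reachable? Every subnet, host, port and firewall rule in it is constructed for the example. The same check is run against a flat network and against a segmented one, which shows the kind of subnet segregation improvement that test findings typically drive.

```python
"""Assumed-breach reachability check over a constructed network model.

Added illustration, not part of the original article. It asks the question
an assumed-breach internal test answers: starting from a compromised
standard user's workstation, which sensitive services are reachable?
Every subnet, host, port and firewall rule here is constructed for the
example; a real test verifies the same thing with actual traffic.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One inter-subnet firewall rule (first match wins, default deny)."""
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    ports: FrozenSet[int]    # destination TCP ports; empty set means any port
    action: str              # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (not self.ports or port in self.ports))


def is_reachable(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> bool:
    """Evaluate rules in order; the first matching rule decides, otherwise deny."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action == "allow"
    return False


# Constructed high-value targets a tester would try to reach from a foothold.
SENSITIVE: Dict[str, Tuple[str, int]] = {
    "dc01:ldap/389":      ("10.10.10.5", 389),    # needed by every domain member
    "dc01:rdp/3389":      ("10.10.10.5", 3389),   # admin access to a domain controller
    "dc01:winrm/5985":    ("10.10.10.5", 5985),
    "intranet:https/443": ("10.10.30.10", 443),
    "fs01:smb/445":       ("10.10.40.10", 445),
    "sql01:mssql/1433":   ("10.10.40.20", 1433),  # should only be reached via the app tier
    "backup01:ssh/22":    ("10.10.40.30", 22),
}

# The assumed breach: a legitimate user's credentials reused from their workstation.
FOOTHOLD = "10.10.20.57"   # user VLAN 10.10.20.0/24

# Before: one flat /16 with no inter-subnet filtering.
FLAT: List[Rule] = [
    Rule("10.10.0.0/16", "10.10.0.0/16", frozenset(), "allow"),
]

# After: segregation informed by the test. Users keep what they need; admin
# protocols to the DCs are limited to jump hosts and SQL to the app tier.
SEGMENTED: List[Rule] = [
    Rule("10.10.20.0/24", "10.10.30.10/32", frozenset({443}), "allow"),             # users -> intranet web
    Rule("10.10.20.0/24", "10.10.40.10/32", frozenset({445}), "allow"),             # users -> file share
    Rule("10.10.50.0/24", "10.10.40.20/32", frozenset({1433}), "allow"),            # app tier -> SQL
    Rule("10.10.60.0/24", "10.10.10.0/24", frozenset({3389, 5985}), "allow"),       # jump hosts -> DC admin
    Rule("10.10.0.0/16", "10.10.10.0/24", frozenset({53, 88, 389, 445}), "allow"),  # all -> DC AD services
]


def reachable_services(rules: List[Rule], src_ip: str,
                       targets: Dict[str, Tuple[str, int]] = SENSITIVE) -> List[str]:
    """Names of sensitive services the foothold can connect to under these rules."""
    return sorted(name for name, (ip, port) in targets.items()
                  if is_reachable(rules, src_ip, ip, port))


def closed_by_change(before: List[Rule], after: List[Rule], src_ip: str) -> List[str]:
    """Services the foothold could reach before the rule change but not after."""
    return sorted(set(reachable_services(before, src_ip))
                  - set(reachable_services(after, src_ip)))


if __name__ == "__main__":
    for label, rules in (("flat network", FLAT), ("segmented network", SEGMENTED)):
        print(f"{label}: reachable from {FOOTHOLD}:")
        for name in reachable_services(rules, FOOTHOLD):
            print("  ", name)
    print("closed by segregation:", closed_by_change(FLAT, SEGMENTED, FOOTHOLD))
```

On the flat network the foothold reaches every target, including RDP and WinRM on the domain controller and the database directly; on the segmented network it keeps only the directory, file share and intranet services a normal user needs. A rule model like this is useful for re-checking remediation between tests, but it is not a substitute for the test itself: the tester confirms what is actually reachable with real traffic, which also catches misconfigured devices and paths the model does not know about.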

Why should I have it?

Vulnerabilities on the internal network allow systems to be exploited by insiders, or by attackers who have already got past your network perimeter.

Systems that fall through the cracks of routine IT processes, and are therefore missed by IT-run vulnerability scans and other operational checks, are often quickly discovered by penetration testers (sometimes called red teams) whose goal is to find every available avenue to deeper access to infrastructure, systems and data.

Confirming that internal systems can withstand attack on their own is critical because your external perimeter cannot prevent every attack over time. Such a test is also an effective way (partly because of the testers’ different perspective and motivation) to assess how well your processes assure the security of your systems and of your and your clients’ data.

How to implement the control

Ensure that your network security policy requires regular penetration tests against internal infrastructure under an “assumed breach” scenario (giving the testers access to the internal network).

Typically such tests are conducted once a year, but you may wish to perform them more frequently when there are significant changes to your infrastructure, or as part of important infrastructure or application development projects.

There are numerous consultancies and individual consultants who can scope and perform such tests, and who can help translate the findings into a security architecture that meets your business and technical requirements.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
