Why You Need Internal Penetration Testing: Cloud Security Is More Than Skin Deep...

It’s not just your external IT environment, but also internal networks and applications that must be secured against breaches. While external penetration testing has become common practice, compliance with the Payment Card Industry Data Security Standard (PCI DSS) also requires the lesser-known internal penetration testing. Internal pen testing should be performed at least annually, and following any significant modification or upgrade to applications or infrastructure.

Internal pen testing needs to be standard practice

External pen testing highlights potential breaches coming from outside, such as attacks on exposed web applications. Internal pen testing mimics an attack from inside your organisation’s internal networks and applications and assesses its potential impact. There are two main types of internal cyber-attack patterns:

• An attack by a malicious individual with access to your Ethernet network, internal server or even a workstation. It can be even more devastating when the attacker already knows where to find sensitive organisational information. Internal pen testing is the only way to identify any vulnerability to attack from within.

• The release of a new application and its interaction with operating systems and processes can introduce security holes. Internal pen testing exposes potential vulnerabilities due to improper software and hardware configuration, or application perimeter defence susceptibility. Because installation of new software and changes to system configuration alters the whole system environment, scheduled internal penetration tests are essential to sustaining IT security.

Individuals with ‘insider’ access, and updating applications, are common situations that carry a potential risk of a security breach. For this reason, internal pen-testing needs to become routine, alongside external pen-testing.

Even SAP users of shared business-critical applications – such as Enterprise Resources Planning (ERP), Human Capital Management (HCM) and Supply Chain Management (SCM) – are finding security gaps to be a common issue. These gaps often arise from the lack of visibility in SAP and uncoordinated internal security procedures, without proper security strategies in place. This is why routine internal pen testing is strongly recommended for SAP users.

Another scenario would be when an attacker compromises one of the server in your cloud environment and there is a communication channel open between the cloud environment and your network (e.g VPN tunnel). An attacker could use that as an entry point into your network.

Cyber security issues with cloud computing

Cloud computing has exploded into the mainstream, and has evolved to a preferred solution for data storage, service on-demand and infrastructure. Many organisations use shared, multi-tenant environment cloud services, which is where the issue of cyber security arises. There are several challenges to securing cyber assets within the cloud.

Who is responsible for cloud security?

First, it’s important to consider who is responsible for cloud security. There have been several incidents of breached cloud environments by cyber attackers. High profile attacks include those on iCloud, Target, Home Depot, Sony Pictures and the United States Internal Revenue Service. All these attacks took place due to loopholes in public, private and hybrid clouds through various attack vectors. In these instances, the Cloud Service Providers (CSPs) cannot be blamed exclusively for the security breaches.

It’s a common misconception that CSPs are solely responsible for the cyber security of information in the cloud. In fact, responsibility also falls to the organisation itself. It is your obligation to ensure that what you upload to the cloud is secure – whether it’s customer information, platform and internal applications, internal network, access management and data encryption. CSPs are really only responsible for securing the basic infrastructure that supports the Cloud. Internal penetration testing should, therefore be applied to your cloud environments as well.

How internal penetration testing works

Internal networks and applications

• Detailed information about the network and applications is collected using ‘white box’ techniques. Potential security weak spots are identified through DNS queries and traffic analysis. A full fledged vulnerability assessment is also performed before exploit phase.

• An attack is executed by exploiting the weak spots, to gain unauthorised access to active directories, databases, web applications and network services. The organisation’s critical assets are then located by mimicking a real breach scenario, demonstrating how devastating an insider attack can be. Common targets for insider attacks are social security numbers, electronic payment card numbers, employee personal information and an organisation’s proprietary information.

• A detailed test report highlights any vulnerabilities that need to be addressed.

Internal pen testing your cloud environment

Internal pen testing for in-house infrastructure can be performed by a highly skilled internal IT team or a trusted third party service. Pen testing a cloud environment is, however, somewhat different.  Many CSPs don’t allow pen testing because they have multi-tenant platforms and the test may compromise the security of other user organisations.

Here are the alternatives for internal pen testing cloud environments:

•  Negotiate and obtain your CSP’s permission for a pen test, although it may limit the testing of internal applications and data.
• CSPs usually carry out their own cloud pen testing for compliance with security standards. You can request a copy of these results, along with any related technology audit reports, and consolidate with your own pen tests.
• Alternatively, a pen tester can exploit a system or application, and use that as a pivot point for further test attacks on other applications and systems. This allows ethical hackers to attack from the insider’s point-of-view. This type of testing is usually allowed by CSPs with Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) models. Because pen testing can affect the configuration of Software-as-a-Service (SaaS) models, CSPs with SaaS may not permit pen testing. In other words, pen testers need to take extra care when exploiting their own IPs, ports, instances and applications to avoid violating their CSP’s terms and conditions.

Summary

Internal penetration testing is equally important as external penetration testing. It allows your organisation to find – and address – potential vulnerability to cyber-attack by malicious insiders. It is also essential to apply pen testing to internal applications, whether they’re on-premises or in a cloud environment.

It’s important to understand the limitations and types of pen tests Cloud Service Providers allow, and to seek authorisation before performing them. Security of applications and data in the cloud is still a process that needs meticulous planning and constant vigilance.