Internal penetration testing is a method of evaluating the protection of the computer systems or networks of the customer by simulating the actions of the intruder who is trying to break in from the internal network of the organization. This intruder can potentially be an associate of the organization, a representative of the contractor, or customer.
The goal is to find system vulnerabilities that could appear as the result of faulty configuration, technical and programming errors, and operational faults in the processes and the technical control tools.
This process will minimize the risks related to the presence of system vulnerabilities that can allow an intruder to gain access to confidential, financial, or other unprotected information by searching for potential vulnerabilities and simulating an attack from the internal network of the organization.
The report on the internal penetration testing contains:
The modernization of the technological systems of an oil refinery caused the demand for confirming the adequate level of security functions. One of the main goals was to confirm a high safety level of the automated system of production.
During our security testing, we received access to the closed segment of the network through the work station of the operator, who had simultaneous connections to different segments. This allowed us to find the secure server with specialized software for process system management. After acquiring preferred rights, we were able to intercept the control signals. As a vulnerability demonstration, we wrote a script that allowed us to control the ventilation and cooling system screens. An attack on more critical systems was not conducted due to the high risk of destabilizing production.
The customer arranges a work station in the organization’s local network with a set of privileges equivalent to those of the most probable intruder. The roles of users and operators, or roles with an expanded set of privileges, are typically chosen to act as potential intruders.
Penetration testing can be conducted both with or without notifying the internal services of the organization. A stealth attack mode can also help to uncover the reaction coordination between the internal services and the accuracy of conducting IS incident reaction procedures.