When we talk about computer attacks, we often picture an activist or a criminal sitting in front of a screen on the other side of the world, yet half of the attacks involve internal actors, according to the Insider Threat Report 2018. In fact, 58% of respondents confirmed that they had suffered a cyberattack related to an insider threat. Protecting yourself from the inside against these attacks is therefore just as important as defending yourself from the outside.
During an internal security audit, penetration tests are conducted from inside the company, or sometimes through a VPN. Most of the time, pentesters go to the company’s premises, bring their own equipment and put themselves in the shoes of an internal attacker.
Why conduct an internal audit
An internal pentest enables you to evaluate the risk of your internal network being compromised. This involves detecting incorrect configurations, identifying internal vulnerabilities that an attacker could exploit, and measuring the consequences for the internal network if a machine were compromised. Solutions are then recommended so that the flaws can be corrected.
Differences with an external audit
The first difference is that more elements can be tested from within an organisation. An external attacker has only a limited view of the target’s internal network.
The second notable difference is that the profile of the attacker is not the same. Any employee, or anyone related in one way or another to the firm and its premises (providers, suppliers, guests, etc.), might be, intentionally or not, at the origin of an attack or of a leak of sensitive data. Their access to the company’s internal network is a potential risk.
The third difference is that additional social engineering attacks are possible, such as dropping USB keys. See also this article, which details USB attacks.
When preparing an internal security audit, the first step is to define the attack scenario. Will the pentesters put themselves in the shoes of an intern, an employee or a visitor? Will they have access to a wired or a wireless connection? Will they have access to a guest-only network or to the network used by employees? Several scenarios can be combined to make the audit as exhaustive as possible.
Once on site, the pentester starts to map the network, listing all accessible servers, proxies, routers, workstations or other hosts. Even a printer can be used for malicious purposes by intercepting documents being printed, for example.
Then comes a more detailed identification of the servers. It is necessary to determine their type and role in the network. After that, pentesters scan the ports of all the hosts they have found to look for services that are being used. The network users are also enumerated.
After the port scan, the versions of the services and operating systems in use are studied. The pentester looks for those that are no longer up to date or no longer maintained. Not updating your equipment means exposing yourself to known, often well-documented vulnerabilities, and therefore to proven attacks.
The audit continues by listening to traffic on the network with a packet analyzer such as Wireshark. Some communication protocols are insecure but still in use. Likewise, Wi-Fi communications must be encrypted to ensure that the data sent is not readable by an attacker. Encryption methods such as WEP (Wired Equivalent Privacy) and some versions of WPA (Wi-Fi Protected Access) are easily cracked.
The pentester then checks that the different networks are hermetically sealed from each other. For example, in guest areas there may be forgotten Ethernet sockets that are linked to the corporate network, cancelling the benefit of a dedicated guest Wi-Fi.
Once all vulnerabilities have been listed, pentesters begin to exploit them, focusing on the most representative or most interesting ones from an attacker’s point of view.
From the service versions, they might find the default logins and passwords for the different services and hosts; it often happens that these have not been changed. By intercepting network traffic (for example with ARP poisoning), valid credentials are sometimes obtained.
Default passwords and passwords collected by sniffing are tested. Targeted attacks against vulnerable hosts are launched to gain privileges on the network and to retrieve sensitive data. Other attacks are launched in order to check, after the end of the audit, whether they were detected by the company’s network defence system.
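The ARP poisoning mentioned above has a simple defensive counterpart: keep a table of the IP-to-MAC bindings seen in ARP replies and alert when a binding changes, especially for the gateway. The following detector is an added example, not code from the original article; the ARP replies it replays are constructed, and the IP addresses and MAC addresses in them are invented for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of ARP replies, in the shape a sniffer export would give:
# (timestamp in seconds, sender IP, sender MAC). All addresses are invented.
# 10.0.0.1 is the gateway and legitimately answers from aa:aa:aa:aa:aa:01;
# the last two replies come from another host claiming other machines' IPs,
# which is the traffic pattern ARP poisoning produces.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (0.5, "10.0.0.20", "aa:aa:aa:aa:aa:20"),
    (1.0, "10.0.0.21", "aa:aa:aa:aa:aa:21"),
    (5.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (9.0, "10.0.0.1", "aa:aa:aa:aa:aa:99"),   # gateway IP now claimed by a new MAC
    (9.2, "10.0.0.20", "aa:aa:aa:aa:aa:99"),  # same MAC also claims a workstation
]


@dataclass
class ArpAlert:
    time: float
    ip: str
    old_mac: str
    new_mac: str
    severity: str   # "critical" for a protected IP (gateway, DNS), else "warning"


def detect_arp_spoofing(replies, protected_ips=()):
    """Replay ARP replies in order and flag every IP whose MAC changes.

    A legitimate network rarely rebinds an IP to a new MAC within seconds;
    a rebind of the gateway or DNS server is the classic poisoning sign.
    """
    bindings = {}                  # ip -> MAC last seen in a reply
    ips_per_mac = defaultdict(set)  # MAC -> IPs it has claimed (for triage)
    alerts = []
    for ts, ip, mac in replies:
        previous = bindings.get(ip)
        if previous is not None and previous != mac:
            severity = "critical" if ip in protected_ips else "warning"
            alerts.append(ArpAlert(ts, ip, previous, mac, severity))
        bindings[ip] = mac
        ips_per_mac[mac].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES, protected_ips={"10.0.0.1"}):
        print(f"[{alert.severity}] t={alert.time}s {alert.ip}: "
              f"{alert.old_mac} -> {alert.new_mac}")
```

On a real network the same logic runs over live ARP traffic, with the gateway and DNS addresses placed in `protected_ips`; switches with dynamic ARP inspection provide the equivalent check in hardware.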
What to do after the audit?
Once the audit is completed, the first thing to do is to correct the flaws that have been detected: apply updates, replace systems that are too old to be kept, and ensure that applications and users have access only to what they need on the network. Everyone’s permissions must be carefully managed, and staff must be made aware of cybersecurity.
Ideally, a network monitoring system (IDS / IPS) should be set up so that suspicious activities, such as port scanning, can be noticed and blocked.
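As an illustration of the port-scan detection an IDS performs, the following added example (not code from the original article) applies a sliding-window rule to constructed firewall log lines: a source that reaches many distinct destination ports within a short window is flagged. The log format, addresses and thresholds are all assumptions made for the example; it also shows the limit of such a rule, since a slow scan spread over a long period only appears when the window is widened.

```python
from collections import defaultdict, deque

# Constructed log format (not any real product's): "<epoch> <src> -> <dst_ip>:<port> <action>"


def constructed_log():
    """Build sample firewall lines: a fast scanner, a normal user and a slow scanner."""
    lines = []
    # 10.0.0.50 probes 12 ports of one host within 12 seconds
    lines += [f"{1000 + i} 10.0.0.50 -> 10.0.0.10:{20 + i} DENY" for i in range(12)]
    # 10.0.0.20 behaves normally: a few web connections
    lines += ["1003 10.0.0.20 -> 10.0.0.10:443 ALLOW",
              "1030 10.0.0.20 -> 10.0.0.11:80 ALLOW",
              "1100 10.0.0.20 -> 10.0.0.10:443 ALLOW"]
    # 10.0.0.60 probes the same 12 ports but one every five minutes
    lines += [f"{2000 + 300 * i} 10.0.0.60 -> 10.0.0.10:{20 + i} DENY" for i in range(12)]
    return "\n".join(lines)


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port, action)."""
    ts, src, _arrow, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return int(ts), src, dst_ip, int(dst_port), action


def detect_port_scans(log_text, window=60, distinct_targets=10):
    """Return {src_ip: max distinct (dst_ip, port) pairs seen in any window}.

    A source is flagged once it has touched at least `distinct_targets`
    distinct destination ports within `window` seconds. Lines are assumed
    to be in time order for each source.
    """
    recent = defaultdict(deque)   # src -> deque of (timestamp, (dst_ip, port))
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_ip, port, _action = parse_line(line)
        events = recent[src]
        events.append((ts, (dst_ip, port)))
        while events and ts - events[0][0] > window:   # drop events outside the window
            events.popleft()
        targets = {target for _, target in events}
        if len(targets) >= distinct_targets:
            flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


if __name__ == "__main__":
    print("60 s window:", detect_port_scans(constructed_log()))
    print("1 h window: ", detect_port_scans(constructed_log(), window=3600))
```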