IT infrastructure comes in many different shapes and sizes, and so does a good penetration test. How you operate and who your potential threat actors are will determine what infrastructure penetration testing your organisation needs.
Most organisations carry most of their cyber risk with unknown threats from across the Internet. This is solely because of the sheer quantity of potential attackers you are exposed to when connected to the Internet. An external-only penetration test can be used to start a cyber security programme because it starts with the most prolific threat. If you haven't done much testing before, this is a really good place to start because, in most cases, it's a nice bite-sized chunk to help you get your head around how the process works, what the results look like and what you need to do about the information when you receive it.
Any penetration test is an activity that attempts to break into (or penetrate) a given set of systems. An external penetration test specifies that the systems in-scope for testing are the ones that are exposed to the Internet. Typically this activity just relates to the infrastructure in place to run systems such as email services, VPNs and remote access facilities as well as the servers that run web sites.
Internal penetration tests assess two things: what happens when (not if - because it will happen) an attacker gains access to your internal network; and what happens if an employee turns rogue. It involves probing some, or all, of the systems that live on the inside of your organisation's network perimeter. Often companies have done an "OK" job of protecting themselves from attack over the Internet; internally, however, it is often a completely different story.
Internal penetration tests are usually fairly unconstrained, both in terms of what can be attacked and in terms of what the goal is. It is up to us, the consultant hacker, to work out what is most sensitive and important to the organisation. Don't worry though: we always treat the information we find with sensitivity. For example, we only take the minimum amount of data needed to show the outcomes in our reports, and if we put this data in our reports it is always anonymised.
These internal penetration tests are the most likely place for interesting "chained" vulnerabilities to be found, which can lead to some significant concerns. A chained vulnerability is where one minor vulnerability leads to another minor vulnerability, which might lead to yet another minor vulnerability, but in total the minor vulnerabilities add up to a big one.
One very important element of cyber security is correct network segregation / segmentation. This is because it is desirable to stop a successful attacker from being able to spread around the inside of your network. This is most effectively achieved by simply separating the network so that areas with no legitimate requirement to communicate cannot reach each other. This work is similar to wireless network assessments, as commonly one part of a wireless assessment is proving that it is difficult for guests using your wireless networks to access the internal network. These two activities help show defence-in-depth.
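One way to check segmentation before (or between) tests is to evaluate the firewall ruleset itself against a written "must never reach" policy, such as guest Wi-Fi to internal servers. The script below is an added example, not code from the page or its authors. It assumes a constructed, simplified first-match ACL syntax (`allow|deny SRC -> DST [PORT]`) and constructed address ranges; the weak ruleset shows a common ordering mistake, where a broad "guest can browse the web" allow rule sits above the deny for the internal range and quietly lets guests reach internal hosts on port 443, and the corrected ruleset fixes the order.

```python
"""Evaluate a first-match firewall ruleset against a segmentation policy.

Added example (not from the original page). Rule syntax, addresses and
segments below are all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]            # None means any destination port


def parse_rules(text: str) -> List[Rule]:
    """Parse lines like 'allow 10.0.50.0/24 -> 10.0.10.0/24 445'. '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, arrow, dst, *rest = line.split()
        if action not in ("allow", "deny") or arrow != "->":
            raise ValueError(f"bad rule: {line!r}")
        port = int(rest[0]) if rest else None
        rules.append(Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst), port))
    return rules


def decide(rules: List[Rule], src_ip: str, dst_ip: str, port: int, default: str = "deny") -> str:
    """First matching rule wins, as in most ACL engines; fall back to the default action."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst and (r.port is None or r.port == port):
            return r.action
    return default


def sample_hosts(cidr: str):
    """Small networks are checked exhaustively; larger ones via first, middle and last host."""
    net = ipaddress.ip_network(cidr)
    if net.num_addresses <= 16:
        return list(net.hosts())
    return [net[1], net[net.num_addresses // 2], net[-2]]


def segmentation_violations(rules: List[Rule], must_deny, ports=(22, 443, 445, 3389)):
    """Return (src, dst, port) triples that the ruleset allows but the policy says must be denied."""
    found = []
    for src_cidr, dst_cidr in must_deny:
        for s in sample_hosts(src_cidr):
            for d in sample_hosts(dst_cidr):
                for p in ports:
                    if decide(rules, str(s), str(d), p) == "allow":
                        found.append((str(s), str(d), p))
    return found


# Constructed segments: guest Wi-Fi, staff LAN and an internal server VLAN.
MUST_DENY = [("192.168.100.0/24", "10.0.10.0/24")]   # guests must never reach servers

# Weak ordering: the broad "browse the web" allow shadows the internal deny on port 443.
WEAK_RULES = """
allow 192.168.100.0/24 -> 0.0.0.0/0 443      # guests may use HTTPS anywhere
deny  192.168.100.0/24 -> 10.0.0.0/8         # intended to block the internal range
allow 10.0.50.0/24     -> 10.0.10.0/24 445   # staff LAN to file servers
"""

# Corrected ordering: deny the internal range first, then permit general web access.
FIXED_RULES = """
deny  192.168.100.0/24 -> 10.0.0.0/8
allow 192.168.100.0/24 -> 0.0.0.0/0 443
allow 10.0.50.0/24     -> 10.0.10.0/24 445
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        bad = segmentation_violations(parse_rules(text), MUST_DENY)
        print(f"{name}: {len(bad)} policy violation(s)")
        for v in bad:
            print("  guest", v[0], "can reach", v[1], "on port", v[2])
```

The ruleset check is a paper exercise and only covers what the firewall config says; an assessment still needs a live probe from the guest network to confirm the enforced behaviour matches the written rules, since a misplaced cable or an unmanaged route can bypass the ruleset entirely.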