The first phases of a pen test are commonly referred to as vulnerability assessments or vulnerability tests; they focus on identifying weaknesses without exploiting them, and they are often performed as their own service as well. A vulnerability test should not be confused with a vulnerability scan, which is an automated and less sophisticated process.
Though only some companies are required to have annual pen tests in compliance with industry regulations, pen testing should be one of the first services considered by any company that wants to improve its cybersecurity. Pen tests are excellent tools for making a business aware of what's at stake in the event of a cyberattack. If you and your business are concerned with how secure your networks are, these tests will help to inform you about existing vulnerabilities.
Internal vs External Tests
External pen tests are generally performed first, and help a company understand what a cybercriminal can achieve with no prior access to the network. They generally focus on exploiting vulnerabilities discovered on external assets, including email, websites, and online file shares.
An internal pen test is sometimes performed after an external pen test is completed and seeks to examine what damage a hacker can inflict if they were to have access to the network. Often this involves exploring insider threats, such as actions that can be performed by employees, either intentionally or unintentionally. Generally, these inside attacks are more harmful to organizations, since it's assumed that the attacker already knows their way around the network.
Corporate vs Home Networks
In the past, testing was usually performed only on corporate networks, but with the rise in remote work, it has become increasingly important to understand the vulnerabilities brought by employees' home networks. For this reason, it is recommended to perform external vulnerability tests on employee networks in order to provide visibility into the new threat landscape of remote teams and mitigate these threats as much as possible.