
Don’t Ignore Threats From Behind the Firewall
An Educational Article from TraceSecurity
Copyright 2011, TraceSecurity, Inc.
As a result, financial institutions have fortified their network perimeters with sophisticated security controls to repel incoming cyber attacks. These defensive strategies are highly effective at protecting the institution from threats that originate outside the firewall. However, they offer little protection for the zones within the network that are most susceptible to malicious activity – the internal infrastructure behind the firewall.
Research Reveals Insider Threats Pose A Clear and Present Danger
Ever since several high-profile research firms began conducting annual data breach and fraud studies in the mid-2000s, the data has indicated that financial institutions are far more likely to experience a significant data breach originating from an internal threat than from an external source. Despite the consistent results, many institutions continue to commit a disproportionate share of resources to protecting the network from external threats rather than shielding the internal network from data leakage.
A 2010 study conducted by the Verizon Business RISK team, in cooperation with the United States Secret Service,(1) found that the percentage of breaches stemming from an internal threat doubled between 2008 and 2009. The vast majority of those incidents were the result of deliberate and malicious activity in which confidential data was exfiltrated or money was embezzled from the company. One of the most alarming conclusions of the study is that 85% of these internal attacks were not even considered “highly difficult”; more than half of the data theft crimes were carried out by employees in low- and mid-level positions.
When armed with this information, most organizations will probably agree that a “rogue user” who has legitimate privileges and on-demand access to their internal systems poses much more of a clear and present danger than an external hacker who is separated from a system by several layers of complex security. Since the evidence that a majority of successful attacks originate behind the firewall is overwhelming, isn’t it just common sense to perform periodic testing on these high-risk zones?
A Balanced Testing Strategy Provides a Better Overview of Security
In order to manage threats to the enterprise and adhere to compliance regulations, financial institutions must have a comprehensive security strategy that can battle both internal and external threats.
Most organizations consider External Penetration Tests (EPTs) to be a primary weapon in their security arsenal and perform the tests at regular intervals. EPTs are conducted from a hacker’s point of view, mimicking real-world methods a hacker would use to exploit vulnerabilities in a network, compromise security controls and access confidential data. Although EPTs yield extremely valuable information, an organization cannot properly assess its network’s risk exposure, or the likelihood that an existing vulnerability may be compromised, without testing the internal perimeter in a similar manner.
An Internal Penetration Test (IPT) is performed to exploit vulnerabilities that exist behind the firewall and assess the impact that a successful compromise would have on the system. Depending on what systems and controls an organization wishes to evaluate, internal penetration tests can be conducted either from a hacker’s point of view or from the vantage point of a malicious employee.
Examples of scenarios that call for conducting an internal penetration test from a hacker’s point of view include (a) evaluating the likelihood and potential impact of an attack via a rogue access point prior to deploying an extensive wireless system, and (b) assessing the risks associated with allowing third-party vendors to access restricted network resources.
IPTs performed from the vantage point of a “rogue user”, or malicious employee, usually involve giving the tester a standard network account with the same network privileges as a typical employee. From this level of access, the objective of the test is to determine how far privileges can be escalated, as well as what confidential information may be insufficiently protected. This practical approach mirrors a real-world scenario and demonstrates how a typical employee can use relatively low-tech means to access and exfiltrate sensitive data.
Internal penetration tests essentially pick up where external tests leave off, allowing the organization to gain a more complete view of its security posture. IPTs also help the organization fortify its internal security by identifying security gaps caused by improper configurations, file permissions, excessive user privileges and access levels, methods of exfiltrating confidential information outside the perimeter, and ways users can circumvent technical controls.
Just as important, testing the internal systems will help validate that the existing controls actually work as intended.
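The file-permission and access-level gaps listed above are exactly what a rogue-user test tends to surface first, and a defender can look for the most common ones before the tester does. As an added example (not TraceSecurity’s code or method), the Python script below audits a file share the way an internal reviewer would: it walks a directory tree and flags entries that any account can modify (world-writable) and files that any account can read whose names suggest confidential content. The sample share, its file names and the sensitive-name markers are constructed assumptions; the script assumes a POSIX filesystem that honours chmod.

```python
"""
Defender-side permission audit for an internal file share.

Flags the two gaps most often surfaced by an internal penetration test run
with an ordinary employee account: entries anyone can modify (world-writable)
and files anyone can read whose names suggest confidential content.
Assumes a POSIX filesystem that honours chmod; the sample share and the
sensitive-name markers are constructed for this example.
"""
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass

# Hypothetical name fragments that mark a file as sensitive on this share.
SENSITIVE_MARKERS = ("confidential", "payroll")


@dataclass(frozen=True)
class Finding:
    path: str   # path relative to the audited root
    issue: str  # short description of the gap
    mode: str   # permission bits in octal, e.g. "0o666"


def audit_permissions(root, markers=SENSITIVE_MARKERS):
    """Walk `root` and return a list of Finding objects.

    Symlinks are skipped rather than followed so that a link into another
    share does not pull that share's contents into this report.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # vanished or unreadable entry; nothing to judge
            if stat.S_ISLNK(st.st_mode):
                continue
            perm = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(full, root)
            octal = f"0o{perm:03o}"
            if perm & stat.S_IWOTH:
                findings.append(Finding(rel, "world-writable", octal))
            if stat.S_ISREG(st.st_mode) and perm & stat.S_IROTH:
                if any(m in rel.lower() for m in markers):
                    findings.append(Finding(rel, "sensitive file world-readable", octal))
    return findings


def build_sample_share():
    """Create a throwaway share with constructed files and deliberate gaps."""
    root = tempfile.mkdtemp(prefix="ipt_audit_")
    layout = {
        "public/handbook.txt": 0o644,               # acceptable: read-only to others
        "finance/confidential_clients.csv": 0o644,  # gap: sensitive yet world-readable
        "hr/payroll_2011.xlsx": 0o640,              # acceptable: no access for others
        "scripts/nightly_backup.sh": 0o666,         # gap: any account can edit a script
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        os.chmod(os.path.dirname(full), 0o755)      # pin directory mode regardless of umask
        with open(full, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(full, mode)
    os.chmod(os.path.join(root, "scripts"), 0o777)  # gap: world-writable directory
    return root


def run_demo():
    """Build the sample share, audit it, clean up, and return {(path, issue)}."""
    root = build_sample_share()
    try:
        return {(f.path, f.issue) for f in audit_permissions(root)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, issue in sorted(run_demo()):
        print(f"{issue:32} {path}")
```

Run against a real share, `audit_permissions` should be pointed at the paths a standard employee account can reach; the world-writable directory finding matters as much as the file findings, because anyone can plant or replace a file there. The payroll file is deliberately left with no access for others to show that a sensitive name alone is not reported.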
(1) 2010 Data Breach Investigations Report: a study conducted by the Verizon RISK Team in cooperation with the United States Secret Service. PDF available at http://www.verizonbusiness.com/resources/
Download TraceSecurity's new white paper, Mitigating IT Security Risks with Penetration Tests, to discover how enhancing the penetration testing process will ultimately lead to a stronger and more compliant security posture.