If you know me, you know that I regularly preach the need for full scope penetration testing (internal and external with physical, digital, and social engineering attack methods). If I do not think and act as the bad guys do, I will likely miss attack vectors they may not.

I have done numerous external-ONLY penetration test assessments over the years. Many were very limited in scope and prompted by some compliance requirement or by a member of leadership who read about a breach and then decided to “have a look at our external network”.

These have some value, of course, but they often miss the largest areas of risk for an organization. Many breaches originate inside the network perimeter. They often occur because poorly trained staff freely volunteer information such as network credentials or grant access to restricted areas. Other times they come from disgruntled employees or contractors exploiting massive internal weaknesses and vulnerabilities, or using social engineering tactics. External-only testing does nothing to expose these risks.

That being said, I have performed many of these limited-scope external tests, and I am continually amazed by something that often occurs. Many times, these tests produce some fairly alarming findings. These findings are on public-facing hosts that are supposed to be the most secure face of the network, the surface that ostensibly demonstrates its best security posture. What alarms me is that the majority of the time there is a rush to remediate these findings alone. No further assessment is performed, and the findings do not seem to prompt any further examination. If these findings exist on the most secure portion of the network, doesn’t it stand to reason that the remainder of the network harbors even greater vulnerabilities and poses even greater risk?

On the rare occasions when these findings prompted the organization to look deeper into its internal network, and beyond that at its other security controls and training, the results of the external testing paled in comparison to the risks identified inside.

This is the “Tip of the Iceberg” syndrome: when we see a bit of ice on the surface, we can be fairly certain that it indicates a huge mass of ice (risk) submerged and out of sight.