Internal Vulnerability Assessments, External Vulnerability Assessments and PenetrationTests – The Differences

by Karl Wood

At Vala Secure, we conduct Internal Vulnerability Assessments, External Vulnerability Assessments and Penetration Tests as part of our security test offerings. All institutions are at risk of cyber-attacks, but financial organizations are at particularly high-risk. Financial and other enterprises must invest substantial resources to protect their network and systems. If network systems aren’t secure, vital data and systems can be accessed, and an organization is vulnerable and in danger of data and financial losses. Reported as one of the most trusted providers by consumers1, banks and other financial businesses cannot afford to put their reputation and hard-earned customer trust at stake. An attack can happen from anywhere, not only from an external attacker who want to access sensitive information or disrupt a company’s operation, but also from an internal source. Anyone with a device on the network could potentially knowingly or unknowingly cause harm. This is why several different types of system tests are needed, and Vulnerability Assessments and Penetration Tests are the most effective ways to ensure that your network systems are secure. I’m often asked about the differences and benefits of each type of testing. Each one is critical, so I’ll describe each in detail.


Internal Vulnerability Assessment

Internal Vulnerability Assessments evaluate information technology systems from the inside. This type of assessment alerts of potential vulnerabilities on the internal network that could be used by someone with access to internal devices. This includes authorized users of the network and anyone who can access the network from a device such as a laptop, workstation, printer or mobile device. We conduct the tests from a scanning device connected to your network. At a base level, we conduct the scan of all connected devices unauthenticated. However, most of our clients require an authenticated scan which includes administrator credentials and allows for deeper insights. The scan is usually conducted during business hours when all devices are available, and each device is within the network’s range. The scan identifies the vulnerabilities from necessary patches and updates to misconfigurations in the systems and devices. The generated reports are a valuable tool for your organization’s management and security team. They show the effectiveness of the patch management program and identify weaknesses in workstations, servers and other device configurations. The reports provide direction to shore up any potential challenges and reduce risks on the internal network.


External Vulnerability Assessment

External Vulnerability Assessments evaluate the risks of your organization’s network on the external IPs and domains. We conduct the scans after peak hours when the evening back up processes and other business functions have completed. Each IP and domain are scanned. The application identifies the system vulnerabilities including outdated software, end of life devices, misconfigurations and more. This assessment is crucial because it allows your management and the security team to patch or correct any problem before a malicious attacker accesses the network's sensitive areas. Deliverables once the assessment is complete include a listing of detected devices, potential challenges and next steps to mitigate risks.


Penetration Test

Penetration Tests go a step further than the External Vulnerability Assessments. The aim of the penetration tests is to gain unauthorized access through exploitation and emulating the actions of a malicious hacker. By attempting to exploit systems, Penetration Tests allows your company to understand your current network security situation, potential breach points and unauthorized access to the environment. The tests provide a rare snapshot into the unthinkable but real-world potential for hacker activity on your gateway. Like the External Vulnerability Assessments, Penetration Tests are conducted from outside of your organization’s network on external IPs and domains. We typically conduct these scans after business hours. On completion, a list of the detected vulnerabilities, modules that were successfully run and credentials obtained will be provided. Additionally, exploit reports will show the services discovered. Your team can leverage this information as a roadmap for future improvements to prevent hacks of secured information.


At Vala Secure, we recommend conducting these assessments and tests at least annually, but we can accommodate more frequently as needed. We might consider higher frequency depending on the complexity of your network, regulatory requirements of your industry and your appetite for trending data. Most importantly to note, these assessments and tests are imperative after replacing or reconfiguring network hardware. If you are unsure or need more clarification on the various assessments and tests, reach out and let’s discuss further.


1McCarthy, Niall. “The Institutions Americans Trust the Most and Least in 2018.” Forbes, 29 June 2018.