Where a Vulnerability Assessment is a more passive and analytical process, Penetration Testing is an active attempt to break through network defences (ethical hacking), focusing attack attempts on the network, web applications and other organizational applications and entry points. This is a damage-free exercise used only to test whether security measures are sufficient against a simulated real-world attack.
To uncover the information (public or private) that an attacker can obtain from an organization through an attack originating externally, this External Penetration Exercise will be conducted without any internal access ‘assistance’ and will simulate exploits against Internet-facing digital assets (e.g. web applications, web servers, network endpoints, VPN, e-mail servers). This external test simulates the majority of hacking attempts.
To simulate ‘insider attacks’ (e.g. guests entering the organization’s physical boundaries, including wireless range; malicious staff or other insiders; and even the scope of access an attacker gains once the external defences are breached), this Internal Penetration Exercise is performed within the premises. The focus is on workstations, internal applications, access controls, domains and internal documents in order to identify vulnerabilities in sensitive information and controls.