Security Assessments: Internal vs. External - Weighing the Options

1 July 2019

Scott Goodwin, Senior IT Security Analyst

The number and severity of cyberattacks on organizations across all industries has increased almost exponentially over the past few years. Unfortunately, this means that many organizations are losing a fair amount of time and money on recovery efforts. The most effective way for an organization to protect itself from cyberattacks is by building and implementing an Information Security program. As with any business process, it is critical to weigh the costs and benefits associated with building an InfoSec program before making a risk-based decision on how and where to dedicate resources.

Just taking the initiative can be difficult, however, as navigating the information security landscape can be a daunting task due to the myriad of available service offerings. Vulnerability Assessments, IT General Control Reviews, IT Audits, Penetration Tests, and Continuous Security Monitoring are just a few examples of assessments that an organization might want to perform in order to identify and remediate security weaknesses. Often, organizations will need to work with a qualified third party to perform these assessments. Despite the complicated nature of the InfoSec space, there is one important distinction that should not be overlooked when determining which type of assessment to perform: the concept of internal versus external assessments. They each have their own strengths and weaknesses, and each is designed to identify security weaknesses from a distinct perspective.

The Internal Assessment

Generally includes: Internal Vulnerability Assessment and IT General Controls Review

Internal assessments provide a view of your organization's information security posture from the inside. This usually entails a team of information security professionals physically coming onsite to perform a variety of tasks, which may include security scans of your internal systems, an interview with your IT team to see if your processes meet industry best practices, and a review of the physical security of your environment. As an example, here at OCD Tech, we offer an internal assessment that generally involves multiple vulnerability scans of the internal network. This also includes several hours of interviewing internal IT and Security personnel to see if and how the Center for Internet Security Top 20 Critical Security Controls have been implemented within the organization. While this is a time-consuming process, it reveals technical vulnerabilities as well as governance, risk, and compliance weaknesses. Because of the effort an internal assessment demands from both the organization and the service provider, it is most often a point-in-time assessment undertaken annually.

The key point about internal assessments is that they require on-site access to your systems and personnel, and depending on the scope of the engagement, they may require a significant effort on the part of the organization. From a technical perspective, an internal assessment reveals vulnerabilities in your desktops, laptops, servers, and networked devices which can only be "seen" from the internal network. This means that in order to exploit these vulnerabilities, an attacker would generally need physical access to the environment or remote access via a compromised Wi-Fi network or stolen credentials. An internal assessment is also useful in identifying those vulnerabilities and security weaknesses that a malicious insider or disgruntled employee may be able to exploit to steal or destroy data. While an internal assessment provides huge value to the organization, it cannot identify risks or address threats which originate from outside of the organization.
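The distinction drawn above, that some findings are only visible from inside the network, is easiest to act on when scan results from the internal engagement are compared against results from an external vantage point. The following is an added example, not code from the original article or from OCD Tech: it takes a constructed list of scan findings tagged with the vantage point they were observed from, labels each host as RFC1918-private or not, and classifies every finding as "internal-only" (an attacker would need internal access to reach it) or "external" (also reachable from outside and therefore the higher-priority remediation). The finding records, plugin names and addresses are all invented sample data.

```python
"""Added example (not from the original article): separate internal-assessment
findings into internal-only exposures and those also visible from outside.
All findings below are constructed sample data, not real scan output."""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Tuple

# RFC1918 private address space; hosts in these ranges are normally only
# reachable from the internal network (or via VPN / compromised credentials).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


class Finding(NamedTuple):
    host: str      # IPv4 address the scanner reported
    port: int      # TCP port the issue was observed on
    plugin: str    # scanner check name (constructed, hypothetical names)
    severity: str  # "low" | "medium" | "high" | "critical"
    vantage: str   # "internal" or "external": where the scanner was run from


# Constructed sample findings. The same issue can be reported from both
# vantages (see the TLS finding on 192.0.2.10, a documentation-range address
# standing in for a public host).
SAMPLE_FINDINGS: List[Finding] = [
    Finding("10.0.1.15", 445, "SMBv1 enabled", "high", "internal"),
    Finding("10.0.1.15", 3389, "RDP NLA disabled", "medium", "internal"),
    Finding("192.0.2.10", 443, "TLS 1.0 supported", "medium", "external"),
    Finding("192.0.2.10", 443, "TLS 1.0 supported", "medium", "internal"),
    Finding("10.0.2.40", 22, "Outdated OpenSSH banner", "low", "internal"),
]

Key = Tuple[str, int, str]


def is_rfc1918(host: str) -> bool:
    """True if the address falls in one of the RFC1918 private ranges."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in RFC1918)


def classify(findings: Iterable[Finding]) -> Dict[Key, str]:
    """Map each distinct (host, port, plugin) to its exposure class.

    A finding seen from the external vantage at least once is "external";
    one observed only from inside the network is "internal-only".
    """
    vantages: Dict[Key, set] = {}
    for f in findings:
        vantages.setdefault((f.host, f.port, f.plugin), set()).add(f.vantage)
    return {
        key: ("external" if "external" in seen else "internal-only")
        for key, seen in vantages.items()
    }


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count distinct findings per exposure class (the internal-only count is
    the portion an external-only assessment would never have reported)."""
    return dict(Counter(classify(findings).values()))


if __name__ == "__main__":
    for key, exposure in classify(SAMPLE_FINDINGS).items():
        host, port, plugin = key
        print(f"{exposure:14} {host}:{port:<5} {plugin}  private={is_rfc1918(host)}")
    print(summarize(SAMPLE_FINDINGS))
```

The "internal-only" bucket is exactly the set of issues the article says an attacker would need physical access, a compromised Wi-Fi network, or stolen credentials to reach, which is why they surface only in the internal engagement; in a real programme the vantage tag would come from the scanner configuration rather than being hand-labelled.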