Internal vs External Testing

So what is Internal vs External?

Most organisations have some kind of LAN (Local Area Network) connecting their computers and resources so they can be shared across the office.

You can consider this your Internal network: all the workstations, laptops, switches, printers and other devices inside your office that are only reachable from within that network.

External devices are those reachable over the Internet, i.e. the public portion of your network. In this category you will generally find servers such as Web Servers (HTTP), Mail Servers (POP3 and SMTP) and DNS servers. These are called External Resources and are generally classified as higher risk than those inside the organisation because anyone on the Internet can reach them.
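Scoping a test starts with deciding which addresses belong to the Internal test and which to the External one. The Python script below is an added example (not NSS tooling) that splits a client-supplied scope list into Internal and External targets using the address ranges that are never routed on the public Internet (RFC 1918, loopback, link-local, IPv6 ULA). The sample scope is constructed, and the range list and bucket names are my own choices. It also flags entries that straddle both sides (usually a typo in a prefix length) and hostnames that cannot be placed without DNS, and it merges overlapping networks so the same host is not counted twice.

```python
"""Split a pentest scope file into Internal and External target lists.

Added example, not NSS's own tooling. Classification is by address range
only: anything inside the ranges that are never routed on the public
Internet is Internal, everything else parseable is External.
"""
import ipaddress
from typing import Dict, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Ranges only reachable from inside the LAN (assumed list for this example):
INTERNAL_RANGES: List[Net] = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "::1/128", "fe80::/10",                # IPv6 ULA, loopback, link-local
)]

# Constructed sample scope, in the form a client might hand over.
SAMPLE_SCOPE = """
# DMZ: web and mail tier
203.0.113.10
203.0.113.0/28
2001:db8::25
# office LAN
10.0.0.0/24
192.168.1.50
172.16.5.0/30
fd00::/64
127.0.0.1
169.254.1.1
# probably meant 10.0.0.0/8 - this spans internal and external space
10.0.0.0/7
# names need DNS before they can be placed
mail.example.com
"""


def classify(entry: str) -> str:
    """Return 'internal', 'external', 'mixed' or 'unresolved' for one entry."""
    try:
        net = ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return "unresolved"          # hostname or typo: resolve or ask the client
    for rng in INTERNAL_RANGES:
        if net.version != rng.version:
            continue
        if net.subnet_of(rng):
            return "internal"
        if net.overlaps(rng):
            return "mixed"           # supernet that covers both sides of the perimeter
    return "external"


def split_scope(text: str) -> Dict[str, List[str]]:
    """Bucket every non-comment line of a scope file and merge overlapping nets."""
    buckets: Dict[str, list] = {"internal": [], "external": [], "mixed": [], "unresolved": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        kind = classify(line)
        if kind == "unresolved":
            buckets[kind].append(line)
        else:
            buckets[kind].append(ipaddress.ip_network(line, strict=False))

    out: Dict[str, List[str]] = {}
    for kind, items in buckets.items():
        if kind == "unresolved":
            out[kind] = sorted(set(items))
            continue
        # collapse_addresses merges adjacent nets and drops nets already
        # covered by a larger one, e.g. 203.0.113.10/32 inside 203.0.113.0/28.
        v4 = [n for n in items if n.version == 4]
        v6 = [n for n in items if n.version == 6]
        merged = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
        out[kind] = [str(n) for n in merged]
    return out


if __name__ == "__main__":
    for kind, targets in split_scope(SAMPLE_SCOPE).items():
        print(f"{kind:>10}: {', '.join(targets) or '-'}")
```

Treat the automatic split as a first pass to confirm with the client: a public address in the list may be a NAT mapping to an internal host, and an internal range may be reachable over a VPN, so the address alone does not always tell you which side of the perimeter the test should run from.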

Hard Outside but Soft Inside

What we often find when auditing or assessing is that companies do have secure External Resources: they have put a lot of effort into perimeter defences and controls, with firewalls, intrusion detection/prevention and DMZs (Demilitarized Zones) set up for externally accessible servers.

But what they overlook is internal security: privilege segregation and separation of duties.

Around 50% of information security incidents originate INSIDE the organization rather than from outside the perimeter, so it is extremely important that your internal security architecture is well designed and properly implemented.

This makes sense: the people inside your organization already have access to the network, they probably know its layout, and they will, to some degree, understand the security architecture in use.

You have to take into account disgruntled or criminal employees, industrial espionage and other malicious activity. As industries move towards knowledge-based business, information is valuable.

As for business risk, internal attacks tend to be a lot more expensive than external attacks:

"Oracle quotes a study by the Computer Security Institute (CSI) which concluded that the average insider attack cost the target enterprise approx. $2.7 million, compared with $57,000 for the average outside attack." - Source

What NSS Recommends

NSS recommends a thorough check of both Internal and External resources. Internal testing can be done from the perspective of an employee using a Whitebox Testing approach (more on Blackbox vs Whitebox Testing). You can go one step further: the NSS experts are given an ordinary user login and then test the network from that position to see whether they can escalate their privileges to an administrative level.

Most organizations do like to have both an Internal Test and an External Test carried out. We can perform both tests concurrently if you wish, according to your timescale and network availability (we generally perform External tests during the quietest hours as a precaution).

External Tests can be conducted remotely from our offices in Malaysia, India or the US; Internal Tests need to be conducted onsite at your facility.