A penetration test is the technical term for a hands-on risk analysis of IT systems. Specifically, it means a deliberate and targeted attack on the IT infrastructure or on individual applications of the affected party in order to establish the basic security level and uncover potential security gaps. The tester takes the position of a potential attacker and usually carries out extensive attacks on the system, using the same means a real attacker would, to learn where the weak spots are.
Penetration testing is usually carried out on behalf of and with the consent of companies that want to protect themselves as comprehensively as possible against attacks on their IT infrastructure or applications. This is done either within the framework of so-called bug bounty programs or within the framework of individual contractual agreements.
Cyberattack on behalf of the client
If you want to know how well your networked systems are armed against cyberattacks, you have to put yourself in the shoes of the potential attacker. That is why our security experts carry out attacks on the network on behalf of the customer.
Identify and check technical vulnerabilities
The goals of an attacker targeting a network are just as varied as their methods. Compromising systems, stealing confidential information, or affecting the availability of services are just a few examples. By putting themselves in the role of attackers and adopting their mindset and attack methods, cybersecurity specialists can most reliably identify and verify technical vulnerabilities and then derive targeted countermeasures.
The scope and depth of a cyber security penetration test can vary greatly depending on the company. Typical test areas are security barriers such as a web application firewall, web-based applications, containers, their interfaces (API), and servers. Configuration errors and vulnerabilities are made visible through intensive attack tests.
Penetration tests are to be distinguished from similar terms in the field of IT security:
• Vulnerability scans: fully automated, with no adaptation to the individual environment.
• Security scans: automated scanning whose results are verified manually, but without a uniform method.
What is checked during an effective penetration test?
Pen tests can be performed for many IT applications:
• Database servers, web servers, mail servers, file servers, other storage systems;
• Packet filters, virus scanners, firewalls;
• Web applications, containers;
• Network interfaces such as routers, gateways, switches;
• Telephone systems, wireless networks (WLAN, Bluetooth);
• Building security systems, building control.
A guide for penetration tests in the area of web applications is provided by the non-profit OWASP Foundation.
What types of penetration tests are there?
Internal Pen Test
This type of penetration test analyses what happens when employee credentials are stolen or a so-called inside job is perpetrated. The test therefore assumes an attack carried out with the access that is available to employees.
External Pen Test
This is the classic model of a penetration test. Here, an attack is simulated by attackers who have no prior user access and can only reach the company’s website and the systems exposed via the Internet. This can also include deliberate overloading of the external connection through DDoS attacks.
Blind Pen Test
This method does not require any detailed agreements. The service provider receives the company’s name and consent, but no further input. This allows the company’s IT security experts to react to access attempts in real time without knowing the penetration testers’ exact procedure in advance. This model is suitable, for example, for obtaining an objective assessment of one’s own IT security from a qualified third party.
Double-Blind Pen Test
Another variant is the double-blind test. The difference from the blind test is that the responsible IT experts in the company are also not informed. This allows the team’s ability to react, or for example the execution of an incident response plan, to be practiced and evaluated under real conditions.
What are the risks of security pen testing?
The worst-case scenario is that companies end up with dubious pen test providers who use the knowledge gained for criminal activities. Conceivable, for example, would be the sale of information on vulnerabilities in hacker forums or the unauthorized extraction and storage of data. This makes it all the more important to check the references of the chosen service provider.
Penetration tests are not supposed to cripple a business, but human errors can happen here too. Incorrect agreements, vague wording in the order, or misunderstandings are all possible scenarios that could be responsible for a system failure. Another classic: if maintenance of the system is running in parallel with the penetration test, this can influence the test considerably. In this case, agreements between all involved departments and external service providers (remote maintenance) are essential. Exception: in double-blind tests, an unforeseen attack is exactly what is desired.
Both sides should make absolutely sure to define the scope of the test objectives precisely. Furthermore, the client must ensure that every agreed target is, without exception and in a legally clear-cut manner, the property of their own company. Anyone who inadvertently attacks and/or cripples a third-party cloud service or web application could be in serious legal trouble.
Penetration tests conducted in good faith but without the consent of the affected service provider could be treated as a real cyberattack under criminal law. Before proceeding with the test design, the rights to all components must be checked. This includes hardware (servers), software (applications), and other networks (cloud services and interfaces).
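One practical way to enforce the scope agreement described above is to keep the authorized targets (CIDR ranges and domain names from the statement of work) in a scope file and reject every proposed target that is not explicitly covered before any testing starts. The checker below is an added example, not part of the original article; the scope entries and target list are constructed sample values and the function names are the example's own.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    """Authorized targets agreed in the engagement contract."""
    networks: list = field(default_factory=list)  # ipaddress network objects
    domains: list = field(default_factory=list)   # domain names, e.g. "shop.example.test"


def parse_scope(lines):
    """Parse a scope file: one CIDR or domain per line, '#' starts a comment."""
    scope = Scope()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            scope.networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:  # not an IP network, treat as a domain name
            scope.domains.append(entry.lower().lstrip("."))
    return scope


def in_scope(target, scope):
    """True only if the target is explicitly covered by the agreed scope.
    Domains match exactly or as a subdomain of a listed name; a mere substring
    match (e.g. 'notshop.example.test' vs 'shop.example.test') is rejected.
    Note: a hostname in scope may still resolve to a third-party IP (CDN,
    cloud provider); ownership of the resolved address must be checked too."""
    target = target.strip().lower()
    try:
        addr = ipaddress.ip_address(target)
        return any(addr in net for net in scope.networks)
    except ValueError:  # not an IP address, compare as a domain name
        pass
    return any(target == d or target.endswith("." + d) for d in scope.domains)


def check_targets(targets, scope):
    """Split a proposed target list into allowed and rejected entries."""
    allowed = [t for t in targets if in_scope(t, scope)]
    rejected = [t for t in targets if not in_scope(t, scope)]
    return allowed, rejected


# Constructed sample scope and target list (documentation ranges, not real assets).
SCOPE_LINES = ["# agreed in the statement of work", "203.0.113.0/24",
               "2001:db8:10::/48", "shop.example.test"]
TARGETS = ["203.0.113.17", "203.0.114.5", "api.shop.example.test",
           "notshop.example.test", "cdn-provider.example.net", "2001:db8:10::1"]

if __name__ == "__main__":
    ok, bad = check_targets(TARGETS, parse_scope(SCOPE_LINES))
    print("allowed:", ok)
    print("REJECTED (out of scope, do not test):", bad)
```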
Pentest or IP stresser?
If you search the internet for a stress test for your own IT, you will quickly come across so-called IP stressers. These service providers offer to simulate DDoS attacks for a small fee. However, utmost caution is advised here: many operators work in a legal grey area. If the operator does not verify at all whether the customer actually owns the domain that is to be attacked on their behalf, the provider is not only acting highly unprofessionally but is also committing a criminal offense.
Whether IP stressers operate legally or are in fact disguised criminal booter services (DDoS for hire) is often hard for a buyer to see through. The websites are deliberately designed to look professional and are optimized for search engines so that from the outside they appear to be a respectable business. Unfortunately, this is often just the polished entrance to a dark basement.
Pen tests are also based on a completely different idea compared to legal IP stressers: instead of simulating a blunt DDoS attack, an individual test is designed together with the customer that covers several levels and IT risk factors. In the case of DDoS, for example, this can mean the use of several different attack techniques across all layers, whereas IP stressers usually only offer pure volumetric attacks (layers 3 and 4). The fact that pen tests are in a different price range should therefore not put you off.