A penetration test is a commissioned, authorized, planned, and simulated cyber attack on a company or a public sector institution. The goal is to identify and eliminate previously unknown points of attack before real attackers can use them to steal intellectual property or other sensitive data, or otherwise damage the organization.
But how does a penetration test work? To carry out a penetration test, an IT security analyst needs the express order of the customer and agreed, coordinated information. The color theory of pentesting reveals something about the conditions the security analyst is confronted with. If the testers receive no further information, it is a so-called black box test; it is considered the most realistic simulation of an external attack. In a white box test, the service provider receives basic information about the system it is supposed to penetrate, as well as, ideally, the IT security concept with the documentation of the associated IT infrastructure. This option is often used to explore theoretical scenarios so that the organization is on the safe side in an emergency. If only part of the possible information is made available in advance, experts often speak of a gray box test, a hybrid of the two preceding forms.

Since the pentesters simulate the actions of a group of attackers, they are often referred to as the “red team”. If the scope of the test covers not only the response of the protective mechanisms and security measures, but also the speed and competence of the client’s own security experts, those defenders are referred to as the “blue team”.
Most tests are between the two extremes and depend on the needs of the customer.
A distinction must be made between three main pen-tester attack methods:
- The attack on the network;
- Social Engineering;
- The physical attack.
Which method is used depends largely on the client’s goals and the desired gain in knowledge. The penetration test that is currently most frequently commissioned is an attack via the network.
A pen-test is usually roughly divided into five phases:
- Preparation (coordination of test objectives, scope, test methods, and devices);
- Obtaining information (document viewing, Google hacking, network recording, port scans);
- Analysis & attack selection (research for suitable exploits, detailed network analysis, hash cracking, coordination of further attacks);
- Verification tests (exploitation of vulnerabilities, circumvention of security measures and active intrusion, man-in-the-middle attacks, post-exploitation);
- Final analysis (evaluation and documentation of the results, management summary and presentation, a listing of weak points, recommendations for countermeasures).
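The preparation phase is where the "express order of the customer and coordinated information" from above become concrete: a written authorization listing the in-scope networks, any exclusions, and the agreed testing window. The following is an added example (not code from the original article) of how a tester's tooling can enforce that agreement before any probe is sent. The rules-of-engagement values, addresses and dates are constructed for illustration; the class and function names are this example's own.

```python
"""Scope enforcement for the preparation phase of a penetration test.

Added example, not from the original article. It assumes a written
authorization that lists the customer's in-scope networks, explicit
exclusions, and an agreed testing window; all values below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress


@dataclass
class RulesOfEngagement:
    in_scope: list                                  # CIDR strings the customer authorized
    excluded: list = field(default_factory=list)    # hosts/nets explicitly carved out
    window_start: datetime = None                   # agreed start of testing (UTC)
    window_end: datetime = None                     # agreed end of testing (UTC)

    def __post_init__(self):
        self._allowed = [ipaddress.ip_network(n, strict=False) for n in self.in_scope]
        self._denied = [ipaddress.ip_network(n, strict=False) for n in self.excluded]

    def target_authorized(self, target: str) -> bool:
        """True only if target is inside an authorized range and not excluded."""
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            return False    # hostnames must be resolved and re-checked as addresses
        if any(addr in net for net in self._denied):
            return False    # exclusions win over broad in-scope ranges
        return any(addr in net for net in self._allowed)

    def within_window(self, now: datetime) -> bool:
        """True if the agreed testing window covers 'now'; no window means no testing."""
        if self.window_start is None or self.window_end is None:
            return False
        return self.window_start <= now <= self.window_end


def filter_targets(roe: RulesOfEngagement, candidates, now):
    """Split candidate targets into (authorized, rejected_with_reason)."""
    if not roe.within_window(now):
        return [], [(t, "outside agreed testing window") for t in candidates]
    ok, rejected = [], []
    for t in candidates:
        if roe.target_authorized(t):
            ok.append(t)
        else:
            rejected.append((t, "not in authorized scope or explicitly excluded"))
    return ok, rejected


# Constructed sample: an authorization covering one /24, with one production
# host carved out, and a one-week testing window.
SAMPLE_ROE = RulesOfEngagement(
    in_scope=["203.0.113.0/24"],
    excluded=["203.0.113.10/32"],
    window_start=datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 3, 8, 18, 0, tzinfo=timezone.utc),
)
SAMPLE_CANDIDATES = ["203.0.113.5", "203.0.113.10", "198.51.100.7", "not-an-ip"]
SAMPLE_IN_WINDOW = datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc)
SAMPLE_OUT_OF_WINDOW = datetime(2024, 3, 9, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    accepted, rejected = filter_targets(SAMPLE_ROE, SAMPLE_CANDIDATES, SAMPLE_IN_WINDOW)
    print("authorized:", accepted)
    for target, why in rejected:
        print(f"rejected {target}: {why}")
```

The check is deliberately strict: anything that is not an address, not inside an authorized range, or outside the agreed window is rejected with a reason that can go straight into the engagement log, which is the evidence both sides want if a question about scope comes up later.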
The penetration testers themselves usually begin with a tool-based scan of the network. Tools such as Nessus, Metasploit, and Burp Suite provide the information required for system and application analysis. The scan assesses the current vulnerability of:
- Firewalls, web servers, and Remote Access Services (RAS) for remote maintenance;
- Connections such as WLAN or cellular technologies;
- Web servers, which are particularly easy to attack from outside because of their numerous functions (e-mail, FTP, DNS, and others) and their easy accessibility.
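A tool-based scan produces far more output than a report needs, so the analysis step starts by reducing it to the externally reachable services the article names (web, e-mail, FTP, DNS, remote access) and flagging the ones that speak cleartext. The block below is an added example, not code from the article or from any of the tools it mentions. It assumes scan output in Nmap's XML format; the XML document embedded here is a constructed sample, and the grouping of service names into risk classes is this example's own.

```python
"""Triage of tool-based network scan output (added example, not from the article).

Assumes results in Nmap's XML format. SAMPLE_NMAP_XML is a constructed sample,
not a real scan; EXPOSED_CLASSES is an editorial grouping, not a tool default.
"""
import xml.etree.ElementTree as ET

# Service names as Nmap reports them, grouped by the exposure classes the
# article discusses. The grouping itself is an assumption of this example.
EXPOSED_CLASSES = {
    "web":           {"http", "https", "http-proxy", "http-alt"},
    "mail":          {"smtp", "smtps", "submission", "imap", "imaps", "pop3", "pop3s"},
    "file-transfer": {"ftp", "ftps", "tftp"},
    "dns":           {"domain"},
    "remote-access": {"ssh", "telnet", "ms-wbt-server", "vnc", "rdp"},
}

# Protocols that carry credentials or content unencrypted; worth a report finding.
CLEARTEXT = {"ftp", "telnet", "http", "pop3", "imap", "tftp"}

# Constructed sample: one host, five open ports, one closed port.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="203.0.113.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="3.0.3"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
      <port protocol="udp" portid="53"><state state="open"/><service name="domain"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_services(xml_text):
    """Return [(host, proto, port, service_name, banner)] for open ports only."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue    # closed/filtered ports are not attack surface
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            banner = ""
            if svc is not None:
                banner = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
            findings.append((addr, port.get("protocol"), int(port.get("portid")), name, banner))
    return findings


def classify(service_name):
    """Map a service name to one of the exposure classes, or 'other'."""
    for cls, names in EXPOSED_CLASSES.items():
        if service_name in names:
            return cls
    return "other"


def triage(findings):
    """Group open services by exposure class and flag cleartext protocols."""
    report = {}
    for addr, proto, port, name, banner in findings:
        entry = {"host": addr, "port": f"{port}/{proto}", "service": name,
                 "banner": banner, "cleartext": name in CLEARTEXT}
        report.setdefault(classify(name), []).append(entry)
    return report


if __name__ == "__main__":
    for cls, entries in sorted(triage(parse_open_services(SAMPLE_NMAP_XML)).items()):
        print(cls)
        for e in entries:
            flag = " [cleartext protocol]" if e["cleartext"] else ""
            print(f"  {e['host']} {e['port']} {e['service']} {e['banner']}{flag}")
```

The output of `triage` is already in the shape the final-analysis phase needs: one list per exposure class, with the banner a tester would use for version research and a flag for services that should become a hardening recommendation regardless of whether a specific exploit exists.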
The identified weak points are then specifically attacked or penetrated. The results of the simulated attack, together with recommendations on how to close the vulnerabilities and harden the system further, are summarized in a final report.
A pentest, like every other security test, is a snapshot of the company’s resilience at one point in time. It therefore makes sense to subject your IT security measures to regular effectiveness checks; at least once a year is a good idea. It also makes sense to hire providers who can rotate their teams, because different people find different mistakes.
The results a tester obtains from this service can form the basis for a Security Awareness Program that is focused as closely as possible on the problem areas identified during testing. The service can also be used to verify the effectiveness of the customer’s current Security Awareness Program.