Penetration tests
For more IT security in companies

Penetrationtest
  • Is your company already sufficiently protected against hackers?
  • Are you looking for professional support in finding security vulnerabilities?
  • Should a suitable penetration test be carried out for your company?
Penetrationtest
  • Is your company already sufficiently protected against hackers?
  • Are you looking for professional support in finding security vulnerabilities?
  • Should a suitable penetration test be carried out for your company?
"I am convinced that there are only two types of companies: those that have been hacked and those that will be. "

Robert Mueller, former FBI director

What is a penetration test?

Penetrationstests

The term penetrationtest or pentest refers to the targeted intrusion into the network or system of a company by an IT specialist. The implementation of a series of measures is intended to identify internal and external vulnerabilities. This prevents hackers from gaining access to your IT.

The simulation of a real attack attempt clearly reveals the existing security holes. In addition, the existing threat potential for the company becomes clear through the initiated white hacking. The simulated attack on the system shows what improvement potential is possible for your IT security. Concrete security measures are thus recognized and applied.

A penetration test or penetration hacking must be performed by IT specialists with experience. This will highlight any gaps in the security network and eliminate the risk of a real, successful hacker attack.

What a penetrationtest can do

A penetration test is not a general attack attempt. Rather, it is strongly individualized to the system under test. A pentest tuned in this way completely exploits the detected vulnerabilities. This makes it clear which concrete data is at risk. The possible damage caused by a hacker attack is detected.

The risk potential is recorded and compiled in a final report. There it is shown which attempts had success and which did not. Furthermore, the already secured areas of the system are shown. The weak points detected by the penetration test serve as the most important information. Concrete recommendations for action are provided to close the respective security holes.

Penetration tests sometimes go beyond the technical side. One of the biggest weak points in a company are its employees. With so-called social engineering methods, employees are tested and the human weak points are identified. Because even with this procedure a hacker can gain access to the system. This can happen independently, no matter what technical security measures have been taken before.

Penetrationtest Augsburg
Robert Ehlert

Robert Ehlert

Many companies choose to perform several different penetration tests. This ensures that the infrastructure is protected as completely as possible against attacks. We would be happy to put your systems through their paces.

 Be part of it! 

What are the reasons for a pentest?

Check infrastructure

Unfortunately, investments in a secure IT infrastructure and trained personnel are no guarantee that a hacker attack will be survived without problems. A pentest can be used to identify the actual security in the context of a simulated attack. In addition, it is possible to react to the potential threat.

Fulfilling legal obligations

Companies, especially the management, have a direct responsibility to ensure adequate IT security. In the worst case, a failure to do so can lead to personal liability. Penetration tests are suitable measures to technically secure the company. The risk of a hack is minimized and the legal responsibility is fulfilled.

Detect threats

IT systems are becoming more and more complex, which means that the demands on security measures are constantly increasing. Criminals are constantly looking for weaknesses that they can use to their advantage. Pentests reveal the weaknesses of the system even before a hacker attack. As a result, your company is no easy prey for criminals.

Protect your image

If a hacker attack has taken place, not only the internal damage has to be taken care of. Because hacker attacks often end up in the headlines of daily newspapers. This leads to an enormous loss of trust towards customers, partners and the public. Such a loss of reputation can be avoided by a penetration test.

Data protection

Every company must pay close attention to protecting the sensitive data of employees, customers or its own products. Data theft does not only lead to financial damage. Legal regulations, such as the GDPR, make companies liable if collected data is not adequately protected. Penetration tests identify deficiencies in data protection.

Perform risk management

Pentests simulate worst case scenarios, which allows risks to be identified and realistically classified. Planning and budgeting is simplified through more targeted risk management. Risks can be countered in a structured way.

"Companies put millions of dollars into firewalls. They waste their money by not considering the weakest link in the security chain: the users and system administrators."

Kevin Mitnick, computer security consultant

Penetrationtesting: The different approaches

There are different approaches that can be simulated in a penetration test. The HOW depends significantly on the information available to a hacker in the run-up to an attack attempt. Accordingly, a distinction is made between three approaches: Black Box, Grey Box and White Box.

Black Box

The most realistic scenario is called the Black Box Pentest. In this pentest, the ethical hacker has no prior knowledge of the IT infrastructure. Like a real hacker, he must find his way around the system himself. He finds out the weak points based on his attack attempts.

With such a pentest hacking it can happen that security holes remain undiscovered. Often it is not possible to process the complete infrastructure within the given test period.

Grey Box

In the Grey Box Pentest scenario the pentester knows some necessary information. Furthermore the areas to be tested are specified. Other areas of the system are not considered at all.

This is the most common scenario in a penetration test. Without knowledge of the entire system, certain targets are systematically attacked.

In order to successfully implement this pentest approach, all areas of the system should be progressively reviewed.

White Box

Even more effective and special is the white box pentest scenario. The penetration tester is provided with all necessary information about the IT infrastructure. This includes full knowledge about servers, applications, operating systems or which ports are or should be open.

In contrast to the Black Box Pentest, this variant is rather unrealistic, although much more effective. The test can be carried out quickly and thoroughly with the appropriate attack methods.

Penetration testing: The right positioning

In a penetration test, the location or WO from which the targeted attack attempt is to take place is decisive. The positioning decides about the chosen attack methods. A distinction is made between external and internal pentests.

Cyber Security Breach Hacking Laptop

External penetrationtests

External vulnerabilities are used to attempt to gain access to the internal system network. Furthermore, e-mails, web pages or data releases can represent ways to access the internal data.

A common variant is the collection of company information. This can be done through open ports, vulnerabilities or user information.

The external penetrationtest reaches its goal with the access to the system. Then an internal pentest can follow.

Internet Cyber Security

Internal penetrationtests

An attacker has bypassed the security barriers or an insider already has access to the company. Now it is a question of which internal attack points are available.

This raises the question of what the hacker can do with his access. Examples of this would be switching between networks. Furthermore the interception of internal communication can be simulated.

An internal penetration test is completed as soon as administrative access is available. This has taken control of the company's most important information.

"Security systems must always win. The attacker, on the other hand, only has to do it once."

Kevin Mitnick, computer security consultant

Types of penetrationtests

A pentest can look very different. In addition to the different approaches and positioning, the type of penetration test is also important. The question arises, WHAT should be tested. 

IT infrastructure penetrationtest

The focus is on checking vulnerabilities of servers, firewalls and VPN accesses

Penetrationtesting for applications

In this scenario, web applications such as web shops and mobile apps are tested. Special focus is placed on functionality, process flow and security controls.

Social engeneering

Pentesters try to access confidential information by manipulating employees. Techniques such as phishing e-mails and telephone calls are used. But a targeted approach cannot be ruled out either.

Physical penetrationtest

Physical barriers such as door locks, sensors and cameras are tested here. Pentesters check whether unauthorized access to important areas such as server rooms is possible.

WLAN Penetrationstest

A company's WLAN networks are checked for weaknesses in configuration, encryption procedures and passwords.

Configuration penetrationtest

This type of test aims to check the current configuration of various system components. It helps to ensure that the current and future infrastructure is in line with industry best practices.

The procedure for a pentest

In order to achieve the best result, each penetration test is supported by a concrete procedure. All relevant procedures are clearly defined in advance. Our plan comprises 7 steps. For you as a customer, this procedure leads to the best results. In order to get a first overview, you can orient yourself by our 7-point plan.

Before the test

1. Define the scope of the project

Conditions and objectives are defined in advance of a pentest. First of all, client and service provider must agree on the type of penetration test. It must be clear which part of the system or whether the entire network is to be tested. The positioning and the chosen approach are then defined. 

A pentest can cause delays in day-to-day business. Therefore it is important to choose the test period. 

In addition, the customer must create backups for his systems in advance. Alternatively, an equivalent test system can be selected for implementation. 

2. Provide important information

Depending on the approach chosen, some information may need to be available before starting the test. In the case of a black box test, no prior information is necessary. The pentester, just like a real hacker, has to act in the most realistic case without any knowledge about the internal IT.

A grey box test requires some specific information. Only a certain part of the system is checked.

Most of the information and the most elaborate preparatory work is done in a white box test. The tester needs a complete knowledge of the IT infrastructure.

During the test

3. Perform vulnerability analysis

In the first phase, during a pentration test, the white hacker attempts to identify initial vulnerabilities in the network, system or application. 

In order to gain access to the internal network, other means such as e-mails, websites or data sharing are also possible. But also publicly accessible information (Open Source Intelligence) is checked. For example, whether passwords of the company have already been leaked.

4. Exploit security gaps

First the pentester completes the vulnerability analysis. The system is accessed via security holes that are discovered. 

If the unauthorized access has succeeded in passing the security barriers, it depends on the previously made agreements. The penetration tester can try to access other connected systems or intercept the internal communication. 

A pentester has usually reached its goal as soon as it has administration rights. He is therefore in possession of access to all information of the company.

After the test

5. Remove traces

After completion of the penetration test, all traces of the test must be removed. All scripts used and traces of the pentester are removed. Hereby the systems are not exposed to unnecessary dangers.

6. Create the report

All steps of the test are documented in detail. The aim is to provide the customer with an easily understandable, clear insight into the procedure and the results. The following points must be included in the report:

  • All current vulnerabilities and associated risks
  • Which attacks were successful and which data could be captured
  • Proof of Concept (PoC): Evidence of successful attacks and instructions on how to reenact them.
  • Recommended steps to close the vulnerabilities 

7. Final discussion & evaluation

In a concluding conversation, customers can ask questions again. Any ambiguities are cleared away. Frequently, the service providers also offer support in repairing the weak points found.

Conclusion on penetrationtests

A Penetrationtest is an optimal procedure for uncovering weak points in IT security and taking appropriate countermeasures. Thus you are protected against hacker attacks at the right time. By choosing suitable tests and the right service provider, you are on the safe side.

Pentests should be carried out regularly as a fixed component in the IT security concept of a company. External partners can check the IT and your systems more effectively. The reason is that your own IT department is too familiar with the internal system. Small things are quickly overlooked, which can lead to serious damage.

In addition, a penetration test should be performed by an expert. Qualified White hackers can better understand the thinking of criminal hackers. They see security barriers and systems as a kind of challenge. Through experience and competent action, even the smallest security vulnerability will be detected.

Often companies see such tests as an unnecessary investment to protect their systems and data. However, the decisive advantage is overlooked.

We apply best security practices that companies can incorporate into their processes - whether it's taking stock of IT, programming or evaluating information. This win-win situation makes a penetration test profitable and increases the ROI.

Arrange a free consultation appointment now for a penetrationtest
Your contact person
Robert Ehlert
Robert Ehlert


Your contact for penetration tests. Let us arrange an appointment for you.

ADDRESS
new direction Cyber Security GmbH
Piechlerstraße 3-5
86356 Neusäß
Germany

Phone
+49 (0) 821 5 43 70-00

E-Mail
info@ndcybersecurity.de

en_USEnglish
de_DEDeutsch en_USEnglish