Penetration test

What is a penetration test?

A penetration test (in short “pen test”) is a comprehensive security analysis of one or more IT systems (e.g. shop systems, database servers, Android/iOS apps or the entire company network).

For this, we attempt to penetrate the defined target systems within a controlled scope (e.g. via points of attack determined as part of a vulnerability analysis) in order to estimate the damage of a possible attack. This is done by a manual examination of the target systems by a team of selected experts.

By customising a wide range of factors, such as starting point, scope and information base, this type of test can be attuned perfectly to your threat scenario.

What is a penetration test?
Why is a penetration test useful?

In the wake of digitalisation, new IT systems are continuously being set up and old “analogue” systems are being replaced by them. Existing systems are being increasingly connected to each other. While business processes are generally becoming simpler and more comprehensible as a result, securing these systems against cyber attacks is also becoming increasingly relevant.

With a comprehensive penetration test, you can gain an in-depth understanding of the security level of the target systems and even detect vulnerabilities that attackers can use to cause considerable damage (e.g. via ransomware attacks, data leaks, defacing, etc.). This is one reason why regular pen tests are becoming required more and more often in order to meet legal or compliance requirements.

Why is a penetration test useful?

Course of a penetration test

  • Reconnaissance

    In the reconnaissance phase, information about the asset is gathered, e.g. about the technologies in use, the associated business processes or the authorisation concept.

  • Assessment

    Using the gathered information, an initial security analysis is conducted and a methodology for performing the manual analysis is devised.

  • Exploitation

    Using our expertise, appropriate tools, creativity and persistence, we put the target systems to the test in order to gain a picture of the current level of security that is as complete as possible.

  • Analysis & reporting

    After the pen test follows one of the most important parts: The analysis of the vulnerabilities found and the preparation of the results in our pen test report. This also includes pointing out concrete recommendations for action and a presentation of the results, in which we explain our approach step by step.

Wrap-up and conclusion

At the end of the penetration test, you will receive a detailed report on the attacks carried out and the vulnerabilities exploited. Finally, questions can be clarified and lessons learned can be discussed in a presentation of the results.

Before you can finally implement the newly gained insights, the final step of the pen test is the so-called “house cleaning”. In this process, you should remove the user accounts, configurations, etc. that we created during the pen test and reset the network to its original state.

  • Manual security assessment of your application/IT system
  • Maximum test coverage
  • Often necessary due to legal or compliance requirements
  • Customisable to threat scenario

Pen tests are particularly advisable before the initial release or after major changes to your systems. Examples of this could be a major update in your own application or the purchase of new third-party software.

Furthermore, it can be advisable to repeat penetration tests at regular intervals so that newly discovered attack techniques are also covered.

These terms describe the information basis of a penetration test. While in a so-called white-box penetration test a tester has access to all available resources (e.g. system architecture/data flow diagrams, network plans or even the source code of an application), in a black-box penetration test an attacker without any prior knowledge is simulated.

A mixed form is the grey-box pen test, in which only selected (e.g. easy-to-obtain) information is made available.

In general, it makes sense test to provide as much information as possible for a penetration, as this almost always significantly increases the efficiency of the test. Therefore, with a few exceptions, we advise conducting a white-box or grey-box penetration test.

Instead of a black box penetration test, it can also make sense to conduct an attack simulation in which a realistic attack on the company is simulated.

In contrast to a penetration test, a vulnerability assessment is predominantly automated.

In this way, an overview of existing issues and the security level of the system in question can be obtained efficiently and cost-effectively.

However, some types of vulnerabilities can not be detected very well (if at all) by automated scanner solutions, which is why a full penetration test is recommended at regular intervals.

A penetration test is never more than a snapshot of the current state and thus unfortunately cannot guarantee that the tested system will not be vulnerable again in the near future (e.g. through an update or a newly published vulnerability).

It is therefore advisable to carry out such a test on a regular basis and to integrate further security analyses into your business process in order to continuously monitor the security level of your assets.

Get in touch

Curious? Any more questions? Call us, write a mail or book a meeting with one of our consultants right away!

Newsletter

Would you like to stay up to date? Sign up for our newsletter: