“A penetration test is a simulated cyber-attack against ideally all components and applications of an IT system to check for exploitable vulnerabilities.”
In fact, almost two-thirds of all companies are victims of cyber-crime. The idea of a Penetration test is to check and then secure the IT System precautionary.
Either leading to the validation of security guarantees regarding risk assessment or to discovering vulnerabilities that impose a risk to the client and need to be secured.
External penetration tests target the systems of a company that are accessible on the internet, e.g., a web application, the company website, email servers and more. The goal is often to gain access and extract valuable data or to take control of the system.
An internal test, on the other hand simulates an attack from inside the company network. This is not necessarily simulating a rogue employee. A cunning attacker might also gain access to this privileged part, e.g. by Social Engineering or Phishing.
In Closed-box testing, a tester is only given the externally accessible IP-Range of the client, that is being targeted. The tester simulates the typical external attacker without any further information, nor privileged access.
In an Open-box Test, the tester is provided information of the internal structure. Often access to the source code of critical applications is given to the tester as well. This can be used to simulate a rogue employee or enable testers to cover parts of the systems, that otherwise would be too time-consuming to explore for the tester.
In the following we describe the typical stages of the most common external (Closed-box) Penetration test.
The goals and objectives of the penetration test will be defined at first.
It is essential that the client and tester define the goals of the penetration test together, such that both parties have the same understanding of the objectives and targets. The common objectives of a penetration test are the following:
In the first technical step the tester will scan the defined target, typically the company network. The goal is to discover the externally accessible services. Using automated scanning tools, the tester can further identify outdated software and check for publicly disclosed vulnerabilities. After completing the scan, the tester will have an overview of the exposed services and can consider possible attacks.
Attacking is the most critical step that must be performed with due care. By attacking the system, the tester will verify the identified potential vulnerabilities of the scanning phase. Depending on the agreed objective, the attacker will aim not to harm the productive system but at the same time reveal whether the attacks impose actual risks. Recovery procedures for critical system must be in place to prevent unintended harm. The limitations of the testers capabilities have to be balanced, considering risks of harm by testing and the possibility of overlooking critical vulnerabilities and risks.
Evaluating the vulnerabilities and attacks, the tester is now able to assess the identified security risks. Vulnerabilities can be categorized and rated by risk and exploitability. Additional the tester can provide recommendations, typically suggest updates or a necessary change in configuration. Since a penetration test is limited in scope, aggressiveness, and time it is important for the tester to transparently disclose the scope and limitations of the test. This enables the client to genuinely assess the security and guarantees obtained by the test.
Finally, the objectives, scope, procedures, and findings will be reported. Ideally the report follows the same structure as the test itself. Starting with the agreed objectives and scope in the first step and followed by the scanning methodology, tools, and results. The evaluated findings can then be listed in order of risk priority, followed by the recommendations and ending with the conclusion.
A report should focus on the following parts:
A penetration test can be used as an assessment of the current IT-security grade of the company. Due to the rapidly changing nature of technology advancement, security and risk assessments must be seen as continues processes. Just like the underlying soft- and hardware beneath, they require regular updates. Therefore, it is recommended to test the company infrastructure on a yearly basis, ideally with state-of-the-art attacks and defences from unbiased experts of the field.
© 2021 Scheer GmbH
Necessary cookies enable basic functions and are required for the proper functioning of the website.
Statistics Cookies collect information anonymously. This information helps us understand how our visitors use our website.
Marketing cookies come from third party providers, these collect information to play out targeted content.
In order to display content from video platforms and social media platforms, cookies are set by these external media.