Penetration Test: Putting IT Security to the Test

In 2019, 75% of companies were affected by at least one IT security problem - trending upwards for years. Cybercrime has become professionalised and has long since become a profitable line of business for gangs targeting small and medium-sized enterprises. A solid security infrastructure forms the basis for minimising points of attack. Another important tool is penetration testing - a tool that is used relatively little in Germany. We explain what a penetration test is and how it helps companies protect themselves against attacks.

What are Penetration Tests

Beim Penetrationstest geht es um die systematische Überprüfung eines Netzwerks auf Sicherheitslücken. Diese Sicherheitslücken können technischer, aber auch organisatorischer Natur sein. Daher ist oft nicht nur die Überprüfung der digitalen Infrastruktur Teil des Pen Tests, sondern auch eine Untersuchung der physischen Infrastruktur. Dazu versuchen Sicherheitsspezialisten vor Ort in das Netzwerk einzudringen - zum Beispiel mit Social Engineering.

How does a Penetraion Test Work?

In a penetration test, the tester behaves exactly like a potential attacker. This is also the strength of this measure: In the pentest, one assumes the worst case: A well-informed attacker tries to penetrate the company's system. In doing so, the attacker basically uses all available means, as long as they do not affect the rights of a third party, for example, third-party servers. An implementation concept of the Penetration Testing Execution Standard (PTES).

Which Vulnerabilities are Exploited during Penetration Testing?

Often, however, professional pentesters don't even have to bring out the big guns to gain access to the system.

• A frequent weak point is careless users. You don't need a complicated technique to profit from them as an attacker.
• Similarly, attacking via the physical wire is not an easy task. An attacker could simply break through the casing at certain points (for example, a publicly accessible underground car park) and literally gain access to the line - as was impressively demonstrated at SLA 2017.
• But software is also a popular point of attack - especially publicly accessible areas in the form of web shops, platforms or employee login pages.

Why Tenetration Testing is an Important part of Corporate IT Security

First and foremost, of course, penetration tests help to uncover security gaps in the infrastructure and get clues for the solution. But the pentest has other advantages that go beyond uncovering security gaps. In the study by CGI "IT Security for Industry 4.0", the importance was once again underlined.

Create User Cyber Security Awareness

Regular pentests help to ensure that employees do not neglect important security measures out of habit. Over time, a certain routine always sets in for all employees - the handling of passwords becomes more careless or certain compliance rules are no longer followed. Through pentesting, you can always challenge employees and teach them to be on their guard. Our Security Assessments offer full protection.

Capture Structural Problems

Sometimes security gaps do not result from a human error, but are caused by structural weaknesses - these include, for example, understaffing in the IT department as well as gaps in the process descriptions or in the compliance guidelines. These structural weaknesses are easier to detect in practice than in everyday business, where a certain degree of operational blindness is normal.

Identify Staff Weaknesses

In pentests, a major point of attack is always the negligent employee who does not protect his password, uses a bad password or discloses critical information on the phone without realising it. In the pentest, you identify the need for training for individual employees who have behaved critically in tests.

Critically Review Security Routines on a Regular Basis and keep them up to Date

Security requirements change dynamically as attackers' technologies improve. Regular pentests help to keep the security architecture up to date and to subject the processes to a critical review on a regular basis.

Penetration Test: Conclusion

Penetration tests are an important component of a modern IT security infrastructure. They are a tool to identify gaps in IT security and to create a secure infrastructure in the long run. Pentests should be carried out regularly in order to keep user awareness constant and also to be prepared for new attacks.

Many companies shy away from pentests, but they are like an insurance policy: it is better to do them without an emergency occurring than not to do them and then be affected by an attack. Compared to the potential damage caused by a security vulnerability, the effort for regular pentests is limited.