Pentest for IT Infrastructures

What is Infrastructure Penetration Testing?

An infrastructure penetration test provides your organization with a security analysis of the effectiveness of your internal and external security systems . As a basis for secure applications and communication, systems and infrastructures as well as network security must not be neglected. This guidelineapplies to companies of all sizes, especially for critical infrastructures (KRITIS). Advanced knowledge of server operating systems, transport encryption and infrastructure configuration enables our pentesters to find security gaps in your IT infrastructure and apply problem solutions. For this purpose, manual as well as automated scans are performed, evaluated and appropriate countermeasures are initiated.

Find IT Security Vulnerabilities with an Infrastructure Pentest from turingpoint.

The pentest for infrastructures is planned, performed and evaluated by our specially trained security engineers according to recognized standards.

We audit your network security and protect your assets from internal and external attackers!

Infrastructure components such as server systems, web servers, operating systems, general network protocols, VPN systems, Active Directories (AD), IoT devices (Internet of Things), WLAN networks, databases and firewalls can be tested.
Virtualizations or containerization are often part of the modern infrastructure. During configuration and implementation, errors can lead to new vulnerabilities or degradation of the security level. We also offer pentesting for virtualization environments.
In IT security, there are many guidelines that must be adhered to. In case of non-compliance, these usually do not represent a vulnerability in the classical sense. We also check existing compliance guidelines or adapt our security recommendation for your company.

We carry out safety analyses based on recognised standards and guidelines.

Our processes are adapted to the practical guidelines for pentests of the Federal Office for Information Security (BSI).
We have developed a comprehensive final report that provides an optimal insight into our work and its results. Pentests are conducted and evaluated according to the OWASP Testing Guide. Alignment with OSSTMM and PCIDSS is also possible upon request.

Higher Network Security with standardized Infrastructure Pentests

As a general rule, the longer our consultants spend examining your infrastructure and checking network security, the more meaningful the results will be. If you have special requirements, we will be happy to make you an individual offer.

COLLECTION OF INFORMATION
There are direct and indirect methods of search engine search and education. Direct methods refer to searching the indexes and the related content from the cache. Indirect methods refer to the collection of sensitive design and configuration information by searching in forums, newsgroups and website advertisements.
FIREWALL TEST
Firewall rules and policies control the data traffic between LAN and Internet. With the help of these rules the own network can be closed off restrictively against external influences - and this without affecting the generally required Internet traffic. At the same time, faulty rules can also create new weak points. It is therefore advisable to test, monitor and control the rules continuously.
PATCH MANAGEMENT
There are direct and indirect methods of search engine search and education. Direct methods refer to searching the indexes and the corresponding content from the cache. Indirect methods refer to the collection of sensitive design and configuration information by searching forums, newsgroups, and website advertisements.
VPN ANALYSIS
Even if high-quality encryption is normally used today, a misconfiguration in the server can lead to a weak encryption - or in the worst case no encryption at all - being enforced, allowing an attacker to gain access to the supposedly secure communication channel.
PRIVILEGES ESCALATION
This is usually due to an error (bug) in the operating system or software. Mostly needed is also program code that performs the escalation. Mostly a privilege escalation is used to get root rights. Such tools (possibly in connection with certain actions) are called exploits.
NETWORK MANIPULATION
An attacker exploits features of the infrastructure to carry out attacks on network objects or to cause a change in the normal flow of information between network objects. Most often, this involves manipulating the routing of messages so that they are directed at an entity of the attacker instead of arriving at their actual destination.
Active Directory (AD)
We use graph theory to uncover the hidden and often unintended relationships within an Active Directory environment. In this way, highly complex attack paths can be identified that would otherwise be very difficult to detect.
IOT DEVICES (INTERNET OF THINGS)
The methods for evaluating security and the hardening measures in the environment of IoT (Internet of Things) devices are by no means exclusive mechanisms that can only be found in this area. They are rather the application of various measures at the software, operating system and network level to ensure information security.

Final Report of the Infrastructure Pentesting

We have developed a comprehensive reporting format that provides optimal insight into our work and its results. Pentests are conducted and evaluated according to the OWASP Mobile Security Testing Guide.

Our report is prepared according to recognized standards and includes a management summary, a technical summary and recommendations for action. The evaluation of the findings is based on the CVSS 3.0 standard.
Our detailed reporting format not only shows which vulnerabilities were identified during the pentest, but also which attack vectors were tested. This allows you to understand our work in an optimal way.
The final report is individually prepared and delivered both as a classic PDF document and in a special HTML format. In the dynamic HTML format, content and vulnerability findings can be filtered, sorted and exported to other formats.
In a joint final meeting, we discuss the details of the report with you and, if necessary, support you in eliminating the identified weaknesses.

Procedure of the Infrastructure Penetration Test

Pentests carried out by us are an agile process and are carried out in close consultation with the customer. The focus of the entire process is to review your network security and analyze the entire infrastructure.

Kick-off

The preparation of the pentest takes place in the context of a kick-off meeting with the technical and organizational responsible persons of your company. The framework conditions to be tested are specified, necessary user accounts and access routes are agreed, contact persons and escalation routes are defined and the pentest is discussed in detail together.

Manual & Automated Research

Our security engineers try to collect as much information as possible. Based on this information, analysis strategies are developed to identify possible attack vectors. These attack vectors of your networks are then examined for vulnerabilities in extensive tests.

Manual Exploitation

Here we try to exploit the identified vulnerabilities in order to gain access to the target systems, using new or existing exploit writings by our pentester, depending on the respective service or technical environment. Potential vulnerabilities can turn out to be false positives. Only verified vulnerabilities are included in the final report and are classified according to their criticality in accordance with CVSS 3.0.

Report

We have developed a comprehensive reporting format that provides optimal insight into our work and its results. It consists of a business risk analysis, management summary and a comprehensive test and vulnerability description. The criticality of the weaknesses and recommendations for action are described in detail.

Remediation (Optional)

We are happy to reassess the security weaknesses of your IT infrastructure to ensure that the defense mechanisms have been implemented correctly. It is important to us that our recommendations are implemented, therefore process activity is always free of charge.

Free Verification (Optional)

We are happy to re-examine the security weaknesses to ensure that the defense mechanisms have been implemented correctly. It is important to us that our recommendations are implemented, so this process activity is always free of charge.

Final Meeting & Certification (Optional)

In the final meeting, all critical points in the results report are discussed and all questions are clarified. Finally, we will be pleased to present you with a certificate as proof for your customers.