What kind of pentest do I need?

A pentest must be performed with the right objective and scenarios in order for it to be beneficial.

Pentest definition

A pentest is a security test in which a so-called "pentester" attempts to penetrate a computer system or network, for example, in order to check its security and uncover any existing vulnerabilities. This test is often performed by companies to ensure that their systems and networks are protected against external attacks. A pentest also uses various techniques and tools to check the system's security for possible vulnerabilities and improve it if necessary.

What types of pentests exist?

The dimension must be clear in order to find the right one in the multitude of scenarios

The different types of pentests are classified as Black Box, White Box or Grey Box. But how can this classification help in deciding the right pentest?

Mit der Art des ausgewählten Pentest werden gewisse Ergebnisse vorgegeben. Je nachdem, für welches Szenario man sich entscheidet, ist auch schon die Richtung und das Ergebnis des Pentests eingegrenzt. Weitere Faktoren, die die Wahl des Pentests einschränken, sind der ökonomische Nutzen (Aufwand, Kosten) und die Realitätsnähe der Szenarien. Ziel sollte es sein, beides zu optimieren.

In addition to the classification of pentest into white-box, black-box and grey-box scenarios, there are other types and designations that we would like to discuss in the following section for the sake of completeness.

We would like to advise you personally if you have specific questions about penetration testing for your company

Types of pentests

An external pentest (also called external pentest) is a security test in which the pentester attempts to penetrate a company's network and systems from the outside. The counterpart is the internal pentest, where the attack is to be simulated by an insider. Internal pentests are often used, for example, to penetrate an employee's email account (phishing attack).

A blind penetration test (also known as a closed-box penetration test) is a form of security testing in which the testers have no information about the system or network under test. They begin the test with no prior knowledge and attempt to uncover potential vulnerabilities and security holes. This type of pentest can be considered more realistic, as in real life it is possible that attackers have no information about the target and therefore have to sneak their way into the system.

A DoS (Denial of Service) test is a security test that attempts to overload a target system by bombarding it with a large number of requests. The purpose of this test is to check the stability and robustness of the system and to determine how it reacts to such a load.

A network pentest is a security test that uncovers potential vulnerabilities and security gaps in the network infrastructure. The entire internal infrastructure is assessed, checked for security risks and action measures are developed to close any identified security gaps. A network pentest is suitable for companies of all sizes, since nowadays almost all companies work with sensitive data and process or send it via the internal network, for example.

An application penetration test (sometimes also referred to as an app penetration test or simply app testing) is a type of security test that aims to uncover any vulnerabilities and security risks that may exist in an application (e.g., a computer program or mobile app).

These tests are performed by experts who try to attack the system in the same way a hacker would (also called "ethical hacking"). The goal is to verify the security of the application and ensure that it has no vulnerabilities that could be exploited by hackers. Unlike other types of penetration testing that focus on the entire network or system, an application penetration test specifically targets individual applications and attempts to identify and fix vulnerabilities in those applications.

Social engineering is a special form in which attackers try to obtain confidential information from people by getting them to voluntarily grant them access to corresponding information. This can be done in various ways, for example, by the attackers posing as trustworthy people (e.g., as employees of a company or as service providers) and thus persuading the victims to reveal confidential information such as passwords or access data to them. In social engineering, attackers usually do not need technical skills. Instead, they use their skills in psychology and social influence to deceive victims and elicit confidential information from them.

This can also happen indirectly via phishing attacks, among other things, which is why so-called phishing simulations are also used more frequently in penetration testing. Employees should also be regularly sensitized to such attacks through awareness training.
In addition to

In addition to the types of pentests mentioned, there are countless other classifications. These include cloud penetration testing, client penetration testing and red teaming. We would be happy to advise you individually on the sensible use of pentests for your company.

Using pentests in a targeted and effective way

What is the difference between a pentest and a vulnerability assessment?

Penetration testing and vulnerability analysis are two different types of security testing, both of which are used to identify vulnerabilities in a system or, for example, in a network environment. The main difference between the two approaches is that penetration tests actually attempt to access and target these vulnerabilities to determine whether they actually pose a security risk, while vulnerability assessments are limited to simply detecting vulnerabilities.

Typically, penetration testing is performed by security professionals (known as pentesters) who attempt to attack the system in the same way a hacker would, while vulnerability assessments are often performed by internal IT teams who regularly monitor the system and identify and remediate vulnerabilities. In general, penetration testing provides a higher level of security because it actually actively attempts to exploit vulnerabilities and determine if they pose a security risk.

Solutions require priorities, the pentest alone is not enough

Once the pentest has been carried out with the objective and the right scenarios by the commissioned pentesters, a list of weak points is obtained. However, this mere list has not solved a single problem, nor has it provided any advice. In order to respond well to vulnerabilities in corporate IT, they must first be prioritized, because of course not all problems can be fixed at once. To do this, the risks that are frequent and have a large impact should be prioritized (e.g., using the Eisenhower matrix). A well-dimensioned pentest can provide this prioritization for the most part. The goal should be to fix the most realistic, costly and damaging scenarios to the business first. So you have to think about which areas in the company are vulnerable, which of them are particularly important and become aware of the serious threats and risks you are exposed to. To do this, it is essential to know your own requirements.

The most important thing, however, is to react to the results of the pentest and take action. If I remain passive after the pentest and do not change anything in the company to ensure greater IT security and close my own security gaps, then any pentest, no matter how comprehensive and cost-intensive, will be ineffective.

Your journey with OHB Digital Services

Benefit from the knowledge gained from space travel for your business. OHB Digital Services GmbH has been a reliable partner for secure & innovative IT solutions for many years. We are part of one of the most successful space and technology companies in Europe. With our products and services, we support you, among other things, in digitizing your business processes along the value chain and in all security-related issues. Please feel free to contact us.

Learn more about penetration testing and how it can be used for your company

Does this sound interesting for you and your company?
Then get in touch with us.