We are also happy to advise you personally if you have specific questions about penetration testing for your company.

Nikolas Rösener
Security Expert
- cyber-security@ohb-ds.de
- 0421220950
The world is increasingly networked and no company can do without the Internet. This is why IT security affects every company without exception. However, every company is different and therefore has different requirements and prerequisites for its own IT security. Pentesting can be used to expose and eliminate security gaps in your own company. But what exactly is a pentest and which type of pentest is the right one?
A pentest is a security test in which a so-called "pentester" attempts to penetrate a computer system or network, for example, in order to check its security and uncover any existing vulnerabilities. This test is often carried out by companies to ensure that their systems and networks are protected against external attacks. A pentest also uses various techniques and tools to check the security of the system for possible vulnerabilities and improve it if necessary.
The different types of pentests are classified as black box, white box or gray box. But how can this classification help in deciding on the right pentest?
Certain results are predetermined by the type of pentest selected. Depending on which scenario is chosen, the direction and result of the pentest are already limited. Other factors that limit the choice of pentest are the economic benefit (effort, costs) and the realism of the scenarios. The aim should be to optimize both.
In black box scenarios:
- the pentesters have no insider knowledge or prior knowledge of the company
- a situation is simulated in which unknown persons from outside attempt to penetrate the company's IT infrastructure
- the focus is on obvious problems, but vulnerabilities such as the intern scenario (internal threats) can easily be overlooked

In white box scenarios:
- the hackers have extensive knowledge of the company's IT infrastructure and are, or may even have been, part of the company (staff)
- even more obscure vulnerabilities can be uncovered thanks to the full view of all systems
- however, the result of the pentest and the prioritization of IT vulnerabilities often bear little relation to real threats, and pentesters may increasingly lose their "neutral view" in the future as well

In gray box scenarios:
- the pentesters have some insight and prior knowledge of the company
- scenarios can be simulated in which, as is often the case in reality, no clear distinction can be drawn between internal and external threats

In addition to the classification of pentests into white box, black box and grey box scenarios, there are other types and designations that we would like to discuss in the following section for the sake of completeness.

An external pentest is a security test in which the pentester attempts to penetrate a company's network and systems from outside. The counterpart is the internal pentest, where the attack is simulated by an insider. Internal pentests are often used, for example, to penetrate an employee's email account (phishing attack).
A blind penetration test (also known as a closed-box penetration test) is a form of security test in which the testers have no information about the system or network to be tested. They begin the test without any prior knowledge and attempt to uncover possible vulnerabilities and security gaps. This type of pentest can be considered more realistic, as in real life it is possible that attackers have no information about the target and therefore have to sneak their way into the system.
A DoS (Denial of Service) test is a security test that attempts to overload a target system by bombarding it with a large number of requests. The purpose of this test is to check the stability and robustness of the system and to determine how it reacts to such a load.
A network pentest is a security test that uncovers potential vulnerabilities and security gaps in the network infrastructure. The entire internal infrastructure is assessed and checked for security risks, and measures are developed to close any security gaps identified. A network pentest is suitable for companies of all sizes, as nowadays almost all companies work with sensitive data and process or send it via the internal network, for example.
An application penetration test (sometimes referred to as an app pentest or simply an app test) is a type of security test that aims to uncover any vulnerabilities and security risks in an application (e.g. a computer program or mobile app).
These tests are carried out by experts who attempt to attack the system in the same way as a hacker would (also known as "ethical hacking"). The aim is to check the security of the application and ensure that it has no vulnerabilities that could be exploited by hackers. Unlike other types of penetration tests that focus on the entire network or system, an application penetration test specifically targets individual applications and attempts to identify and fix vulnerabilities in those applications.
Social engineering is a special form in which attackers attempt to obtain confidential information from people by persuading them to voluntarily grant them access to such information. This can be done in various ways, for example by the attackers posing as trustworthy persons (e.g. as employees of a company or as service providers) and thus persuading the victims to disclose confidential information such as passwords or access data. Attackers generally do not need any technical skills for social engineering. Instead, they use their skills in psychology and social influence to deceive victims and elicit confidential information from them.
This can also happen indirectly via phishing attacks, which is why phishing simulations are often used in penetration testing. Employees should also be regularly sensitized to such attacks through awareness training.
In addition to the aforementioned types of pentests, there are countless other classifications. These include cloud penetration testing, client penetration testing and red teaming. We would be happy to advise you individually on the sensible use of pentests for your company.
The formulation of a clear objective is a basic prerequisite for the success of the pentest and also makes sense from a time and economic perspective. You need to consider what you want to achieve with the pentest. The goal can range from "simply seeing the weak points" to "recognizing where the biggest business-relevant problems lie in the company". Is the priority the protection of sensitive data from third parties or protection against a business failure due to cyber attacks, or is the focus on fulfilling legal obligations or quality management?
In fact, it is often worthwhile not only to decide on a single scenario from the three categories, but also to take a look at the possibilities of the scenarios in the other two categories. For example, selecting a pure black box scenario carries the risk of not even uncovering internal sources of danger. In many companies, the problems that these internal scenarios reveal are very obvious ones. New interns or student trainees in the company often unintentionally or unknowingly gain access to all of the company's sensitive data. Another common danger is a lack of sensitivity on the part of employees when dealing with passwords. However, such scenarios are often not considered in black box pentests. A carefully selected scenario that covers a realistic middle ground between black box and white box can reveal both in this case. It therefore always makes sense to select both a black box pentest scenario and a social engineering pentest.
It is usually too time-consuming and often too cost-intensive to test a company's entire IT infrastructure and carry out all kinds of pentests. It is therefore helpful to check in advance which area is most vulnerable and where the greatest damage could be done to the company. Once you have carefully decided on a suitable pentest, ideally 20% of the testing effort can cover 80% of the security gaps according to the Pareto principle.
Penetration testing and vulnerability assessment are two different types of security testing, both designed to identify vulnerabilities in a system or, for example, a network environment. The main difference between the two approaches is that penetration testing actually attempts to access and exploit these vulnerabilities to determine whether they actually pose a security risk, whereas vulnerability assessments are limited to simply uncovering vulnerabilities.
Typically, penetration tests are performed by security professionals (called pentesters) who attempt to attack the system in the same way a hacker would, while vulnerability assessments are often performed by internal IT teams who regularly monitor the system and identify and fix vulnerabilities. In general, penetration tests provide a higher level of security as they actually actively try to exploit vulnerabilities and determine whether they pose a security risk.
Once the pentest has been carried out by the commissioned pentesters with the right objectives and scenarios, a list of weak points is produced. However, this list alone does not solve a single problem, nor does it provide any advice. In order to be able to respond effectively to vulnerabilities in the company's IT, these must first be prioritized, because of course not all problems can be resolved at once. To this end, the risks that are frequent and have a major impact should be prioritized (e.g. with the help of the Eisenhower matrix). A well-dimensioned pentest can provide most of this prioritization. The aim should be to fix the most realistic, most expensive and most damaging scenarios for the company first. It is therefore necessary to think about which areas of the company are vulnerable, which of these are particularly important and to become aware of the serious dangers and risks to which you are exposed. To do this, it is essential to know your own requirements.
However, the most important thing is to react to the results of the pentest and take action. If I remain passive after the pentest and do not change anything in the company to ensure greater IT security and close my own security gaps, then any pentest, no matter how comprehensive and cost-intensive, will be ineffective.
Use the knowledge from space travel for your business. OHB Digital Services GmbH has been a reliable partner for secure & innovative IT solutions for many years. We are part of one of the most successful space and technology companies in Europe. With our products and services, we support you in the digitalization of your business processes along the value chain and in all security-related issues. Please feel free to contact us.
