The world is increasingly connected, and no company can do without the Internet. That is why IT security now affects every company without exception. But every company is different and accordingly has different requirements and prerequisites for its own IT security. With pentesting, the security gaps in your own company can be exposed and eliminated. But what is a pentest, and which pentest is the right one?
The scope must be clear in order to find the right one among the multitude of scenarios
The different types of pentests are classified into black box, white box or gray box. But how can this classification help in deciding on the right pentest?
The type of pentest selected already determines certain results. Depending on which scenario you choose, the direction and the result of the pentest are already narrowed down. Other factors that limit the choice of pentest are the economic benefit (effort, costs) and the realism of the scenarios. The aim should be to optimize both.
Use the scenarios in a targeted manner
Formulating a clear goal is a basic requirement for the success of the pentest and also makes sense from a time and economic point of view. You have to think about what you want to achieve with the pentest. The goal can range from "just seeing the flaws" to "identifying where the biggest business problems in the company are". Is the priority on protecting sensitive data from strangers, on protection against operational downtime due to cyber attacks, or is the fulfillment of legal obligations or quality management in the foreground?
In fact, it is often worthwhile not only to decide on a single scenario from the three categories, but also to take a look at the possibilities of the scenarios in the other two categories. An example: choosing a pure black box scenario bears the risk of not discovering internal sources of danger at all. In many companies, the problems that such internal scenarios reveal are very obvious ones. New interns or working students in the company often accidentally or unknowingly gain access to all of the company's sensitive data. Another common danger is a low level of sensitivity on the part of employees when dealing with passwords. However, such scenarios are usually not considered in black box pentests. A carefully chosen scenario that covers a realistic middle ground between black box and white box can reveal both kinds of problem. It therefore always makes sense to select both a black box pentest scenario and a social engineering pentest.
It is usually too time-consuming and often too cost-intensive to test the entire IT infrastructure of a company and to carry out all kinds of pentests. It is therefore helpful to check in advance which area is most vulnerable and where the greatest damage could be done to the company. If you have carefully chosen a suitable pentest, then ideally, following the Pareto principle, 20% of the test effort can cover 80% of the security gaps.
Solutions require priorities; the pentest alone is not enough
Once the commissioned pentesters have carried out the pentest with the right objective and the right scenarios, you obtain a list of weak points. However, this mere list does not solve a single problem, and it is still a long way from providing advice. In order to react well to weak points in the company's IT, these must first be prioritized, because of course not all problems can be resolved at once. For this purpose, the risks that are frequent and have a major impact should be prioritized (e.g., with the help of the Eisenhower matrix). A well-scoped pentest can for the most part provide this prioritization. The goal should be to fix the most realistic, costly and business-damaging scenarios first. So you have to think about which areas in the company are vulnerable and which of them are particularly important, and become aware of the serious dangers and risks you are exposed to. For this it is essential to know your own requirements.
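The prioritization described above can be made concrete. The following is an added example, not code from the original article or from OHB Digital Services: it scores each finding by likelihood times impact, maps it onto an Eisenhower quadrant (treating likelihood as "urgent" and impact as "important", which is this example's assumption), sorts the list, and then checks how much of the total risk a fixed share of the remediation effort actually covers, so the "20% effort for 80% of the gaps" expectation is measured rather than assumed. The findings, scores and effort figures are constructed sample data.

```python
"""Triage of pentest findings by likelihood and impact (added example)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    """One weak point from a pentest report (hypothetical structure)."""
    title: str
    likelihood: int       # 1 = rare ... 5 = frequent / trivially reachable
    impact: int           # 1 = negligible ... 5 = business-critical
    fix_effort_days: float


# Constructed sample findings, not real results from any engagement.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("Default credentials on admin portal", 5, 5, 0.5),
    Finding("Interns' accounts in Domain Admins group", 4, 5, 1.0),
    Finding("Outdated TLS config on public site", 3, 2, 0.5),
    Finding("Verbose error pages", 4, 1, 0.25),
    Finding("Unpatched legacy file server", 2, 5, 5.0),
    Finding("Missing rate limiting on login", 3, 3, 2.0),
    Finding("Shared password in team wiki", 5, 4, 0.5),
]


def risk_score(f: Finding) -> int:
    """Likelihood x impact: the usual risk-matrix product."""
    return f.likelihood * f.impact


def quadrant(f: Finding, threshold: int = 3) -> str:
    """Place a finding in the Eisenhower matrix.

    Assumption of this example: high likelihood makes a finding 'urgent',
    high impact makes it 'important'.
    """
    urgent = f.likelihood >= threshold
    important = f.impact >= threshold
    if urgent and important:
        return "do first"
    if important:
        return "schedule"
    if urgent:
        return "delegate"
    return "defer"


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest risk first; among equal risk, the cheaper fix first."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.fix_effort_days))


def pareto_plan(findings: List[Finding],
                effort_fraction: float = 0.2) -> Tuple[List[Finding], Tuple[int, int]]:
    """Select findings in priority order until the effort budget is used up.

    Returns the selected findings and (risk covered, total risk), so the
    share of risk removed by a given share of effort can be checked.
    """
    budget = effort_fraction * sum(f.fix_effort_days for f in findings)
    total_risk = sum(risk_score(f) for f in findings)
    selected: List[Finding] = []
    spent = 0.0
    for f in prioritize(findings):
        if spent + f.fix_effort_days > budget:
            break
        selected.append(f)
        spent += f.fix_effort_days
    covered = sum(risk_score(f) for f in selected)
    return selected, (covered, total_risk)


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f):>3}  {quadrant(f):<9}  {f.title}")
    chosen, (covered, total) = pareto_plan(SAMPLE_FINDINGS, 0.2)
    print(f"\n20% of effort fixes {len(chosen)} findings and "
          f"covers {covered}/{total} of the risk score")
```

With the sample data, 20% of the effort fixes the two cheapest high-risk findings and covers roughly half of the summed risk score, not 80%: the Pareto ratio is a target to verify per engagement, not a law, and the larger expensive items (here the legacy file server) are exactly the ones a prioritized plan has to schedule explicitly.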
The most important thing, however, is to act on the results of the pentest and take action. If I remain passive after the pentest and do not change anything in the company in order to ensure more IT security and to close my own security gaps, then even the most comprehensive and cost-intensive pentest is ineffective.
Your journey with OHB Digital Services
Use the knowledge from space travel for your business. OHB Digital Services GmbH has been a reliable partner for secure & innovative IT solutions for many years. We are part of one of the most successful space and technology companies in Europe. With our products and services, we support you, among other things, with the digitization of your company processes along the value chain and with all security-related issues. Please contact us.