A pentest security audit helps identify existing security issues and evaluate the security measures an organisation currently has in place to defend itself against cyber attacks.
Insurance companies are requiring pentests and vulnerability assessments to reduce the residual risk. Hence, some IT departments need regular outside audits to sharpen their defences.
What is a Pentest?
The word “Pentest” is an abbreviation of “Penetration Test”. This is an examination of the internal and/or external cyber security of an organisation. The tests performed are intended to spot weak areas across the variety of systems used in a company (e.g., web servers, firewalls, servers, DMZ, SIEM, proxy servers, PBX). This investigation might also look at other systems and applications (e.g., cloud, virtual servers, thin clients, IoT, M2M).
The objective of such a pentest is to improve cyber security and reduce the likelihood of damaging security breaches.
Types of Pentests
When you look at the different network environments of an organisation, you need to consider which type of pentest to perform. Tests can be performed online or with lab-based pentest technology.
Furthermore, you can choose the level of information shared with the pentest audit team: White, Grey or Black Pentest (white-box, grey-box or black-box testing). In a black test the client does not provide any deep level of information about their infrastructure. A white test requires the client to share extensive information about their security, network and policies.
To check an internal network, the testers must be given access to that network segment. This happens either by having a team on site or by granting VPN access to the network. In the latter case, the lab-based technology accesses the network via VPN and performs its research.
Pentests require a structured approach
A security audit must be performed in a well-planned and structured way. If a test is done without a clear path, critical risk areas will be overlooked or insufficiently checked.
This could leave an area of high risk hidden in the dark. Hackers would then spot that weakness and use it to hurt the organisation.
Hence, a variety of internal and external network segments must be part of the audit.
The level of security can therefore only be thoroughly checked when there is a plan that follows a clear workflow. This is where checklists for each type of system help avoid gaps or forgotten parts of a specific penetration test sequence.
Pentest in Germany
Although our teams are based in Munich and Düsseldorf, pentests can be performed remotely or on site at a client's regional location.
Since we train our own cyber security experts, we will eventually have local teams based in Berlin, Stuttgart, Frankfurt a.M., Hanover and Hamburg.
As we cooperate with other organisations performing pentests in Germany and worldwide, we can help corporations and holdings with multinational networks.
Our partner locations are:
- Austria (Wien & Linz),
- the Netherlands (Amsterdam & Utrecht),
- United Kingdom (London, Liverpool, Edinburgh) and
- Poland (Warschau)
In the Americas we have cooperation partners in Canada (Vancouver & Toronto), the USA (FL, TX, CA) and Colombia.
Pentest BSI - Standards
The Bundesamt für Sicherheit in der Informationstechnologie (BSI) has developed a range of guides, recommendations and security standards. These include the so-called IT-Grundschutz Katalog.
The BSI has also made a range of good suggestions on how to perform a pentest. For very specific situations, the IS-Penetrationstest and IS-Webcheck must be completed.
Since every country and jurisdiction follows its own regulations, it is sensible to perform both a general pentest and a country-specific examination. Each audit must be matched to the current threat scenarios and the organisational characteristics. The risk profile is often an indicator of how severely an attack might escalate.
What is the typical flow of a Pentest?
A pentest follows clearly defined objectives, upon which the scope is set. The rules of engagement state what is allowed to be part of the simulated attack.
From there, a project team must list what kinds of systems (e.g., web server, proxy, Exchange server, database, WordPress) will be part of the test and which IP ranges will be examined.
The threat scenario sets the potential objectives of an attacker. Based on this, cyber security forensic auditors develop the attacker's profile, which describes the mindset, motivation and endurance of an attacking party.
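As an added illustration of turning the agreed scope and rules of engagement into something the project team can check every candidate target against before any tool is pointed at it (example code written for this page, not from the original text or the company it describes): the in-scope ranges, the excluded host, the testing window and the target list below are constructed sample values, not a real engagement.

```python
"""Rules-of-engagement scope check (added example, not part of the original page).

Encodes the scope agreed before a pentest: authorised IP ranges, hosts explicitly
carved out of scope, and the permitted testing window. Every target is checked
against these rules first, so nothing outside the agreement is ever touched.
All ranges, hosts and times are constructed sample values.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class RulesOfEngagement:
    in_scope: list = field(default_factory=list)   # networks the client authorised
    excluded: list = field(default_factory=list)   # hosts/ranges carved out of scope
    window_start: time = time(0, 0)                # permitted testing window (local time)
    window_end: time = time(23, 59)

    @classmethod
    def from_strings(cls, in_scope, excluded, window_start, window_end):
        """Build the rules from CIDR strings and "HH:MM" times."""
        return cls(
            in_scope=[ip_network(n, strict=False) for n in in_scope],
            excluded=[ip_network(n, strict=False) for n in excluded],
            window_start=time.fromisoformat(window_start),
            window_end=time.fromisoformat(window_end),
        )

    def _in_window(self, t: time) -> bool:
        # A window such as 20:00-06:00 crosses midnight; handle both shapes.
        if self.window_start <= self.window_end:
            return self.window_start <= t <= self.window_end
        return t >= self.window_start or t <= self.window_end

    def check_target(self, target: str, when: datetime):
        """Return (allowed, reason). Exclusions always win over in-scope ranges."""
        try:
            addr = ip_address(target)
        except ValueError:
            return False, f"{target!r} is not an IP address; resolve it and check the address"
        if any(addr in net for net in self.excluded):
            return False, f"{addr} is explicitly excluded by the rules of engagement"
        if not any(addr in net for net in self.in_scope):
            return False, f"{addr} is outside every authorised range"
        if not self._in_window(when.time()):
            return False, f"{addr} is in scope but {when.time().isoformat('minutes')} is outside the testing window"
        return True, f"{addr} is in scope"


def filter_targets(roe: RulesOfEngagement, targets, when: datetime):
    """Split candidate targets into (allowed, blocked) lists of (target, reason)."""
    allowed, blocked = [], []
    for t in targets:
        ok, reason = roe.check_target(t, when)
        (allowed if ok else blocked).append((t, reason))
    return allowed, blocked


# Constructed sample engagement: a DMZ range (TEST-NET-3) and an internal range
# are authorised, one production host is carved out, tests run 20:00-06:00.
SAMPLE_ROE = RulesOfEngagement.from_strings(
    in_scope=["203.0.113.0/24", "10.10.0.0/16"],
    excluded=["10.10.5.10/32"],
    window_start="20:00",
    window_end="06:00",
)
SAMPLE_TARGETS = ["203.0.113.7", "10.10.5.10", "10.10.7.3", "198.51.100.9", "www.example.test"]


def sample_report(when_iso: str = "2024-01-01T22:00"):
    """Run the constructed sample through the check; returns (allowed names, blocked names)."""
    allowed, blocked = filter_targets(SAMPLE_ROE, SAMPLE_TARGETS, datetime.fromisoformat(when_iso))
    return [t for t, _ in allowed], [t for t, _ in blocked]


if __name__ == "__main__":
    now = datetime.fromisoformat("2024-01-01T22:00")
    for ok, reason in (SAMPLE_ROE.check_target(t, now) for t in SAMPLE_TARGETS):
        print("ALLOW " if ok else "BLOCK ", reason)
```

The exclusion list is checked before the in-scope list on purpose: a host the client carved out stays off limits even when it sits inside an authorised range, which is the usual situation for a production database or a fragile legacy system. Hostnames are rejected rather than resolved silently, so the operator sees which address a name actually points to before it is tested.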
A black pentest follows the strategy of real attackers, who gradually chart the infrastructure of an organisation and evaluate where their chances of bypassing all security measures are highest.
As the pentest starts revealing organisational weaknesses, and with each successful step closer to the organisation's inner circle, the report grows in detail.
In some cases a client might want to test whether it is actually possible to enter the organisation and reach the deepest areas of its IT infrastructure. The evidence of a successful break-in then demonstrates how far an attacker could reach into the organisation.
Usually a security system should alert the organisation's security teams to an intruder. This is no guarantee that a SIEM or SOC will be able to detect, let alone repel, an attacker.