As an independent body, they conduct a penetration test, pentest for short, on behalf of companies to analyze the IT or corporate infrastructure for vulnerabilities that could severely impair confidentiality, integrity, or availability. The aim is to find out how well a company or its software can fend off internal and external attacks. The vulnerabilities uncovered are exploited in the same way a real attacker would exploit them.
Pentests are also important when checking compliance with standards such as ISO certifications or privacy and NIS directives, because they show clearly whether a company meets these requirements. The scope, tasks, and objectives are discussed in detail and approved by the client before each test.
A company can have many different kinds of vulnerabilities. There may be physical vulnerabilities such as open doors or missing access restrictions. Human vulnerabilities can be exploited by social engineering attacks of varying sophistication. Technical vulnerabilities allow intrusion into the corporate network where IT and OT security measures are lacking.
How is a pentest performed?
A pentest is carried out in several stages. First, information is gathered to identify potential targets and points of attack. Details are collected about access points, employees (who could be worthwhile targets), and technical applications and systems. This information is either provided directly by the customer or compiled through the testers' own research using common search engines, various social media channels, or specialized search engines.
In a second step, further information can be gathered on the basis of the data obtained. Server systems are scanned for open ports and vulnerabilities, while web applications are analyzed using an intercepting proxy. Every vulnerability reported by the scanners is verified manually, and false positives are discarded. For physical assessments, research using Google Maps is conducted, on-site checks are carried out, or office appointments are scheduled at this stage.
In the next step, the collected information is analyzed, detected vulnerabilities are actively exploited, or phishing campaigns are developed and carried out. For such a social engineering attack, credible content is created to get the tested employees to enter their access data at a fake login; competitions of any kind are especially suitable for this purpose. During the physical security check, lunch breaks and smoking breaks are used to enter the building together with other employees. Once inside, the goal is to find a suitable network port to connect a smuggled-in third-party device to the network. This device enables remote access to the company's network, either via the company's network itself or via a built-in LTE modem. Technical vulnerabilities are verified manually and often exploited using tools. The initial way into the company's network or the application is usually the biggest challenge.
Depending on the mission, the next step is to escalate the initial privileges on the compromised systems and acquire further rights in order to achieve the desired outcome. The aim is to obtain domain administrator rights, to gain access to protected systems, or to find particularly sensitive personal data.
All changes made to the systems are documented throughout the entire test period. This includes stored files, installed programs, and added user accounts. After the work has been completed, all changes are reversed to the extent possible.
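A minimal change ledger of the kind described above, as an added example that is not part of the original article: every file, program, or account a tester leaves behind is recorded per host, a cleanup plan is derived in reverse order of creation, and anything that could not be reverted is carried into the report as an open item. The field names and the three change types are this example's own assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Change categories named in the text: stored files, installed programs, added users.
CHANGE_TYPES = {"file", "package", "user"}


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class Change:
    host: str                 # system the change was made on
    kind: str                 # one of CHANGE_TYPES
    target: str               # file path, package name or account name
    note: str = ""            # why the change was necessary
    created: str = field(default_factory=_now)
    reverted: Optional[str] = None   # timestamp once undone
    blocker: str = ""                # reason it could not be undone


class ChangeLog:
    def __init__(self) -> None:
        self._changes: List[Change] = []

    def record(self, host: str, kind: str, target: str, note: str = "") -> Change:
        if kind not in CHANGE_TYPES:
            raise ValueError(f"unknown change type: {kind!r}")
        change = Change(host, kind, target, note)
        self._changes.append(change)
        return change

    def cleanup_plan(self) -> List[Change]:
        # Undo newest first: a file dropped into an added user's home must go
        # before the account itself is removed (assumed ordering rule).
        return [c for c in reversed(self._changes) if c.reverted is None]

    def mark(self, change: Change, blocker: str = "") -> None:
        # Either record the revert timestamp or the reason cleanup failed.
        if blocker:
            change.blocker = blocker
        else:
            change.reverted = _now()

    def open_items(self) -> List[Change]:
        # Everything still present on a client system belongs in the final report.
        return [c for c in self._changes if c.reverted is None]

    def report_lines(self) -> List[str]:
        return [f"{c.host}: {c.kind} {c.target} NOT REVERTED ({c.blocker or 'pending'})"
                for c in self.open_items()]
```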
At the end of each project, a comprehensive final report is drawn up, sent securely to the client, and presented on request. The report is the most important deliverable of each test. It describes in detail all measures taken and activities performed, as well as the vulnerabilities found and the recommendations for fixing them. Risks are assessed using a traffic light system and rated on a scale from low to high. Social engineering campaigns are anonymized in the report so that no conclusions can be drawn about individual employees. Such attacks must be approved by the works council, and incorrect behavior must not result in negative consequences for employees.
The management summary provides a compact overview of the problems discovered. It should help the respective management to quickly and easily understand the situation and to introduce corresponding measures. Pentests also help the management to determine whether internal and external policies are being correctly implemented and complied with.