In the field of IT security, a penetration test, or pentest for short, is an authorized, commissioned test for vulnerabilities in IT infrastructure. As such, it is the legal counterpart to a criminal hack.
Every unauthorized intrusion is referred to in technical jargon as a penetration. A pentest is designed to examine a client’s system (network, server, computer) for possible vulnerabilities by simulating unauthorized access.
Access to sensitive data is a particular consideration here. The aim of the test is to reduce the risk of cyberattacks, because the results reveal deficiencies in IT security. Eliminating these deficiencies, however, is not part of the penetration test; it is usually the responsibility of the commissioning company.
The scope and depth of a penetration test carried out by a professional IT expert can vary greatly from company to company. Typical test areas are security barriers such as a web application firewall, web-based applications, containers, their interfaces (APIs) and servers. Configuration errors and vulnerabilities are made visible through intensive attack attempts.
Penetration tests should be distinguished from similar terms in the field of IT security:
Pentests can be carried out for many IT applications:
This type of penetration test analyzes what happens if employee data is stolen or a so-called inside job is carried out. The test therefore assumes an attack using data that is available to employees.
This is the classic test model. It simulates an attack by hackers who only have access to the company’s external website and the systems used via the internet. This also includes targeted overloading of the external connection through DDoS attacks.
This method does not require any precise agreements. The service provider receives the name and consent of the company, but no further input. This allows the IT security experts to react to access attempts in real time without knowing the penetration tester’s exact approach beforehand. This model is suitable, for example, for obtaining an objective assessment of your own IT security from a third party with expertise.
Another variant is the double-blind test. The difference from the blind test is that the company's own responsible IT specialists are not informed either. This makes it possible, for example, to test the team's ability to react to an incident, or the execution of a response plan, under real conditions.
Every service provider probably has its own procedure, but there are typical phases and frameworks that are used in the industry. The Federal Office for Information Security (BSI) publishes a detailed guide on the subject (in German).
In the first phase, the pentest is designed – specifically for the individual customer.
The design of the test is developed using this information. The BSI offers a scheme to classify six important test criteria more precisely. These are aggressiveness, scope, information base, approach, technique and starting point.
This phase starts the search for one or more vulnerabilities that would allow access. Precise documentation of the procedure is particularly important here. Code is examined at the level of the individual applications.
In the third phase of a pentest, the systems are attacked with everything that was defined in the test design. The goal is now to gain access via the vulnerabilities found in step 2. Possible attacks are:
If access is successful, the test has the task of exploring all penetration possibilities because this is exactly how cyber criminals would proceed.
At this stage, the aim is to check whether access can be maintained permanently (persistence). The aim of most cyberattacks is to gain access that remains undetected for as long as possible (advanced persistent threat).
During this time, the appropriate malware can be loaded at leisure. Resourceful hackers work their way from unit to unit until they have reached the level where the most sensitive data is stored or from where they have as much control as possible over the company’s IT systems.
It often takes time to reach this depth. A penetration test is therefore used to check how quickly the spread can take place and when relevant security systems sound the alarm.
The results are based on detailed documentation of all actions during the check. Once test phases 2-4 have been completed, the observations and conclusions are usually compiled in the form of a report. The following information is presented in this report:
Some pentesters also prepare recommendations for action for their customers.
Companies and organizations should proceed with the utmost caution when making their selection. Similar to providers for physical security in the company, experience and trust are important factors in this line of work.
Pay particular attention to qualification and certification when making your selection. A contract with clear service level agreements is also important. A contract should definitely include the following points:
The German Federal Office for Information Security (BSI) provides a list of certified providers for penetration tests. The test must not be started until the client has given its approval.
The right approach is important for deriving tasks: Every penetration test is only a snapshot of the state of IT security. A few days or weeks later, a similar test could be completely different.
The reason is that providers are constantly releasing new updates and patches that close existing vulnerabilities, while at the same time new vulnerabilities emerge.
Which tasks follow from a completed pentest depends entirely on the results:
A list of priorities should be derived from the report in order to eliminate vulnerabilities as efficiently as possible.
The worst-case scenario is that companies end up with dubious providers who use the knowledge gained for criminal activities. This could include, for example, selling information on vulnerabilities in hacker forums or the unauthorized extraction and storage of data. This makes it all the more important to check the references of the chosen service provider.
A pentest should not actually paralyze the business, but human error can occur during the test. Incorrect agreements, vague wording in the order or misunderstandings are all possible scenarios that could cause a system failure.
Another classic problem is if system maintenance is being carried out at the same time as the test, as this can have a significant impact on the result. Coordination between all departments involved and external service providers (remote maintenance) is therefore essential. The exception, of course, is double-blind tests, where an unforeseen attack is desired.
Both sides should ensure that the scope of the test objectives is precisely defined. Furthermore, the client must ensure that every agreed target is, without exception, the property of its own company and can be legally separated from third-party systems. Anyone who inadvertently attacks and/or paralyzes the cloud service or a web application of a third-party provider could get into serious legal trouble.
A penetration test carried out in good faith without the consent of the service provider could be considered a real cyberattack under criminal law. Before starting the test design, the rights to all components must be checked. This includes hardware (servers), software (applications) and other networks (cloud services and interfaces).
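One way to make the ownership check described above concrete, as an added example that is not part of the article or of any BSI material: a small Python helper that compares a proposed target list against the assets the client has confirmed it owns, so that out-of-scope hosts are flagged before the test design is finalised. The network ranges, domains and target list are constructed sample values.

```python
"""Pre-engagement scope check (added example, not from the original article).

Every target the tester will touch is matched against the assets the
client has confirmed as its own property. Anything that does not match is
rejected so that a third party's cloud service or web application is
never hit by mistake.
"""
import ipaddress

# Constructed sample: assets the client has confirmed it owns.
# Address ranges are documentation ranges (RFC 5737 / RFC 3849).
IN_SCOPE = {
    "networks": ["192.0.2.0/24", "2001:db8:10::/48"],
    "domains": ["example.com"],  # a listed domain covers its subdomains
}


def _in_networks(host, networks):
    """True if host is an IP literal inside one of the agreed ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:          # a hostname, not an address
        return False
    # 'in' returns False for a version mismatch (v4 address vs v6 range).
    return any(addr in ipaddress.ip_network(n) for n in networks)


def _in_domains(host, domains):
    """True if host equals an agreed domain or is a real subdomain of it."""
    host = host.lower().rstrip(".")
    # endswith("." + d) prevents look-alikes such as example.com.evil.test
    return any(host == d or host.endswith("." + d) for d in domains)


def check_scope(targets, scope=IN_SCOPE):
    """Split targets into (allowed, rejected); rejected entries carry a reason."""
    allowed, rejected = [], []
    for target in targets:
        host = target.strip()
        if _in_networks(host, scope["networks"]) or _in_domains(host, scope["domains"]):
            allowed.append(host)
        else:
            rejected.append((host, "not in client-owned scope"))
    return allowed, rejected


if __name__ == "__main__":
    # Constructed target list; the last three must be rejected.
    sample = ["192.0.2.17", "shop.example.com", "2001:db8:10::1",
              "198.51.100.5", "example.com.evil.test", "cdn.partner-provider.example"]
    ok, bad = check_scope(sample)
    print("allowed:", ok)
    print("rejected:", bad)
```

Anything that lands in the rejected list has to be either removed from the target list or explicitly added to the contract with the owner's written consent before testing starts.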
Anyone searching the Internet for a stress test for their own IT will quickly come across so-called IP stressers. These services offer to simulate DDoS attacks for a small fee.
However, extreme caution is required here. Many of these companies operate in a legal gray area. If it is not checked exactly which domain is being targeted, such service providers are not only acting highly unprofessionally but are also committing criminal offenses. Whether an IP stresser is operating legally or is actually a disguised criminal booter service (DDoS for hire) is often hard for buyers to see through.
Websites are deliberately professionally designed and search engine optimized so that they appear to be a respectable business model from the outside. Unfortunately, this is often just the polished entrance to a dark cellar.
A penetration test is also based on a completely different idea compared to legal IP stressers: instead of simulating a blunt DDoS attack, an individual pentest is designed specifically with the customer to cover several levels and IT risk factors.
In the case of DDoS attacks, for example, this can mean using several different attack techniques across all layers, whereas IP stressers usually only offer pure volumetric attacks (layers 3 and 4). The fact that pentests are priced differently should therefore not unsettle you.