Penetration tests (also called pen tests) are a common method in IT for testing networks and IT systems for security gaps and vulnerabilities. They use the same methods that hackers use. This article explains how a pentest works and how companies should use it for IT security.
Content of a pentest
Penetration test is the technical term for a comprehensive security test in computer science. With a pentest, individual computers or entire networks and IT systems can be subjected to a security check, which is particularly interesting for companies, as networks and cloud solutions are playing an increasingly important role. A pentest uses tools and methods that a hacker would also use. The aim is to determine how vulnerable and sensitive a system is to such an attack. Because the security risk of a pentest can be very high, there are legal requirements. Penetration testing should also only be performed by people with specific expertise in the field, and the right penetration testing platform should be chosen.
Pentest classification scheme
These six criteria make pen tests transparent and structured for the customer:
- Starting point
- Information base
The goals of a penetration test are:
- Identifying weaknesses in IT
- Identifying possible errors or risks due to incorrect operation
- Improving technical and organizational security
- Confirmation of IT security by an IT service provider
In practice, an external IT service provider can use these criteria to put together an individual pen test.
Process description of a penetration test
A penetration test is usually a five-step process defined by the BSI. The objectives and the test setup are worked out together with the customer in the preparatory phase. In the information gathering phase, as much relevant information as possible about the system to be tested is gathered. This information is then analyzed and evaluated in the evaluation phase. The actual penetration tests then take place. All results are finally summarized in a report. This report should also contain recommendations on how to deal with the discovered vulnerabilities. Documentation is also created for each of the five phases.
However, it is important to bear in mind that pen tests represent a snapshot of the system. An error-free test does not rule out the possibility of new security gaps arising. The advantage, however, is that the causes of the security gaps found are revealed, so they can then be permanently remedied. The measures derived from the test results can range from more comprehensive support to decommissioning.
Which risks have to be considered in penetration tests?
IT operations may be disrupted during the individual test phases. In particular, however, disruptions can occur during intrusion attempts. DoS attacks attempt to disable individual computers, services or network segments. Such DoS attacks should therefore take place outside the normal usage times of the system to be tested.