IT systems and networks in companies must be secure. This is the only way to ensure an adequate level of protection for sensitive company data and customer information against attacks. Ongoing security scans help here, as do penetration tests, a highly recommended way of checking how exposed your own IT systems are to cyberattacks. But how does a penetration test, often shortened to pentest, actually work? What types of pentest are there, and why are they important?
In a nutshell, pentests are simulated attacks on computer systems, networks or web applications, carried out at the request of the company that owns them. The main goal is to track down gaps in IT security that would make it easy for a real attacker to break in. The specialists from the commissioned pentesting company then report which vulnerabilities and security loopholes they found and give their assessment of the current security situation. Pentests are a proactive security measure: they explore what could happen and lead to concrete recommendations about which measures will prevent a successful attack before an incident occurs.
Let’s take a look at pentests in detail. There are several points companies should factor in when taking this precaution for their IT.
Ensure legal clarity
During a pentest, the commissioned specialists – often external IT security consultants or ‘ethical hackers’ – may gain access to very sensitive areas of a company and its data, depending on the circumstances. It is therefore essential that the company having the pentest conducted gives the pentesters explicit written permission to perform it, including what may be tested, when, and how far the testers may go. Without such an agreement, the pentest is indistinguishable from an illegal attack and can be treated as a criminal act. It’s equally important that the client actually has the legal right to have every system, application and network range in scope tested. Systems hosted by a provider, shared infrastructure or a partner’s services are not automatically the client’s to authorise. The client is responsible for establishing what truly belongs to them in legal terms and for documenting it, so that no third-party systems are tested or ‘attacked’ by mistake.
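One practical way to enforce the last point is a scope check that runs before any scan or exploitation step and refuses every target that is not explicitly on the authorised list. The following is an added example, not code from the original article or from Nevis; the authorised networks, host names, exclusion range and target list are constructed sample data standing in for what the signed authorisation would contain:

```python
"""Scope check run before a pentest touches anything.

Added example (not from the original article). Every target is checked
against the ranges and host names the client authorised in writing.
Anything outside that list, or inside an explicit exclusion, is refused,
so a typo or a stale DNS record cannot turn the test into an attack on a
third party. All scope data below is constructed sample data.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample scope. In practice this comes from the signed
# authorisation document, not from the tester's memory.
AUTHORISED_NETWORKS = ["10.20.0.0/16", "192.0.2.0/24"]   # 192.0.2.0/24 is a documentation range
AUTHORISED_HOSTS = {"www.example.com", "api.example.com"}
# Hypothetical exclusion: a subnet hosted by a third party that the
# client uses but does not own and therefore cannot authorise.
EXCLUDED_NETWORKS = ["10.20.99.0/24"]


def _networks(cidrs: Iterable[str]):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_scope(target: str,
             allowed: Iterable[str] = AUTHORISED_NETWORKS,
             hosts=AUTHORISED_HOSTS,
             excluded: Iterable[str] = EXCLUDED_NETWORKS) -> bool:
    """Return True only if the target is explicitly authorised and not excluded."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP address: treat it as a host name and require an exact match.
        # Wildcards are deliberately unsupported; scope must be spelled out.
        return target.lower().rstrip(".") in hosts
    # Exclusions win over allowances, so an excluded subnet inside an
    # allowed range is still refused.
    if any(addr in net for net in _networks(excluded)):
        return False
    return any(addr in net for net in _networks(allowed))


def filter_targets(targets: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split a target list into (accepted, refused) before any tool is run."""
    accepted, refused = [], []
    for t in targets:
        (accepted if in_scope(t) else refused).append(t)
    return accepted, refused


if __name__ == "__main__":
    # Constructed target list: two in scope, one in the excluded subnet,
    # one public address that belongs to somebody else, one unknown host.
    targets = ["10.20.1.5", "www.example.com", "10.20.99.7",
               "203.0.113.9", "evil.example.org"]
    ok, bad = filter_targets(targets)
    print("accepted:", ok)
    print("refused :", bad)
```

The check is intentionally strict: host names must match exactly and exclusions override allowances. Refused targets should be raised with the client rather than silently dropped, since a target the tester expected to be in scope but which is not on the list usually means the scope document is incomplete.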
Why companies need pentests
A pentest is about finding vulnerabilities that an intruder could exploit, by running simulated attacks against the company’s systems and computers. This brings companies a number of benefits:
- Preventing successful attacks and keeping systems up-to-date
- Avoiding outages and data theft
- Averting damage, both from a financial point of a view and in terms of reputation
- Meeting legal provisions to do with data protection and compliance
How pentests are conducted
What types of pentest are there, then? Certain parameters need to be set in advance to define the type of pentest more precisely. The primary factor is the objective: which area of the company do you want to put to the test, and what level of security do you want to verify? A common goal is to identify systems that are exposed to attack, attempt to compromise them and then show how far an attacker could get, for example by accessing data. Next, you need to define exactly what is to be tested, e.g. the IT infrastructure (such as firewalls or VPN gateways) or specific web applications.
The testers’ prior knowledge of the system in question also needs to be agreed. There are three levels:
- For a black-box test, the testers have no prior knowledge and see the systems as an outside attacker would
- For a grey-box test, the testers have some information, such as user accounts or network diagrams
- For a white-box test, the testers know the company and its IT systems in detail, often including source code and configurations
Whether the pentest is performed using automated tools, manually or as a combination of both also makes a difference. How extensive a pentest should be depends on how exposed the system, application or network is and how critical it is to the business.
The result of the pentest allows conclusions to be drawn about how solid and robust the company’s current security level is, and also about which tools, strategies and techniques attackers could use against it. A test log drawn up by the person responsible for the pentest records in detail which steps were carried out.
Having penetration tests performed by experts
Once the decision has been made to run a pentest, the next question is: who should perform it? Nowadays, many companies have their own IT experts in-house. But these experts don’t usually have the specialist attack knowledge required, and they cannot easily verify their own systems critically and objectively from the perspective of an outside attacker. It’s therefore advisable to commission external service providers to run pentests.
It’s important to remember that a pentest does not run continuously, unlike ongoing security scans; it only provides a snapshot of the security situation at the time of testing.
This in turn raises the question: how often should a company run pentests? There is no one-size-fits-all answer. How often a pentest is advisable depends on the size of the company, the industry and how quickly its systems change. For companies that are very large, work in an exposed sector (such as finance) or process a lot of customer data, it’s worth investing in pentests more often. But smaller companies that rely on a functioning IT system – and who doesn’t that include today – also benefit from the gain in security. And by the way, we here at Nevis regularly have pentests performed by an independent institute.
But when choosing your pentesters, you need to be cautious: there are some fraudsters operating on the market. The Swiss IT magazine Netzwoche recently reported on a pentesting company founded by none other than criminal hackers.
After the pentest
Following the pentest, the client receives not only the test log but also a final report. This lists the security loopholes that were found, rates their severity and gives recommendations for action and solutions for the problems uncovered. Depending on the provider, the pentesters may also offer to remedy the vulnerabilities and carry out the measures necessary to raise security, such as updates, patches or upgrades for the systems in use. Staff training can also raise awareness of IT risks at the classic weak spot: people.