Questions and Answers on Penetration Tests

General questions and answers

The German Federal Office for Information Security defines a penetration test as follows:

A penetration test is a controlled, authorized attempt to gain access to IT systems and networks using hacking methods in order to identify vulnerabilities.

A penetration test differs from an audit or a security check in that the penetration tester specifically adopts the perspective of a real attacker in order to identify vulnerabilities and security risks using their methods and tools. In particular, this allows technical risks to be uncovered that would not be checked in an audit.

Penetration tests can be differentiated according to a large number of criteria. The BSI's study “Durchführungskonzept für Penetrationstests” (only in German available) even defines six different criteria. We generally only differentiate according to the type of penetration test and the information we receive in advance.

An external penetration test is carried out completely remotely via the Internet, without access to the client's internal network. The primary goal is usually to find a way to gain access to the internal network. An internal penetration test usually takes place directly in the client's network, rarely via VPN, and often aims to gain privileged rights from restricted network or user access. In a web application penetration test, a targeted web application, e.g. a web store or a customer portal, is tested for vulnerabilities.

In a white box penetration test, the penetration testers receive a range of information, e.g. IP addresses or system configurations. In a black box test, the testers do not receive any information and have to gather all the information themselves. As a rule, a white-box test with at least partial information is more efficient.

The costs of a penetration test depend on the type of penetration test, the desired depth of testing and the expected effort involved.

In the case of an external penetration test, the costs are primarily based on the number of public IP addresses. An external penetration test also includes typical content management systems, but does not cover complex web applications.

In an internal penetration test, the number of servers (including virtual ones) and the number of subnets, i.e. the various segments, are important. Clients are usually not all tested completely, but only individual selected systems. Complex web applications are not included here either. The number of testers on site and, of course, expenses and travel costs are also relevant.

It is particularly difficult with web applications. A simple web application can consist of a few forms that can be checked in a short time, but it can also consist of hundreds of API calls, which can take several days or weeks to check, even in a (partially) automated way. A meaningful estimate of the effort involved is sometimes only possible once the web application has been demonstrated and the API documentation is available.

The best thing to do is simply contact us. We will be happy to discuss the specific procedure and the required effort with you and provide you with a binding quote.

No, typically not.

For one thing, the result of the penetration test depends on many aspects. These include, in particular, the quality of the penetration testers, the depth of the test, i.e. the time available for the test, and the penetration test methodology, i.e. the specific test procedure.

On the other hand, a penetration test is always a snapshot in time. In the worst case scenario, new, previously unknown vulnerabilities are found the day after the test that were not visible in the test. A penetration test is therefore never a substitute for vulnerability management.

If you not only want to check technical security but also take a holistic view of the entire company, a necessarily technically oriented penetration test may not be ideal. In this case, a Cyber Security Check is a possible alternative. This examines technical aspects such as the configuration of firewalls, virus scanners and other security systems, organizational aspects such as usage and security guidelines and personnel aspects such as employee awareness and sensitization. If necessary, a cyber security check can also be combined with a vulnerability scan or an automated penetration test.

Legal aspects that must be taken into account during a penetration test

A penetration test requires various contractual agreements; in particular, we need a declaration of consent to carry out the penetration test.

The answer is somewhat more complicated if the systems are not operated by you but hosted in the cloud. For systems managed by you in the cloud (Infrastructure-as-a-Service, IaaS), most cloud providers have rules of engagement for carrying out penetration tests without the express permission of the cloud provider. For systems not managed by you (Platform-as-a-Service, PaaS or Software-as-a-Service, SaaS), the consent of the cloud provider is required in any case. For SaaS applications, however, this declaration of consent is usually not available.

Provided that the declaration of consent is complete and valid and, if applicable, the cloud provider's rules of engagement are complied with, a penetration test is completely legal.

We generally require four contractual agreements to carry out a penetration test:

Declaration of consent: The declaration of consent for the penetration test is the contractually and legally required authorization to defend against the various criminal law paragraphs. Care must be taken to ensure that all parties involved, e.g. client, Internet provider (in the case of hosted systems) and operator (e.g. in the case of outsourcing) have signed the declaration of consent.

Confidentiality agreement: The purpose of the confidentiality agreement is to protect the client's sensitive information. As a rule, the confidentiality agreement primarily binds the penetration testers, as the client may have to pass on information on vulnerabilities to service providers in order to rectify them.

Indemnity: As a contractor, we require an indemnity for consequential damages for which we are not responsible. For example, if a system crashes as a result of the penetration test and greater damage occurs due to missing or incomplete data backup, we cannot be held responsible for this.

Data processing agreement: If the penetration testers can gain access to personal data, e.g. user accounts and passwords, as part of the test, an agreement on the processing of this data should be concluded. This can also regulate the extent to which penetration testers are allowed to penetrate a vulnerability.

What happens during the penetration test?

Never on a large scale. Not with professional penetration testers. However, spontaneous system crashes or system restarts cannot always be avoided.

During external penetration tests of systems on the Internet, the systems are constantly scanned and attacked by others on the Internet anyway. If systems could be disrupted or damaged so easily, you would have noticed it long ago.

In internal penetration tests, embedded systems, control systems and process control technology are particularly at risk. These are often older systems with slow processors and little RAM, which do not tolerate aggressive attacks well. To avoid damage, we may need information from you about which network segments only contain servers and clients and can be scanned without risk and in which network areas non-standard systems are also operated.

In web applications, most vulnerabilities lead to unauthorized data access, i.e. a breach of confidentiality. However, to detect an SQL injection vulnerability, for example, it is sufficient to read out data. Modifying or even deleting the data is not necessary and is of course not done.

If we have found an exploitable vulnerability, we will discuss with you beforehand whether we can test an exploit, as this is the most likely way to cause damage. You can then assess whether and, if so, when the exploit attack can be carried out in order to minimize your risk. In the vast majority of cases, a failed attack only leads to a system crash, which usually only needs to be restarted. In a few cases, such a crash is also associated with a loss of data.

If we find a critical security gap during the penetration test, e.g. a vulnerability through which an attacker could penetrate your systems, but also unprotected personal data on the website by mistake, you will be informed by us immediately. You can then initiate countermeasures to secure your systems while the penetration test is still running.

Of course, we will also check afterwards whether the gap has been closed and include everything in our report.

The penetration test is finished, what happens now?

The penetration test report primarily consists of the potential vulnerabilities found with screenshots or log files. We document each vulnerability with an easy-to-understand explanation of the vulnerability and a risk assessment of these vulnerabilities based on the probability of occurrence and the potential damage. For each vulnerability, you also receive one or more recommendations for eliminating or reducing the risk and securing your infrastructure. These recommendations are also evaluated with expected costs.

You can transfer each of the weak points to your ticket system and check whether and which of our recommended measures are sensible and cost-effective for you. Once the critical risks have been processed, there is of course always the option of a follow-up test.

Our reports consist of at least these chapters:

• Management summary
• Penetration test procedure
• Potential vulnerabilities
• Results with assessment of the vulnerabilities
• Executive Summary

Of course, you will also receive a confirmation after the penetration test has been carried out. The confirmation contains the tested systems or applications, the test period, the test depth, i.e. the number of person days in the test and the result, e.g. no vulnerabilities according to OWASP Top 10. If the penetration test contains significant vulnerabilities, a confirmation may only be issued after a retest.

We will be happy to answer any questions you may have and present our approach and the possibilities of a penetration test, also in a video conference.

Simply make an appointment with us.