Identify, assess and reduce risks
For large corporations, cyber security is a topic with a very high priority, and pentests are often already part of the IT security concept. Small and medium-sized enterprises (SMEs), on the other hand, too often neglect this field of work, which is existential for them, because of insufficient financial or human resources. Why is a pentest important, how long does it take, and how can its results be used in the company to improve IT security?
IT security review – The basis for efficient cybersecurity
Many small and medium-sized companies rely on classic defensive measures such as firewalls, passwords, access authorizations, VPNs (Virtual Private Networks) or similar technical controls to protect their IT infrastructure. Despite such security perimeters, professional hackers still manage to break through this barrier again and again and compromise a network.
No matter how high-quality the security technology, there are always vulnerabilities that can be exploited by cybercriminals. They want to steal and resell data, paralyze technically controlled business processes and extort a ransom from the company for their release, or deliberately sabotage them in order to achieve terrorist goals. For this reason, companies specializing in IT security checks, such as Redlings GmbH, have developed the pentest for companies.
In such a test, a trained IT security expert uses hacker knowledge in an attempt to penetrate the network or parts of it. In doing so, he identifies all known and potential vulnerabilities and exploits them in order to penetrate as deeply as possible into the IT infrastructure. A pentest is therefore basically a hacker attack approved by the commissioning company, which is carried out in a secure, previously agreed framework.
The cost of a pentest
Whenever a company offers a service, the costs can vary because they depend on various factors. The price-determining factors in a pentest are mainly scoping details, e.g. the number of network IP addresses, the complexity and number of (web) applications, as well as the number of employees, since they matter in the field of social engineering. Ultimately, the size of the project determines the cost.
Nevertheless, there are, of course, empirical values that can be used as clues. For a professional pentest conducted by IT experts, you can usually expect costs from about 10,000 euros. For very large projects, in which, for example, the entire network of a large corporation is tested by a whole team of experienced IT security experts, there may also be costs that exceed the amount just mentioned.
Duration of pentests
How long such a penetration test takes for companies depends mainly on the type or scope of the test. A network pentest, which includes the entire IT structure, can take up to several days. On the other hand, if only a single area, such as the cloud or the web application, is to be tested, the time frame can be much shorter. The duration also depends on the number of pentesters and the complexity of the IT infrastructure to be tested.
Other factors that affect the duration of a penetration test are, for example:
- whether a pentest takes place internally or externally (both tests are performed separately from each other)
- whether a physical pentest takes place (in which the building security and other infrastructures are tested)
- whether, and if so what, information about the network or user credentials will be provided by the company before the pentest
Pentest results as a basis for strengthened IT security in SMEs
All vulnerabilities identified in a pentest are documented by the pentester. Dr. Ewan Fleischmann, founder of Redlings, describes the advantages of a pentest by experts as follows: “Even if the procedure of a penetration test is methodical and structured, there is enough freedom for the experienced pentester to detect and exploit weaknesses with non-linear approaches. A good pentest is characterized by just the right mix of methodical approach, powerful tools, an eye for the business case, experience, and a creative use of knowledge about the latest attack tactics.”
Most vulnerabilities are misconfigurations, faulty software programming, passwords that are too weak, or session management that is not optimally set up. The final report, which is part of the penetration test for companies, lists the “gateways” found for hackers in detail and also describes step by step how they can be exploited.
The results of the pentest can thus serve the commissioning company to initiate targeted countermeasures that harden the identified weak points or close the loopholes completely. Here, however, it is advisable not to proceed with isolated individual measures and thereby create an IT security patchwork, so to speak. It makes more sense to put the existing security concept to the test on the basis of the pentest results and, if necessary, to develop a completely new security architecture. This means that all measures, such as new firewalls, authentication procedures, password management systems and other security measures, must go hand in hand, be networked and be thought through together.