Definition of “Pentesting”: What is Penetration Testing?
Penetration testing simulates a cyber attack on your system. These controlled attacks give developers, IT operations and the security department insight into the security of the system.
In penetration testing, internal or commissioned security specialists simulate cyber attacks on IT systems.
Penetration testing (pentesting or pen testing for short) is a process in which a cyber attack against your system is simulated. The aim of this controlled and monitored attack is to collect as much data as possible and to uncover vulnerabilities in the system's security.
Penetration testing does not refer to one predefined process for simulating this attack; it is rather an umbrella term that covers a range of practical attack methods. A pen test should also be distinguished from a vulnerability assessment, since the latter is primarily a scan and an assessment of the security mechanisms.
A penetration test, in contrast, actually carries out the attack under observed conditions. Closely related to pen testing is the concept of ethical hacking; after all, penetration testing is a hack carried out ethically. It differs from reputation and white-hat hacks by the agreement entered into between the company and the attackers.
Of course, a pen test can also be carried out internally. In many countries (including the whole DACH region), penetration testing is only legal if the test has been carefully defined and approved by the parties responsible for it.
What is Penetration Testing in practice?
To keep penetration testing safe in practice, to extract actionable data from an attack, and to ensure that the network is not compromised and no unintentional DoS occurs, a pen test should proceed through distinct phases.
Reconnaissance and planning
The first step of a pen test defines which system or systems are attacked for the test and to what extent the attacks take place. This raises not only technical but also legal questions, since companies may only release their own networks or systems for pen testing.
On the technical side, the hackers need to gather the relevant information about the specified systems in order to understand how the system works and which potential vulnerabilities could be exploited.
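The scoping decisions from this planning step can be enforced mechanically before any test traffic is sent. The following is an added example, not part of the original article; the rule format, field names, dates and addresses (RFC 5737 documentation ranges) are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed rules of engagement (assumed format, not from the article).
RULES = {
    "in_scope": ["192.0.2.0/24", "198.51.100.0/25"],    # released by the owner
    "excluded": ["192.0.2.10/32", "192.0.2.128/26"],    # e.g. fragile production hosts
    "window": ("2024-06-03T20:00:00+00:00", "2024-06-04T04:00:00+00:00"),
    "dos_testing_allowed": False,                        # avoid unintentional DoS
}

def check_target(rules, target, when, technique="scan"):
    """Return (allowed, reason) for one planned test action."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Hostnames can resolve to third-party systems; require a confirmed IP.
        return False, "not an IP address; resolve and confirm ownership first"
    if when.tzinfo is None:
        return False, "timestamp has no time zone"
    start, end = (datetime.fromisoformat(t) for t in rules["window"])
    if not start <= when <= end:
        return False, "outside agreed test window"
    if technique == "dos" and not rules["dos_testing_allowed"]:
        return False, "denial-of-service testing not released"
    # Exclusions win over inclusions, so a carve-out inside a released net holds.
    if any(addr in ipaddress.ip_network(n) for n in rules["excluded"]):
        return False, "explicitly excluded"
    if any(addr in ipaddress.ip_network(n) for n in rules["in_scope"]):
        return True, "in scope"
    return False, "not in released scope"

def filter_plan(rules, targets, when):
    """Split a target list into (approved, rejected-with-reason)."""
    approved, rejected = [], {}
    for t in targets:
        ok, reason = check_target(rules, t, when)
        if ok:
            approved.append(t)
        else:
            rejected[t] = reason
    return approved, rejected

if __name__ == "__main__":
    now = datetime(2024, 6, 3, 22, 0, tzinfo=timezone.utc)
    print(filter_plan(RULES, ["192.0.2.20", "192.0.2.10", "203.0.113.5"], now))
```
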
Scans and investigations
Next, static and dynamic analyses are used to examine the code and how it behaves in real time. Static code analysis provides a theoretical insight; dynamic analysis is more detailed, because it shows the actual state during operation.
By exploiting loopholes in web applications, for example through cross-site scripting or SQL injection, vulnerabilities are identified. These can then be exploited to intercept traffic, access data and extend user privileges. This step gives a more accurate picture of how much damage a hacker could actually do with knowledge of the weak points.
Unlike one-time access, this step tests whether access can be maintained and how deep the vulnerabilities actually reach. It simulates Advanced Persistent Threats (APTs), which in practice can tap business data for months and steal even the most sensitive information.
Finally, the data has to be gathered in order to determine which gaps were exploited, which data was accessed and how long the access could be maintained.
Special features of penetration testing
The simulation of a cyber attack follows its own rules, and different parameters can be set for the simulation in a pen test. For example, the attack can be carried out externally, as a cyber attack on the parts of a system that are visible from outside, or internally, simulating a malicious employee or access credentials captured through phishing.
The security department can also be involved in different ways: in a targeted test, IT security knows about the simulated attack and can coordinate and train. In a blind test, IT security only knows the company that is the target of the pen test; a double-blind test is carried out without prior warning.
A special sub-category of penetration testing that should not go unmentioned here is physical access. This does not apply to every company, but in many companies the easiest way into the IT infrastructure is to enter the building and steal passwords and access credentials.
Many companies therefore have a legitimate interest in analysing their security with a physical penetration test. After all, what use is a perfect system infrastructure if the server room is left open or the VPN password is stuck on a note in the cafeteria?
Good penetration testing therefore works in practice like a fire alarm system. Pen testing tests security mechanisms and weak points, explores how IT reacts, and allows security to be analysed in real time. The result is not only more secure programs but also recommendations for staff, making systems and networks secure at every level.