A penetration test, or pentest for short, is a comprehensive security analysis of systems (servers, computers, web applications, etc.) to uncover security vulnerabilities so that the operator can close them and prevent damage. It can be thought of as an attack by a hacker with malicious intentions. However, it is not an evil hacker who carries out the attacks, but a so-called pentester. An important aspect of a pentest is that it is largely carried out manually. This increases the chance of finding security vulnerabilities that are not recognized as such by automated tools.
Why is pentesting necessary?
A pentest is not just any test. It is important to carry out such a test at certain intervals. Software is not simply static. Libraries are developed every day. Especially libraries that you or your company use in your software. Just like people, software ages. One reason why bug fixes or changes are always being made is that vulnerabilities are found. And more are found every day. For example, the Log4J vulnerability in Java’s logging library, which you’ve probably heard of.
Libraries are not the only reason why security vulnerabilities occur. In my opinion, the main reason is that no importance is attached to security during the development of a product. It is often said that there is no time for security or that the developers have never thought about security. I don’t want to blame anyone. But companies should pay more attention to it, even if it costs money. It is an investment. Because you can’t undo damage to your image.
All in all, it is necessary to find as many critical and non-critical vulnerabilities as possible in order to avoid major damage. Because damage is much more costly than a pentest. You should know that several non-critical vulnerabilities can combine to form a so-called killchain and together can also cause major damage.
At this point, I would like to list a few more reasons why a pentest is necessary:
- Hidden vulnerabilities should be uncovered before a malicious hacker discovers them and exploits them against you.
- Error messages can be reduced. A malicious hacker could cause your infrastructure to go down completely for an extended period of time. This would also mean that you can avoid loss of revenue (time is money).
- The protection of customer and employee data is particularly important. The loss of this data would diminish trust in the company and can also cause legal problems.
- Another point is the saving of “recovery costs”. A malicious hacker can cause such damage that the infrastructure cannot be restored at all. In this case, the hopefully existing backup copies on the individual servers have to be restored. This costs time and therefore money. And if no backups are available, then it is probably time to rebuild everything from scratch.
Types of penetration tests
There are different options for a pentest on three different levels. As you can see in the following illustration, there are black-box, grey-box and white-box tests.
A pentest at black box level represents an attack under real conditions and naturally involves little organizational effort. You commission a company and let the pentester loose on the external/internal infrastructure without any information. Your aim is then to find critical vulnerabilities and generate as much simulated damage as possible.
A pentest at gray box level, on the other hand, takes place in a defined test environment, also known as a scope. This means that the pentester knows his target and can concentrate exclusively on it. This is particularly advantageous when focusing on a target, as a pentester can concentrate fully on the target and thus delve deeper into the subject matter. He can then find weak points that would have been overlooked when “skimming”.
A pentest at white box level is the final stage. Here, the pentester has full access to all internal information, such as source code, documentation and architectures. All this information can then be used by the pentester to find both programmatic and logical vulnerabilities. A logical vulnerability would be, for example, that you can make a purchase on a marketplace for another person without being logged in as that person.
Summary
The topic of IT security should not be seen as a hurdle or useless. Rather, it should be seen as an opportunity to avoid serious damage. As long as you are not affected yourself, you don’t worry about the consequences. But if a malicious hacker decides to cause damage to your company, it may be too late. And as I’ve learned, you shouldn’t just hope, you should react and address the problem proactively. If you don’t have the necessary knowledge, you should hire a pentester or a company that can support you with their knowledge.
Further topics
If you are interested in this topic, the following articles may also be of interest to you:
- https://cyberphinix.de/blog/cyber-security-for-companies/
- https://cyberphinix.de/blog/owasp-top-10/
- https://cyberphinix.de/blog/open-redirects-a-gateway-for-cyber-criminals/
- https://cyberphinix.de/blog/https-really-secure-find-out/
- https://cyberphinix.de/blog/understanding-brute-force-recognising-and-defending-against-threats/
- https://cyberphinix.de/blog/learn-how-to-use-xsstrike-step-by-step-tutorial/
- https://cyberphinix.de/blog/learn-hacking-for-beginners/
- https://cyberphinix.de/blog/nmap-cheat-sheet-commands-you-should-know/