In a penetration test, IT systems or networks are subjected to a comprehensive examination designed to determine their susceptibility to attack. A pentest uses methods and techniques that are used by real attackers or hackers.
What is a penetration test?
In a penetration test, often called a pentest, IT experts carry out targeted attacks to determine how susceptible networks or IT systems are to intrusion and manipulation attempts. They use methods and techniques similar to those used by hackers or crackers to penetrate a system without authorization.
A pentest can be used to uncover vulnerabilities and better assess potential threats. Throughout the penetration test, all measures carried out are precisely logged. A final report lists the identified vulnerabilities and possible solutions for improving the IT security level. The elimination of vulnerabilities and the implementation of IT hardening measures are not part of the penetration test.
The scope of the tests performed is based on the respective threat potential of a system, application, or network. Systems that are exposed to high threats, such as publicly accessible web servers, are usually subjected to more extensive tests than internal applications of little relevance to the overall system.
The goals of a penetration test
The main goal of pentesting is to identify network and computer vulnerabilities at the technical and organizational levels and document them in a detailed report. Eliminating the vulnerabilities found, however, is the responsibility of the client or the operator of the examined IT systems. If the recommended measures to eliminate the discovered vulnerabilities are implemented, the security of the examined systems can be improved.
Possible remediation measures include training personnel, increasing staff, shutting down a system, or applying fixes and updates. Since a penetration test is not continuous monitoring of IT, it can be seen as a snapshot of the security status.
Social engineering penetration tests are often part of the tests performed. Here, social engineering is used against internal employees in an attempt to gain information or access. The tests aim to uncover internal vulnerabilities within the company that can be remedied, for example, by educating and informing employees.
Legal aspects of penetration tests
Before conducting penetration tests, the organization conducting the test must have the consent of the organization being tested. Without such consent, pentesting is illegal and may constitute a criminal offense. If consent is obtained, the test may only cover objects that are under the actual control of the organization being tested.
No IT systems or networks of third parties may be tested. The client must clearly specify which components this applies to prior to the penetration test. The use of a variety of IT services, different cloud services, and different contractual relationships for the use of hardware and software can make such clarification difficult.
Differentiation between the terms vulnerability analysis, vulnerability or security scan, and penetration test
Vulnerability analysis is a generic term and can include vulnerability or security scans as well as penetration tests. In contrast to a penetration test, vulnerability or security scans are performed automatically: programs run automatically and check systems against known problems and security vulnerabilities.
A penetration test, on the other hand, is automated only to a small degree and is performed after extensive, often manual, information gathering. It is individually tailored and adjusted to the system to be tested. The planning, execution, and selection of the tools to be used are much more complex in a pentest. As a result, a penetration test can be used to identify previously unknown security vulnerabilities.
Special hacking tools and manually executed attack methods are used. A penetration test should be understood as an empirical part of a general vulnerability analysis.