The IT security situation in Germany is tense to critical. The German Federal Office for Information Security (BSI) calls on companies, organizations, and public authorities to increase their cyber security, harden systems, and make lateral movements in internal networks more difficult. Such measures are important quite independently of the current political situation.
After all, the cybercrime business is booming. According to a Bitkom study, cyber attacks cause total damage of 223 billion euros to the German economy every year. Hackers are producing new malware variants ever more quickly and are relying on scalable attack strategies with which they can reach as many victims as possible.
Ransomware in particular remains a major risk. In addition to classic encryption, attackers also threaten to publish the captured data or to make the cyber incident public. With the help of Ransomware as a Service – malware supplied as a ready-made kit – even less experienced cybercriminals can carry out attacks quickly and easily.
Cybersecurity from The Attackers’ Perspective
It’s no coincidence that cyberattacks are the biggest business risk today, according to the latest Allianz Risk Barometer. To protect themselves, companies need to continuously review and optimize their security posture. The tool of choice for this is penetration testing, or pentesting for short. This involves looking at cybersecurity from the perspective of the attackers and trying to outsmart security measures using current hacking methods.
Pentesting enables companies to test how effective their cybersecurity measures are without risk. This allows them to identify and close vulnerabilities before cybercriminals exploit them. Security assessments are important for organizations of all sizes and industries, but especially for those that process sensitive data or belong to critical infrastructures. The latter are required by the IT Security Act to implement appropriate state-of-the-art cybersecurity measures.
Pentests generally help companies to comply with regulations and prepare for security audits. Those wishing to take out cyber insurance can also prove that they meet the requirements.
Manual vs. Automated Pentesting
To date, most companies that perform pentests do so only once a year, according to a study by cybersecurity vendor Pentera. This is mainly because manual testing is very time-consuming and cost-intensive: it requires security experts who know the latest hacking methods and who have to invest a lot of time. But annual pentesting is not enough to ensure good protection, because the result is only a snapshot.
Both IT environments and attack techniques evolve highly dynamically, so cybersecurity measures must be adapted. Today, modern software solutions make it possible to perform pentests largely automatically. This saves effort and reduces costs considerably. As a result, companies can carry out security checks on a regular basis. Even large, complex IT environments can be scanned for vulnerabilities quickly and efficiently in this way.
Results are usually available after just 48 hours. In addition, automated tests are reproducible and guarantee consistent, standardized quality. This makes it easy to compare results and establish uniform testing procedures at different sites. Manual pentesting is then only necessary in selected scenarios, for example to check special cases or to perform whitebox testing.
Which Pentesting Approach Is the Right One?
There are three different approaches to pentesting: black-box, grey-box and white-box. The latter is basically an audit in which the complete system documentation is open. This approach is suitable, for example, for checking compliance with regulations. With the black-box approach, on the other hand, the testers know nothing about the target environment.
Like real attackers, they must first gather all the information themselves – for example, access credentials, and which infrastructure and operating systems are involved. With grey-box testing, on the other hand, some things are already known, so that specific scenarios can be simulated. This is why we also speak of what-if tests: how far can attackers get, for example, if they have obtained employees’ login data?
In most cases, a combination of black-box and grey-box approaches is recommended: first, testers try to get as far as possible without assistance, and then switch to the grey-box method for very well shielded systems. Both approaches can be automated.
In addition, a fundamental distinction is made between external and internal pentests. External tests check how well company networks, systems or websites can be attacked from the outside. Internal tests, on the other hand, examine how much room for maneuver and action hackers have when they are already inside the network.
Internal pentests are particularly important because even with the best technical protection measures, people can still make mistakes or be tricked by cybercriminals – whether they fall for social engineering or phishing emails or unsuspectingly plug in an infected USB stick. The crucial question then is: What damage can attackers do after they have infiltrated? Can sensitive data be captured or can they even take complete control of systems?
On Their Own or As a Service?
When it comes to automated pentesting, it is advisable to work with an experienced cybersecurity service provider who has the appropriate references and expertise. They provide the software, operate it, and perform the assessments at the agreed intervals according to the discussed procedure. Companies then receive a detailed results report that identifies potential weaknesses and provides recommendations for action.
Alternatively, IT teams can also establish automated pentesting themselves without a great deal of personnel effort. The software is usually installed and set up quickly. For many companies, however, evaluating the results is likely to be a challenge. That’s because it’s not enough to identify security vulnerabilities. You also have to prioritize them and take the right measures to close the vulnerabilities. In most cases, it is helpful to have the support of specialists within the framework of security validation.
Conclusion: Integrate Pentesting Into the Security Strategy
To protect themselves adequately against the growing cyber risks, companies should continuously adapt their cybersecurity measures to the changing threat situation. Automated pentesting makes it possible to integrate security checks cost-effectively as a regular process in the cybersecurity strategy. Those who purchase it as a managed security service keep their own costs to a minimum and also receive support in implementing measures. This makes it possible to uncover weaknesses and efficiently optimize their own security posture.