Pentesting: Which test methods are particularly suitable for medium-sized companies

What pentesting methods are there - and which is the right one?

Pentesting - or penetration testing - refers to targeted and pre-coordinated cyber attack attempts on a company's IT systems - automated or in person, with the human pentester being more effective than a program. Consent and knowledge are required, as some of a pentester's attack methods are criminal offenses under the law. The goal of pentesting is to uncover the company's IT vulnerabilities and provide specific recommendations for action to eliminate any deficiencies. Existing security gaps are closed and the security level is increased. In addition to well-known methods such as white box, black box and grey box audits, social engineering audits, red teaming and internal perpetrator simulation are also common methods. In a preliminary discussion between the IT security experts commissioned for penetration tests and the project managers of your company, the objective and the test object of the penetration test are first defined.  The objectives can go in a wide variety of directions - and for this reason must be planned and formulated precisely, defining not only the scope but also the limits of action. The methods and tools they use for testing are the same as those used by cybercriminals.

Social Engineering Audit

A social engineering audit puts the rules of conduct of a company's employees to the test, because hackers have long since used more than just malware to penetrate corporate networks. Social engineering is therefore not only one of the most efficient, but also one of the most dangerous methods of cybercrime, because employees are a major security risk in companies. In particular, the lack of employee awareness of attack variants carried out by phishing, by telephone or by contacting them in person make the method so popular with cybercriminals.

A social engineering audit serves two purposes. On the one hand, the security awareness of the employees is checked (and thus also trained), and on the other hand, weak points are uncovered and used as part of an analysis for the development of a concept for more security awareness. The IT security experts provide an exact catalog of measures to increase the company's own IT security, also on a non-technical level, such as in relation to the IT security awareness of your employees. It often makes sense to combine an internal perpetrator simulation with social engineering elements to also test compliance with internal policies or the effectiveness of your physical protection measures.

Red Teaming

One of the special attack methods used by pentesters is red teaming. This audit is virtually one of the "highlights of attack simulation". Red Teaming is a security tactic that originated in the military. Similar to a military conflict simulation, a pentester group attempts to successfully execute a cyberattack together. The role of the Red Team is clearly defined: It mimes the "malicious actor" trying to penetrate an IT architecture. By simulating attacks on their own systems, they can uncover vulnerabilities and identify points of attack that could be exploited. Red Teaming is based on a very simple, but equally immensely important insight: no one can know how secure their own systems really are until a real attack has taken place. And this attack is carried out by Red Teams. So from our customer's point of view, it's a real cyber attack, which requires real action. There are no limitations, no fixed target systems, and no restrictions on action. Red Teaming is mainly used for security tests of companies that have a correspondingly powerful IT security.

Inside Perpetrator Simulation

Threats from insiders are among the most serious threats to the integrity of companies. The "insider" does not necessarily have to be one of the company's own employees - external service providers or hijacked internal PCs can also lead to insider attacks! What makes internal perpetrator attacks so dangerous? On the one hand, small and medium-sized companies in particular often believe that threats always come from the outside. Accordingly, the systems are secured externally - the internal IT infrastructure, on the other hand, is neglected, although the significantly greater risk can be hidden here. Internal networks thus contain ineffective protection mechanisms, undocumented systems and authorization assignments that can be described as risky at best. A true paradise for cybercriminals, who can quickly gain control of the entire IT environment.

Internal perpetrators can be divided into two groups. On the one hand, there are the perpetrators who act purposefully and deliberately want to cause damage to the company. The other group, on the other hand, will not recognize themselves as perpetrators, but rather act unconsciously and carelessly. A hastily opened, anonymous e-mail, the use of unauthorized software or the download of unknown attachments are enough - and the uninformed employee has opened the door to the hacker in the background. If the attacker has access to the systems and networks, he can analyze the structure at his leisure, uncover vulnerabilities and look for a way to inflict maximum damage with minimum effort. In the role of an inside perpetrator, the attacker then infiltrates malware and grabs sensitive data, confidential information or even financial resources.

The internal perpetrator simulation assumes the role of an internal perpetrator as part of the security audit. For this purpose, the IT security specialists are given a workstation computer and standard user access, just like the other employees of the company. With this setup, the specialists then try to penetrate other areas of the company and extend their authorizations as far as possible. The internal perpetrator simulation checks when the internal IT department becomes aware of the activities of the "intruder", whether existing security processes are sufficiently effective or whether all security-related standards are also implemented by all employees. The results of the internal perpetrator simulation can then be used to derive strategic recommendations for action that will reliably eliminate identified weaknesses in the future.

How much does a penetration test cost?

The cost of a penetration test always depends on the time required for the pentest. The price range for penetration tests by Allgeier secion IT security experts starts at around 3,800 euros for a basic IT vulnerability analysis and goes up to 18,200 euros for extensive black box audits. It should always be noted that the costs for each project are calculated individually and depend on the effort required for preparation, the actual execution of the tests and the desired scope of the documentation following the pentest.