Pentesting: Which test methods are particularly suitable for medium-sized companies?
by Tina Siering
What pentesting methods are there - and which is the right one?
Pentesting, or penetration testing, refers to targeted and pre-coordinated attack attempts on a company's IT systems, carried out either by automated tools or by a human tester, with the human pentester being more effective than a program. The client's consent and knowledge are required, because some of a pentester's attack methods are criminal offenses under the law if carried out without authorization. The goal of pentesting is to uncover the company's IT vulnerabilities and to provide specific recommendations for eliminating the deficiencies found: existing security gaps are closed and the security level is raised. In addition to well-known methods such as white box, black box and grey box audits, social engineering audits, red teaming and internal perpetrator simulations are also common. In a preliminary discussion between the IT security experts commissioned for the penetration test and your company's project managers, the objective and the test object are defined first. These objectives can point in very different directions and must therefore be planned and formulated precisely, defining not only the scope but also the limits of what the testers may do. The methods and tools the testers use are the same as those used by cybercriminals.
Social Engineering Audit
A social engineering audit puts the rules of conduct of a company's employees to the test, because hackers have long used more than just malware to penetrate corporate networks. Social engineering is one of the most efficient and at the same time one of the most dangerous methods of cybercrime, because employees are a major security risk for companies. In particular, the lack of employee awareness of attack variants carried out by phishing, by telephone or through personal contact is what makes the method so popular with cybercriminals.
A social engineering audit serves two purposes. On the one hand, the security awareness of the employees is checked (and thereby also trained); on the other hand, weak points are uncovered and analyzed as the basis for a concept that improves security awareness. The IT security experts provide an exact catalog of measures to increase the company's own IT security, also on a non-technical level, for example with regard to the IT security awareness of your employees. It often makes sense to combine an internal perpetrator simulation with social engineering elements in order to also test compliance with internal policies or the effectiveness of your physical protection measures.
Red Teaming
One of the special attack methods used by pentesters is red teaming. This audit is virtually one of the "highlights of attack simulation". Red Teaming is a security tactic that originated in the military. Similar to a military conflict simulation, a group of pentesters attempts to carry out a cyberattack successfully together. The role of the Red Team is clearly defined: it plays the "malicious actor" trying to penetrate an IT architecture. By simulating attacks on their own systems, companies can uncover vulnerabilities and identify points of attack that could be exploited. Red Teaming is based on a very simple but immensely important insight: no one can know how secure their own systems really are until a real attack has taken place. And this attack is carried out by the Red Team. From our customer's point of view, it is therefore a real cyber attack that requires real action. There are no limitations, no fixed target systems and no restrictions on the Red Team's actions. Red Teaming is mainly used for security tests of companies that already have a correspondingly mature IT security.
Inside Perpetrator Simulation
Threats from insiders are among the most serious threats to a company's integrity. The "insider" does not necessarily have to be one of the company's own employees: external service providers or hijacked internal PCs can also lead to insider attacks! What makes internal perpetrator attacks so dangerous? Small and medium-sized companies in particular often believe that threats always come from the outside. Accordingly, the systems are secured against external access, while the internal IT infrastructure is neglected, although the significantly greater risk can be hidden there. Internal networks thus contain ineffective protection mechanisms, undocumented systems and authorization assignments that can be described as risky at best. A true paradise for cybercriminals, who can quickly gain control of the entire IT environment.
Internal perpetrators can be divided into two groups. On the one hand, there are the perpetrators who act purposefully and deliberately want to cause damage to the company. The other group, on the other hand, will not recognize themselves as perpetrators at all, but act unconsciously and carelessly. A hastily opened anonymous e-mail, the use of unauthorized software or the download of an unknown attachment is enough, and the uninformed employee has opened the door to the hacker in the background. Once the attacker has access to the systems and networks, he can analyze the structure at his leisure, uncover vulnerabilities and look for a way to inflict maximum damage with minimum effort. In the role of an inside perpetrator, the attacker then infiltrates malware and grabs sensitive data, confidential information or even financial resources.
The internal perpetrator simulation takes on the role of an internal perpetrator as part of the security audit. For this purpose, the IT security specialists are given a workstation computer and standard user access, just like any other employee of the company. With this setup, the specialists then try to penetrate other areas of the company and extend their authorizations as far as possible. The internal perpetrator simulation checks when the internal IT department becomes aware of the activities of the "intruder", whether existing security processes are sufficiently effective and whether all security-related standards are actually implemented by all employees. The results of the internal perpetrator simulation can then be used to derive strategic recommendations for action that reliably eliminate the identified weaknesses in the future.
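One measurable output of an internal perpetrator simulation is the question raised above: when does the internal IT department notice each step of the "intruder"? The following script is an added illustration, not code from Allgeier secion or from this article, of how the two sides can reconcile their records after the test. It assumes a constructed, hypothetical timeline of simulated activities (kept by the testers) and a constructed list of alerts raised by the internal IT department, where each alert is mapped to an activity during the post-test review; it then computes the time-to-detect per activity and lists the activities that went unnoticed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

FMT = "%Y-%m-%d %H:%M"


@dataclass
class Activity:
    """One step of the simulation, as recorded by the testers (constructed data)."""
    id: str
    when: datetime
    description: str


@dataclass
class Alert:
    """One alert raised by internal IT; activity_id is assigned in the post-test review."""
    when: datetime
    description: str
    activity_id: Optional[str]


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, FMT)


# Constructed simulation timeline (hypothetical workstation WS-TEST-01, hypothetical account sim.user).
ACTIVITIES = [
    Activity("A1", parse("2024-03-04 09:05"), "login with standard user account on WS-TEST-01"),
    Activity("A2", parse("2024-03-04 09:40"), "listing of file shares reachable with standard rights"),
    Activity("A3", parse("2024-03-04 11:15"), "access attempts on finance share without authorization"),
    Activity("A4", parse("2024-03-04 14:30"), "elevated rights obtained via misconfigured group membership"),
]

# Constructed alerts from the internal IT department during the same period.
ALERTS = [
    Alert(parse("2024-03-04 12:05"), "burst of access-denied events on FINANCE share from WS-TEST-01", "A3"),
    Alert(parse("2024-03-05 08:10"), "unexpected group membership change for sim.user", "A4"),
]


def time_to_detect(activities, alerts):
    """Map each activity id to the minutes until the first matching alert, or None if never detected."""
    result = {}
    for act in activities:
        matching = [a.when for a in alerts if a.activity_id == act.id and a.when >= act.when]
        if matching:
            result[act.id] = int((min(matching) - act.when).total_seconds() // 60)
        else:
            result[act.id] = None
    return result


def summarize(ttd):
    """Aggregate the per-activity figures into the numbers a report would carry."""
    detected = [m for m in ttd.values() if m is not None]
    return {
        "activities": len(ttd),
        "detected": len(detected),
        "undetected": [aid for aid, m in ttd.items() if m is None],
        "max_minutes": max(detected) if detected else None,
    }


if __name__ == "__main__":
    ttd = time_to_detect(ACTIVITIES, ALERTS)
    for act in ACTIVITIES:
        status = "not detected" if ttd[act.id] is None else f"detected after {ttd[act.id]} min"
        print(f"{act.id} {act.when:%Y-%m-%d %H:%M} {act.description}: {status}")
    print(summarize(ttd))
```

In the constructed data, the initial login and the share listing never trigger an alert, the unauthorized access attempts are noticed after 50 minutes, and the rights escalation only the next morning. Figures like these, rather than a bare list of vulnerabilities, are what allow a company to judge whether its internal security processes are "sufficiently effective".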
How much does a penetration test cost?
The cost of a penetration test always depends on the time required for the pentest. The price range for penetration tests by Allgeier secion IT security experts starts at around 3,800 euros for a basic IT vulnerability analysis and goes up to 18,200 euros for extensive black box audits. Note that the costs for each project are calculated individually and depend on the effort required for preparation, for the actual execution of the tests and for the desired scope of the documentation following the pentest.
What makes pentesting by Allgeier secion so special?
Allgeier secion's penetration testers perform more than 100 pentests per year and can look back on more than 50 years of combined pentesting experience. The result reports of the Allgeier secion audits go far beyond the industry standards. The reports provide customers with a comprehensive picture of the status quo of existing security measures, technical information on the vulnerabilities found and advice on how to eliminate these vulnerabilities in the long term. All findings identified during pentesting are sorted into vulnerability categories by Allgeier secion experts, which allows conclusions to be drawn about the origin of the vulnerabilities. With easy-to-understand recommendations that can be implemented immediately, companies receive a series of packages of measures that significantly increase the company's overall security level. The goal of all pentesting activities conducted by the IT security experts is an optimal transfer of knowledge that permanently prevents the same or similar vulnerabilities from recurring.
Conclusion on the pentesting methods for SMEs
Identify vulnerabilities, close IT security gaps and minimize attack opportunities: penetration tests put a company's existing IT security to the test. The "human risk factor" in particular is still neglected far too much, especially by small and medium-sized enterprises. Whether through attacks by social engineers or systems compromised by careless, negligent employees: internal perpetrators currently represent one of the greatest risks in the area of IT security. Pentesting is the method with which internal security leaks can be reliably detected and sustainably eliminated. Allgeier secion's pentesters are deployed daily to increase the security level of companies throughout Germany.