Pentest – Attack to increase the security level!

Dr. Matteo Große-Kampmann


A regular pentest is an important part of continuously determining and raising the level of IT security. The security assessment can target a network, an application or individual endpoints. Afterwards, customers receive a report, extensive documentation of the security gaps found and, if required, a final presentation.

What is a pentest?

With the help of a pentest, vulnerabilities in networked information systems, whether they consist of software or hardware, an infrastructure or individual applications, can be found, analyzed and remediated. A pentest is an effective way to determine whether systems or their components can be successfully attacked. A pentest should detect as many security problems as possible; these range from configuration errors and missing patches to previously unknown security vulnerabilities.

Real attackers can keep attacking until they have access to the data or systems they are after. A pentest, by contrast, is usually limited by a time budget and ends when that budget is used up. A website that merely presents your company to the outside world is usually tested with a relatively small time budget, while platforms or applications that process customer data require a significantly larger budget to reliably find most of the entry points.

Why a Pentest?

Advancing digitalization, with its potential for savings and optimization, is one of the drivers of demand for pentests. From the small shop around the corner to the international corporation, every sector now deals with digitalization.

In the past, pentests were carried out mainly by financial institutions and telecommunications providers; today AWARE7 GmbH carries out pentests in a wide variety of industries. From health applications to kitchen appliances, AWARE7 has tested system landscapes of very different criticality.

When should a pentest be done?

IT security is usually only considered towards the end of a development project, as it is often treated as a non-functional requirement, and the pentest is booked shortly before the planned “go-live”. This is not recommended: the last weeks before the “go-live” are hectic anyway, and if the pentest then uncovers critical security gaps, they have to be fixed under time pressure and therefore often not with sufficient quality. If the problems found are not trivial but structural, a redesign may be necessary, with high costs, considerable time expenditure and possibly even a loss of revenue. Testing earlier, while the architecture can still be changed cheaply, avoids this.

You commission a pentest to make it as difficult as possible for an attacker who hits your infrastructure or your application to get in. An opportunistic attacker is frustrated and turns to an easier target after a few failed attempts (a targeted attacker with a specific interest in your company will not give up so easily). You don’t have to swim faster than the shark, only faster than the other fish.

Is a pentest always effective?

Performing a pentest is not trivial, and the results a customer receives are highly individual. Automated tools make the work easier but on their own usually do not meet the requirements. At the end of a pentest, the results and their quality depend on the scope of the test, the methodology used and who is testing.

The Black Box Pentest –
when the commissioned attackers are given no information.

In a Black Box Pentest, your system is tested without any prior knowledge of it. The pentesters have no access to the source code and no knowledge of the architecture used. This approach comes closest to that of a real external attacker, but a large share of the time budget goes into reconnaissance rather than into exploitation, so the budget must be large enough to obtain a representative result.

The Grey Box Pentest –
the essential information without deeper insight.

In a Grey Box Pentest, the essential information about the target system is shared in advance. This includes, for example, the URL of the application, user login information and accounts representing the different user roles. The Grey Box test is the most effective way to examine your application: because far less time is spent on reconnaissance than in a Black Box test, more attention can be paid to finding and exploiting security vulnerabilities.

The White Box Pentest –
when the commissioned attackers know as much as the developers of the software

In a White Box (or glass box) test, the testers have full knowledge of the target system. The White Box Pentest includes a comprehensive code review conducted with a focus on IT security. Architecture and infrastructure aspects are also examined and evaluated. Like the Black Box Pentest, the White Box Pentest takes a lot of time to perform, here because of the volume of material to review rather than because of missing information.

“Two pentesters testing the same system lead to three different assessments” – Unknown

What does a pentest cost?

A cost estimate for your individual pentest project cannot be given as a lump sum. The more complex your application and the more critical the data it processes, the higher the pentest budget should be. Especially for very complex systems, increased configuration and coordination effort is to be expected in advance. You can get a rough idea of what a pentest of your system could cost by answering the following questions:

What is the criticality of the data my system processes?

    • Very high
      A failure or data loss has an existential effect on the company almost immediately. Not only are laws, regulations and contracts broken, but there are also dangers to the personal integrity of employees and customers.
    • High
      A failure or data loss has a significant impact on the system and the company within a short period of time. Multiple laws, regulations or contracts are broken.
    • Medium
      There is a noticeable impact after data loss or infrastructure failure within a medium time horizon. A law, regulation or contract is breached.
    • Low
      A failure of the infrastructure or a loss of the data has a small, hardly noticeable effect.

What is the usual IT daily rate?

Use the current daily rate as a guide to what a penetration tester costs. As a rule, a person-day of pentesting costs EUR 1,000.00 or more, with no upper limit, depending on the qualification of the tester and the size of the pentest. The qualifications, training and continuing education required make experienced pentesters sought-after specialists.

How many man-days did the development of the system take?

Depending on the criticality of the application, it is recommended to allocate a certain percentage of the development effort to the security assessment:

  • criticality very high: approx. 15% of the man-days of system development
  • criticality high: approx. 10% of the man-days of system development
  • criticality medium: 5-10% of the man-days of system development
  • criticality low: 1-5% of the man-days of system development
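As an added worked example (my own illustration, not code from the article or from AWARE7), the three questions above combined into a single estimator. The percentages per criticality and the EUR 1,000 usual minimum per person-day are the article's figures; the function and constant names, the representation of a single approximate figure as a degenerate range, and the rounding up to whole person-days are assumptions of this example.

```python
# Added example: combine the three estimation questions from the article into
# a budget range. The percentages are the article's figures; the names, the
# data structure and the rounding are assumptions of this example.

# Share of development man-days to budget for the pentest, as (low %, high %).
# Where the article gives only a single approximate figure, low and high are equal.
PENTEST_SHARE_PERCENT = {
    "very high": (15, 15),
    "high": (10, 10),
    "medium": (5, 10),
    "low": (1, 5),
}

USUAL_MIN_DAILY_RATE_EUR = 1000  # "EUR 1,000.00 or more" per person-day, per the article


def _ceil_div(numerator, denominator):
    """Integer ceiling division without floating point (exact for whole days)."""
    return -(-numerator // denominator)


def estimate_pentest_budget(dev_man_days, criticality, daily_rate=USUAL_MIN_DAILY_RATE_EUR):
    """Return (min_days, max_days, min_cost_eur, max_cost_eur) for a pentest.

    dev_man_days: person-days spent developing the system (question 3).
    criticality:  one of the keys of PENTEST_SHARE_PERCENT (question 1).
    daily_rate:   EUR per pentester person-day (question 2).

    Person-days are rounded up to whole days because test effort is booked
    in whole days (assumption of this example, not stated in the article).
    """
    if not isinstance(dev_man_days, int) or dev_man_days <= 0:
        raise ValueError("dev_man_days must be a positive whole number")
    if daily_rate <= 0:
        raise ValueError("daily_rate must be positive")
    key = criticality.strip().lower()
    if key not in PENTEST_SHARE_PERCENT:
        raise ValueError(
            f"unknown criticality {criticality!r}; expected one of {sorted(PENTEST_SHARE_PERCENT)}"
        )
    low_pct, high_pct = PENTEST_SHARE_PERCENT[key]
    min_days = _ceil_div(dev_man_days * low_pct, 100)
    max_days = _ceil_div(dev_man_days * high_pct, 100)
    return min_days, max_days, min_days * daily_rate, max_days * daily_rate


def format_estimate(dev_man_days, criticality, daily_rate=USUAL_MIN_DAILY_RATE_EUR):
    """One-line human-readable summary of estimate_pentest_budget()."""
    lo_d, hi_d, lo_c, hi_c = estimate_pentest_budget(dev_man_days, criticality, daily_rate)
    days = f"{lo_d} person-days" if lo_d == hi_d else f"{lo_d}-{hi_d} person-days"
    cost = f"EUR {lo_c:,.0f}" if lo_c == hi_c else f"EUR {lo_c:,.0f} to {hi_c:,.0f}"
    return f"{criticality} criticality, {dev_man_days} development man-days: {days}, {cost}"


if __name__ == "__main__":
    # Constructed input: a customer portal that took 200 man-days to build,
    # classified as medium criticality, tested at EUR 1,200 per person-day.
    print(format_estimate(200, "medium", 1200))
```

The estimate is deliberately a range rather than a single number: for the medium and low classes the article itself gives a span, and even for the upper classes the coordination effort mentioned above comes on top of the pure testing days.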

What is the result of a pentest?

A pentest gives you at least an overview of which known vulnerabilities in your system can be exploited and how high the risk of a successful attack is estimated to be. You receive the written result in the form of a report and documentation, and often a final presentation. In the course of a test, previously unknown vulnerabilities may also be discovered. These so-called “zero days” are particularly interesting for attackers, because no patch exists for them yet.

As part of a pentest by AWARE7, you not only receive a report on the technical state of your system but also benefit from our Risk Rex technology. We scan your company with this technology as part of the pentest, find not only technical but also human risks, and help you to minimize them so that your technology and your employees are equally protected.

Every pentest is of course only a snapshot. Even a pentest without findings is no proof that your system is free of vulnerabilities or that all vulnerabilities have been found. Regular examinations, however, help you to improve continuously and to make your systems resilient in the long term.

If you are interested in a pentest by AWARE7, please do not hesitate to contact us without obligation. We also offer attractive solutions for the areas Employee Training, Phishing Campaigns and Risk Assessment.


Dr. Matteo Große-Kampmann

My name is Matteo Große-Kampmann. Together with Chris Wojzechowski I founded AWARE7 GmbH in Gelsenkirchen. I completed my PhD on "Towards Understanding Attack Surfaces of Analog and Digital Threats" and am a trained ISO 27001 Lead Auditor.