Penetration tests uncover IT security gaps in good time

Detecting vulnerabilities in corporate IT itself before an attacker can find and exploit them - that is the idea of a penetration test. Carefully planned and carried out by a professional service provider at network and system level or at application level, such a test proves to be an efficient measure against the growing threat of cybercrime.

Cybersecurity and IT security continue to be among the most important digital topics in 2016, and rightly so, as a recent survey by the industry association Bitkom (www.bitkom.org) shows. More than two-thirds of the industrial companies surveyed stated that they had been victims of data theft, industrial espionage or sabotage in the last two years.

But how vulnerable is your own company? In order to assess this realistically and be able to take countermeasures in good time, it is advisable to carry out a penetration test. Similar to a fire drill, this simulates an emergency, in this case an attack on the company's data and IT systems. The aim is to preventively identify vulnerabilities in IT systems, software or their configuration. In the event of an actual attack, these vulnerabilities could otherwise be exploited by hackers to gain access to the systems, obtain sensitive information or restrict the availability of systems and applications.

The emergency is simulated

As a rule, external service providers specializing in security tests are commissioned to carry out a penetration test professionally, based on realistic scenarios. Their procedure follows a certain pattern, just like that of actual attackers: at the beginning, information is gathered by evaluating publicly available information about the target systems, e.g. from DNS and WHOIS databases and Google hacking techniques, as well as by sniffing network traffic. Port scans are then used to identify open TCP and UDP ports. Banner grabbing and software fingerprinting reveal which operating system and software versions are in use in the company. The network services and operating system versions identified in this way are then first checked for known vulnerabilities using automated vulnerability scanners. The results of these scans are then verified by manual checks, to eliminate false positives but also to identify possible additional vulnerabilities.
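To illustrate the last step of that procedure, the manual verification of automated scanner output, here is an added Python example that is not part of the article and not the code of any scanner or service provider. It reconciles constructed scanner findings against constructed banner-grab results and sorts each finding into one to confirm, one that is a likely false positive, or one that still needs a manual check because no usable banner exists. All hosts, banners, product names and "fixed_in" versions are invented for the example and do not refer to real vulnerabilities.

```python
import re

# Constructed banner-grab results: (host, port) -> banner string.
# These are made-up values, not output of a real scan.
FINGERPRINTS = {
    ("10.0.0.5", 22): "SSH-2.0-OpenSSH_7.4",
    ("10.0.0.5", 80): "Server: Apache/2.4.29 (Ubuntu)",
    ("10.0.0.9", 21): "220 ProFTPD 1.3.5 Server ready",
    ("10.0.0.9", 443): "",   # TLS endpoint, banner grab returned nothing
}

# Constructed automated-scanner findings. 'fixed_in' is the first version the
# scanner's signature treats as not affected (hypothetical data, not real CVEs).
FINDINGS = [
    {"id": "F1", "host": "10.0.0.5", "port": 22,  "product": "OpenSSH", "fixed_in": "7.4"},
    {"id": "F2", "host": "10.0.0.5", "port": 80,  "product": "Apache",  "fixed_in": "2.4.30"},
    {"id": "F3", "host": "10.0.0.9", "port": 21,  "product": "vsftpd",  "fixed_in": "3.0.3"},
    {"id": "F4", "host": "10.0.0.9", "port": 443, "product": "nginx",   "fixed_in": "1.14.0"},
]

# Regular expressions that pull a product and version string out of a banner.
BANNER_PATTERNS = {
    "OpenSSH": re.compile(r"OpenSSH[_/ ](\d+(?:\.\d+)*)"),
    "Apache":  re.compile(r"Apache/(\d+(?:\.\d+)*)"),
    "ProFTPD": re.compile(r"ProFTPD (\d+(?:\.\d+)*)"),
    "nginx":   re.compile(r"nginx/(\d+(?:\.\d+)*)"),
}


def parse_version(text):
    """Turn '2.4.29' into (2, 4, 29) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def fingerprint(banner):
    """Return (product, version tuple) recognised in a banner, or None."""
    for product, pattern in BANNER_PATTERNS.items():
        match = pattern.search(banner)
        if match:
            return product, parse_version(match.group(1))
    return None


def triage(findings, fingerprints):
    """Map each finding id to 'confirm', 'likely-false-positive' or 'manual-check'."""
    result = {}
    for finding in findings:
        banner = fingerprints.get((finding["host"], finding["port"]), "")
        observed = fingerprint(banner)
        if observed is None:
            # No banner to compare against: a human has to look at the service.
            result[finding["id"]] = "manual-check"
            continue
        product, version = observed
        if product != finding["product"]:
            # Scanner guessed a different product than the banner shows.
            result[finding["id"]] = "likely-false-positive"
        elif version < parse_version(finding["fixed_in"]):
            # Observed version is below the fixed version: worth confirming by hand.
            result[finding["id"]] = "confirm"
        else:
            result[finding["id"]] = "likely-false-positive"
    return result


if __name__ == "__main__":
    for finding_id, status in triage(FINDINGS, FINGERPRINTS).items():
        print(finding_id, status)
```

The labels are deliberately "likely" rather than final: distributions backport security fixes without changing the advertised version string, so a banner version is itself only an indicator, and the manual verification step the article describes remains necessary for the "confirm" bucket too.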

What should be taken into account when commissioning an external service provider with a penetration test?

First of all, the test content and objectives should be specified as concretely as possible. Such specifications could be:

  • Identify and attempt to exploit operating system implementation weaknesses or incorrect target system configurations, e.g. by accessing arbitrary files on an IIS server
  • Examination for undesired services that are permitted, e.g. due to faulty configuration or insufficient filter rules
  • The attempt to disable deployed services through denial-of-service (DoS) attacks, with DoS attacks launched only after explicit approval by the client

Identify and minimize risks

The last point makes it clear that penetration tests are always associated with risks. In practice, denial-of-service attacks are only carried out if the client explicitly requests this. But even without such high-risk attacks, a penetration test can lead to the loss of system availability if, for example, the affected system first has to be manually restarted by a local administrator after a crash. Another unintended consequence of a penetration test can be data loss.

Depending on the target environment, these hazards can represent an unacceptable risk. This is particularly true for production systems, which can then be excluded from risky tests. However, this always reduces the significance of the test, because real attackers do not stop at production systems, and critical vulnerabilities could be overlooked. An alternative is to carry out the test outside business hours or in an identical test environment that replicates the production environment 1:1. Potential damage to production systems in the event of a failure can thus be avoided or at least reduced.

However, since a residual risk for the examined systems and data can never be completely excluded, it is essential that penetration tests are planned very thoroughly in advance by the client's IT department and the penetration tester together. During the execution, a technical contact person should be available for coordination at all times.
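The scoping rules from the preceding sections (DoS only with explicit client approval, risky tests on production systems only outside business hours or against a replica, a technical contact person always defined) can be written down once and checked mechanically before an engagement starts. The following Python example is added here and is not part of the article or of any real engagement; the scope, the targets, the time window and the planned steps are all constructed values.

```python
from datetime import datetime, time

# Constructed rules of engagement agreed between client IT and tester
# (hypothetical values, not from any real engagement).
SCOPE = {
    "contact": {"name": "on-call administrator", "phone": "+00 000 0000"},
    "targets": {
        "10.0.1.10": {"environment": "production", "dos_approved": False},
        "10.0.1.11": {"environment": "production", "dos_approved": True},
        "10.0.9.10": {"environment": "replica",    "dos_approved": True},
    },
    # Risky tests on production hosts are only permitted in this window (local time).
    "out_of_hours": (time(22, 0), time(6, 0)),
}

# Techniques that can cost availability or data and therefore need the window rule.
RISKY = {"dos", "exploit"}

# Constructed test plan: what the tester intends to run, against which host, when.
PLAN = [
    {"target": "10.0.1.10", "technique": "scan",    "when": datetime(2016, 6, 1, 10, 0)},
    {"target": "10.0.1.10", "technique": "dos",     "when": datetime(2016, 6, 1, 23, 0)},
    {"target": "10.0.1.11", "technique": "exploit", "when": datetime(2016, 6, 1, 14, 0)},
    {"target": "10.0.9.10", "technique": "exploit", "when": datetime(2016, 6, 1, 14, 0)},
    {"target": "10.0.2.99", "technique": "scan",    "when": datetime(2016, 6, 1, 10, 0)},
]


def in_window(timestamp, window):
    """True if the time of day lies in the window; the window may wrap midnight."""
    start, end = window
    clock = timestamp.time()
    if start <= end:
        return start <= clock <= end
    return clock >= start or clock <= end


def check_plan(scope, plan):
    """Return a list of rule violations for a planned sequence of test steps."""
    violations = []
    if not scope.get("contact"):
        violations.append("no technical contact person defined")
    for step in plan:
        target = scope["targets"].get(step["target"])
        if target is None:
            violations.append(f"{step['target']}: not in scope")
            continue
        if step["technique"] == "dos" and not target["dos_approved"]:
            violations.append(f"{step['target']}: DoS without explicit approval")
        if (step["technique"] in RISKY
                and target["environment"] == "production"
                and not in_window(step["when"], scope["out_of_hours"])):
            violations.append(
                f"{step['target']}: risky test on production during business hours")
    return violations


if __name__ == "__main__":
    for line in check_plan(SCOPE, PLAN):
        print("VIOLATION:", line)
```

Run against the constructed plan, the check reports three problems: the DoS step against a host whose owner has not approved it, an exploitation step against a production host during the working day, and a target outside the agreed scope. The replica host passes because the window rule only applies to production systems.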

Combine implementation options correctly

Penetration testing can be performed in several ways, usually combining possible options.

Black-Box vs. White-Box

First of all, a distinction can be made between "black box" and "white box" tests. In a black box test, the external service provider is only given the minimum necessary information, such as the name of the IT network to be tested, in order to simulate the possibilities of an external attacker as realistically as possible. The tester then researches the IP address range and possible "gateways". Checking the functioning of IDS/IPS systems as well as the behavior and reaction speed of the company's own employees can also be a partial objective of a black box test.

However, this approach is very time-consuming and therefore very costly. An actual attacker, by contrast, can be assumed to take whatever time is needed for planning and preparation. Their attacks are becoming increasingly complex and technically sophisticated, and social engineering methods are usually also used to gather information. These methods are not always easy to detect. For example, the sender addresses of e-mails from other companies are forged and phishing e-mails tailored precisely to the recipient, their interests and their circle of acquaintances are sent (spear phishing) in order to inject malware. The injected malware is then used to obtain all the necessary information from the attacked IT network.

In order to compensate for this "advantage" of potential hackers over an IT service provider acting within a limited time frame, the white box method is used when performing penetration tests. Here, the penetration tester is provided with detailed information about the systems to be tested and the network infrastructure. Thus, at the start of the penetration test, the tester already has the level of information a real attacker would reach only after weeks of work. This also allows vulnerabilities to be found that might not be detected in a pure black box test. In practice, a mix of black box and white box penetration tests is usually used.

On-site vs. off-site

The second distinction concerns the point from which testing/attacking is carried out. Penetration tests can be performed off-site via the Internet or on-site within the corporate network itself.

Off-site penetration tests have the advantage that they are very cost-effective and correspond to the attack vector of a potential attacker from the Internet. However, their significance is limited: a vulnerable service that was blocked by an upstream firewall during the test, for example, would not be identified.

An on-site test from the demilitarized zone (DMZ), on the other hand, can simulate that an attacker has already taken over a system, e.g. a web server. With such a multi-layered setup, with a firewall between the Internet and the DMZ as well as between the DMZ and the office network, security can be tested much more comprehensively. A defense-in-depth architecture verified in this way still offers sufficient protection to fend off an attacker even if one system in the security chain is compromised. In addition, on-site tests can also be used to check for threats from internal perpetrators or insiders, a risk that should not be underestimated: according to the Bitkom survey mentioned at the beginning, current or former employees were behind the attacks in 65 percent of cases.
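The two points made about vantage points, that an off-site test cannot see what the outer firewall blocks and that a test from the DMZ verifies the inner firewall, can be turned into a simple comparison of reachability results. The Python example below is added here and is not code from the article or from any scanning tool; it takes constructed sets of services that answered from three positions (Internet, DMZ, office) and a constructed segmentation policy, and reports both what an off-site test alone would never have observed and which reachable services violate the policy between zones. Host names, ports and the policy are invented.

```python
# Constructed reachability results from three vantage points: the set of
# (host, port) pairs that answered a TCP connect from that position.
REACHABLE = {
    "internet": {("dmz-web", 443)},
    "dmz":      {("dmz-web", 443), ("dmz-web", 22),
                 ("office-db", 5432), ("office-fs", 445)},
    "office":   {("dmz-web", 443), ("dmz-web", 22),
                 ("office-db", 5432), ("office-fs", 445), ("office-ad", 389)},
}

# Constructed segmentation policy: which zone each host belongs to, and which
# ports may be reached from one zone into another. Anything not listed is
# expected to be blocked by the firewall between the two zones.
ZONE_OF = {
    "dmz-web": "dmz",
    "office-db": "office",
    "office-fs": "office",
    "office-ad": "office",
}
ALLOWED = {
    ("internet", "dmz"): {443},        # only the public web service
    ("dmz", "office"):   {5432},       # the web server needs its database
    ("office", "dmz"):   {443, 22},    # admins manage the web server from inside
}


def unseen_offsite(reachable):
    """Services reachable from some inside position but invisible from the Internet.

    These are exactly the findings an off-site test alone cannot produce."""
    inside = set().union(*(v for k, v in reachable.items() if k != "internet"))
    return inside - reachable["internet"]


def segmentation_violations(reachable, zone_of, allowed):
    """Return (vantage, host, port) triples that cross a zone boundary without
    being permitted by the policy, i.e. where a firewall rule is missing."""
    violations = set()
    for vantage, services in reachable.items():
        for host, port in services:
            zone = zone_of[host]
            if zone == vantage:
                continue  # same zone: no firewall sits in between
            if port not in allowed.get((vantage, zone), set()):
                violations.add((vantage, host, port))
    return violations


if __name__ == "__main__":
    print("not observable off-site:", sorted(unseen_offsite(REACHABLE)))
    print("segmentation violations:",
          sorted(segmentation_violations(REACHABLE, ZONE_OF, ALLOWED)))
```

With the constructed data the DMZ vantage point exposes SMB on an office file server, which the policy between DMZ and office does not allow; an attacker who had taken over the web server would reach it, and a purely off-site test would have reported nothing at all about it.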

Ultimately, the most effective and comprehensive approach is a combination of the different options: Black-/white-box, off-site/on-site testing to cover all threat scenarios, and supplementing automatic scanners with manual methods. A carefully planned penetration test is therefore an effective measure to safeguard against potential threats and is also more efficient and cost-effective for this purpose than a full system audit - provided, of course, that the identified vulnerabilities are subsequently remediated.
