The importance of a company’s IT Security should be clear by now. After all, it can sometimes end in a real disaster if confidential information – be it that of customers, patients or your own company – is made public. German companies are even legally obliged to practise IT Risk Management.
Unfortunately, in most cases it is not easy to determine how secure an IT system or network really is, which is why many different organisations recommend a penetration test. In this test procedure, the organisation carrying out the test behaves as if it were mounting a real hacker attack, i.e. it uses the same methods and tools. This makes it possible to determine quite precisely where a system's weak points and security gaps lie.
External vs. Internal Penetration Test
External Penetration Test
The external pentest is probably the most frequently commissioned, as it tests how effective a company's IT security, including its virus protection, is against attacks from outside. It is therefore about attacks on the network perimeter. According to Technology Knowledge Online, perimeter security refers to 'the security at the transition between a private or company network and a public network such as the Internet'. The attacks are carried out from outside, i.e. via the Internet or an extranet. No insider knowledge of the company being tested is required for this type of test: initially, publicly available information about the customer is usually sufficient, so the tester starts from the same position as a real external attacker.
Internal Penetration Test
Internal pentests simulate attacks from within the company network. Internal security also plays an increasingly important role in larger companies with around 50 – 100 employees or more, because such a company is no longer a small, familiar working environment in which every employee can be trusted to the same degree. The tester takes on the role of a disgruntled employee, or simply of an authorised user with standard access rights.
Ultimately, the aim is to understand what the consequences could be once the network perimeter has been breached, or how an authorised user could gain access to confidential information that their role does not entitle them to.
Although the methods used in the two types of test are similar, the results can differ greatly.
What does a penetration test cost?
Unfortunately, it is not possible to give an exact figure for pen test costs here; the test methods and the tools used vary too much. As a rule, a pen test is charged at a daily rate, typically between 1,000 and 1,800 euros. As such a test generally takes between two and ten days, you can expect to pay between 2,000 and 18,000 euros, depending on how extensive you want it to be. If you obtain quotes from different providers, you should look closely at what is actually on offer, as the term 'penetration test' is often also used for the far less thorough vulnerability scan. Vulnerability scans are sometimes much cheaper, but they are automated, can usually only uncover already known vulnerabilities, and provide no information about whether and to what extent those vulnerabilities can actually be exploited by cyber criminals.
The cost of the pen test pays off
The costs of a 'real' penetration test may seem very high at first glance, but it should be borne in mind that such a test cannot currently be automated. First, the pentester must select a suitable method tailored to the company being tested. In addition, a pentest report covering the entire process must be written and then discussed with the client. All of this explains why a penetration test is time-consuming and cost-intensive: it involves a considerable amount of manual work.
In addition, you should always bear in mind that the financial losses of a real ‘hacker attack’ are usually much higher for a company.
Proof of a completed pentest often leads to discounts on cyber risk insurance policies. Such policies cover, for example, business interruptions or the loss of data carriers and devices resulting from a hacker attack.
It is therefore well worthwhile for a company to invest in a penetration test.
Factors that can influence the cost of a pen test
- The test object: what is to be tested? The entire operation with several IT systems, or just a single web application?
- Which components should be tested? For example, only the program code or the configuration of a web application, or also the IT infrastructure it runs on.
- Test configuration: how should the test be carried out? Which test methods are possible?
- What level of assurance is required? The more thorough the desired coverage, the more costly and time-consuming the test.
Conclusion: demand for pen tests is increasing
Despite the higher price and longer duration of a pen test compared to a vulnerability scan, demand for this test procedure is steadily increasing. For many companies it has now become a matter of course, which is certainly a positive development from the point of view of security and data protection.