In this article, we answer the question: what is a penetration test?
IT systems (or information technology systems) now play a major role in our daily lives. This generally refers to all types of electronic data processing systems. However, precisely because they have become so important to us, they are often the target of hacker attacks. Cyber criminals try to detect vulnerabilities in programmes and servers in order to ultimately profit from them.
As IT systems and software programmes are highly complex, it is not easy to take the right protective measures. This is where the penetration test comes into play.
A penetration test – or pen test for short – is used to determine the state of IT security and the extent to which IT systems or other networks are vulnerable to hackers.
What happens during a penetration test?
The penetration test is usually carried out by IT security experts. They use the same methods used by hackers to determine where the security gaps in a system are and to what extent the virus protection used can withstand the threats.
The execution and results of these ‘test hacker attacks’ are carefully recorded so that ways can then be found to eliminate the existing vulnerabilities. Finally, the results of the pentest report and the further course of action are discussed with the client.
Ultimately, the client is responsible for ensuring that the security vulnerabilities found are also eliminated.
Historical Aspect
According to security expert Deborah Russell, ‘the 1960s marked the true beginning of the age of computer security’. And indeed, security concerns were already emerging in the 1960s with the new communication possibilities and time-sharing computer systems. As potential dangers were recognised, the penetration test was born. It was first carried out by the United States Department of Defence (DoD) in 1967 to increase the security of US computer systems.
The leading penetration expert at the time, James P. Anderson, drew up a basic recipe for companies to follow when conducting penetration tests in order to achieve the greatest possible success, which he continued to refine over time. Even today, numerous security experts still work according to the ‘Anderson Penetration Test’.
The Relationship Between Penetration Tests and Data Protection
Before the pen test is carried out, the client must sign a declaration of consent. If this is not the case, the tests are illegal. The client must also make it clear in advance which objects and components are under their responsibility. Networks and IT systems from third-party providers must be excluded from the tests.
For whom is a penetration test useful?
As, in principle, any company or institution can fall victim to a hacker attack, appropriate protective measures should generally be considered in order to protect sensitive data from theft.
For example, it can be fatal for public authorities if personal data is stolen. Hackers can also target the business knowledge of successful companies. This usually results not only in financial losses, but also in damage to a company’s image. In any case, the greatest possible data security and data protection should be ensured.
A pentest is useful here: it ensures that vulnerabilities are recognised in good time, so that things don’t get that far in the first place.
The penetration test in contrast to the vulnerability or security scan
Penetration tests, vulnerability and security scans can all be summarised under the generic term vulnerability analysis.
The difference is that vulnerability or security scans are carried out by automated programmes to identify security gaps, whereas a penetration test cannot be automated at the moment. A suitable method is selected and customised individually for the system to be tested, whereby various pentest tools are also used. Accordingly, the costs for a pentest are also higher, as it is much more time-consuming in terms of planning and implementation.
What types of penetration tests are there?
The type of pentest that is used depends on the company for which it is carried out. Some go deeper, others are more superficial. The components that are most likely to be weak points also play a role.
These are the most common pentests:
- DDoS tests (denial of service): This involves the ‘attacker’ making heavy use of certain resources (e.g. RAM) with the aim that the computer eventually stops responding. This makes it possible to determine whether the security software can withstand a DDoS attack and, if so, for how long.
- Out-of-band attacks: This is where systems are disrupted by the ‘attacker’ deliberately violating the standards for IP headers.
- Application security tests: This is used to check applications for data traffic, e.g. the quality of information encryption.
- War dialling: This technique involves systematically calling a large number of telephone numbers in order to identify connections for the remote maintenance of computers in companies. If an access device is found, various techniques are used to check whether it is possible to gain access to the company network.
- Penetration tests for WLANs: These tests check network security by identifying security vulnerabilities in a company’s wireless network.
- Social engineering tests: This is an attempt to track down employees as ‘weak points’. The simulated attacker tries to gain access to sensitive data through the employee under a pretext. This is also possible through phishing.
This is just a selection of methods that can be used in penetration tests. It would go beyond the scope of this article to list them all. You can also find more information on this topic on the website of the Federal Office for Security and Information Technology. The BSI has compiled interesting information about penetration tests in a ‘Practical guide for IS penetration tests’. Further useful information on penetration tests can be found here.