A penetration test is the practical examination of IT systems for security gaps and vulnerabilities. Various tools are used to simulate, or even actually conduct, an attack. The methods used are also referred to as “ethical hacking” or “white hacking”.
Systems and applications are checked for actual gaps in order to close them afterwards. Due to numerous attack scenarios and today’s large selection of software and hardware products, it is almost impossible to standardise such a test. In general, two types of penetration tests are conceivable: “black box” and “white box”.
In a black box test, the penetration tester receives only the URL of the web server or the IP address of the security gateway. All other information must be obtained by the tester. This simulates how a real attacker would proceed. An advantage of this method is that the tester works completely unbiased and tries out a variety of methods. A disadvantage is that, due to the lack of information about the system, unwanted impairments could occur. In addition, the contractor’s effort for this type of test is very high.
In a white-box test, the contractor receives all information about the test object, so that vulnerabilities can be analysed in a targeted way. The test can be carried out externally via the Internet or internally. An advantage of a white-box test is that the tester has a contact person from the client on site, and a large part of the external security mechanisms have no effect on the test result.
The German Federal Office for Information Security (German BSI) generally recommends a white-box test as this method is, above all, the most economical solution for both sides.
Before a penetration test can be performed, a series of preparatory interviews and on-site analyses are required. Obtaining information and its quality are of great importance for the performance and success of a penetration test. In addition, a written contract must be concluded prior to the actual implementation in order to minimise (criminal) legal risks during implementation. Once all formalities have been completed, the actual preparation can begin.
When performing penetration tests, individual capabilities of a penetration tester and the interaction between the client and the contractor are particularly important. Therefore, MORGENSTERN only collaborates with testers with several years of practical experience.