Penetration Testing – Beating The Hackers At Their Own Game


A comprehensive security test of individual computers or networks protects companies from hacker attacks.

Almost one in five IT managers has no idea what the term “penetration test” means – this was brought to light by a study by TUV Rheinland, whose security experts described the result as “terrifying”. In such a pentest, hackers commissioned by the company try to penetrate its IT infrastructure as deeply as possible and by as many different routes as possible.

This pinpoints the ways in which a criminal hacker would attempt to gain access to a company’s digital assets or blackmail the company by injecting malware. There is every reason to keep a close eye on the security of one’s own digital corporate world: last year, the damage caused by cybercrime and espionage amounted to around 200 billion euros, estimates the digital association Bitkom. The Federal Ministry of Economics warns that the security of IT systems has long since become a strategic factor for the entire economy.

There Are Two Ways For The Fake Attack On IT Security

The most realistic approach is the “black box” method: the cybersecurity experts commissioned for the test receive no information about the company’s IT structure or protective measures. According to experts, this is the normal situation when a future victim is targeted by cybercriminals. If, on the other hand, the “attackers” receive documentation of the digital architecture from the customer in advance, including the security concept and all access credentials, the focus is on identifying possible weak points in theoretical scenarios. Both methods address two potential risks: a (theoretical) technical attack via the network, web applications or mobile apps, and “social engineering”, in which security-relevant information is elicited from a company’s employees.

Your Own IT Department Must Be Convinced Of The Pentest

There are reasons why in-house IT managers may initially be skeptical about pen tests:

  • The error culture required for such a test is missing in the company
  • Improving security is tedious and clashes with day-to-day business

If a company is always looking for someone to blame when errors and opportunities for optimization are found, management will hardly be able to get the internal experts to stand behind such a test 100 percent. The pen test is about identifying weak points and opportunities for improvement before criminal hackers cause economic damage. If IT managers have to fear that they will personally be blamed for the attack paths discovered, they can hardly be open to such an investigation. According to Jan Kahmen, all IT managers have a strong interest in checking their own structures for possible entry points together with management: “In this way, no data protection violations can happen, which are meanwhile punished very severely.”

In many companies, day-to-day business always comes first and IT has to “check off” one milestone after the other in the shortest possible time. Often there is no time for the continuous process of protecting systems. Yet the development and expansion of protective measures never ends: with every new entry point into the company’s IT structure – be it a new portal, a new social media presence or even just a landing page – potential gaps arise that hackers can exploit.

Cybercrime Does Not Stop At Small And Medium-Sized Companies

Cybercriminals are not interested in the size of a company, but above all in the possible loot: be it important data, design drawings, customer data or even bank and credit card access. The “planting” of malware is also becoming more and more common, and the victim can only use its IT infrastructure again after paying what is often a large sum of money. It is obvious that criminal gangs hope for easier access to sensitive areas in small and medium-sized companies than in large corporations: no company is too small or too insignificant for an attack.

Of course, cybersecurity experts adapt the test procedure to the size of the company: »In this case, an in-depth analysis would not be a useful part of a penetration test. It makes more sense to concentrate on the quick wins than on a detailed examination of individual systems.« The share of IT managers who have never heard of the “penetration test” should quickly decrease in their own interest and ideally drop to zero.
