Penetration Tests

The Pentest

Companies of all sizes and industries have a vital interest in protecting their own IT systems from unauthorized access. To strengthen IT security, many companies therefore work together with ethical hacking service providers. Their task is to use penetration tests to uncover security gaps in their own IT systems before others find these vulnerabilities. 

In a Nutshell

  • Penetration tests help to identify security vulnerabilities
  • Pentests simulate attacks on web applications, networks or computer systems
  • There are a variety of types and methods
  • Service providers must be thoroughly checked for trustworthiness
  • Regularity is the be-all and end-all of pentests

What is a Penetration Test?

A penetration test, also known as a pentest, is a targeted and controlled cyber attack on a computer system, network or application. It is used to identify vulnerabilities and security gaps. IT security experts simulate the techniques and methods that could be used by malicious hackers to gain unauthorized access to systems or steal data.

These attacks on their own IT infrastructure are commissioned by the respective companies themselves. By uncovering these security gaps under “controlled conditions”, measures can then be taken to close these gaps. This also ensures compliance with all legal and industry-specific security standards.

The Relevance of Pentests for Companies

Professionally conducted penetration tests are a costly but enormously important cyber security tool for companies for several reasons:

Protection against Cyber Attacks

Security gaps in IT systems, networks and applications discovered by pentests can be actively analyzed and closed. By repeating such tests at regular intervals and repeatedly addressing any vulnerabilities, the likelihood of the company in question falling victim to an actual cyber-attack is reduced.

Optimization of the Security Strategy

Penetration tests provide valuable insights into the strengths and weaknesses of a company's current security measures - both online and offline. This data can be used to constantly and transparently develop the company's entire security strategy. This open and active commitment to greater IT security is also generally well received by customers and business partners.

Protection of Customer Data

The General Data Protection Regulation (GDPR) contains clear requirements regarding the storage and protection of personal data. This is also linked to severe penalties for violations - for example, if cyber criminals penetrate the system via security gaps and steal sensitive data. Pentests help to proactively prevent such data leaks and protect business-critical data.

Meeting Compliance Requirements

For some service providers, the regular performance of penetration tests can even be a legal requirement. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires companies that process credit card information to validate their IT security by conducting penetration tests at least once a year.

Types of Penetration Tests

The instrument of penetration testing can be used to put a wide variety of aspects of the IT infrastructure to the test in a very targeted manner. The knowledge of pentesters is most frequently in demand in the following areas:

Network Penetration Test

This test examines the security of network infrastructures, including firewalls, routers and switches. The attack on the network as a whole is aimed at capturing business-critical data or disrupting its function.

Web Application Penetration Testing

Here, pentesters analyze web applications (online stores / customer portals) for vulnerabilities such as SQL injection, cross-site scripting (XSS) and insecure authentication mechanisms. This also includes security gaps in the respective interface (API) and any application-specific exploits.

Wireless Network Penetration Test

This simulated attack aims to uncover vulnerabilities in wireless networks that would allow hackers access to data traffic on the network. These are often insecure WLAN configurations or inadequate encryption standards on devices.

Cloud Penetration Test

In a cloud-focused pentest, cloud infrastructures and applications based on cloud services are the primary target. The test assesses the cloud security situation and determines whether the respective cloud computing solution - for example our GFOS knownCloud - has been configured correctly and therefore securely.

Social Engineering

Social engineering is about exploiting human rather than technical vulnerabilities. Various techniques are used to trick employees into disclosing sensitive information. One very common form of attack is (spear) phishing via email. Many pentesters include these methods in their work, as humans are one of the most reliable security vulnerabilities in IT.

Physical Penetration Tests

Closely linked to social engineering are physical pentests - where hackers pretend to be authorized persons and attempt to gain access to server systems, data centers or other sensitive areas of the company's IT. This represents an additional test for the local security controls.

In practice, a distinction is also made between internal and external penetration tests. In the external variant, an attack is imitated by a malicious third party who wants to gain access to the system. Internal tests, on the other hand, focus on the potential damage that malicious insiders can cause - i.e. actors who, in the worst case, have extensive access rights within the system.

Penetration Test - Methods at a Glance

The manner and scope of the pentester's work is determined in advance between the service provider and the client company. A simplified distinction is made between three test methods:

Black Box Testing

In this scenario, the commissioned pentesters do not have any details about the system. All the information required for an attack must be gathered independently. This approach is particularly suitable for simulating a real cyberattack on your own IT and testing the resilience of your security systems.

White Box Testing

In this scenario, the pentesters are given full access to information about the system in advance, including source code, network architecture and application details. This represents the potential level of information of a well-informed insider. This method allows a very thorough and in-depth examination of the respective IT systems for vulnerabilities and security gaps.

Gray Box Testing

Gray box testing is a mixture of the two variants above - pentesters receive some information about the target system, but not all the details. This method allows attacks to be simulated by partially informed insiders, which means that both internal and external procedures are incorporated into this penetration test.

The Process of a Penetration Test

An ideal penetration test should follow this pattern or include the phases mentioned here:

1) Planning / Preparation

The company and service provider (“hacker”) define exactly which areas and systems the penetration test should cover. The objective of the test itself is also defined. Important: All these agreements are recorded in writing - especially to ensure that the pentester does not have to fear any criminal consequences for the defined activities.

2) Information Gathering

In the next step of the pentest, the contracted IT expert gathers further information about their target. This can be done, for example, by accessing publicly available information (GitHub / databases) or by actively spying on systems and networks. To do this, the tester uses pentest tools such as port scanners and the like.

3) Testing for Vulnerabilities

After gaining an overview of the target, the pentester looks for specific vulnerabilities in the system. A popular tool for detecting such vulnerabilities in networks is the Open Vulnerability Assessment Scanner (OpenVAS). If web applications are the target, the open source security scanner “ZAP” (formerly: OWASP ZAP) is often used for penetration tests.

4) Exploitation

The next phase involves exploiting the identified vulnerabilities to gain access to systems and data. Ideally, it is possible to use this initial access to identify further vulnerabilities and use them to extend the simulated attack. When using such exploits, however, pentesters should always ensure that their own activities do not pose an actual threat to the company's applications and networks.

5) Post-Exploitation

Once the penetration test is complete, the IT expert withdraws from the system. In doing so, he removes all backdoors that have been set up as well as any scripts and code that were used during his activities. This ensures that cyber criminals do not become aware of vulnerabilities through the pentester's work and exploit them for their own purposes.

6) Analysis / Reporting

The final conclusion of each penetration test is a summary of all findings and events, which is presented to the client company. This lists in detail which gaps were detected where and how, what access was made possible as a result and what potential damage (data loss) could have been caused. This final report also includes specific recommendations for action to increase IT security.
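The written scope from phase 1 and the cleanup duty from phase 5 can be enforced with a small engagement ledger that the report in phase 6 draws on. This is an added example, not part of the original page; the class name, the addresses (documentation ranges) and the file path are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Engagement:
    """Written scope from phase 1 plus a ledger of everything left on targets."""
    in_scope: list[str]   # networks agreed in writing (constructed sample values)
    excluded: list[str]   # carve-outs the client does not want touched
    artifacts: list[dict] = field(default_factory=list)

    def allowed(self, target: str) -> bool:
        """True only if target is inside the agreed scope and not carved out."""
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            return False  # anything that is not a plain IP address counts as out of scope
        if any(ip in ipaddress.ip_network(n) for n in self.excluded):
            return False
        return any(ip in ipaddress.ip_network(n) for n in self.in_scope)

    def record_artifact(self, host: str, path: str) -> None:
        """Log a script, file or account placed on a host during testing."""
        if not self.allowed(host):
            raise PermissionError(f"{host} is outside the written scope")
        self.artifacts.append({"host": host, "path": path, "removed": False})

    def mark_removed(self, host: str, path: str) -> None:
        """Flag an artifact as cleaned up during withdrawal (phase 5)."""
        for a in self.artifacts:
            if a["host"] == host and a["path"] == path:
                a["removed"] = True

    def outstanding(self) -> list[dict]:
        """Artifacts still on targets; should be empty before the report is issued."""
        return [a for a in self.artifacts if not a["removed"]]


def demo() -> Engagement:
    # Constructed engagement: one /24 in scope, one host carved out.
    e = Engagement(in_scope=["192.0.2.0/24"], excluded=["192.0.2.10/32"])
    e.record_artifact("192.0.2.20", "/tmp/pt-helper.sh")
    e.record_artifact("192.0.2.21", "/tmp/pt-helper.sh")
    e.mark_removed("192.0.2.20", "/tmp/pt-helper.sh")
    return e
```

A non-empty `outstanding()` list at the end of the engagement means the withdrawal is not finished, and the remaining entries belong in the final report.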

Pentests between Necessity and Risk Factor

Important: Cooperation between companies and experienced pentesters can make a significant contribution to strengthening their own IT security. At the same time, the commissioned hackers potentially receive very sensitive company data right from the start of the collaboration.

In order to find the right service provider at this point, the German Federal Office for Information Security (BSI) provides a practical guide for IS penetration tests. It lists key points such as checking technical qualifications, determining the scope of a test and more for orientation.

Penetration Tests - Best Practices

We recommend the following best practices to ensure that companies can always rely on the security of their own IT:

Regular Tests

Penetration tests should not be a one-off affair - quite the opposite. Every completed test is always just a snapshot and, in the worst case, the next security gap is not far away. This is why such pentests should be repeated at regular intervals - the more critical the infrastructure, the more important this becomes. For the same reason, such tests are an integral part of our GFOS hosting service package.

Collaboration with Experts

For reliable findings, pentests must be carried out by experienced IT experts. Careful research is required here, paying attention to recognized certificates such as Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP) and similar qualifications. With such qualifications in place, it is highly likely that companies can rely on professional implementation and cooperation that will help to secure their own IT in the long term.

Integration into Security Strategy

Ideally, penetration tests should be integrated into your own security strategy. As part of our ISO 27001 certification, we regularly have our systems subjected to security and penetration tests. In this way, we ensure that our customers' data is in the best hands at all times.

Do you need support with your IT?
Our GFOS Cloud & IT-Infrastructures GmbH is on hand with help and advice. Let us advise you without obligation - for security and performance from a single source.