Penetration Test

Security test of your IT infrastructure

A penetration test can be used to check the extent to which the security of your IT systems is endangered by threats from hackers and whether IT security is currently guaranteed by the security measures used.

Simulation of realistic threat scenarios

If the penetration tester manages to break into parts of the computer systems and is able to access or manipulate confidential information, this is proof of a security gap.

The penetration test is a targeted attack against computer systems. The aim should be to identify and exploit weaknesses even in secured IT infrastructures. A penetration test should only be carried out if the obvious security problems have already been identified and remedied in advance by means of a weak point analysis.

Moreover, a penetration test is always only a snapshot of the current IT security situation, so the IT infrastructure should be subjected to regular checks. For example, it is possible that a new serious security problem may arise after completion of the penetration test due to a human error or due to the installation of software.

There are major differences in the quality of the service referred to as penetration test. The level and practical benefit of a penetration test is essentially determined by the extent to which the client’s individual situation is addressed, how much time and resources are spent exploring weak points and how creative the process is.

The most important goals of a penetration test

  • Increasing the security of your systems
  • Identification of non-obvious weaknesses
  • Confirmation of IT security by an external third party
  • Increasing the security of your organisational and personnel infrastructure

Our penetration test - modular in accordance with customer requirements

For penetration tests we offer the following modules, which can be booked independently from one another. Below are a few examples of possible test scenarios. We will work out the exact test scenario with you in a personal meeting. Based on this, we will prepare the final offer for you.

P | INTERNET
We check your systems accessible via the Internet. This can be for example the VPN gateway, Citrix or mail server. We check the exposed services for vulnerabilities and try to gain access to one of the servers if and to continue working from there into the internal network.

P | LAN
In the P-LAN module, mainly the internal network structures are checked. How is your switch infrastructure secured? Do you use vulnerable protocols? Are there ways to break out of a corresponding VLAN? Etc. We also offer to check the security of your existing protection mechanisms such as intrusion prevention or network access control systems.

P | RADIO
We check your radio-based services such as Wi-Fi or Bluetooth systems. Is the Wi-Fi visitor network properly disconnected from the production network or do you have weaknesses in encryption or authentication?

P | WEBSERVICE
In the P-WEBSERVICE module, a Web application is checked for weaknesses such as SQL Injection, Local/Remote File Inclusion or Cross-Site Scripting. We process the complete list of OWASP TOP 10. A web application can be the online shop you run or your corporate website.

P | APPLICATION
Part of the P-APPLICATION module can be an independent application such as your ERP system or an individual app. A possible test object would be checking for an extension of rights.  For example, is it possible to manipulate or steal data from the application?  We also check applications for programming errors such as stack and heap overflows.

P | SOCIAL
A social engineering test can be used to check the safety awareness of your employees. We distinguish between human based and computer based social engineering. One possible approach would be to obtain confidential information through phishing calls or to place ‘spyware’ on the target systems through targeted phishing attacks. Data protection plays a very important role for us – all personal data is completely deleted after completion of the tests. Today’s professional attacks include in most cases a social engineering attack. An attacker will always take the path of least resistance. If your systems are very well secured, an attacker tries to gain access from your company’s employees in a second step. For this reason, sensitisation and regular testing are nowadays an important aspect.

P | RETEST
A retest should always be part of a penetration test. The retest checks whether all weaknesses discovered in advance have been properly remedied.

Target group
Suitable for entrepreneurs and IT managers who want to know the security of their existing IT infrastructure.

null

Dino Bordonaro

General Manager