Those responsible for a local computer network are aware of the great effort involved in setting up and maintaining it. It is important to configure all components to be functional and up-to-date. For all user devices, the desired software must be installed and the appropriate access rights defined. The most important task, however, is to develop the appropriate security concept to protect your own network against harmful attacks. Depending on the network size and required security standard, very different measures and components are possible – from ordinary software firewalls and antivirus programs to more complex hardware firewalls to solutions with additional components such as intrusion detection and intrusion prevention systems.
But if the defense concept is in place, efforts do not have to be over: regular security testing to verify network protection is a common practice in larger companies and government agencies. With so-called penetration tests, in short, pentests, For example, detect the attack potential of the network, individual participating systems or even a single application. On the basis of the test results, one can then initiate appropriate optimization measures. How is such a test done exactly and what does it mean for the existing network?
What is a pentest?
In information technology, a penetration test refers to the planned attack on a network of any size or individual computers with the aim of disclosing the weak points of the respective test object. For this purpose, various tools are used to simulate various attack patterns that are modeled on known attack methods. The typical components that are subjected to a pen test are:
- Network coupling elements such as routers, switches or gateways
- Security gateways such as firewalls, packet filters, virus scanners, load balancers, IDS and IPS etc.
- Server like webserver, database server, file server etc.
- telecommunications systems
- Any kind of web applications
- Infrastructural facilities such. B. Access control mechanisms
- Involved wireless networks such as WLANs or Bluetooth
In general, a distinction is made between black box and white box tests: in the case of the former, only the address information of the target network or system is available to the penetration testers. In the latter case, the testers have extensive knowledge of the systems to be tested, such as the IP addresses and the software and hardware components used. Therefore, Whitebox pen tests also cover attack scenarios that are not taken into account by a black box test – eg. For example, the attack of a well-informed attacker from within his own ranks.
Motivation and requirements for a pen test
In principle, the threat to your network for an attack naturally increases with the value of your data. Government agencies and banks that manage a wealth of valuable personal customer information are as popular with criminals as successful companies that have valuable expertise on their servers. If you manage data or projects of lesser scope in your network, however, you should by no means be safe – no matter whether you run a webshop and run shop or ERP systems on a server in the network, an informative web project with a large number of maintained Offer contributions or simply use the network as a working platform. Here, attackers can harm you as well and, for example
- paralyze your web projects or work environments,
- get into the possession of valuable passwords of network users,
- Inject malware,
- Steal log-in data from customer accounts
- or misuse computer systems of your network.
Apart from the economic consequences, a loss of image can often not be ruled out if customers are directly affected or the attack becomes public knowledge.
However, if you choose to run a pen test on your network, you should not start attacks on your own computer systems and applications on your own, but seek the services of an expert. The tests require professional competence in the field: Penetration tests can have a different intensity and, if carried out incorrectly, can quickly lead to complications or serious damage. It is therefore important to find the perfect degree of the necessary attack path and avoidable exploitation of the respective weak point. In addition, an external tester who was or is not involved in the design, construction, and management of the network promises, due to its impartiality and a different perspective the best test results.
Any type of penetration test requires that you own or have the appropriate authority to own the tested network. Cooperation with an external tester therefore absolutely requires a contractual regulation in which the duration and intensity of the pen test as well as data protection measures etc. are recorded.
Pentest: These tools are used
The variety of network attack forms ensures that even penetration testers have a whole range of different tools at their disposal. These include. Port scanner, vulnerability scanner, sniffer, packet generator or password cracker. Many tools have been explicitly developed for network security testing and are therefore tailored to specific test areas. While most of the programs come from the open source sector like Nmap, there are also some commercial security applications that are usually better documented and have extensive user support. This fact can be quite beneficial as it is due to the clearly defined usage scenarios and possibilities It is very important for the individual tools that the tester masters the functions of the tools used.
There are now extensive tool collections for penetration testing collected by experienced security professionals. These collections often work on the basis of a stable Linux distribution, which can be executed via an external storage medium such as a DVD or a USB stick. The advantage of such a pen test distribution is that it is hardened, that all important tools are combined in a single interface and preconfigured and ready for use. One of the most popular solutions is the Kali Linux distribution,
Expiry of a penetration test
To perform a successful pen test, you should first create a clear concept. Clarify which components you need to test, what timeframe a single test or scan of your network should have, and whether you have all the tools you need. This preparation phase is even more important if you assign an external tester with the safety check and this is to realize a white box test. In this case, you need to communicate all information about your network and the participating systems and pass on existing documentation. The situation is different with a black box test, for which you only announce the target address of the respective test objects.
The actual test procedure can be divided into the following four areas:
- Review of the network concept: Even during the preparation phase, a penetration tester can detect inconsistencies or specific weaknesses in the design of the network or of the individual components. For example, if different applications are configured with multiple groups of rights, they can quickly cause complications and pose a security risk to the entire network, even if it and the individual hosted programs are sufficiently protected. Some of these cases can already be clarified in the preliminary discussion, while others can only be proven by a practical test.
- Test of the curing measures: The core of a secure company network is that the systems involved are best hardened. Consequently, the penetration test is also about checking the hardening measures taken. On the one hand, it is about installed software such as the operating system, system services or user applications, which should always be up to date. If older versions are in use for compatibility with other applications, alternative safeguards are required. In addition, the access and authentication requirements also play for the individual systems and programs a large role. Here, the pen test deals with issues such as access rights, password usage, and encryption as well as the question of whether unauthorized persons are denied access. Another task is to check the use of existing interfaces and open ports as well as defined rules and regulations, for example, a firewall.
- Finding Known Vulnerabilities: It generally does not take long for discovered software vulnerabilities to become known, which is why penetration testers are generally familiar with the targets of the examined test objects. Thanks to the version and patch levels that they have discovered while researching the degree of hardening of network components, they quickly understand which applications pose a security risk. If many systems are to be examined in a short time, the use of vulnerability scanners is worthwhile, but they do not always lead to an exact result.
- Targeted use of exploits: The tester can only ascertain whether vulnerabilities found can actually be exploited by using an appropriate exploit on their own. Such a command sequence is usually scripts provided by various Internet sources, but not always securely programmed. Performing such an insecure exploit risks to crash the tested application or system and, in the worst case scenario, overwrite important memory areas become. Here, the penetration tester should, therefore, be careful to use only demonstrably safe scripts from reputable sources or to refrain from testing the vulnerability.
All steps and results of the pen test should be recorded in writing by the tester. Which areas he dedicates to, is clarified in advance. So you have the optimal basis to understand the individual steps and to evaluate the situation afterward. Usually, the tester also gives you accurate estimates of which detected security vulnerabilities pose the greatest risk to your network. Using such priority lists you can optimize the system protection step by step.