How is a pentest performed?
A pentest is carried out in several stages. First, information is gathered to identify potential targets or points of attack. Details are collected about access points, employees (who could be worthwhile targets) and technical applications and systems. This information is either made available directly by the customer or is compiled through own research using common search engines, various social media channels, or special search engines.
In a second step, further information can be gathered on the basis of the data obtained. Server systems are scanned for open ports and vulnerabilities while web applications are analyzed using a proxy. All vulnerabilities found by the scanners are checked manually and discarded as necessary. In case of physical assessments, research using Google Maps is conducted, on-site checks are carried out or office appointments are scheduled at this point in time. As a next step, the collected information is analyzed, vulnerabilities that have been detected are actively exploited, or phishing campaigns are developed and realized. For such a social engineering attack, credible contents are created to get the tested employees to enter their access data at a fake login.
Competitions of any kind are especially suitable for this purpose. During the physical security check, lunch breaks and smoking breaks are used to enter the building together with other employees. Once arrived, the goal is to find a suitable network port to connect a smuggled-in third-party device to the network. This device enables remote access to the company’s network, either via the company’s network itself or a built-in LTE modem. Technical vulnerabilities are verified manually and often exploited using tools. The initial way into the company’s network or the application is usually the biggest challenge.
Depending on the mission, the next step is trying to expand initial rights on the systems and to acquire others, in order to achieve the desired outcome. The aim is to get domain administrator rights, to gain access to secure systems or to find particularly sensitive personal data. All changes to the systems are documented during the entire test period. This can refer to stored files, installed programs or added users. After the work has been completed, all changes will be reversed to the extent possible.
At the end of each project, a comprehensive final report is drawn up, sent securely to the client and presented upon request. The report is the most important document of each test. It describes all measures taken and activities performed as well as vulnerabilities and recommendations in detail. Risks are assessed using the traffic light system and rated according to a scale from low to high. Social engineering campaigns are anonymized in the report to avoid drawing conclusions about affected employees. Such attacks must be approved by the works council, incorrect behavior may not result in negative consequences for employees.
The management summary provides a compact overview of the problems discovered. It should help the respective management to quickly and easily understand the situation and to introduce corresponding measures. Pentests also help the management to determine whether internal and external policies are being correctly implemented and complied with.
The experts at Radar Cyber Security almost always find vulnerabilities in their attacks, with only the degree of severity and the exploitability varying. Assessments take an average of a few days to two weeks depending on the task at hand and the scope. Sometimes it can even take a month to completely review a large company. In most cases, pentests are agreed in advance with the internal IT department to ensure a smooth operation. Sometimes only a few managers know about an upcoming test in order to test the behavior of their own employees as well.
As our recent Cyber Security Trend Report has shown, companies usually lack internal security experts and their employees do not have sufficient knowledge about the risks. It is usually people who open e-mail attachments. Fake domain names and senders often go completely unnoticed in the course of day-to-day business. Online competitions are almost always successful. The only winners, however, are the attackers who swiftly and easily get the employees’ valid access data. When working on site, it is easy to disappear into the crowd at the start of work or after lunch in buildings without access gates. Caution should also be exercised if suppliers or service engineers drop by unannounced. Such people can easily gain access to sensitive areas such as the server room. When it comes to improving security, there are some basic aspects and measures to be considered and appropriate precautions to be taken in order to minimize the damage and any loss of reputation for a company. Only with strong cyber security in all areas can companies be sure that they can continue to rely on the trust of their customers and partners in the future.