Protect your Infrastructure against Cyber Attacks and Data Leaks.
Focuses on websites and web applications, regardless of whether they are self- or externally hosted. Any type of website and web application can be tested. The regularly updated OWASP Top 10 is used to assess the vulnerability and exploitability of the website or web application against the 10 most important web attacks.
Focuses on data, web, and file servers, network components, clients and other IP-enabled components. A pentester tests predefined and limited network areas. Advanced methods such as "lateral movement" and "privilege escalation" are applied, depending on the test scope. The ultimate goal is to compromise the Domain Controller.
Focuses on the Active Directory service from Microsoft. It is an essential component of every IT environment and therefore a lucrative target for attackers. A pentester checks for secure configuration, identifies inactive users and groups, examines policies, verifies permissions and uncovers systems with outdated operating systems.
Focuses on the evaluation of the security of mobile applications for the Android and iOS operating systems. Relies on the proven and regularly updated OWASP Mobile Security Testing Guide. Official, unofficial and self-developed mobile applications are systematically tested for vulnerabilities by examining accessible interfaces, user input, etc.
What is a Penetration Test?
A Penetration Test is a proven and goal-oriented procedure to determine and quantify the attack potential and the chances of success of an attack against an IT infrastructure, an individual system, or an application. For this purpose, a deliberate attack is carried out against a previously coordinated IT infrastructure or system by applying suitable methods.
From this, necessary security measures can be derived or existing security measures can be tested for their effectiveness.
Specifically, an IT system and the applications installed on it (web application, mail server, etc.) and the underlying operating system or database are checked for vulnerabilities and configuration errors.
The targets of a penetration test include:
- Network components e.g. routers and switches
- Security gateways e.g. firewalls and IDS/IPS
- Web, database and file servers
- Telecommunication systems e.g. Voice-Over-IP
- Web applications e.g. web presence and online stores
- End devices e.g. laptops and desktops
- Wireless networks e.g. WLAN
- Infrastructure devices e.g. card readers and building control
Two approaches to penetration testing exist: black-box and white-box penetration tests. In a black-box penetration test, the tester has no information about the test object in advance except for the entry point (network segment or individual IP addresses). With this approach, the special legal requirements of the Hacker-Paragraph (§202c StGB) must be respected. A black-box penetration test simulates an attack by an external perpetrator who, under the circumstances, has only limited knowledge of the target system. In a white-box penetration test, the tester has all the details about the test object at his disposal, including extensive information about the architecture, software used, hardware and security measures.
Not only DriveByte but also the Bundesbehörde für Sicherheit in Informationssystemen (BSI) generally recommends performing a white-box penetration test.
A black-box penetration test does not take into account the scenario of an informed internal perpetrator ("Evil Employee"). Furthermore, it is possible that vulnerabilities are overlooked due to the lack of information about the test object. In addition to the reasons mentioned above, the increased risk and effort of a black-box penetration test are also a reason for performing a white-box penetration test.
Your Benefits at a Glance
Prevent Cyber Attacks and Data Leaks before they occur.
Affordable and Tailored Prices for all Company Sizes.
Precise in Execution and will not Disturb Operations.
Certified and Experienced Pentesters Entrusted with Performance.
Frequently Asked Questions
A Penetration Test is executed by a certified and experienced Pentester. The Pentester utilizes a vast number of tools, including automated Vulnerability Scans, to uncover vulnerabilities and determine exploitability. In contrast to an automated Vulnerability Scan, the Pentester is able to combine different weaknesses and architectural flaws to exploit the infrastructure, whereas the automated Vulnerability Scan will only uncover vulnerabilities of a single system at a time.
Performing a Penetration Test is in some cases a mandatory legal requirement of applicable laws, as in the case of the Payment Card Industry, Health Apps or critical Infrastructure. Even if a Penetration Test is not legally required, it is highly recommended to uncover vulnerabilities and weaknesses in IT infrastructure before they are exploited by attackers who may in turn cause loss of data or downtime of production.