Penetration Testing Explanation

There are different types of penetration testing that we offer. We would be happy to explain each of them to you.

External pentest

This approach is often chosen. Companies want to know how secure they are against external attacks.

Internal pentest

Once the company to be tested reaches a certain size (from around 50-100 employees), internal IT security factors become more important. Trust in one's own employees is no longer guaranteed by a family-like environment, and the risk of an internal attack increases with the size of the company. A goal is defined for an internal IT penetration test. This can be, for example, testing all internal systems or checking security against internal attackers in the event of certain break-in scenarios. Priorities can also be set, such as theft of the hashed passwords on the domain controller.


IT infrastructure penetration test

This category covers testing, for example, server systems, firewalls, WLAN networks and VPN access for security gaps. These were the first pentests offered in the history of IT security. At that time, tests on the IT infrastructure were often carried out by former hackers. However, having an IT penetration test carried out by (former) hackers is not a good idea. If the former hacker relapses, the damage will be great. The risk is just too high. Even today, infrastructure penetration tests are an important factor in ensuring IT security for many systems.


Black box penetration test

Here the tester does not know which systems to expect and has no knowledge of the IT infrastructure. The pentester has to act just like a hacker and build a picture of the infrastructure independently. This is exactly the opposite of the white box penetration test.

White box penetration test

Here the pentester knows everything about the IT infrastructure: which servers, operating systems, services and applications are running, and which ports are / should be open. Since the tester has all the information, the effectiveness is much higher than with a black box penetration test. The known systems can be tested precisely. The target / actual comparison of IT security is clearest here.

Gray box penetration test

Here the penetration tester already knows something about the IT infrastructure. The purpose of the IT systems is also often briefly touched upon when talking to the customer. This is the most common practice, as the IP ranges to be tested are often specified and certain systems may be excluded from the test.

Practice shows that customers who commission a security audit for the first time tend to prefer a black box penetration test. Customers who commission an annual penetration test usually tend to choose a white box penetration test.

Where (from where) is testing carried out?