As an administrator and senior consultant, it has been his passion for 20 years to identify the IT problems of our customers and partners, to derive necessary measures and to provide custom-fit solutions. The prodkurist loves new technologies, has internalised the entire software-defined stack and goes all out when it comes to virtualisation techniques and storage technologies.
Penetration test: Hacking in the service of IT security
IT security incidents are currently increasing dramatically. In the last three months alone, the media published countless cases. Here is a small excerpt:
- Hafnium Exploit März 2021
- TU Berlin April 2021 Ransomware attack
- Publishing group Madsack April 2021 Ransomware attack
- Brenntag SE Mai 2021 Ransomware attack
- Toshiba Mai 2021Ransomware attack
- Colonial Pipeline Mai 2021 Ransomware attack
- Tegut Mai 2021 Type of attack unknown
- AXA Versicherung Mai 2021 Ransomware attack
- Mail order company Pearl Juni 2021 Type of attack unknown
The Federal Situation Report Cybercrime 2020 from the Federal Criminal Police Office confirms the feeling that IT security incidents have increased sharply. Compared to 2019, the number of reported cybercrime cases in Germany increases by 7.92% to 108,474 - the number of unreported cases is much higher here.
The forecast in the BKA report suggests that cybercrime will continue to increase. This is due on the one hand to the advancing digitalisation in all areas and on the other hand to the stronger networking of hacker groups and cyber criminals. Thus, there are already real value-added chains in the field of malware, which means that approximately 314,000 malware variants are put into circulation worldwide every day. Meanwhile, a cyber extortionist no longer needs to have in-depth technical knowledge - he can simply book the extortion software as a service, called Ransomware as a Service (RaaS).
Outages, data theft and ransom demands are consequences of a cyber attack
Most contingency plans call for shutting down all systems and taking them offline in the event of a malware infestation or a successful hacker attack. The subsequent examination of the systems for a compromise costs time and limits the company's productivity, depending on the industry and the degree of digitalisation. In the worst case, all systems have to be completely rebuilt (e.g. ransomware attack on the TU Berlin). Due to the sometimes very long downtimes, many companies are willing to pay the ransom demands of ransomware extortionists. If the encryption of the systems does not lead to the demanded ransom payment, data is stolen in many security incidents and subsequently threatened with the publication of this data. The attractiveness of this type of crime can be well illustrated with the following figures:
- The clearance rate of cybercrime cases in Germany is 32.6% (as of 2020). (Criminal offence "goods fraud" at 71.4%, police crime statistics, basic table v1.0 of 21.01.2021).
- According to a 2018/19 business survey, the range of ransom demands after ransomware attacks is between 10 and 100 million euros.
- CNA Financial reportedly pays US$40m ransom after ransomware incident
- World's largest meat producer JBS pays hackers around US$11 million ransom
With ransomware payments soaring after ransomware attacks, many insurance companies are trying to exclude such payments from cyber insurance policies. AXA Versicherungen has already implemented this in its home market of France and now only sells cyber insurance policies excluding ransom payments after ransomware attacks.
This is how security gaps occur
This is how security gaps occur most security vulnerabilities arise from the use of outdated software in companies. These open the door to attackers in IT systems that can be easily closed with an update. But even inexpensively programmed software with a large number of programming errors can lead to vulnerabilities in the system. That is why a thorough check is essential before a new software is used in a company. The greatest weak point is often the human factor. The gateway for malware is often an ill-considered click on a link from a phishing e-mail that leads to an Internet resource. Malware is then downloaded onto the employee's computer in the background and from there it can spread through security gaps in the company network, compromise systems and grab data. An alert test can be carried out to sensitise employees.
Penetration tests provide information about security gaps
Companies have various options at their disposal to find and fix vulnerabilities in their IT infrastructure. Probably the most effective method is to conduct a penetration test. This is a simulated attack on a company network and is usually carried out by a certified service provider. Unlike a vulnerability scan or vulnerability analysis, the vulnerabilities are not only found and assessed, but also exploited to further compromise the IT infrastructure. Since the attack is simulated, companies do not suffer the consequences of a real attack.
One test - different approaches
A penetration test can be conducted either externally or internally. An external test tests the parts of an infrastructure that are accessible from the internet, e.g. web servers, mail servers, firewalls, routers, etc. An internal penetration test targets the resources within an IT infrastructure that are not directly accessible from the internet and checks their security. A typical malware incident takes place inside an IT landscape, e.g. an encryption Trojan is infiltrated via phishing mail. The procedure of pentesters is differentiated into black-box, grey-box or white-box testing:
- Black-box testing
The pentester behaves like a hacker - without knowledge of the system to be infiltrated, he attempts to penetrate in order to then move dynamically and flexibly within the system.
- White-box testing
White-box testing is the exact opposite of black-box testing and gives the pentester full access to the information and documentation of the IT landscape. The challenge here is to analyse the wealth of information and to identify weak points. However, since the tester has all the information here, the target-performance comparison is more effective.
- Grey-box testing
Here, the middle ground between black- & white-box testing is applied. The tester has certain information at his disposal to define systems as targets or to leave other systems out of the test. The remaining systems are then tested dynamically, as in black-box testing.
Evaluation of a penetration test
The vulnerabilities found can then be classified into severity levels by the international standard CVSS (Common Vulnerability Scoring System) and compared in a standardised way across company boundaries. The pentest is followed by an evaluation of the vulnerabilities and the definition of measures to close the vulnerabilities and make the IT infrastructures more secure. Since many security gaps are caused by outdated software versions, it makes sense to repeat a penetration test at regular intervals.
- Data protection