Penetration tests Risk of security loopholes in IT networks

Transcription

1 Penetration tests Risk of security loopholes in IT networks

2 Penetration tests Risk of security loopholes in IT networks Unauthorized access to the systems and data of your company, loss of expertise, and violation of legal provisions are just some of the potential consequences of insufficient safeguarding of internal and external networks. Most companies are unaware of the damage that can be caused by this. To reduce these risks and ensure an essential level of security and functionality, your company can have the security of existing IT systems checked on the basis of penetration tests.

3 Why penetration tests? To establish how secure your company is To raise the level of IT security To comply with legal provisions and regulations for the protection of information within the company What will you receive? An assessment of the security of your company and a presentation of the risk potential of the penetrated environment from the point of view of a hacker Increased security of your technical systems and infrastructure - Identification of vulnerabilities and security problems - Checking of implemented security measures - Recommendation of measures to address identified vulnerabilities - Recommendations regarding compliance of your IT security - Proposals for optimization of IT security guidelines Verification of IT security by an external third party

4 Penetration test areas Two test methods are generally distinguished in the context of penetration tests. Black box tests A black box test simulates an external attack initiated by a person outside the company. The aim is to identify specific security loopholes that can be exploited without any insider knowledge. White box tests In the case of a white box test, the attack is simulated based on the detailed knowledge of an employee. The aim is to identify potential vulnerabilities as well as to check internal IT security concepts. Preparation Information base (black or white box) Aggressiveness (passive to aggressive) Scope (complete to focused) Starting point (from inside or outside) Black box tests White box tests External View of an external hacker without insider knowledge View of an external with insider knowledge (e.g., access data for Web shop) Internal View of an external employee without company authorizations View of an internal employee with extensive knowledge

5 Execution Kickoff and information procurement Agreement of execution period Clarification of legal matters Definition of tools to be employed Specification of reporting structures Information procurement and evaluation Assessment of information/risk analysis Analysis and identification of vulnerabilities Scanning (e.g.: TCP/UDP scan) Active penetration tests Interpretation of vulnerabilities Analysis of facts and agreement of subsequent procedure Documentation and closing discussion Report generation and discussion Documentation of procedure and methodology of executed process steps Documentation of identified vulnerabilities Risk assessment of identified vulnerabilities Detailed recommendations regarding subsequent procedure

6 Individual not standard The IT systems and processes within a company are very different, with structures and technical organizations playing an essential part in their formation and individual configuration. It therefore makes little sense to execute penetration tests according to a fixed, uniform system. Quite the contrary in fact: a test should be as flexible as possible so that it can be adapted to the decisive criteria. We perform individual, targeted penetration tests based on the perspective from which they are to be executed, the aggressiveness and specific procedure of the test sequence, the scope of the systems to be examined, and the information base provided. Curious to learn more? Why not contact us for an individual quote. sales@ibs-schreiber.de Further information on penetration tests can be found at

7 IBS Who we are Founded on July 1, 1979 as "Ingenieurbüro Schreiber" (Schreiber Consulting Engineers), the company now presents itself as IBS Schreiber GmbH International Business Services for auditing and consulting. More space for more service IBS now comprises four business areas, consisting of our audit seminars and professional conferences, auditing and consulting services, CheckAud audit software, and services in the field of data protection. Our references include well-known companies in virtually every sector: banks, insurance, research, public authorities, manufacturing industry, media, auditors, and consultants these are just some of the many areas covered by our ever growing customer base. To us, up-to-dateness, a willingness to learn, and further development are not just means to an end, but instead represent core elements of our company values as instruments of innovation.

8 IBS Schreiber GmbH International Business Services for auditing and consulting Zirkusweg Hamburg, Germany Telephone: Fax: info@ibs-schreiber.de