Penetration Testing:
Protect your company
from hacker attacks

Our security experts use penetration tests, also known as pentests, to simulate cyber attacks on companies’ IT infrastructure. In this way, we show you the practical and realistic ways in which hackers penetrate systems. So that you can close vulnerabilities at an early stage and prevent the worst from happening.

For your all-round IT protection, pentetration testing is ideally combined with other IT security measures such as security awareness training and our IT security tool cyberscan.io®. Within the framework of our cyber security partnerships, this is achieved particularly efficiently: with custom-fit solution packages and our own products, we address the requirements of your company and ensure the highest security standards.

Why penetration testing?

As an endurance test for the IT infrastructure, pentesting helps to test your own cyber security and discover possible points of attack. Companies receive expert and unbiased feedback on their security processes and thus an important decision-making aid for further optimization.

IT security audits may take time and cost money – but the expense is disproportionate to a real security incident, which usually results in significant costs as well as reputational damage. Simulated hacker attacks pay off: The earlier the damage is known, the smaller the impact.

Regular penetration testing also enables companies to meet the requirements of increasingly important security certifications.

Your benefits at a glance

Clarity about your own
IT security situation

Early detection and
closure of vulnerabilities

Decision support
for optimizing the security strategy

Meeting standards
for certifications in the area
of IT security

Professional and realistic implementation thanks to many years of experience

Possible combination with other modules of our Cyber Security Partnerships

Pentests: You should know these 3 test methods

DGC AG offers different pentest methods to test IT infrastructures for security – white box, grey box and black box. These industry-established terms describe the pentester’s prior level of knowledge and granted access to systems under test. Thus, depending on the goals and requirements defined by your company, we will act overtly or covertly. In doing so, we proceed as dynamically and opportunistically as professional cybercriminals would.

White Box
Penetration Testing

For a White Box penetration test, you provide our IT security experts with all the necessary information about your company’s IT infrastructures in advance. Your employees are proactively informed about the execution of the pentest.

Black Box
Penetration Testing

Unlike the White Box penetration test, the Black Box pentest is completed without any prior information about the IT systems to be tested. The goal is to simulate the attack method of a hacker as realistically as possible. Our IT security experts try to compile first, on their own, the information that you would normally disclose in a white box penetration test.

Grey Box
Penetration Testing

The Grey Box penetration test combines the two variants above and presents a particularly authentic hacking scenario. Our security experts receive only fragmentary information about the customer’s IT systems and determine the remaining data themselves. Only later do the penetration testers receive detailed information on the IT infrastructure and selected access data. The combined approach proves to be particularly efficient compared to the frequently requested black box variant.

Our pentesting offers

Internal or external penetration test, web app pentest or one-time vulnerability check: To ensure that no security gap remains undiscovered, our offer includes various types of penetration tests. These can also be combined depending on the project and requirements – we will be happy to advise you.

Internal penetration test

You want to put the security of your internal IT systems and applications to the test? In this case, we conduct an internal penetration test on-site at your company (or remotely). In the process, our experts simulate a hacker attack to identify internal IT systems and their vulnerabilities.

Internal infrastructure includes all assets on the internal network, including cameras, clients, servers and peripherals. These assets are audited for vulnerabilities and security gaps, including protocols, network components, operating systems and applications.

As a result, you receive all identified vulnerabilities, their criticality as well as suitable safeguarding measures in the form of an IT security report. Upon request, we will present the results to you personally in a presentation.

Web application penetration test

Do you have an overview of how secure your web apps are? If not, a web app pentest pays off. The approach is similar to an external penetration test and aims to penetrate your web application like a hacker.

The goal is to identify as many vulnerabilities as possible and exploit them. This is achieved by checking the various areas of the web application or API for common vulnerabilities such as SQL injections, cross-site scripting (XSS) or session hijacking using manual as well as partially automated test procedures.

As a result, you will receive all identified vulnerabilities, their criticality and suitable security measures in the form of a clear IT security report. If required, we can also present the contents and results to you in person.

For our web application penetration testing, we follow the Web Application Security Testing Guide from OWASP (Open Web Application Security Project) – a renowned independent organization that promotes web application security.

External penetration test

If the security of publicly accessible systems is to be checked, an external pentest is recommended. Our experts simulate a hacker attack from the outside and try to penetrate the system. Possible types of simulated attacks include SQL injections, XSS attacks, IP spoofing, sniffing, session hijacking and buffer overflow attacks.

The external pentest identifies your external IT systems and their vulnerabilities. External infrastructure includes all assets that can be accessed from the Internet – such as websites, firewalls and routers, as well as mail servers, FTP servers and systems of specially controlled networks (DMZ). The discovered assets are checked for vulnerabilities and security gaps – for example, with regard to the protocols, network components, operating systems and applications used.

As a result, you receive all identified vulnerabilities, their criticality as well as suitable safeguarding measures in the form of an IT security report. Upon request, we can also present the test results to you in a personal presentation.

One-time vulnerability check

For a quick overview of existing IT security standards, DGC AG also offers one-off vulnerability scans. These are automated scans based on IP addresses, ports and web applications. The results are individually assessed by our experts and, if necessary, adapted to your company in the risk assessment.

As a result, you receive a tool-based overview of all identified vulnerabilities including risk classification – a quick win for optimizing your current cybersecurity.

However, since hacker methods are constantly evolving and a single penetration test hardly allows valid statements to be made about long-term IT security, we recommend scheduling a follow-up test. Our IT security tool cyberscan.io® can also be used for continuous testing of the IT infrastructure.

Remote Pentest

If desired, internal penetration tests can also be carried out remotely in a cost-effective and sustainable way thanks to our DGCAGBOX. Please feel free to contact us if you are interested!

Procedure for a DGC AG security check

From the definition of basic goals and requirements to the final analysis, a penetration test at DGC AG generally runs in five phases. We follow the standards of the German Federal Office for Information Security (BSI). In addition, we offer re-penetration as a further strategic step to protect your systems in the long term.

Depending on your needs, we simulate various scenarios and procedures for your IT security testing – white box, black box and grey box penetration tests are all possible.

For example, a penetration test can be planned together with your internal team. An alternative is the so-called “intern scenario”: one of our IT system analysts carries out the penetration test covertly – without your employees being informed. This also allows you to check the human component of IT security, known as social engineering.

Pentesting – Procedure explained in 5 steps

In order to test IT systems as authentically as possible and protect your company from potential attackers, our penetration tests are always carried out individually and customer-oriented. The process takes place in defined phases according to the BSI standard, which we present here – and have supplemented with the strategic step of re-penetration.

Phase 1: Preparation

In the first phase of a penetration test, the individual goals and requirements of your company, the intended procedure and techniques used are recorded. Relevant legal and organizational requirements as well as possible contractual agreements of your company are also taken into account in order to avoid potential risks. For a common overview, our experts record all details of the penetration test in writing.

Phase 2: Information gathering and evaluation

In phase 2, all discoverable information on the target is compiled. To check the external IT infrastructure, all system components that can be reached are scanned. For the internal IT infrastructure, all reachable assets are inventoried to draw conclusions about available network areas, devices and services.

The findings are used to audit the IT infrastructure. This is done through fingerprinting, also called footprinting: Information is used to correlate data sets to identify the version and patch status of network services, operating systems, software applications and databases. The process also allows conclusions to be drawn about current configurations. Fingerprinting results are used to identify vulnerabilities in systems and applications. At DGC AG, this is done with the help of our cyberscan.io® vulnerability scanner, among other things. Information from freely accessible databases on the Internet, in which vulnerabilities are cataloged, is also consulted.

In short, in phase 2 our experts obtain as comprehensive an overview as possible of the system environment to be tested, possible vulnerabilities and points of attack.

Phase 3: Evaluation of the information/risk analysis

The information obtained about the systems to be tested is analyzed and evaluated in detail in phase 3. This assessment also includes the agreed objectives of the penetration test, the potential risks to the systems, and the estimated effort required to identify possible security vulnerabilities in the course of subsequent intrusion attempts. Based on the analysis, our experts define the specific attack targets for phase 4.

Phase 4: Active penetration tests

In phase 4, the identified vulnerabilities are specifically exploited to gain access to your infrastructure. If our IT system analysts successfully penetrate systems, so-called artifacts are collected. These serve as the basis for the subsequent presentation as well as the IT security report in phase 5. Of course, the highly sensitive information is only documented in consultation with your company and is treated as strictly confidential. Phase 4 is generally only carried out at the customer’s request, as under certain circumstances critical systems could be affected. If agreed, selected or representative systems are systematically attacked (exploit).

Phase 5: Final analysis

In the course of the previous phases, a detailed overview of all identified systems, disclosed security gaps and possible solutions has been created. We present these pentest results and the resulting risks for your company in a written final report, in which we also explain the individual test steps. If activities in phase 4 have taken place, we will present the artifacts to you in a personal meeting if desired. The exploits used will also be explained at this meeting.

Phase 6: Re-Penetration (optional)

A single pentest is only a snapshot and hardly allows reliable statements about the long-term security level of the tested systems. This is because the techniques used by potential attackers are evolving rapidly: new vulnerabilities in current applications and IT systems are reported almost daily. In extreme cases, a cyber attack can even occur immediately after a penetration test has been completed – due to a new security vulnerability. Therefore, we recommend performing a retest after a defined period of time. Our cyberscan.io® software can also be used for continuous testing of the IT infrastructure.

How much does a penetration test cost?

Security audits in the form of pentests cost less than you think and are very flexible in their scope.

FAQ

What does a pentester do?

A pentester is hired by companies to perform security analysis of systems and networks from an attacker’s perspective. To bypass existing security measures, he or she draws on real tactics and techniques used by cyber criminals. The goal is to reveal undiscovered vulnerabilities in the IT infrastructure and show how they can be fixed. The pentester’s approach to such an IT security audit is always carried out in close coordination with the contracting company and in predefined scenarios and phases.

What is a pentest report?

A pentest report summarizes the results of a penetration test. It consists generally of two sections. The main report contains the most relevant results of a pentest – individually categorized and evaluated. In addition to a general overview and risk profile, technical information on found vulnerabilities is summarized in a topic-specific manner and, if useful, enriched with applied tactics. In addition, recommendations for each vulnerability are described. The recommended measures are intended to show how the security problems can be fixed. The second report section lists the overview data, i.e., all systems and vulnerabilities found during the test. The overall overview and detailed descriptions of the vulnerabilities provide companies with well-founded assistance in optimizing their own cyber security.

You want to learn more about penetration testing?

Contact us – we will be happy to advise you

"*" indicates required fields

This field is for validation purposes and should be left unchanged.