
[Image: binary code, with the word "Malware" seen through a magnifying glass. © iStock/400tmax]
  • Industry News

Pentest: This is what matters when hacking your own systems

Hack your own systems, or have them hacked? Pentests are a popular measure for increasing IT security in companies. An experienced pentester explains how they work and what matters.

Log4j will keep IT security experts busy for some time to come. Providers of penetration tests promise support. A look behind the scenes shows how pentesters work and what they can do; the overview of the different forms of penetration test also lists the vulnerabilities they find most often.

The attack itself is simple: an attacker merely sends a specially prepared request to a Java application of the kind found on many web servers. The request is logged and evaluated in the background; in the process, an external system controlled by the attacker is contacted and the commands it supplies are executed. The perpetrator is then on the system and can run riot there.

This vulnerability, known as Log4j, has kept many administrators on their toes for several weeks. The difficulty often lies in finding one's own vulnerable servers and web applications, that is, those with the affected software library installed. External support can help here; pentesters, among others, are specialists in detecting such vulnerabilities.
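Finding one's own vulnerable servers starts with knowing which deployed archives actually ship log4j-core. The following script is an added example for this article, not TÜViT's tooling: it inventories log4j-core versions in JAR/WAR/EAR files (descending into archives nested inside archives, as in fat jars and WEB-INF/lib) and reports whether the JndiLookup class, whose removal was the Log4j project's published hot-fix mitigation, is still present. It assumes the standard Maven pom.properties path and class path inside log4j-core builds.

```python
# Added example (not TÜViT's tooling): inventory log4j-core copies on a host.
# Walks a directory tree, opens every .jar/.war/.ear, descends into archives
# nested inside archives (fat jars, WEB-INF/lib), and reports the bundled
# log4j-core version and whether JndiLookup.class is still present.
# Assumed: the standard Maven pom.properties path and JndiLookup class path.
import io, os, sys, zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def inspect_archive(zf, label):
    # One open archive -> list of findings, recursing into embedded archives.
    findings = []
    names = set(zf.namelist())
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        version = next((ln.split("=", 1)[1].strip() for ln in props.splitlines()
                        if ln.startswith("version=")), "unknown")
        findings.append({"archive": label, "version": version,
                         "jndi_lookup_present": JNDI_CLASS in names})
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXTS):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # member is named like an archive but is not one
            findings.extend(inspect_archive(inner, f"{label}!{name}"))
    return findings

def scan_tree(root):
    # Walk root and collect findings from every archive file below it.
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if not fn.lower().endswith(ARCHIVE_EXTS):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, path))
            except zipfile.BadZipFile:
                continue  # not a zip container; ignore
    return findings

if __name__ == "__main__":
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f['archive']}: log4j-core {f['version']}, JndiLookup present={f['jndi_lookup_present']}")
```

Run it against the application directories of each server (`python log4j_inventory.py /opt/apps`) and compare the reported versions against the Log4j project's advisory for the version in use.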

They simulate the behaviour of attackers with so-called penetration tests. Many security service providers offer pentests, one of them TÜV Informationstechnik (TÜViT), a subsidiary of TÜV NORD Group. "We pretend to be an attacker and use the hacking tools that attackers also use," Timo Müller, pentest expert at TÜViT, explains the approach. "We then analyse the results and give the customer advice on how to close the vulnerabilities found," Müller continues.


Variants of pentesting: automated scan to social engineering

How this is done varies from provider to provider. "With us, every pentester has his own test machine, on which hacking tools and self-developed programmes are installed, among other things. For example, we go into the company with it, connect the device to the network and start various scans," the expert explains a typical variant of pentesting. He emphasises that his team does not only rely on automated tools. "A manual analysis is indispensable; for example, we also look to see if there are other tricks that can be used to access the systems," says Müller, who studied IT security at the University of Bochum and has been pentesting for seven years. The scope of the test depends on what the customer orders. This is determined in preliminary discussions, as are any restrictions and other general conditions. "Sometimes we also test security configurations and thus the hardening of a system, which are then so-called white-box tests," Müller describes another variant. Here, it is tested whether the security measures taken are "watertight". "This also includes the simulation of an internal perpetrator to see if he can, for example, expand his rights and thus obtain data that is not intended for him," he describes the process.

Another form of penetration testing is social engineering, for example a simulated phishing attack. After all, most attacks start with a simple e-mail. Müller uses an example to describe how such a pentest can proceed: "We practically design a complete phishing attack. For example, we design a Christmas voucher with which we try to lure the employees to an external website. There we put a manipulated login form, with which we try to get access data." Often, he says, his team also receives a number of email addresses with task or department affiliation in advance; the attacks can then be more targeted, for example fake job applications in the form of dangerous PDF files sent to the HR department. "But we always do anonymised evaluations, anything else would be impossible to do with works councils," he qualifies.


Often too late - expert advises regular penetration tests

Companies often delay commissioning pentests for too long. But Müller warns: "You shouldn't do something like this only when a vulnerability has become known or an attack has occurred," because then it is often too late. Instead, he recommends "proactive regular implementation", for example after updates of systems or applications, since such changes usually open up new attack scenarios. "Many customers therefore carry out pentests every one to two years or after application updates."

Repeatedly found vulnerabilities confirm the recommendations of the pentesters. "We repeatedly find missing important updates or standard user accounts with standard passwords on servers. In web applications, on the other hand, it is injection vulnerabilities that can be used to inject malicious code," Müller summarises typical problems. Passwords stored in plain text were also among the results again and again. Some things never seem to change.

You can find information on organisational aspects as well as decision-making criteria for selecting the appropriate offer in another article on the topic.

Author: Uwe Sievers
