
Test procedure

Our sophisticated and standardized approach leads to precise results

Efficient processes. Reliable results.

Goal

The aim of a penetration test is to identify security-relevant vulnerabilities in IT systems or processes of the customer organization that endanger the protection goals of confidentiality, integrity or availability of data or systems.

Work result

As a result of the analyses carried out, the customer receives a detailed final report in which the vulnerabilities are described in detail and concrete countermeasures for their elimination are set out. The report also contains a management summary of the results, including recommendations for action. The final report is presented to the client at the end of the project to establish a common understanding of the work result. We have summarized further details of the results report for you in the following article. Please contact us via the contact form or by email if you are interested in a sample report from SmartTECS Cyber Security GmbH!

The following describes the process of conducting penetration tests by security consultants from SmartTECS Cyber Security GmbH.

Phases

A project is divided into phases that are completed sequentially. The procedure is based on the recommendations of the Federal Office for Information Security (BSI) and has been adapted to real project conditions and improved over several years, based on the project experience of the security consultants at SmartTECS Cyber Security GmbH.

Phase 1: Preparation

In the preparation phase of the test, a kickoff meeting is held together with the relevant project managers on the customer side. The goals of the penetration test are defined and organizational points, such as the contact persons during the test execution, the execution period, the required access and requirements for the report, are determined.

The systems and applications to be tested within the scope of the investigation are documented, and the systems and functions that are explicitly excluded from the test are determined.

Depending on the complexity of the test object, the client will present the system. To reduce the risk of delays in the project, a so-called smoke test takes place a few days before the start of the test, in which the access and test requirements are checked together with the client.

Phase 2: Information gathering and evaluation

In the information gathering phase, information is collected about the defined systems and/or IP address ranges in scope to identify further potential attack vectors. Information gathering is divided into a passive and an active phase.

Passive information gathering involves no direct interaction with the target system(s). For example, Internet search engines are used or additional targets are identified via the enumeration of DNS subdomains in order to obtain additional information about the test object.

In the active phase of information gathering, interaction with the systems under investigation takes place with the aim of obtaining information such as operating systems used or services offered in the network. Port scanning techniques (TCP, UDP, ICMP, ARP) are used here, for example.

Phase 3: Identification of vulnerabilities

In the third phase, the identified systems and services are examined for the presence of vulnerabilities. Publicly available sources and vulnerability databases are consulted, and vulnerability scanners and manual analyses are used.

Phase 4: Exploiting vulnerabilities

To verify vulnerabilities and avoid false positives in the final report, each vulnerability is exploited, if necessary after consultation with the system manager. This makes it possible to draw conclusions about the possible effects of the vulnerability and to identify further attack paths on connected systems.

Phase 5: Documentation of results and cleanup work

In the final phase, the identified vulnerabilities are assessed in terms of their criticality and the results are documented in the final report. The security consultant defines targeted measures to eliminate the vulnerabilities. Any tools installed or changes to configurations on the systems provided are removed or reversed.

Finally, the results are presented to the client's contacts and recommendations are given on how to proceed to eliminate the weak points.

Our work result

As a result of the analyses carried out, the customer receives a detailed final report in which the vulnerabilities are described in detail and concrete countermeasures for their elimination are set out. The structure and content of the final documentation of a penetration test differs depending on the selected test category or type (e.g. source code analysis, network and infrastructure test or web application test). However, the final documents of SmartTECS Cyber Security GmbH in the area of penetration testing adhere to the following overarching structure:

Executive Summary

The executive summary presents the test results at an abstract, management level. The aim of the chapter is to provide a condensed summary of the analysis and to reflect the security level of the test object. The text is aimed at managers and decision-makers in order to provide a basis for decisions on the next steps.

Results overview

The technical overview summarizes the results for experts in a table. In addition, the resulting measures or recommendations for each security vulnerability are given. The aim of the chapter is to provide an overview of the test results.

General information about the analysis

The Project Overview chapter provides detailed information on the test object, category and test methodology. The aim of the chapter is to make the analysis comprehensible in order to enable targeted elimination of the weak points. Furthermore, the test focus of the current analysis is documented in the Methodology subchapter in order to enable a comparison of the test scope and depth.

Test result

The focus of the final report is on the results of the analysis. This chapter provides detailed information on the identified vulnerabilities. Details on the structure of the test results are given below.

Appendix

The appendix of each final report contains further technical information or self-developed scripts or malicious code to enable traceability and retesting of the identified vulnerabilities. In addition, information is provided on the classification of the security level and severity of the vulnerabilities.

Test results

The documentation of the results identified during the analysis period at SmartTECS Cyber Security GmbH is based on the following scheme. Deviations only occur if the type of test or documentation requires it.

Description

The description provides the context in which the vulnerability fits within the affected system. It also provides background information on the category of the vulnerability.

Severity

The severity of a vulnerability serves as the basis for an organizational vulnerability management process and can be used for prioritization. SmartTECS Cyber Security GmbH uses the CVSS score (Common Vulnerability Scoring System) and categorizes vulnerabilities according to the following severity levels: low, medium, high and critical.

Result

The result describes the specific effects of the exploitation of the vulnerability on the test object by an attacker. In addition, a proof of concept is created and documented to demonstrate the exploitability of the vulnerability at a very technical level. This is used by the expert to reproduce the vulnerabilities.

Remediation

The recommended action provides a detailed and concrete explanation of how to remedy the vulnerability.

References

Finally, further links and information about the vulnerability and how to fix it are provided.