
IT infrastructure testing

IT infrastructure testing refers to the investigation of software systems and IT landscapes at network level from the perspective of a malicious actor.

The simulation of malicious activities to identify vulnerabilities is carried out via the public Internet or from a company’s internal network and includes, for example, the investigation of network components (e.g. servers, routers or firewalls), network protocols and network services (e.g. Active Directory, SSH, SNMP, IMAP) or remote maintenance and network access (e.g. VPN access) as well as protective measures at network level (e.g. network segmentation).

Why penetration testing?

As business processes are increasingly digitalized, more and more business-critical areas are accessible via the public Internet. Adequate protection against malicious attackers is therefore important in order to avoid potential technical and financial damage (e.g. due to data loss or restricted availability).

With the help of IT infrastructure testing, vulnerabilities within a network can be identified by simulating malicious activities in order to determine existing security risks for applications and their users. By recommending specific measures to eliminate identified vulnerabilities, the software quality in the area of IT security can be increased and adequate protection against successful attacks can be guaranteed.

In general, security tests can be used to check the following protection goals [1] according to the German Federal Office for Information Security (BSI):

Confidentiality
“Confidentiality is the protection against unauthorized disclosure of information. Confidential data and information may only be accessible to authorized persons in the permitted manner.”
Integrity
“Integrity means ensuring the correctness (integrity) of data and the correct functioning of systems.”
Availability
The availability of services, functions of an IT system, IT applications or IT networks or even information is ensured if these can always be used by users as intended.

Goal

The aim of the test activities generally consists of the following three points:

Identification of existing weak points
and misconfigurations within the application system or the IT landscape.
Recommendation of suitable measures
to eliminate vulnerabilities in order to increase the resistance of the IT infrastructure to potential internal and external attackers.
Determination of the security level
of the IT infrastructure at the time of test execution based on the test results.

General test methodology

Our test methodology in IT infrastructure testing is based on the BSI's implementation concept for penetration tests, the BSI's IT baseline protection compendium and the procedure of the Penetration Testing Execution Standard (PTES). The specific test activities are adapted according to the agreed customer objective and the technical conditions.

Next Steps

Once the study has been completed, there are various starting points for effectively continuing the previous analysis. A selection of suitable options can be put together individually during the consultation, depending on the customer’s objective, wishes and results.

Further test activities at network level
If previous penetration tests were not able to sufficiently examine all areas of the network, it is possible to extend them to other network areas.
Web application and web service penetration testing
The previous test activities can be focused on individual application systems within the network in order to carry out a more application-specific analysis of the security risk.
Security consulting
General or application-specific topics in the area of IT security, best practices or know-how for raising awareness or for solution approaches can be communicated on the basis of knowledge gained and identified vulnerabilities.
System hardening
Test coverage can be increased by specifically checking application systems that are accessible in the network at configuration level.