Secu6: Planning and Implementation of Penetration Tests

An insecure IT environment can seriously endanger a company's operations or even its continued existence. Small, seemingly insignificant errors often open dangerous gaps in IT networks, and these gaps can only be closed once they have been identified. Even IT infrastructures and applications that are robustly designed to high quality standards may still contain weaknesses. A penetration test is ideally suited as a control instrument for identifying them, because it is the only way to effectively examine IT networks for security gaps from both the outside and the inside. Carrying out these simulated hacker attacks, however, is anything but easy, and this is what the workshop addresses.

Topics

Why penetration tests?

  • Subject of the tests (perimeter, LAN, WLAN, web application, web services, clients, iOS, Android, special tests)
  • Penetration tests in the light of the new IT Security Act

Organizational possibilities

  • Announced/unannounced?
  • One-off or as a process?
  • Black box test or white box test?
  • Test to be performed by an external expert or internally? Careful selection of the service provider
  • Aggressive or cautious procedure?
  • Attacker models and attack scenarios

Procedure; internal and external communication regarding tests

Cost-benefit ratio, award of penetration tests, budget optimization

Project management: PPMO

Metrics and standards

Latest trends, future penetration tests

Legal and ethical aspects

Following up vulnerabilities

Multi-period test plans

Penetration tests as an internal audit tool

Planning and implementation of penetration tests in group structures

10 practical tips by Sebastian Schreiber

Duration

One day