Data storage? For sure!
To err is human. Errors in web applications, unfortunately, are a risk – especially where personal data flows into those applications. It is not, however, just by electronic means that data thieves try to break in: physical security has become an increasingly important issue – as evidenced by so-called penetration tests. Wherever there is data, it can be captured. Specialists help to find data leaks and to successfully repel attacks.
Wherever there is personal or business data, there are also people who are interested in this data and will try to capture it. A web shop’s customer area, a forum or a company’s CRM are just as interesting as e-mails, business data and staff data. Regrettably, a data leak often has to occur before a search for flaws in infrastructure and organization begins. Penetration tests help to find and eliminate flaws in advance. If data is – directly or indirectly – accessible through the internet, it has to be considered a potential target of an attack and has to be secured according to its need for protection. Targeted attacks on the infrastructure do not only put data security to the test but can also serve to assess the intrusion detection of your IT provider or your own system administrators.
What data is retrievable?
The first objective of the attacks is to gather information on the technical components and the infrastructure that underpin the storage, processing and transfer of data. On this basis, applications and transfer protocols as well as elements of the infrastructure will be specifically attacked to provoke errors and possibly to gain information on the software, versions and configurations in use – and in the best (or, depending on the point of view, worst) case even to grab passwords. With this information, targeted attacks on the applications and infrastructure will be undertaken to gain further information or to exploit weaknesses in the software in use. The target here may be customer or user data, but also access to systems, control of systems and their resources, or space to store high-volume data. Every possible (ab)use of the system is conceivable here – and that is why the means of attack, too, are extensive and manifold. At the same time, penetration tests – unless internally announced – check the administration and monitoring of the system. Will system administrators recognize the intrusion attempts or the irregularities in the system? Will they initiate countermeasures? How will the tests affect other systems within the infrastructure? Even an intrusion test that gains no access to any data is a success – a success for your precautions.
More than just technology
Penetration tests do not only concern technical measures; they start with on-site physical and organizational measures in the office. Are entrances to the office facilities secured, or can a trespasser gain access to office rooms or even systems? How do the administrators react to such incidents? Will employees allow themselves to be fobbed off by the intruder? Will the responsible departments be informed? Those are all questions that can be examined and documented in the course of targeted penetration tests.
Prevention instead of damage limitation?
The advantage of penetration tests is that the data leak is only simulated, and weak spots are reported. That spares you not only the image problem a data leak creates, but also the complex search for the leak. Moreover, technical and organizational weaknesses are recognized and can be fixed preemptively. In the past, the cases of Sony in particular made the public aware. Also, recently, small flaws in the Apache web server possibly enabled trespassers to gain access to servers within a computer network by sending requests to the server with a manipulated URL. In many cases the flaw in the web server could even be disregarded because of a properly separated infrastructure.
So let’s go?
A penetration test consists of 5 stages. After preparation, information is retrieved and evaluated, forming the basis for active attempts at intrusion. To you as the customer, the results of our final analysis will certainly be of the highest interest, because here you can see, in black and white, where problems occur and where data could be lost.
Together with our partners we are happy to advise on and carry out penetration tests, even outside of web servers.