Many companies are currently investing in cybersecurity to beef up their defences and protect their critical assets. To get a clear picture of the actual state of their IT security, many of these companies consider ordering a security penetration test conducted by a security provider.
However, such a penetration test may provide a false sense of security. Since quality standards in this field do not exist, the quality of a penetration test depends on the experience, skill and skillsets of the persons executing it.
Other aspects that may determine the outcome of such a test are:
- The number of scenario’s tested (% of attack/exploitation surfaces tested)
- The point of access
- The authentication provided
- The time available for the test
But the most important drawback of a penetration test is that only a subset of possible scenario’s is tested during penetration testing and when the ones that have tested positive have been prevented, many alternative routes to the same or other exploits remain open.
How attack scenario’s work
Typically, a hacker tries to gain entrance to IT Infrastructure first using an entry in the attack surface and will continue to escalate privileges by using different user types, in different steps, until the point is reached from where a successful exploitation is possible.
An example of such an attack scenario is indicated by the red line in the figure above. A hacker might gain access as an application user via the company intranet and is able to escalate privileges to application administrative user. By using the privileges associated with this user, he/she can select and/or copy confidential financial data from the application.
In the real world, these diagrams are much more complex. IT security vulnerabilities present in the infrastructure will lead to higher numbers of possible attack scenario’s, because hackers will have many more possibilities available of gaining privileges by switching to a different user type.
Why a penetration test is incomplete by nature
A penetration test will generally only be able to test a limited set of attack scenario’s due to its inherent restrictions and method. It is simply not possible to enumerate and test all possible attack scenarios that may exist in a complex IT infrastructure, as for example in SAP landscapes.
Therefore, only some attack scenarios are tried out during a penetration test. Whenever such a scenario is found, it is listed in a report and presumably the customer will make sure that the specific recommendations to block these particular scenarios, are followed.
Unfortunately, this approach is not efficient nor complete, since many other routes leading to the same (or other) exploitations may not have been tested at all.
Test vulnerabilities instead of attack scenarios
At ERP-Security we believe in a true, holistic and white-box test for your SAP Infrastructure. Instead of testing attack scenarios and determining the vulnerabilities that make them possible, our SAP vulnerability scanner Protect4S directly finds all known vulnerabilities in your SAP Infrastructure.
- Since attack scenarios are enabled by vulnerabilities, mitigation of these vulnerabilities will severely limit the possible attack scenarios available for hackers.
- In addition, Protect4S enables cost-efficient mitigation of vulnerabilities because for every vulnerability found, Protect4S provides the associated risk value and mitigation effort.
- When these vulnerabilities have been mitigated, the number of possible attack scenario’s will drop dramatically.
For all your questions on Protect4S, contact us on our website.