Yet another building block for IT security – PROMOS has hacking attacks simulated and tested by a cybersecurity firm

Anyone who is active on the Internet these days and receives private or business e-mails will be confronted with various forms of cybercrime sooner or later. The creative attack strategies range from simple spying attempted via spam/phishing e-mails with viruses or trojans all the way to professionally designed attack vectors planted by organised hacker groups.

If a company wants to ensure a level of security capable of withstanding such challenges, it will have to do more than just purchase infrastructure security systems. It may have been sufficient in the past to just “have the IT department simply set up a firewall”, but the current attacks have been far more sophisticated than that for some time now.

Better ISMS than sorry

A holistic concept is necessary and crucial in today’s partly hybrid infrastructures consisting of self-hosted systems (on-premise), cloud applications, technical software extensions developed both in-house and by third-party firms and systems with single sign-on methods. Above all, this requires a functioning and highly integrated information security management system (ISMS). This involves more than just carrying out checks at a single point in time, though. Rather such systems represent a continuous process whose strategies and concepts must constantly be checked for their operational performance and effectiveness.

At the core of an ISMS is the PDCA (plan-do-check-act) cycle. The basis for information security is first established (plan) then implemented via protection requirements analysis into IT security specifications and measures (do), which are then cyclically inspected (check) for optimisation and revision (act).

Stay a step ahead of cyberattacks with pentesting

Among the measures performed during the “check” phase are vulnerability assessment and penetration testing (VAPT) scans, also referred to as pentests. This testing is performed cyclically at PROMOS. Vulnerability scans are automatically carried out weekly to test different platforms such as easysquare using an internal Greenbone engine. Additionally, PROMOS consult commissions an external security company to perform external pentests each year.

These pentests are carried out at PROMOS as a so-called grey-box test. This means that the security company and PROMOS consult agree on the goals, procedures and scheduling of the pentesting in advance. These tests always aim to determine whether there are vulnerabilities in the publicly accessible systems that could allow an attacker to gain privileged access to internal systems, information or applications via the Internet.

Based on the pentests, a report is compiled that evaluates any potentially revealed vulnerabilities according to their urgency and recommends corrective actions. These pentests are executed based on the specifications from the German Federal Office for Information Security (BSI) regarding the structure of the tests.

In this manner, PROMOS consult ensures that its level of security is continuously adjusted to protect customer data and that appropriate measures are incorporated into both infrastructure changes and application development.