| Phase | Description |
| --- | --- |
| Preparation | Clarification and definition of the penetration test's scope and aims. Documentation of the test procedure and associated risks, as well as emergency measures. Check of test procedures for legal compliance. Agreements are recorded in contractual form. |
| Information Gathering and Analysis | Objective: Obtain a complete and detailed overview of the target environment and its weak points / points of attack. Phases: Reconnaissance, Scanning and Enumeration. |
| Information Review and Risk Analysis | The assessment must include the agreed objectives, the potential threat to the systems, and the estimated costs of evaluating the potential security deficiencies for the subsequent active penetration tests. Targets for the next phase are selected based on the analysis. Restrictions must be documented and justified. |
| Active Penetration Test | To be carried out only in tests that require verification of the weak point. Attack on systems with identified vulnerabilities. The test carries a high risk, so appropriate care is necessary. An emergency action plan must exist. For whitebox tests: Install patches beforehand on target systems. |
| Statement Analysis | Recording of all test steps. Evaluation of the identified weaknesses in the form of potential risks (e.g. CVSS score). Recommendations for resolving the weaknesses found. Final discussion in person, including a written report. |