
IS penetration tests and IS web checks

Attacks on IT systems are no longer unusual, even for small authorities and companies. To optimise protection, it is helpful to consider the attackers' point of view alongside the standard security precautions.

For this purpose, penetration tests have proven a suitable procedure for determining the current security status of an IT network, an individual IT system, or a (web) application. They are used to assess the chances of success of a deliberate attack and thus to check the effectiveness of the existing security measures and establish which additional security measures are necessary. The BSI offers two test methods: the IS penetration test and the IS web check.

Both test methods focus on the most frequent and best-known vulnerabilities of widely used IT systems. The tests show which vulnerabilities can be found at the time of testing with reasonable investigation effort and the agreed methods; a test is therefore a point-in-time snapshot within an agreed scope, not proof that no further vulnerabilities exist. Repeating the tests at regular intervals is recommended to gain a reliable long-term picture of the security status of the IT systems.

IS penetration test

IS penetration tests primarily examine external interfaces through which potential attackers could penetrate the IT systems under investigation. They identify configuration errors and vulnerabilities that have not yet been remedied.

In the case of an IS penetration test by the BSI, testing can be carried out at different depths at the request of the customer.

In a small IS penetration test, security-relevant configurations and rule sets (for example firewall and filter rules) of the IT systems in use are examined on a sample basis in the form of a technical audit, and recommendations are made for closing the vulnerabilities found. The IT systems are inspected together with their administrators.

In a comprehensive IS penetration test by the BSI, the technical audit is supplemented by technical examinations that actively search for vulnerabilities in the tested IT systems, including with the help of specialist security tools. For this, the BSI testers access the IT systems under examination on site, under the supervision of the responsible administrators.

IS web check

The BSI's IS web check is used to check the security status of the Internet presence of a public authority or an organisation. For the most part, the tests are carried out using automated methods via the Internet.

Procedure

The exact procedure for the tests is shown in the following summary guides:

Target audience

The BSI offers IS penetration tests and IS web checks primarily for federal authorities. For these, the tests are generally free of charge.

In individual cases, the BSI also offers the tests to other target groups, for example operators of IT systems of particular public significance that have been attacked. In these cases, the service is chargeable. Details of the individual costs are available from it-pentest@bsi.bund.de.

Application

Please complete the relevant form to apply for an IS penetration test or IS web check:

From practice for practice

The BSI has produced the guides "IS-Penetrationstest -- Aus der Praxis für die Praxis" [IS Penetration Test -- From Practice for Practice] and "IS-Webcheck -- Aus der Praxis für die Praxis" [IS Web Check -- From Practice for Practice] to assist in commissioning IS penetration testers and to explain the processes involved in an IS penetration test.

The documents are primarily aimed at those responsible in companies and public authorities who intend to use IS penetration tests and IS web checks (IS penetration tests carried out via the Internet) as a test procedure, in addition to the usual protection measures for their IT systems and data, in order to identify possible avenues of attack on their data.

Praxis-Leitfaden: IT-Sicherheits-Penetrationstest [Practical Guide: IT Security Penetration Test]

Praxis-Leitfaden: IT-Sicherheits-Webcheck [Practical Guide: IT Security Web Check]

External penetration testers

IS penetration tests and IS web checks can also be carried out by external penetration testers. The following IT security service providers are certified by the BSI for this purpose: