Ethical hacking: Using penetration testing to strengthen corporate security in the context of the Digital Operational Resilience Act (DORA)
In the increasingly complex world of digitalization, companies are faced with the challenge of protecting themselves against cyber attacks. Just recently, a long-established company from Aachen, Germany, had to file for bankruptcy due to a cyber attack. Schumag AG explained the situation by stating that they had a plan for a turnaround, but that this was severely disrupted after the additional stress of the hacker attack.
Companies use various means to increase their resilience to cyber attacks. Penetration tests are one such strategy. These are targeted and controlled attacks on a company's own systems, networks, applications or devices, carried out by security experts (so-called white-hat hackers). Penetration tests simulate real cyber attacks against the company's current security measures in order to identify potential vulnerabilities caused by insecure configuration, outdated software or programming errors, among other things. The results help the company to initiate targeted improvements to its security posture and at the same time show which protective measures are inadequate. The most important benefits include:
- Early detection of vulnerabilities: Penetration tests allow vulnerabilities in the IT infrastructure to be identified and rectified at an early stage before they can be exploited by attackers.
- Improvement of security measures: In addition to detecting vulnerabilities, penetration tests reveal security measures that have been implemented incorrectly in the IT infrastructure.
- Greater awareness of cyber attacks: A penetration test shows how vulnerable a company is to cyber threats and sensitizes management and employees to the need for stricter security precautions. This can lead to greater security awareness within the company.
- Improved emergency planning: Penetration tests help to test the ability to respond to real attacks. Companies learn how well their incident response processes work and can improve them based on the results.
Depending on the industry, penetration testing can also be a regulatory requirement for the company. Under the Digital Operational Resilience Act (DORA for short), financial companies are obliged to carry out Threat Led Penetration Testing (TLPT for short). This is the name DORA gives to threat-based penetration tests (DORA Art. 3 (17)). Five parties are involved in TLPT:
- TLPT Authority: Controls the compliant implementation of the TLPT
- Threat Intelligence Provider: Collects information that is used for the TLPT and uses it to create attack scenarios
- Red Team: The internal or external team that carries out the TLPT operationally
- Control Team: The central contact at the company that is responsible for the TLPT internally
- Blue Team: The company's defensive team, which tries to detect and counter the penetration test
The TLPT must have a minimum duration of four weeks, after which the collected information is processed and consolidated in several reports (Red Team and Blue Team). These tests must be carried out not only at the financial company itself, but also at third-party service providers that provide services to financial companies. Only those third-party service providers that offer important or critical support services for the financial company are tested. These so-called ICT third-party service providers must be tested by the financial company. The special feature of DORA is that TLPT must be carried out on running production systems. So that ICT third-party service providers do not spend all their time having their own infrastructure tested, it is possible to carry out pooled or joint tests. In this case, financial companies that share an ICT third-party service provider join forces in order to test it only once.
I hope that this article has helped you to gain an initial insight into the world of penetration testing. Complion offers comprehensive consulting services on the subject of DORA. If you have any questions, please contact us at mail@complion.de.
Author: Roman Scholtysik