IT security: Pentests: Protecting IT systems with hacking knowledge

Small and medium-sized e-commerce companies are increasingly being targeted by hackers. For them in particular, so-called penetration tests are an efficient way of discovering weak points in their own IT infrastructure. Dr. Ewan Fleischmann from the IT security service provider Redlings explains what types of pentests there are, whether they should be announced or unannounced and which legal aspects must be observed.

According to a Statista study from 2021, 46% of all companies surveyed in Germany were victims of a cyber attack at least once in 2020. 15.8% of these were online retailers.

Hackers are increasingly trying to break into company IT infrastructures, steal valuable data and sell it on, or place malware in order to blackmail the company or to sabotage technically controlled business processes for terrorist reasons.


In a penetration test, IT security experts take the perspective of cyber criminals and try to use their methods to break into a system.

For a long time now, it is no longer just the big online groups such as Amazon or Ebay that have been targets of cyberattacks. Small and medium-sized e-commerce providers are also increasingly in focus. The reason is that these companies are very often innovation drivers with important developments, yet do not always have a well-staffed and technically well-equipped IT department.

Take the cybercriminal perspective

For such companies in particular, a regularly performed vulnerability analysis is an efficient way to uncover existing, possibly undiscovered weaknesses in the company’s own IT infrastructure and to close them with suitable protective measures.

A company’s IT environment can be protected by performing a penetration test. This is a vulnerability analysis carried out by IT security experts, which differs from automatic analysis tools in that it not only finds known vulnerabilities, but also previously unknown loopholes.

To do this, the testers fall back on the same knowledge that the hackers have. They carry out the pentest from the perspective of the cybercriminals, so to speak, and try to break into the IT system using the same methods.

Incorrect configurations and poorly protected access

Much depends on information about the IT system, especially with regard to the internally and externally used technology that an online retailer uses for its business processes. It is mainly faulty configurations or poorly protected entrances that are suitable as “gateways” for uninvited guests.

The more a hacker knows about a company’s IT system, the more likely he is to find a way to gain access to a delivery service app or an online shop. Companies specializing in IT security assessments proceed in the same way with a vulnerability analysis. A pentest, in simplified terms, usually runs as follows:

  • Gathering of technical information about the IT system
  • Detection of possible weak points (misconfigurations, exploits)
  • Exploiting the weak points to penetrate further into the system
  • Final report with suggestions for closing the vulnerabilities


Announced or unannounced test

The check can be limited to individual areas such as mobile & API, cloud or web application or it can be carried out as a comprehensive vulnerability analysis for the entire network. Another important aspect of the preparation is the decision whether it should be an announced pentest or an unannounced vulnerability analysis.

An unannounced test provides valuable information on how efficiently the employees responsible for IT security react in an emergency. To what extent, with what methods and in what time frame the pentest runs must be contractually agreed in advance. The type of weak point analysis per pentest must also be specified.

“Blue Team” versus “Red Team”

Here you can choose between black box pentest, white box pentest or gray box pentest. The difference lies in the amount of information that the contracting company makes available to the testers before the security check.

Another variant is the test with the help of a Blue Team and a Red Team, whereby the Blue Team are the “defenders” of the IT system (i.e. all relevant employees of the commissioning company). The red team is made up of IT security experts who try to break into the system.

Badly protected system entrances are gateways for uninvited guests. Pentests can provide companies with clarity as to whether existing security measures such as passwords, access authorizations or firewalls are sufficient.

© IMAGO / Shotshop


The special feature of this test form is that the company can observe “live”, so to speak, how quickly and purposefully its IT department acts when a hacker attack occurs. In addition, it is possible to assess how efficiently the existing security measures such as passwords, access authorizations or firewalls are working.

No substitute for a comprehensive security concept

The weak point analysis by means of a pentest can only be a first step towards more IT security. Ultimately, companies themselves have to ensure that their data and information are efficiently protected. This requires a comprehensive IT security concept.

Especially for companies that operate exclusively via the Internet, a strategy is needed to defend against all conceivable attacks from outside (via the Internet, for example through phishing emails) or from within (with the help of infiltrated mobile devices such as laptops or USB sticks, or less reliable employees, especially in the home office).

The aim of a well thought-out IT security strategy must be on the one hand to optimize the active security mechanisms and on the other hand to ensure that employees receive training in which hacker methods such as phishing or spear phishing are discussed. In addition to technology, humans are always a potential weak point that hackers try to exploit with the help of social engineering.

Legal protection of pentests

A penetration test must be prepared in such a way that none of the parties involved take any legal risk. Testing IT systems is not legally permitted without express permission. Hacking is a criminal offense. For this reason, companies record their activities in writing in a service contract.

All important details of the commissioned weak point analysis are to be fixed in writing, e.g. the area to be tested, the name of the tester, the type of pentest, the time frame, and the allowed and disallowed methods. It is also important to clarify the ownership or usage rights to the systems to be tested, the software programs and any other system services used. Only those that are owned by the client may be tested.

The client must explicitly give his consent to the pentest under the stated conditions. A mandatory part of the contract should be a confidentiality agreement, because the testers can come across sensitive or secret data at any time during their vulnerability analysis.
