Penetration tests as an ongoing component of IT security measures

Cyber attacks on companies are an everyday threat and are said to have increased further during the Corona pandemic. High-profile examples of such attacks are the Emotet attacks of the past two years or the Hafnium attack on Microsoft Exchange Server, which exploited existing vulnerabilities. Companies therefore need to know how to protect themselves as effectively as possible against cyber attacks. Not every cyber attack can be countered with the same preventive measures.

In order to check implemented IT security measures and get an overview of possible vulnerabilities, it can be useful to conduct so-called penetration tests. In a penetration test, a potential attack is simulated by trying to find and exploit existing vulnerabilities in the IT network, individual IT systems or a (web) application.

The GDPR requires that the controller regularly reviews and evaluates the effectiveness of the implemented technical and organisational measures, see Article 32(1)(d) of the GDPR. Such a review can be carried out with the help of penetration tests. The Bavarian Supervisory Authority considers penetration tests to be part of the necessary measures for implementing data protection and security when a company develops its own software systems or selects software products. Manufacturers of digital health applications with a very high need for protection, which are to be included in the directory according to Section 139e SGB V (Social Security Code V), must even undergo a penetration test according to Annex 1 of the Digital Health Applications Ordinance (DiGAV), without the manufacturer having any choice in the matter. Penetration tests are therefore also required by the legislator.

Since self-monitoring only works to a limited extent, an IT security service provider is usually commissioned to carry out such a penetration test. The service provider takes on the role of the attacker. When commissioning such a service, however, some particular points should be taken into account.

First of all, the IT security service provider must be carefully selected. In addition to reliability and independence, the provider must above all guarantee professional competence and quality. The Federal Office for Information Security (BSI) certifies penetration testers in order to support the search for trustworthy and competent IT security service providers.

Before commissioning, the precise content and scope of the penetration test, which can vary significantly, must be agreed with the service provider. In practice, a distinction is often made between so-called “black box tests” and so-called “white box tests”. In a black box test, the IT security service provider is not given any information on the systems to be tested, in order to imitate a typical cyber attack by an external attacker. In a white box test, on the other hand, the client provides further information about the IT infrastructure, the hardware or software used, the systems to be tested, etc. The decision between these two approaches often also depends on the scope of the test, i.e. which IT systems are to be tested and how deeply the systems may be penetrated (test depth). It should also be agreed how the service provider is to behave if it actually succeeds in bypassing security mechanisms and penetrating the system. Finally, in addition to the work of uncovering vulnerabilities, the service provider can also be tasked with eliminating the vulnerabilities found.

Intrusion into third-party IT networks and IT systems and the processing of data found there may constitute a criminal offence under section 202a of the Criminal Code (data espionage), section 202b of the Criminal Code (phishing), section 202c of the Criminal Code (acts preparatory to data espionage and phishing) as well as section 303a of the Criminal Code (data manipulation) and section 303b of the Criminal Code (computer sabotage). For this reason, IT security service providers often obtain, at least as a precautionary measure, the client’s express consent to the access actions agreed within the framework of the contract. In this case, the service provider is not acting without authorisation or unlawfully, and there is no criminal liability. In the case of group structures, it is important to make sure that the client is actually authorised to dispose of the data and that the test does not concern systems or data of other group companies over which the client has no authority.

Furthermore, from the client’s point of view, special attention should be paid to the protection of confidential information. At the latest when the IT service provider has successfully penetrated the IT systems and has been able to identify vulnerabilities, the client has an increased interest in ensuring that both the vulnerabilities and any business secrets stored in the IT systems are treated confidentially. In this context, the Trade Secrets Act must also be observed.

From a data protection perspective, it must be considered which data the service provider accesses in the course of the penetration test. A distinction can be made between personal data that is made available to the service provider in advance for the purpose of providing the service and data that the service provider may access in the event of a successful penetration. Under data protection law, it should be considered whether the processing by the service provider can be legitimised by a data processing agreement. At the same time, the client must determine on what legal basis it may process any personal data involved. This will often be employee or customer/supplier data. As a rule, however, such data was not collected for the purpose of a penetration test.

Finally, the IT service provider will insist on an extensive indemnity against liability, because it cannot be completely ruled out that even with careful and cautious procedures, functions of the IT landscape may be impaired or fail, or even data may be lost. Backups and precautions should therefore also be taken to be prepared for such an eventuality.

Penetration tests remain a useful building block for ensuring a functioning IT landscape. However, when drafting the contract between the client and the IT security service provider, some essential aspects must be taken into consideration.