Penetration testing
What do we mean by a penetration testing?
The pentest (penetration testing) is about the manual checking of IT systems for security gaps or weak points. Also, in contrast to the IT security audit, security gaps (e.g., buffer overflows, format string vulnerabilities or simple rainbow table attack on NTLMv2 authentications – unfortunately still used) are largely exploited so that a realistic picture of corporate security is created.
If, in addition to known security gaps in the IT security analysis, so far unknown security gaps – so-called 0-day vulnerabilities – appear, we will coordinate the procedure with you in detail, since in most cases software, for which a third party (manufacturer) is responsible, is usually infected but you are affected by the vulnerability. We do not exploit these 0-day security gaps for ethical reasons, as the manufacturer must have the opportunity to fix them – since there are often 0-days in the context of penetration tests with our customers and maybe also with you, we have internal compliance requirements for such cases, such as these responsible disclosures to proceed. These and other topics will be discussed and documented with you in a joint kickoff appointment.
You can find our penetration test portfolio here.
Penetration testing certifications and standards
Holistic penetration testing - Physical security & Social engineering
In addition to purely technical IT security, our penetration testing also includes other fields such as physical IT security. We use tools such as copied RFID or Mifare access cards for doors or security gates to give us direct company access, so that we can test this area extensively – but lock picking is not neglected either.
At the end of the day there is still a residual risk – people. Therefore we test this risk with social engineering preferred in all penetration tests – this is the only way to create real user awareness and much more important, a holistic picture of IT security.
Each security gap is documented, afterwards, the potential risk is classified and recommendations are given as to how the security gaps can be resolved. In addition to the CVSS (v3) for the classification of security gaps, we supplement the risk classification with senior penetration testers, as the CVSS alone often provides a non-business-oriented assessment, which the following example illustrates: Let’s compromise a smartwatch that has been forgotten in Mobile Device Management (MDM) to be integrated, which is provided with a CVSS greater than 9 due to a security hole, the finding would be critical. If however this smartwatch does not contain any sensitive data, access or other interfaces, we classify the risk as lower – since hackers ultimately have no use to “worthless” assets.
We don’t just send you a Nessus or OpenVAS scan report – sold as a penetration test. We carry out a penetration test specially tailored to your company – quality instead of quantity.
What are the advantages of a penetration test?
A pentest can reveal threats and unknown weaknesses in your IT systems. Through the neutral view of an outside “expert” you receive an objective assessment of potential danger points. The penetration test often also serves as an instrument to clarify project priorities to top management, as there are still deficits in some cases as to why specific subject areas have to be prioritized. A change in IT management is often a reason, as nothing is more important than creating transparency in your own ranks in order to revise holistic IT project plans based on this.
The most common reason is simply, without being derogatory, operational blindness. Whether medium-sized or large companies, IT corpses true to the motto “Yikes, the system or the library in the software should already be switched off / replaced” can be found almost everywhere.
A cyber attack can not only affect your IT systems, but also your finances or your corporate image. Through your commitment to cybersecurity, you can set an example for your business partners and customers using penetration testing.
Last but not least, the results of a the pentest will enable you to take appropriate measures to close the identified weaknesses.
What types of penetration tests do we offer?
It’s not about Fort Knox, economy and realism play a big role
Every company has to be viewed in a differentiated manner and depends on individual protection. Your corresponding penetration test should be structured just as individually. If you have already determined your protection requirements using an information security management system, the depth of the penetration test is based on this procedure.
If no ISMS or a complete ISMS has been set up, we will determine the test depth for your pentest in a joint (free) appointment and a specially customized catalog of questions. You will then receive an offer from us based on your individual requirements.
The phrase often used in the B2B sector for concealing prices and generating leads, “We create individual offers, so we cannot give any figures”, actually applies to us. Due to the complexity and the different scope, no project costs can be given in advance. The costs of the penetration test are transparently recorded in the offer after the complexity has been determined. Until the offer is made, we hold intensive conversations with you in order to a) get to know you better and check the most important things such as philosophy and sympathy – and b) get to know the outlay and scope so that we can determine the scope of the pentest. The whole approach is of course free of charge.
The depth of the penetration tests vary from simple script kiddie tests to the APT (Advanced Persistent Threat, often used in industrial espionage or governments) level. A penetration test can therefore take between 4 days and several months or even turn into red teaming.
No tests will be carried out during this period without your knowledge and consent, so that you are not restricted in your day-to-day business.
