What do we mean by a penetration test?
Pentesting (penetration testing) involves manually checking IT systems for security gaps or vulnerabilities. Unlike IT security audits, security vulnerabilities (e.g. buffer overflows, format string vulnerabilities or simple rainbow table attacks on NTLMv2 authentication, which is unfortunately still often used) are exploited as far as possible, so that a realistic picture of the company's security is created.
If, in addition to known security vulnerabilities, previously unknown security vulnerabilities (so-called 0-day vulnerabilities) appear during the IT security analysis, we will coordinate the procedure with you in detail, since software is usually affected for which a third party (manufacturer) is responsible, but you are affected by the security vulnerability. We do not exploit these 0-day vulnerabilities for ethical reasons, because the manufacturer must have the chance to fix them. Since 0-days can be found again and again in the context of penetration tests with our customers and perhaps also with you, we have internal compliance guidelines for such cases, how to proceed with these "Responsible Disclosures". These and other topics will be discussed and documented with you in a joint kickoff meeting.
You can find our penetration test portfolio here.
Can we just drive to your main site, walk in and find an open network socket somewhere to plug into? Might we have access to sensitive information that could do fatal damage in the wrong hands?
If access to your building is not so easy, we will target the human factor - just like real attackers. Chances are that your employees will simply open the door for us if we just ask nicely.
Do your employees approach conspicuous persons? Does it cause a stir when we try to open the door to the server room without a key? Is your front desk attentive enough and does it check every guest?
If we can't get into your building either directly or through kindness (and audacity), we'll take more time for this.
After a few hours of gathering information, we might, for example, find an employee in his regular coffee shop to clone his RFID or Mifare access cards in passing. Perhaps a door that is otherwise always locked will also open at some point.
There are many questions about physical security. We would like to answer these questions to give you a realistic overall impression of your security.
It was 5:45 p.m. by now. We were sitting in the car, five hundred meters from the building. It was quite a small building. There were two entrances (main and back door), which could only be opened with chip cards.
In the meantime, most of the employees had left the building and gone to their well-deserved closing time. According to our estimate, there were only two employees left in the building.
At 6:00 p.m. sharp, the staff we had been eagerly waiting for finally arrived: the cleaning company.
As they parked their vehicle in the parking lot, we slowly got ready. Clipboard, ID and a nice demeanor. Who could suspect anything evil there?
We waited another 10 minutes and then walked purposefully around the building and towards the back entrance. As expected, there was a wooden wedge between the door and the door frame and we did not need a chip to enter the building. The first encounter with the cleaning staff was straightforward. A friendly "Hello!" and purposeful steps into the offices were enough.
On the first floor, we walked past a cleaner who was vacuuming one of the offices and entered the accounting office. There was all sorts of interesting information to be found here. After we had taken enough proof photos, we walked to the second floor - past an office where one of the employees was still sitting in an important web conference.
On the upper floor, we quickly found our target: network documentation, data carriers and 19-inch server racks.
A firm grip, quick steps towards the back door and we were the proud owners of quite sensitive information and hardware.
Not a day goes by in an office without a printer that doesn't do what it's supposed to. Either it chokes on the paper or it just prints blank pages. Annoying.
Fortunately, the service provider doesn't take long to arrive: Just fifteen minutes ago, I informed the IT department by phone that only hyroglyphs are still coming out of the printer. I'm just on my way to the kitchen to get a new coffee (this will be my third today), when the nice gentleman comes to meet me and asks me where he can find the problem child.
Pleased with the quick handling and solution of the problem, I show the technician the way to the printer room.
A bit scary. It's as if he suspected that our printer would cause problems on this very day. It's equipped with all kinds of technical bells and whistles and, from the looks of it, is prepared for any problem.
I watch the technician in amazement. He flies nimbly through the printer's settings. It seems that it's not the printer after all. According to him, it's probably my computer. Something about "...wrong driver due to an update..." he tells me. The last few years I've learned that updates are important for security, and now one of those updates has ruined my printing.
Fortunately, the nice gentleman is kind enough to take a look at the problem right away. He must have changed something in the system settings. Much too technical for a user like me. I just let him keep tinkering with the settings and go get my well-deserved coffee.
When I return to the office, the technician is just coming out from under my desk.
My cables must not have been plugged into the computer properly, so the data transfer didn't work. The technician disappeared as quickly as he appeared.
My problem still persists, however, and ten minutes later the IT department contacts me:
They're sorry, but someone probably can't take care of my printer problem until tomorrow.
I kept to myself that someone had just been there. Maybe the technician
will finally get the problem solved tomorrow.
A pentest can reveal threats and unknown vulnerabilities in your IT systems. The neutral view of an external "expert" gives you an objective assessment of potential danger points.
Often, the penetration test also serves as an instrument to clarify project priorities to top management, since in some cases there are still deficits as to why specific topics need to be prioritized.
Another reason is often the change of IT management, as nothing is more important than creating transparency within one's own ranks in order to revise holistic IT project plans based on this.
The most widespread reason is simply, without meaning it pejoratively, operational blindness. Whether medium-sized businesses or large corporations, IT corpses can be found almost everywhere, true to the motto "Oops, the system or the library in the software should already be switched off/replaced".
Your commitment to cybersecurity allows you to set an example for your business partners and customers through penetration testing.
Last but not least, the results of the pentest enable you to take appropriate measures to close the detected vulnerabilities.
It's not about Fort Knox. Economy and realism play a big role.
Every company is different and depends on individual protection. Your penetration test should be structured just as individually. If you have already determined your protection requirements using an information security management system, the depth of the penetration test is based on this procedure.
If no ISMS or no complete ISMS has been established, we determine the depth of testing for your pentest in a joint (free of charge) meeting and a specially tailored questionnaire. You will then receive an offer from us based on your individual requirements.
The phrase often used in the B2B sector to conceal prices and generate leads, "We create individual offers, so we can't name any prices", actually applies to us. Due to the complexity and varying scope, no project prices can be titled in advance. The prices of the penetration test are transparently stated in the offer after the effort has been determined. Until the offer is made, we will conduct intensive discussions with you in order to
a] to get to know you better and to check the most important things like philosophy and sympathy - and
b] to get to know the effort and scope, so that we can determine the scope of the pentest. Of course, the whole process is free of charge.
The penetration test depths vary from simple script kiddie testing to APT (advanced persistent threat, often used for industrial espionage or governments) level. Thus, a penetration test can last between 4 days and several months or even turn into red teaming . To ensure that you are not restricted in your day-to-day business, no tests are performed during this period without your knowledge and consent.
"If you want it to be good, you have to do it yourself!"
This sentence has probably crossed the mind of every entrepreneur more than once. If you are responsible, you are reluctant to make your success dependent on the performance of external experts.
We understand that. That's why we simply empower you to protect your business against hacking attacks.