Standards & Certifications

Pentest – What do we mean by that?

Pentests, or Penetration Tests, involve the manual examination of IT systems to identify security vulnerabilities or weaknesses. Unlike IT security audits, penetration tests often exploit security vulnerabilities to create a realistic assessment of an organization's security.

There is no such thing as 100% security – the question is how much damage attackers can cause if they exploit a vulnerability in your system.

Examples of security vulnerabilities (findings) discovered in our penetration tests include buffer overflows, format string vulnerabilities, or simple rainbow table attacks on unfortunately still-used NTLMv1 authentications.

The identified network vulnerabilities are recorded in an action plan in order to work collectively to resolve them.

We discuss these and other topics and document them together during a kickoff meeting.  

Pentest_1

Would you like to find out how our action plan is designed and how you can use it?

Penetration testing holistically – because there is always a person behind the screen

We approach our pentests like real attackers. So before we can check your internal IT infrastructure, we need to gain access to your internal network. This can take place in several ways. One of these ways is this physical access, which we include in the sense of a holistic review of your IT security. Another possibility is one Social engineering campaign with phishing emails.

The best firewall is useless if the key to the server room is in the lock - or your employees reveal their passwords on phishing sites.

Our locations in Mendig (near Koblenz), Berlin and Munich are not near you?
It doesn't matter, we'll come to you!

Physical security & the human factor: Get an overview and strengthen your security.

How easy is it to break into the company building?

Can we just drive to your main location, walk in, and find an open network socket somewhere that we can plug into? Do we perhaps have access to sensitive information that could cause fatal damage in the wrong hands? And if we were able to successfully gain access to your premises, how far will we get? Can we find an unattended printer? Are we going to the server room?

How trained are the employees?

If access to the building is not so easy, we – like real attackers – target the human factor. The chances are good that your employees will simply open the door for us if we just ask nicely.

Do your employees approach suspicious individuals? Does it raise eyebrows when we attempt to open the server room door without a key? Is your front desk vigilant enough to thoroughly screen every guest?

Sometimes you just need a little time.

If we can't gain entry to your building through direct means or even with a bit of charm (and audacity), we allocate more time for this task.

After several hours of gathering information, we might, for example, bump into an employee at their favorite coffee shop and casually clone their RFID or Mifare access cards in passing. Perhaps a door that is usually locked will eventually open.

Do your employees recognize and report phishing emails?

Most people probably now recognize poorly translated phishing emails full of typos and ignore them accordingly. But what about a well-executed phishing campaign? An email that appears to come from the company's CEO and asks to log in via a link - do your users know how to verify its authenticity? Do they contact you if they accidentally clicked on a dubious link? Find out and use the findings for real and sustainable security awareness.

Real Mission Chronicles: Two Remarkable Tales

Patience

It was now 17:45 PM. We sat in the car five hundred meters from the building. The building was relatively small with just two entrances, the main and back doors, both requiring chip cards for access.

By this time, the majority of the employees had left the building and headed for their well-deserved evening break. According to our estimate, only two employees remained inside.

Finally, at exactly 18:00 PM, the personnel we had eagerly awaited arrived—the cleaning company.

As they parked their vehicle in the parking lot, we prepared ourselves methodically. Clipboard, identification, and a friendly demeanor— No one suspected a thing!

Smile and Wave

We waited another 10 minutes and then walked purposefully around the building and towards the back entrance. What we expected was a wooden wedge between the door and the door frame and we didn't need a chip to enter the building. The first encounter with the cleaners was uncomplicated. A friendly “Hello!” and purposeful steps into the offices were enough.

On the ground floor, we walked past a cleaner who was vacuuming one of the offices and entered the accounting office. There was a lot of interesting information here. After capturing enough photographic evidence, we proceeded to the first floor, passing by an office where one of the employees was still engaged in an important web conference.

On the upper floor, we promptly zeroed in on our target: network documentation, data storage devices, and 19-inch server racks.

One bold move, swift strides toward the back door, and we became proud owners of rather sensitive information and hardware.

A Stroke of Luck Amidst the Chaos

Not a single day goes by in an office without a printer throwing a tantrum. It's either munching on paper or performing its best impression of a blank canvas. Annoying, isn't it?

Luckily, the service provider doesn't keep me waiting for long this time. Just fifteen minutes ago, I had called the IT department to report that the printer was spewing out nothing but hieroglyphics. Now I'm on my way to the kitchen to grab yet another coffee (my third one today, thanks for asking), and suddenly, a friendly gentleman approaches me, asking where to find the troublemaker (aka printer).

Delighted with the lightning-fast response and potential resoution of the printer crisis, I lead the IT Technician to printer room.

It's a bit eerie, as if he somehow sensed that our printer would act up today. He's armed with all sorts of technical wizardry and appears to be prepared for any challenge thrown his way.

As the technician navigates through the printer's settings with remarkable ease and grace, I observe his work (with a little bit of awe, I'll admit). Turns out, the printer is not the culprit. He thinks it's actually an issue with my computer. He tells me something about "...wrong driver due to an update...". The past few years have taught me the importance of updates for security, and now, one of these updates seems to have disrupted my ability to print.

Finally Someone Who Cares!

Fortunately, the gentleman is kind enough to investigate the issue. He makes some changes in the system settings that are way too technical for a user like me. I decide to let him carry on and head off to get my well-deserved coffee.

Upon returning to my office, I find the technician coming out from under my desk.

Apparently, my cables weren't properly connected to the computer, causing data transfer failures. And then he just disappeared as quickly as he appeared.

However, my problem still persists and ten minutes later the IT department calls me:
They are sorry, but it seems someone can only attend to my printer problem tomorrow.
I kept it to myself that someone was already there. Maybe the technician can get the
problem solved tomorrow.

How to use a PENTEST for sustainable cyber resilience

Pentests reveal threats and unknown vulnerabilities in your IT systems. The neutral view of an outside “evaluator” gives you an objective assessment of potential danger points.

The most common problems when it comes to IT security: no time, no specialists, no resources. Here, a penetration test is a useful tool for setting priorities at the top management level and using resources efficiently. We are happy to support you with communication between IT and management.

Another challenge is often the change of IT management. Transparency within your own ranks is crucial here in order to revise holistic IT project plans based on this. A pen test is the ideal basis for this.

One of the biggest obstacles on the way to greater IT security is often, without meaning it in a derogatory way, operational blindness. Whether medium-sized companies or corporations, we find IT corpses almost everywhere, true to the motto “Oops, the system or the library in the software should already be switched off/replaced”. The results of a pen test help you to clear out in a controlled manner.

A cyber attack can have consequences not only for your IT systems
but also for your financial stability and your corporate image & reputation.

Through your commitment to cybersecurity, you can set an example for your business partners and customers through penetration testing.

The results of the pen test enable you to close discovered vulnerabilities efficiently and sustainably.

A tailor-made PENTEST to suit your protection needs

It's not about Fort Knox.

Economy and realism play a big role.

Every company must be viewed differently and depends on individual protection. Your corresponding pen test should be structured just as individually. If you have already determined your protection needs using an Information Security Management System (ISMS), the depth of the penetration test is based on this procedure.

If no (complete) ISMS has been set up, we will determine the depth of testing for your pentest in a joint (free) appointment with a specially tailored questionnaire. You will then receive an offer from us that is individually tailored to your requirements.

NBT-NS Poisoning
Prosec penetration testing

We will find the right test depth for you.

The phrase often used in the B2B sector to conceal prices and generate leads: “We create individual offers", so we can't give prices," is actually true for us. Due to the complexity and the different scope, no project prices can be named in advance. The prices of the pen test are recorded transparently in the offer after the effort has been determined. Until an offer is made, we will hold intensive discussions with you

to get to know you better and to check the most important things such as philosophy and sympathy - and

Get to know the effort and scope so that we can determine the scope of the pentest.

This vote is of course free of charge for you.

The Test depths The penetration tests range from simple script kiddie testing to the advanced persistent threat (APT, often used in industrial espionage or governments) level. A pentest can therefore last between 4 days and several months or even longer Red Teaming pass over So that you are not restricted in your day-to-day business, no tests are carried out during this period without your knowledge and consent.

Let's build your cyber resilience together

Pentest Process Cycle Mobile

Start: preparation

We listen to you and your IT professionals

The IT of companies has usually grown historically and, depending on the available resources, the level of cyber security varies. We look at each customer individually, listen to you and adapt our service specifically to the status and needs of your company.

Execution

We work holistically

Just like the malicious hackers you want to protect your business from, we don't limit ourselves to technical vulnerabilities. We also test physical security, your security management processes and the awareness of your team members.

Technical result presentation

We work transparently

We summarize the general conditions of the project for your technical staff and explain the findings of our penetration test.

Handover documentation

We pass on our expertise to your IT

Your IT specialists will receive a comprehensive action plan from us with an overview of all findings and further information from our knowledge base to resolve the vulnerabilities. Documentation is carried out continuously during implementation.

Technical workshop

We make your IT secure

"No time!" is probably the biggest problem for your IT professionals when expanding your security. That's why we rely on efficient knowledge transfer and setting priorities together in order to optimize your IT security as quickly as possible.

Management presentation

We pick up your top management

In order for your IT to be well positioned in the long term when it comes to security, you have to set the right course in management. We pick you and the members of your top management up at your current technical and organizational level and work with you at management level to develop the roadmap for the development of your IT.

Goal: Internal implementation