FAQ: Frequently Asked Questions about penetration tests
Why should we do a penetration test?
What is the workflow of a pentest?
How much effort do you estimate for a pentest?
How much information does RedTeam Pentesting need from us?
Why should the inside as well as the outside of the network be tested?
What types of systems does RedTeam Pentesting test?
What products and services does RedTeam Pentesting offer?
Does RedTeam Pentesting use Social Engineering attacks?
Could any harm be done to our productive systems during the test?
What happens to confidential data RedTeam Pentesting gathers during the pentest?
Will the results be written down in a report?
Can we get a list with RedTeam Pentesting's references?
How is RedTeam Pentesting different from other companies that offer pentests?
Why should we do a penetration test?
With the increasing number of networked systems, an increase in misuse (e.g. industrial espionage) can also be seen. This essentially means attacks against the availability, integrity and confidentiality of these systems, the cornerstones of modern computer security. This can range from corporate secrets being stolen and sold to competitors, to systems suffering from denial-of-service attacks, to the absence of new orders because competitors somehow mysteriously always have better offers. A pentest will reveal how vulnerable your network is, how likely a successful attack would be and how you can protect yourself in the future. An overview of the benefits of pentests can be found under Benefits.
There is also a legal background to a pentest: it may not be mandatory for corporations to do a pentest, but German law, for example, has numerous passages in its commercial laws which could be validated by doing a pentest. For a more detailed view, please have a look at the German version of this text. Other countries may have similar laws.
What is the workflow of a pentest?
Before the penetration test, an individual preliminary talk is conducted as a matter of principle. In this talk, the various possibilities of pentesting are discussed with respect to the client's systems. A pentest only makes sense if it is carried out in an individual and customer-oriented way.
Further in-depth information on the phases of a pentest can be found at Pentest.
How much effort do you estimate for a pentest?
The time needed for a pentest varies from case to case, depending on the IT structure and the individual test requirements. Usually the effort ranges from a few days to several weeks. One of the goals of the preliminary talk is to delimit this time frame.
Little or no staff time is needed on the customer side. What is particularly required is a contact person for questions during the Exploitation phase.
How much information does RedTeam Pentesting need from us?
The type and amount of information needed at the beginning will vary with the kind of pentest conducted. One differentiates between Blackbox- and Whitebox-Testing. RedTeam Pentesting will normally start with a Blackbox-Test. In this setup, RedTeam Pentesting will not be provided with any more information than an anonymous attacker might have. The idea is to see how far a potential attacker could compromise your network without having any kind of internal information or access. All gathering of knowledge has to be done by classical Reconnaissance (finding as much information as possible about the target) and Enumeration (a deeper look at individual systems).
After the Blackbox-Test, a Whitebox-Test may follow if so desired. The significant difference between the two is that during Whitebox-Testing the pentester will have some internal knowledge about the target network. Most of the time, internal access to one or more systems in a more or less privileged way will be granted to the pentester from the start. Internal knowledge can go as far as source code to applications and the intricate knowledge a system administrator has. Information given could be knowledge about internal systems like Webservers, Mailservers, LDAP servers etc., but also information about internal organisational structures (e.g. which employee has which position). Access to systems may be given in the form of a user account. This tests how far your own employees can abuse their access rights to your systems.
It is often the case that during a Blackbox-Test, the network will be compromised so deeply that a Whitebox-Test will not be necessary, as it does not give RedTeam Pentesting any further advantages. A more complete overview can be found in the pentest section of this webpage.
Why should the inside as well as the outside of the network be tested?
If your organisational network is hardened sufficiently at the perimeter systems, so that no successful compromise could take place during a Blackbox-Test in the given time, it still makes sense to do a Whitebox-Test from the inside. Just because the outer systems are secured sufficiently, it does not mean that the same precautions are used on the inside. Most of the time, internal systems have little to no security, so once you are in the internal network, you have access to all the information locked away so securely from the outside. For a determined competitor, it is not a problem to bribe one of your employees or to plant one of their own to get your data.
What types of systems does RedTeam Pentesting test?
Most of RedTeam Pentesting's knowledge regarding operating system architectures is in the Unix area, followed by Windows. But it goes with the job of being a pentester to have the ability to quickly adapt to new situations and systems, so that nearly all systems can be tested.
What products and services does RedTeam Pentesting offer?
RedTeam Pentesting doesn't offer other services besides penetration tests. In particular, no products or services are sold in connection with a pentest. Thus, independent and objective test results are guaranteed.
However, RedTeam Pentesting does not only conduct classic network penetration tests. Devices, applications or other products are also tested.
In some cases, a pentest can be performed in parallel to an ongoing attack to identify vulnerabilities that are used by the attackers, so they can be fixed promptly. RedTeam Pentesting can be contacted over the phone at all times, should you have any questions.
Does RedTeam Pentesting use Social Engineering attacks?
Penetration tests can include Social Engineering techniques. But these techniques are not without controversy. More detailed information about the problems arising with Social Engineering and penetration tests can be found under Exploitation. As a preventive measure against Social Engineering attackers, training courses may prove worthwhile.
Could any harm be done to our productive systems during the test?
Unlike real attackers, RedTeam Pentesting takes care not to bring systems down, so normal work will not be interrupted. Potential denial-of-service attacks will be documented, but will not be verified unless you explicitly wish it. It is hard to simulate DoS attacks which overload the systems (e.g., by opening too many connections to a webserver) anyway, as the available bandwidth plays a major role here. Distributed Denial of Service attacks, which normally consist of hundreds or thousands of zombies (systems which were compromised and are now at the disposal of an attacker), cannot be simulated realistically. DoS attacks crashing a system (e.g., by sending an overlong request) may be carried out with your agreement, to verify that such an attack is indeed possible. To summarize, it is not possible to ensure that a productive system will never crash during a pentest. To be able to react fast in such a situation, emergency telephone numbers are exchanged.
What happens to confidential data RedTeam Pentesting gathers during the pentest?
RedTeam Pentesting commits itself to absolute secrecy regarding your confidential data. In the majority of cases, a Non-Disclosure Agreement (NDA) will also be signed when the contract is signed, specifying what information is to be held confidential by RedTeam Pentesting.
Will the results be written down in a report?
At the conclusion of a pentest, clients will get a detailed report. This includes a non-technical summary of the results for your management, to give it a short and precise overview, followed by a more extensive technical explanation for your administrators. The individual problems enumerated in the report are separated into a detailed description, a risk analysis and a suggestion for a solution.
Can we get a list with RedTeam Pentesting's references?
Among RedTeam Pentesting's clients are national and international companies. Because our customers place a high value on confidentiality, RedTeam Pentesting cannot publish a reference list. Such a list would also say little without being able to read the corresponding reports.
How is RedTeam Pentesting different from other companies that offer pentests?
RedTeam Pentesting, in contrast to the many companies that offer pentests alongside other services, specializes exclusively in pentesting. Quite often, automated security scans (e.g. with Nessus) are sold as pentests. Here at RedTeam Pentesting, security specialists work in a close team to produce results that are relevant in practice. In particular, RedTeam Pentesting does not sell any further services before or after the pentest. The pentest should not serve to sell extra services, but should be an independent security inspection.