FAQ: Frequently Asked Questions about Penetration Tests
- Why should we conduct a penetration test?
- Are there legal requirements for a penetration test?
- What is the workflow of a penetration test?
- What time investment do you estimate for a penetration test?
- How much information does RedTeam Pentesting need from us?
- What are blackbox and whitebox tests?
- Why should not only the network perimeter be tested, but also the internal network?
- What types of systems does RedTeam Pentesting test?
- Can any harm be done to our productive systems during the test?
- Are denial-of-service attacks also tested?
- Does RedTeam Pentesting do social engineering?
- What happens to confidential data RedTeam Pentesting gathers during the penetration test?
- Are the results written down in a report?
- What other products and services does RedTeam Pentesting offer?
- Can we get a list of RedTeam Pentesting's references?
- How is RedTeam Pentesting different from other companies that offer penetration tests?
- In what countries does RedTeam Pentesting perform penetration tests?
Why should we conduct a penetration test?
IT is an integral part of every company's business today. As a result, not only
does the amount of business-critical data stored on IT systems grow, but so does
the dependency on a working IT infrastructure. This leads to an increased
number of attacks against IT systems in the form of industrial espionage,
denial-of-service attacks and other ways to significantly harm a company.
Important corporate secrets are spied on and sold to competitors. The
availability of systems is interrupted, and non-working IT
causes more and more problems today. No new orders are placed, because competitors
somehow always have the better offer. A penetration test gives you
information about your systems' vulnerabilities, how probable a successful
attack against your infrastructure is and how you can protect yourself against
potential security breaches in the future. An overview of a penetration test's
benefits is available under benefits.
Are there legal requirements for penetration tests?
It may not be mandatory for corporations to do a penetration test, but
German law, for example, includes numerous passages in its commercial laws
which could be validated by conducting a penetration test. For a more detailed
overview, please have a look at the
German version of this section.
Other countries may have similar laws.
What is the workflow of a penetration test?
In advance of every penetration test, an individual meeting is held. In this
meeting, the various possibilities of a penetration test in relation to the
customer's systems are discussed. A penetration test only makes sense if it is realised in an
individual and customer-oriented way. Further in-depth information about the
different phases of a penetration test can be found under pentest.
What time investment do you estimate for a penetration test?
The time investment for a penetration test varies from case to case depending on the systems to be tested and the individual test requirements. Usually, the time needed ranges from a few days to several weeks. One goal of the preliminary meeting is to get enough information about the systems to be tested to estimate the optimal length for the penetration test.
Staff on the customer's side are usually only marginally tied up. Most
notably, a contact person for questions during the exploitation phase is required.
How much information does RedTeam Pentesting need from us?
The type and amount of information needed varies with the kind of penetration test that is to be conducted. The two concepts mentioned most often are blackbox and whitebox tests. Unfortunately, those terms are not defined by a standard and can therefore mean different things, depending on who you talk to. RedTeam Pentesting's understanding of the terms can be found in this FAQ.
RedTeam Pentesting usually recommends a whitebox test. Penetration tests performed
as complete blackbox tests always suffer from the fact that third parties might
get involved without their explicit consent. Providing technical
information in a whitebox test scenario before the test starts also allows
the penetration testers to detect security vulnerabilities that are of importance to your
company even faster and more efficiently. One should always act on the
assumption that real, serious attackers are able to obtain the necessary
information prior to their attacks, or can procure it in time. A precise
determination of what information is necessary to conduct an efficient test
is made individually for every client during a preliminary meeting.
What are blackbox and whitebox tests?
A blackbox test is normally defined as a test where the penetration testers do not have any more information than attackers without internal knowledge might have. The idea is to check how deeply potential attackers can compromise your systems without any kind of internal information or access. All knowledge has to be gathered with classical reconnaissance (finding as much information as possible about the target) and enumeration (a deeper look at individual systems). Despite the requirement of having as little information in the beginning as possible, at least a few specifications for the test have to be given, so as not to unintentionally target uninvolved third parties. This does not pose a restriction for real attackers, but for every reputable company it should go without saying that all phases of a penetration test are only performed where explicit consent is given. This is not the case for third-party systems that would, for example, be affected by a portscan of a range of systems that presumably belong to the client the penetration test is conducted for.
In contrast, there is the whitebox test (sometimes also denoted as
crystal-box test).
In a whitebox test, the penetration testers already have internal knowledge
about the target systems (for example network plans or a web application's
source code) and possibly various access permissions. The latter could be an
unprivileged user account to the company network, as it is available to
employees, or login credentials for a web application like any normal customer
would have. This makes it possible to test to what extent users with access to a system can
misuse their permissions. Additionally, internal information may be provided
that is also available to every staff member of the company. This can be information
about internal systems like web servers, mail servers, LDAP servers etc., but
also, for example, organisational structures like employees' responsibilities and
positions in the company. If only selected parts of
information are divulged, this kind of test is also often called a graybox
test.
Why should not only the network perimeter be tested, but also the internal network?
If your company's network is sufficiently hardened at the perimeter systems and
it was not possible to successfully compromise it during a
perimeter test, it still makes sense to additionally conduct an internal test.
Just because the perimeter systems are sufficiently secured, it does not mean
that the same precautions are taken on the internal network. Most of the time,
too little is done to secure the internal network, as it is supposedly only
accessible by trustworthy persons. Especially in larger corporations though,
not every employee needs the same access permissions. The intern does not need
to have the same access level as the CEO. It is therefore a severe problem if a
future security vulnerability that allows access to the
internal network eliminates all safety precautions. If the
financial incentive is big enough, it should also be no problem for attackers
(competitors, business rivals) to either bribe one of your staff members or
infiltrate your organization with somebody reporting back to them with all the
data that is supposedly well guarded if seen from the outside.
What types of systems does RedTeam Pentesting test?
RedTeam Pentesting tests all kinds of systems. Frequently, the security vulnerabilities that matter the most are independent of the system's technology, making it possible to successfully test even previously unknown types of systems. Additionally, it goes with the job of being a penetration tester to have the ability to quickly adapt to new situations and systems.
Additionally, RedTeam Pentesting's service is not limited to the classic network or web application
penetration test. Newly developed hardware and other products are also tested, as well as
security concepts only existing as a draft at the time of testing. In some
particular cases, a penetration test conducted in response to the detection of a security
incident can help in identifying the vulnerabilities exploited and in fixing
them in a timely manner. For questions about this, RedTeam Pentesting can
always be contacted via phone.
Can any harm be done to our productive systems during the test?
Unlike real attackers, RedTeam Pentesting pays great attention to a customer's production systems, so as to not interrupt them. We always go to the greatest extent to leave all systems unharmed in a penetration test. Attacks where the risk of a system failure is especially high are only performed with the client's explicit consent.
All in all, it is never possible to completely rule out that a production system
crashes in a penetration test. To be able to get hold of someone as fast as
possible in such a situation, emergency telephone numbers are exchanged prior
to the test.
Are denial-of-service attacks also tested?
Denial-of-service (DoS) attacks are usually only examined if it seems to be possible to put a system's availability at risk with very small effort. This can for example be a misconfiguration or a program error (say, if a system crashes when it gets sent an overly long request). Attacks like this will only be performed after an explicit agreement is provided, to verify if the attack is indeed possible.
On the other hand, attacks that try to saturate the bandwidth a company has at
its disposal are usually not tested, as this is always possible for attackers
with sufficient resources and will also affect third-party systems.
Distributed denial-of-service attacks, which usually involve hundreds,
if not thousands, of zombie systems (systems that were compromised and can now
be remotely controlled), cannot be simulated realistically.
Does RedTeam Pentesting do social engineering?
Penetration tests may include social engineering techniques. These
techniques are not without controversy though. More detailed information about the
problems occurring with social engineering and penetration tests is available
under exploitation. One
safety measure against social engineering attacks can be training for
your employees.
What happens to confidential data RedTeam Pentesting gathers during the penetration test?
RedTeam Pentesting commits itself to absolute secrecy regarding your confidential data.
A non-disclosure agreement (NDA) determining that RedTeam Pentesting
treats a client's data as confidential is already part of every contract.
All customer data, including information that is used to prepare a first quotation, is
subject to the same obligation to confidentiality. At the end of a penetration
test, all data and possible storage media are either securely destroyed or
handed back to the client.
Are the results written down in a report?
Every client gets a detailed report at the end of a penetration test. A
typical report includes a non-technical executive summary of the results, to give
a short and precise overview of the current status, followed by a more extensive technical
explanation for administrators, developers or other technical staff. The individual problems enumerated in the
report are separated into a detailed description, a risk analysis and
proposed solutions, to directly give suggestions for improvement.
What other products and services does RedTeam Pentesting offer?
RedTeam Pentesting specialises in penetration tests and does not offer any
other services. In particular, no products or services are sold after a penetration test,
to guarantee independent and objective test results. The specialisation also
ensures that RedTeam Pentesting's employees have a lot of experience and expert
knowledge for conducting penetration tests.
Can we get a list of RedTeam Pentesting's references?
Among RedTeam Pentesting's clients are national and international companies of all trades, including the following:
- Trade & industry
- Banking & insurance companies
- Public administration & authorities
- IT service providers & data centres
Because our customers set a high value on confidentiality, RedTeam Pentesting
cannot publish a reference list. However, to get a first impression of our
capabilities you can take a look at a selection of published testimonials, in which some of our customers
report about their experience with RedTeam Pentesting.
How is RedTeam Pentesting different from other companies that offer penetration tests?
RedTeam Pentesting specialises exclusively in penetration tests, in contrast to many other companies in IT-security for which penetration tests are one of many business offerings. As the expertise for conducting a penetration test with specialized security experts is absent in many cases, quite often automated security scans are sold as penetration tests. Customers of such service providers most often receive a printout of the program's findings as the result of the »penetration test«. RedTeam Pentesting in contrast employs security specialists who do close teamwork to achieve the best results. The results are documented in a detailed report by the penetration testers that performed the test, with the ambition to communicate the necessary knowledge about the vulnerabilities in an understandable way. For our customers, this means that vulnerabilities can be better comprehended and issues solved more efficiently. RedTeam Pentesting particularly does not sell any other services before or after a penetration test. The penetration test should not serve to sell extra services, but should be an independent security examination.
Additionally, all of RedTeam Pentesting's employees
are permanent employees and publicly listed on our website. Even during workload
peaks, no subcontractors or freelancers are hired, to guarantee the high quality
of the tests as well as strict confidentiality.
In what countries does RedTeam Pentesting offer penetration tests?
RedTeam Pentesting works for many international customers. The project
language for penetration tests is either English or German. Depending on
specific customer demands, penetration tests can be performed
locally at the client's premises, or via the Internet or other means
of remote access. It is of course also possible to conduct a penetration
test on a client's test system in RedTeam Pentesting's laboratory,
for example in case of a
product pentest.