
FAQ: Frequently Asked Questions about Penetration Tests

Why should we conduct a penetration test?

IT is an integral part of every company's business today. As a result, not only does the amount of business-critical data stored on IT systems grow, but so does the dependency on a working IT infrastructure. This leads to an increasing number of attacks against IT systems in the form of industrial espionage, denial-of-service attacks and other ways to significantly harm a company. Important corporate secrets are spied on and sold to competitors. Systems are made unavailable, and a non-functioning IT infrastructure causes more and more problems today. No new orders are placed, because competitors somehow always have the better offer. A penetration test gives you information about your systems' vulnerabilities, about how probable a successful attack against your infrastructure is, and about how you can protect yourself against potential security breaches in the future. An overview of a penetration test's benefits is available under benefits.

Are there legal requirements for penetration tests?

Penetration tests may not be mandatory for corporations, but German commercial law, for example, contains numerous passages whose requirements can be verified by conducting a penetration test. For a more detailed overview, please have a look at the German version of this section. Other countries may have similar laws.

What is the workflow of a penetration test?

In advance of every penetration test, an individual meeting is held. In this meeting, the various options for a penetration test in relation to the customer's systems are discussed. A penetration test only makes sense if it is realised in an individual and customer-oriented way. Further in-depth information about the different phases of a penetration test can be found under pentest.

What time investment do you estimate for a penetration test?

The time investment for a penetration test varies from case to case depending on the systems to be tested and the individual test requirements. Usually, the time needed ranges from a few days to several weeks. One goal of the preliminary meeting is to get enough information about the systems to be tested to estimate the optimal length for the penetration test.

Only a small amount of the customer's staff time is usually required. Most notably, a contact person for questions during the exploitation phase is needed.

How much information does RedTeam Pentesting need from us?

The type and amount of information needed varies with the kind of penetration test that is to be conducted. The two concepts mentioned most often are blackbox and whitebox tests. Unfortunately, those terms are not defined by a standard and can therefore mean different things, depending on who you talk to. RedTeam Pentesting's understanding of the terms can be found in this FAQ.

RedTeam Pentesting usually recommends a whitebox test. Penetration tests performed as complete blackbox tests always suffer from the fact that third parties might get involved without their explicit consent. Providing technical information in a whitebox test scenario before the test starts also allows the penetration testers to detect the security vulnerabilities that matter to your company faster and more efficiently. One should always assume that real, serious attackers are able to obtain the necessary information prior to their attacks, or can procure it in time. What information is necessary to conduct an efficient test is determined individually for every client during a preliminary meeting.

What are blackbox and whitebox tests?

A blackbox test is normally defined as a test where the penetration testers do not have any more information than attackers without internal knowledge might have. The idea is to check how deeply potential attackers can compromise your systems without any kind of internal information or access. All knowledge has to be gathered with classical reconnaissance (finding as much information as possible about the target) and enumeration (a deeper look at individual systems). Despite the requirement of having as little information as possible in the beginning, at least a few specifications for the test have to be given, so as not to unintentionally target uninvolved third parties. This is not a restriction for real attackers, but for every reputable company it should go without saying that all phases of a penetration test are only performed where explicit consent is given. This consent does not exist for third-party systems, which would for example be affected by a portscan of a range of systems that presumably belong to the client the penetration test is conducted for.
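The last point above, that scanning must stay within the ranges the client actually owns and has consented to, is something a tester can enforce mechanically before the first packet is sent. The following script is an added example written for this page and is not RedTeam Pentesting's own tooling: it compares a candidate target list against the authorised scope agreed in the preliminary meeting and reports which entries (and which exact addresses within them) fall outside that scope. The scope and target values are constructed sample data using RFC 5737 documentation ranges; the list-of-strings format for both is an assumption made for the example.

```python
import ipaddress

# Constructed sample data: the scope the client explicitly authorised.
# RFC 5737 documentation addresses, not real customer systems.
AUTHORISED_SCOPE = [
    "192.0.2.0/25",     # client's DMZ (only the lower half of the /24)
    "198.51.100.10",    # a single web server
]

# Constructed sample data: a target list as a tester might draft it.
# Two entries are deliberately wrong to show what the check catches.
CANDIDATE_TARGETS = [
    "192.0.2.0/24",     # too broad: the upper /25 belongs to someone else
    "192.0.2.17",       # fine, inside the DMZ
    "198.51.100.10",    # fine, the web server
    "203.0.113.5",      # not in scope at all
]


def parse_networks(entries):
    """Turn strings (single IPs or CIDR blocks) into ip_network objects.
    strict=False lets a host address like 192.0.2.17 become a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_in_scope(target, scope_nets):
    """A target is in scope only if it is entirely contained in one
    authorised block; partial overlap is not good enough."""
    return any(
        target.subnet_of(s) for s in scope_nets if s.version == target.version
    )


def uncovered_addresses(target, scope_nets):
    """Return the parts of `target` that no authorised block covers.
    CIDR blocks either nest or are disjoint, so an overlapping scope block
    that does not contain the target must itself lie inside the target and
    can be cut out with address_exclude()."""
    remaining = [target]
    for s in scope_nets:
        kept = []
        for r in remaining:
            if r.version != s.version or not r.overlaps(s):
                kept.append(r)          # untouched by this scope block
            elif r.subnet_of(s):
                continue                # fully covered, drop it
            else:
                kept.extend(r.address_exclude(s))  # carve the covered piece out
        remaining = kept
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def check_scope(targets, scope):
    """Partition target strings into in-scope and out-of-scope lists.
    For each out-of-scope entry, list the exact addresses that lack consent."""
    scope_nets = parse_networks(scope)
    in_scope, out_of_scope = [], {}
    for entry in targets:
        net = ipaddress.ip_network(entry, strict=False)
        if is_in_scope(net, scope_nets):
            in_scope.append(entry)
        else:
            out_of_scope[entry] = uncovered_addresses(net, scope_nets)
    return in_scope, out_of_scope


def main():
    ok, bad = check_scope(CANDIDATE_TARGETS, AUTHORISED_SCOPE)
    print("in scope:", ok)
    for entry, missing in bad.items():
        print(f"OUT OF SCOPE: {entry} (no consent for {', '.join(missing)})")
    if bad:
        print("Refusing to proceed: fix the target list first.")


if __name__ == "__main__":
    main()
```

The important design choice is that partial overlap counts as out of scope: a /24 that contains the authorised /25 is rejected, and the report names the uncovered upper half so the target list can be corrected rather than silently trimmed. A real engagement would load both lists from the signed scope document instead of constants.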

In contrast, there is the whitebox test (sometimes also called a crystal-box test). In a whitebox test, the penetration testers already have internal knowledge about the target systems (for example network plans or a web application's source code) and possibly various access permissions. The latter could be an unprivileged user account on the company network, as it is available to employees, or login credentials for a web application like any normal customer would have. This makes it possible to test to what extent users with access to a system can misuse their permissions. Additionally, internal information may be provided that is also available to every staff member of the company. This can be information about internal systems like web servers, mail servers, LDAP servers etc., but also, for example, organisational structures such as employees' responsibilities and positions in the company. If only selected parts of this information are divulged, this kind of test is also often called a graybox test.

Why should not only the network perimeter be tested, but also the internal network?

If your company's network is sufficiently hardened at the perimeter systems and it was not possible to successfully compromise it during a perimeter test, it still makes sense to additionally conduct an internal test. Just because the perimeter systems are sufficiently secured does not mean that the same precautions are taken on the internal network. Most of the time, too little is done for security on the internal network, as it is supposedly only accessible to trustworthy persons. Especially in larger corporations though, not every employee needs the same access permissions. The intern does not need to have the same access level as the CEO. It is therefore a severe problem if a single future vulnerability that grants access to the internal network bypasses all safety precautions. If the financial incentive is big enough, it should also be no problem for attackers (competitors, business rivals) to either bribe one of your staff members or infiltrate your organization with somebody reporting back to them with all the data that is supposedly well guarded when seen from the outside.

What types of systems does RedTeam Pentesting test?

RedTeam Pentesting tests all kinds of systems. Frequently, the security vulnerabilities that matter the most are independent of the system's technology, making it possible to successfully test even previously unknown types of systems. Additionally, it goes with the job of being a penetration tester to have the ability to quickly adapt to new situations and systems.

Furthermore, RedTeam Pentesting's service is not limited to the classic network or web application penetration test. Newly developed hardware and other products are also tested, as well as security concepts that only exist as a draft at the time of testing. In some particular cases, a penetration test conducted in response to the detection of a security incident can help in identifying the vulnerabilities exploited and in fixing them in a timely manner. For questions about this, RedTeam Pentesting can always be contacted via phone.

Can any harm be done to our productive systems during the test?

Unlike real attackers, RedTeam Pentesting pays great attention to a customer's production systems, so as not to interrupt them. We always go to great lengths to leave all systems unharmed in a penetration test. Attacks where the risk of a system failure is especially high are only performed with the client's explicit consent.

All in all, it is never possible to completely rule out that a production system crashes during a penetration test. To be able to reach someone as fast as possible in such a situation, emergency telephone numbers are exchanged prior to the test.

Are denial-of-service attacks also tested?

Denial-of-service (DoS) attacks are usually only examined if it seems possible to put a system's availability at risk with very little effort. This can for example be a misconfiguration or a program error (say, if a system crashes when it is sent an overly long request). Attacks like this are only performed after an explicit agreement has been given, in order to verify whether the attack is indeed possible.

On the other hand, attacks that try to saturate the bandwidth a company has at its disposal are usually not tested, as this is always possible for attackers with sufficient resources and would also affect third-party systems. Distributed denial-of-service attacks, which usually involve hundreds, if not thousands, of zombie systems (systems that were compromised and can now be remotely controlled), cannot be simulated realistically.

Does RedTeam Pentesting do social engineering?

Penetration tests may include social engineering techniques. These techniques are not without controversy though. More detailed information about the problems occurring with social engineering in penetration tests is available under exploitation. One safety measure against social engineering attacks is security awareness training for your employees.

What happens to confidential data RedTeam Pentesting gathers during the penetration test?

RedTeam Pentesting commits itself to absolute secrecy regarding your confidential data. A non-disclosure agreement (NDA) stipulating that RedTeam Pentesting treats a client's data as confidential is already part of every contract. All customer data, including information that is used to prepare a first quotation, is subject to the same obligation of confidentiality. At the end of a penetration test, all data and any storage media are either securely destroyed or handed back to the client.

Are the results written down in a report?

Every client gets a detailed report at the end of a penetration test. A typical report includes a non-technical executive summary of the results, to give a short and precise overview of the current status, followed by a more extensive technical explanation for administrators, developers or other technical staff. Each individual problem enumerated in the report is broken down into a detailed description, a risk analysis and proposed solutions, so that suggestions for improvement are given directly.

What other products and services does RedTeam Pentesting offer?

RedTeam Pentesting specialises in penetration tests and does not offer any other services. In particular, no products or services are sold after a penetration test, to guarantee independent and objective test results. The specialisation also ensures that RedTeam Pentesting's employees have a lot of experience and expert knowledge for conducting penetration tests.

Can we get a list of RedTeam Pentesting's references?

Among RedTeam Pentesting's clients are national and international companies of all trades, including the following:

  • Trade & industry
  • Banking & insurance companies
  • Public administration & authorities
  • IT service providers & data centres

Because our customers set a high value on confidentiality, RedTeam Pentesting cannot publish a reference list. However, to get a first impression of our capabilities you can take a look at a selection of published testimonials, in which some of our customers report about their experience with RedTeam Pentesting.

How is RedTeam Pentesting different from other companies that offer penetration tests?

RedTeam Pentesting specialises exclusively in penetration tests, in contrast to many other companies in IT security for which penetration tests are one of many business offerings. As the expertise for conducting a penetration test with specialised security experts is absent in many cases, quite often automated security scans are sold as penetration tests. Customers of such service providers most often receive a printout of the program's findings as the result of the »penetration test«. RedTeam Pentesting, in contrast, employs security specialists who work closely as a team to achieve the best results. The results are documented in a detailed report by the penetration testers who performed the test, with the ambition to communicate the necessary knowledge about the vulnerabilities in an understandable way. For our customers, this means that vulnerabilities can be better comprehended and issues solved more efficiently. In particular, RedTeam Pentesting does not sell any other services before or after a penetration test. The penetration test should not serve to sell extra services, but should be an independent security examination.

Additionally, all of RedTeam Pentesting's employees are permanent employees and publicly listed on our website. Even during workload peaks, no subcontractors or freelancers are hired, to guarantee the high quality of the tests as well as strict confidentiality.

In what countries does RedTeam Pentesting offer penetration tests?

RedTeam Pentesting works for many international customers. The project language for penetration tests is either English or German. Depending on specific customer demands, penetration tests can be performed locally at the client's premises, or via the Internet or other means of remote access. It is of course also possible to conduct a penetration test on a client's test system in RedTeam Pentesting's laboratory, for example in case of a product pentest.