External pentest

The third penetration test follows in the third quarter. Usually an external penetration test is chosen for this one.

In it, we simulate a scenario in which we put ourselves in the shoes of a real attacker who has no prior knowledge of your company, services, network, etc.

This simulated attack can be performed from anywhere in the world. For this we use a number of open source tools (freely available) to show what anyone can find out about your company. We also use a number of automated scanning tools that check for the most common vulnerabilities.

Furthermore, manual checks are also performed by our in-house expert. With our website scanning, we already check for weaknesses through a fully automated procedure, but this is of course limited to already known security flaws.

A pentest goes much further. Pentesters search manually and automatically for weaknesses in the IT environment in the broadest possible way, always within the calculated time, budget and scope of the assignment. Our expert uses creative attack techniques, methods and tooling.

In this way, we deliver insights with which an organization can strengthen its security. This can be useful in all sorts of cases. For example, our pentest can identify the weaknesses of a new server or website. In other cases, it can be valuable to map the overall security level of the organization.

Pentests generally make sense for organizations that rely heavily on good availability of their IT systems or have valuable data where integrity and confidentiality are of great importance.

For our external pentest, we always use a black box pentest. With a black box pentest, our ethical hacker does not receive any information about the IT infrastructure in advance. We do agree on a scope in advance to guarantee a complete investigation.

Our pentester simulates the mindset of an opportunistic, uninformed hacker.

The duration of our pentest depends entirely on the intended goal, the chosen method and the available budget. We usually work with a timeboxed pentest (the pentest takes place within an agreed maximum duration, and as many vulnerabilities as possible are identified within the allotted time), which we calculate at 4 hours. If desired, we can of course deviate from this at any time.

For our pentests we always start with an intake meeting with our pentester. Besides a general introduction, we discuss the scope of the test, the approach, the available budget and the timeframe of the test. Then the actual pentest takes place.

Demonstrating the impact of a vulnerability enables a client to estimate which vulnerabilities have the greatest impact on his or her organization and therefore deserve priority. When our expert discovers weaknesses at an external party, that party is notified so they can take action. This ultimately increases your security level as well.

After the execution, our expert prepares a report containing the findings, conclusions and recommendations. The report consists of a management letter containing the main conclusions and recommendations, as well as a more detailed technical section.

All reports from each individual pentest are stored encrypted in a so-called “cryptocontainer,” so that they are safely shielded from the outside world. In addition, we give a presentation at the quarterly meeting so that the most secure solution for particular situations can be sought together.