Internal pentest

The fourth quarter is then followed by the fourth penetration test. Usually an internal penetration test is opted for here.

Here we assume a scenario where a hacker effectively already has access to the business system. For example, through a phishing mail or virus. That they got in that way.

Then we look at what a hacker can do with a low level account. So an account with no privileges. We will try different ways to upgrade this account to administrator in order to obtain sensitive information. An admin account can add an account so that it has permanent access to the system. But an admin account can also, for example, establish a special invisible (in the background) connection to his computer so that every time a computer boots up, he gets access to the network.

In this way, it is possible to sit in the backups unseen even for years. Making them unusable.

In our internal pentesting, we always use a grey-box test. A grey box test is halfway between a black box test and a white box test. Our expert receives limited information about the IT infrastructure in advance, such as a customer/employee account.

Grey-box tests have a realistic starting point. This gives our pentester about as much inside information as, say, a vindictive customer/employee or a knowledgeable hacker. In this way, we can clearly see how secure an environment is from a customer or employee perspective.

Good preparation makes a pentester much more effective and focused. A risk inventory is therefore valuable. Ask yourself what your organization’s Achilles heel might be. For example, do you have sensitive business information, or do you process a lot of personal data? Is image important? Do you operate in a controversial market and might hackers be out to sabotage your activities? Try to find out what makes your organization an attractive target for malicious parties. That way, focus on this during the test.

It is also wise to make a tour along all departments and stakeholders in the organization. For example, an HR director may be able to point out different risks than the CFO. A company-wide inventory provides a complete risk picture. This prevents too narrow a focus during the pentest.

The duration of our pentest depends entirely on the intended goal, the chosen method and the available budget. Usually we work with a timeboxed pentest (the pentest takes place within an agreed maximum duration. Within the allotted time, as many vulnerabilities as possible are identified) which we calculate at 8h. If desired, we can of course deviate from this at any time.

For our pentests, we always start with an intake meeting with our pentester. In addition to a general introduction, we discuss the scope of the test, the method of approach, the available budget and the timeframe of the test. Then the actual pentest takes place.

Demonstrating the impact of a vulnerability enables a client to estimate which vulnerabilities have the greatest impact on his or her organization and therefore deserve priority. When our expert discovers weaknesses at an external party, that party is notified so they can take action. This ultimately increases your security level as well.

After the execution, our expert prepares a report containing the findings, conclusions and recommendations. The report consists of a management letter containing the main conclusions and recommendations, as well as a more detailed technical section.

All reports of each individual pentest are stored encrypted in a so-called “cryptocontainer”, so they are safely protected from the outside world. In addition, we give a presentation at the quarterly meeting so that together we can look for the most secure solution for certain situations.