F.A.Q.

Why should we conduct a penetration test?

IT is an integral part of every company's business today. As a result, both the amount of business-critical data stored on IT systems and the dependency on a working IT infrastructure keep growing. This leads to an increased number of attacks against IT systems in the form of industrial espionage, denial-of-service attacks and other ways to significantly harm a company. Important corporate secrets are spied on and sold to competitors. The availability of systems is interrupted, and a non-working IT infrastructure causes more and more problems today. No new orders are placed, because competitors somehow always have the better offer. A penetration test gives you information about your systems' vulnerabilities, how probable a successful attack against your infrastructure is and how you can protect yourself against potential security breaches in the future.

Are there legal requirements for penetration tests?

It is not mandatory to do a penetration test but it is best practice.

What is the workflow of a penetration test?

In advance of every penetration test, an individual meeting is held. In this meeting, the various possibilities of a penetration test in relation to the customer's systems are discussed. A penetration test only makes sense if it is tailored to the individual customer.

What time investment do you estimate for a penetration test?

The time investment for a penetration test varies from case to case depending on the systems to be tested and the individual test requirements. Usually, the time needed ranges from a few days to several weeks. One goal of the preliminary meeting is to get enough information about the systems to be tested to estimate the optimal length for the penetration test. The customer's staff are usually tied up only marginally. Most notably, a contact person for questions during the exploitation phase is required.

How much information does the Techrate team need from us for a penetration test?

The type and amount of information needed varies with the kind of penetration test that is to be conducted. The two concepts mentioned most often are blackbox and whitebox tests. Unfortunately, those terms are not defined by a standard and can therefore mean different things, depending on who you talk to.

Will you put malicious software in our system?

The software we occasionally put in customers' systems (keyboard sniffers, network monitors, covert communication software etc.) is entirely developed by our company and is also merely a simulation of actual malicious software. We make sure that our software doesn't do any damage to your data or services, and completely remove it at the completion of the project if not sooner. Our penetration testing tools are not self-propagating, allowing us to maintain an accurate list of their deployment at all times, and to remove them when they're no longer needed.

What is the difference between a Flaw and a Vulnerability?

Our vulnerability scan highlights the flaws it discovers. It is important to understand that not all flaws will be exploitable vulnerabilities. A flaw is a potential vulnerability: a flagged pattern that is indicative of a vulnerability.

A vulnerability is a hole within the security of a system caused by software flaws, incorrect configurations and/or insecure user behavior. Vulnerabilities can cause the software to work contrary to its documented design and can be exploited to cause the system to violate its documented security policy. An exploit is something that takes advantage of a vulnerability to either gain unauthorized access or do damage to a system.

What are black box and white box tests?

A black box test is normally defined as a test where the penetration testers do not have any more information than attackers without internal knowledge might have. In contrast, in a white box test, the penetration testers already have internal knowledge about the target systems.

Why should not only the network perimeter be tested, but also the internal network?

If your company's network is sufficiently hardened at the perimeter systems and it was not possible to successfully compromise it during a perimeter test, it still makes sense to additionally conduct an internal test. The fact that the perimeter systems are sufficiently secured does not mean that the same precautions are taken on the internal network. Most of the time, too little is done to secure the internal network, as it is supposedly only accessible by trustworthy persons.

Are denial-of-service attacks also tested?

Denial-of-service (DoS) attacks are usually only examined if it seems to be possible to put a system's availability at risk with very little effort. This can, for example, be a misconfiguration or a program error (say, if a system crashes when it gets sent an overly long request). Attacks like this will only be performed after an explicit agreement is provided, to verify whether the attack is indeed possible.

On the other hand, attacks that try to saturate the bandwidth a company has at its disposal are usually not tested, as this is always possible for attackers with sufficient resources and will also affect third-party systems. Distributed denial-of-service attacks, which usually involve hundreds, if not thousands, of zombie systems (systems that were compromised and can now be remotely controlled), cannot be simulated realistically.

Does Techrate penetration testing do social engineering?

Our penetration tests may include social engineering techniques.

What happens to confidential data the Techrate team gathers during security audits and penetration testing?

Techrate commits itself to absolute secrecy regarding your confidential data. A non-disclosure agreement (NDA) determining that Techrate treats a client's data as confidential is already part of every contract. All customer data, including information that is used to prepare a first quotation, is subject to the same obligation to confidentiality. At the end of a penetration test or security audit, all data and possible storage media are either securely destroyed or handed back to the client.

Are the results written down in a report?

Every client gets a detailed report at the end of every test or audit. A typical report includes a non-technical executive summary of the results, to give a short and precise overview of the current status, followed by a more extensive technical explanation for administrators, developers or other technical staff. The individual problems enumerated in the report are separated into a detailed description, a risk analysis and proposed solutions, to directly give suggestions for improvement.

How is Techrate different from other web security companies?

Techrate specializes exclusively in web security and penetration tests. In particular, Techrate specializes in manual security testing in contrast to many other companies in IT-security which rely wholly on automated processes! No automated technique can find every vulnerability type. Some categories, such as authorization issues and business logic flaws, will always require a skilled penetration tester. Also:

Trusted by thousands of companies