Penetration tests, or pentests for short, are one of the most important IT security measures that companies can conduct proactively to protect themselves against hacker attacks. Companies planning to order a pentest for the first time need to figure out what information their service provider needs to prepare and conduct the pentest. We asked Daniel Heyne, usd Teamlead Sales and OSCP- and OSCE-certified penetration tester, what those companies should keep in mind:
Daniel, do most companies know right from the start which technical security analyses are suitable for them?
DH: In many cases we discuss the suitable analysis method with our customers. We define the systems and applications to be tested, i.e. the scope, as well as the specific goal of the analysis. Whether we consider conducting a vulnerability scan or a pentest, for example, depends on the protection requirements of the particular components and the risks associated with a hacker attack.
What exactly does that mean?
DH: Let me give you an example: A web shop runs on the systems of the web shop owner, but the associated news blog is hosted on an external service provider’s servers. A cyber attack on the web shop directly affects the business and possibly the company’s own IT infrastructure and therefore poses a higher risk for our customer than an attack on the news blog. If there is a limited budget, we can reduce the pentest scope to the web shop while the blog is tested with a vulnerability scan.
Do companies ever ask directly for a pentest?
DH: Yes, some do. There are various reasons for ordering a pentest. Pentests are a condition for fulfilling many regulatory or internal requirements, for example. However, companies may also decide to conduct pentests of their own accord in order to check their own resistance to hacker attacks or to proactively identify potential vulnerabilities before they can be exploited by attackers.
What is the most challenging part for companies while planning a pentest?
DH: In the beginning, it is often not quite clear which systems and applications have to be included in the test and how extensively and intensively they should be tested. What are the risks and how high is the protection requirement? If, for example, an external service provider hosts any part of an application, an extension of the testing scope may have to be considered. Weak points at the service provider, such as a lack of current security updates, pose an attack vector that cannot be neglected.
Does a company need to provide all this information at the initial meeting with the service provider?
DH: It’s not a problem for us at all if a company can’t provide the information on the testing scope and objectives that we need. We discuss all details with our customer during our initial meeting and find a suitable solution. We explain exactly what further information we need. Everything will be sent to the customer in writing so that they can gather the details at their own time. However, if our customer already has all the necessary information at hand, this speeds up the procedure enormously.
Can you tell us what a company might face if it orders a pentest from you?
DH: The first step is an invitation to a preparatory online meeting in which we discuss all important details, questions and the further procedure. We check in with our customer in a timely manner before the agreed examination date, and during the examination we inform the customer about identified vulnerabilities on a daily basis. Subsequently, the customer receives the results in report form, together with comprehensive recommendations for the elimination of identified vulnerabilities. Throughout the project, we are of course always happy to answer any questions.
Do you have any questions about conducting pentests or need support? Contact us; we are happy to help.