Ever since encryption trojans like Emotet started spreading, Cyber security is at the top of the agenda of decision-makers such as CIOs, risk managers or compliance officers: Hackers have a business plan, that - in the worst case - leads to bankruptcy. Cyber attacks today target more than just your data. Endpoint security alone is no longer sufficient; an auditable cyber resilience strategy is a must-have for every company.
Penetration Testing – Analysis. Evaluation. Measures.
Many hacker attacks are very simple in themselves: attack everyone and everything with a repeatable tactic. We know the typical procedures used to quickly snatch prey and know why many companies do not close known security gaps in time. That is why a PenTest is more to us than just trying out an attack: We also analyze the processes, architectures and responsibilities and involve experts from the areas of IAM, EAM and ITSM.
The following main questions have to be answered:
- Which vulnerabilities in your systems can be identified as a result of default configurations, programming errors or generic design flaws?
- To which extent can attackers infiltrate the infrastructure to conduct further attacks?
- Which measures help when addressing current security flaws and which commercial, technical and organizational upsides are possible?
- What can be done beyond direct measures – how can you optimize the general security level of IT and the enterprise in a way that is sustainable, measurable and efficient?
Let's improve the Cyber Resilience of your company, together!
Knowing what can happen tomorrow sounds unbelievable. We can make that happen, though - thanks to our experts who work on the pulse of ZeroDay exploits, CVEs and security researchers. As hackers and cybercriminals discuss the latest findings, we understand what measures actually make an attack impossible. Cyber Resilience doesn't just mean optimizing the level of IT security and infrastructure. Through social engineering, the deliberate exploitation of trust in known sources and senders, criminals often succeed in an attack via privileges that ingenuous employees present to them on a silver platter by just one wrong click.
Our end-to-end approach evaluates the entire attack surface, including the desktop with e-mail, the network, data centers and cloud providers. This is how we create awareness, knowledge, in-house competence and also strengthen the most important factor in your company: your employees.
No “One Size Fits All” approach:Penetration tests are planned and executed according to customer needs
Transparent: Total visibility of measures and actions
Personal: Direct line of communication with the penetration testers
Sustainable: Implementing a security mindset, together
„IT security needs to be understood in its entirety – Management and employees share the accountability for a secure and sustainable enterprise.“
Way too often, IT security is limited to best practices, handling of known security gaps and - with a little diligence - proper access controls. However, while most IT departments feel safe, hackers are keeping an eye on new attack vectors every day. Our professionals know how hackers think and operate. With their perspective, you are able to carry out attacks with the same effectiveness during pentesting in order to measure realistic damage scenarios. Our experienced penetration testers are competent in the analysis, assessment and optimization of modern IT infrastructures.
Our approach ensures results that go far beyond vulnerability scanning. This also enables us to find vulnerabilities that only arise from the combination of findings. Due to our contextual approach, you will receive concrete recommendations for measures with real value for your company, instead of hundreds of pages of unrelated scan results.
Our approach makes the difference:
Context and challenge
More and more systems and databases within companies are internet-facing or provide publicly available services. The risk of being hacked is underestimated. Most of the time, awareness comes in the aftermath. Automated, continuous attacks gain traction and are conducted every minute, every day – attack vectors and configuration flaws expose your data to hackers.
Identification and remediation of attack vectors
- Identification of the security level of all publicly available services, matching of configuration to typical threats
- Incorporation of all network boundaries, existing security measures and their effectiveness
- Enablement of Vulnerability Management as a continuous process to anchor measures sustainably
- Partly automated scans for first, fast results
- Manual penetration of relevant services
- Analysis of possible hacks and full-scope exploitation reports
Methods & Tools
- Vulnerability scans using up-to-date toolsets, standards and methods
- In-depth manual analysis of configuration and protocols help to create a comprehensive list of attack vectors
Desktop services deliver popular attack vectors
Initial attacks targeting corporate data and network systems happen from desktops more often than expected. The payload is dropped via documents, open interfaces and cloud services. Attackers attack sources with human interaction and try to hide behind identities of trust. Every year, companies lose money, trust and market share – whilst receiving attention and bad publicity.
More than just endpoint protection
- Realistic assessment of current resilience regarding attacks such as trojan horses and ransomware
- Raised awareness of effectiveness regarding existing security measures and how to stay safe
- End users learn and understand why awareness is key to stay safe today, tomorrow and in the future
- Efficient and practicable measures for optimal integration
- We begin by assessing the effectiveness of your established security.
- Attack vectors and targets are outlined.
- We also incorporate the penetration of Identity and Access Management.
Methods & Tools
- Dropping of payload via web browsers and email
- Utilization of realistic attack scenarios
- Deriving of precise technical measures that help improve security levels and awareness
Threats are multi-layered, complex and numerous
Attackers not only want your data: They tend to stay within your infrastructure for as long as possible. By implementing backdoors, botnets and trojan horses, ransom attacks can be started at the push of a button. In a worst-case scenario these vulnerabilities lead to a total loss of all digital assets – you are „out of business“.
Security on all layers
- Multi-dimensional analysis of web services for a comprehensive result beyond business logic
- Prioritized measures and best practices help when bringing standards to life – for an efficient future level of resilience
- Implementation of Vulnerability Management as a continuous process to anchor measures sustainably
- Manual penetration of all web apps, security systems, cloud and network/data centers
- Incorporation of leading industry standards
- We derive measures that help optimize security
- OWASP Top 10
- OWASP Open Testing Guide
- OWASP Application Security Verification Standard
- NIST Cybersecurity Framework & CVEs
Security within complex corporate networks
Most of the time, the question is not if but when you will be hacked. The delimitation between internal networks and the Internet is becoming more complex every day – which enables attackers to create more damage. To minimize risk, security needs to be at the heart of the corporate network, IT operations and IT strategy.
A granular analysis that enables resilience
- Detailed evaluation of corporate IT, networks and architecture to address security issues, attack vectors and create a sustainable approach to secure IT whilst maintaining performance and availability
- Rating of effectiveness for existing processes and measures in context of realistic attack scenarios
- Initial check-up of your IT-baseline and health in terms of security
- Offensive penetration to realistically measure the impact of attacks
Methods & Tools
- Create a concept and execute attacks within the complexity of the enterprise architecture
- Vulnerability scans using established tools and exploits that attackers use to hack you
The ultimate check for your Cyber Resilience
Penetration tests are nothing new to you? Your IT-infrastructure is already monitored by a SOC/SIEM? You already have existing security measures? Curious about what external, professional attackers can do to your infrastructure? Want to know whether you will be able to identify an attack at an early stage?
Security for the entire enterprise
-Bring your resilience to the next level!
-Identification of weak spots within your line of defense that may fail when it gets serious
-Team up with experts that know how to implement measures that make a difference
-Incorporating staff, employees and leaders helps to understand how important security awareness actually is
- Realistic analysis of your resilience level in real-life-scenarios
- Full-scope approach including social engineering and physical security
Methods & Tools
- Comprehensive blackbox approach
- Social Engineering
- Physical checks
- Long-term monitoring
- Results presentation for management and employees
Low-level pentest for high-level security
The best security concepts are prone to fail when underlying hardware is vulnerable. Critical security issues remain unknown while hackers already use them to steal your data. „Smart systems“ and IoT are seen as a black box and are often left behind when auditing networks and infrastructure.
Security for a solid foundation
- Secure implementation of embedded systems – especially within corporate networks
- Security-by-design: optimized development processes from idea-to-offer, initiative to finished product
- Mitigation of post-implementation expenses through cost and effort reducing measures
- In-depth analysis of hardware and firmware
- Know-your-device for „smart systems“ and IoT
- Security-by-design for better development and operations
Methods & Tools
- Hardware Hacking
- Reverse Engineering
- Logic Analyzing
At a glance
Not only professional hackers, but also script-kiddies and bot nets are constantly scanning the internet for publicly known attack vectors that yield into hackable targets. Such vulnerabilities may first sound minor – although press coverages of major breaches are ubiquitous. As malware also targets these points of vulnerability, your compromised systems may become infiltrated without human interaction – overnight.
Low budget vulnerability map
- Identification of high-level vulnerabilities by using fast, automated vulnerability scans
- Auditing of results regarding validity and attack vectors
- Overview regarding publicly known vulnerabilities
- Risk mitigation using continuous Vulnerability Management
- Automated vulnerability scans for web apps and perimeter systems for a full scope overview
- No manual penetration test, thus quick and cost-efficient
Methods & Tools
- Vulnerability scans using proven tools and kits
- Manual verification of results help identify false positives
- Risk analysis based on CVSS v3.0
Penetration Testing – Our services in a nutshell:
- Hand-crafted, no batch-execution: Combination of knowledge, skill and expertise instead of a list of findings without context
- Targeted, comprehensive actions and recommendations for your business which we can implement as a team
- Sustainable improvement of Cyber Resilience helps to prevent cases of damage and reduce risk
- Improved trust and market position: You are recognized as a secure, resilient company that is aware of excellence