What can an intruder do with information they obtain?
To steal or somehow modify information is probably the primary goal of the hacker. There are also instances of hooliganism, but they are less common. A professional hacker will probably have a goal other than destruction. Sometimes, he will break into one network only to use it as a base from which to attack his next target, but sooner or later he will want something. A hacker can do a range of things, from pranks such as changing the look of your screen to more serious breaches such as stealing your passwords or other sensitive information such as customer data or trade secrets.
Does anyone notice the intrusion?
Most hacker attacks go unnoticed, many times because no one is looking. Most computers have logs, but for the hacker, covering tracks by deleting entries from a log file is pretty easy. Another way to cover tracks is to “hijack” intermediary systems for all communication with the target computer, so locating the hacker through an IP address will be much more difficult. Software may also be used to hide hacking tracks. Once the intruder has sufficient privileges on a computer, they can do pretty much whatever they want. For example, they can modify the operating system in ways that are practically impossible to detect.
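The point above, that deleting log entries is easy once an intruder has privileges, is why defenders make logs tamper-evident: each record carries a hash of the previous one, and the latest hash is copied to a separate system. The following is an added illustration, not Pure Hacking's code or tooling; the event records are constructed sample data and the function names are our own.

```python
import hashlib
import json

# Constructed sample audit events (not from any real system).
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00Z", "user": "alice", "action": "login"},
    {"ts": "2024-01-01T10:05:12Z", "user": "alice", "action": "read", "obj": "customers.db"},
    {"ts": "2024-01-01T10:07:40Z", "user": "alice", "action": "export", "obj": "customers.db"},
    {"ts": "2024-01-01T10:09:03Z", "user": "alice", "action": "logout"},
]

GENESIS = "0" * 64  # hash value that the first entry chains from


def entry_hash(prev_hash, seq, event):
    # Hash covers the previous hash, the sequence number and the event itself,
    # so changing, removing or reordering any record changes every later hash.
    payload = json.dumps({"prev": prev_hash, "seq": seq, "event": event}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(events):
    """Turn plain events into hash-chained log entries."""
    chain, prev = [], GENESIS
    for seq, ev in enumerate(events):
        h = entry_hash(prev, seq, ev)
        chain.append({"seq": seq, "event": ev, "prev": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain, expected_head=None):
    """Return (ok, reason). expected_head is the last hash as stored off-host."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i:
            return False, f"sequence gap at position {i}: found seq {entry['seq']}"
        if entry["prev"] != prev:
            return False, f"prev hash mismatch at seq {i}"
        if entry_hash(prev, i, entry["event"]) != entry["hash"]:
            return False, f"entry {i} modified"
        prev = entry["hash"]
    # Deleting entries from the tail leaves a valid chain; only the head hash
    # stored on another system reveals that the log was truncated.
    if expected_head is not None and prev != expected_head:
        return False, "head hash differs from remotely stored head (log truncated?)"
    return True, "chain intact"
```

The last check is the important one: local verification alone cannot detect an attacker who simply drops the newest records, which is why the head hash (or the whole log) should be forwarded to a host the intruder cannot reach.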
How common is internal hacking?
Your most serious risk is often from the inside – from a problem employee, from someone who has been let go but has not yet left the company, or from a person motivated to steal proprietary information to sell to competitors. During many internal assessments, Pure Hacking has discovered significant exposures that could lead to disruption or complete outages for many businesses. A Pure Hacking On Site Penetration Test lets you know where you stand when it comes to internal IT security.
Can you check business to business connections?
Yes. This confirms what your business partners can see about you.
Do you employ ex-hackers?
Absolutely not. First and foremost, the penetration tester must be entirely trustworthy. While testing the security of a client's systems, our team members may discover information that must remain confidential. If confidential information were released, this could lead to loss of corporate reputation and, ultimately, financial loss. Pure Hacking does not use ex-hackers to review the security of a client's systems, as trust is of paramount importance. We require our testers to have a minimum of 5 years' experience in the IT security field and appropriate academic qualifications.
What is the benefit of a penetration test?
A penetration test is a controlled security review conducted by an independent security professional who attempts to break into a client’s computer system. A penetration tester employs the same tools and techniques as real intruders but does not damage the systems or attempt to steal information. A penetration tester then reports on the vulnerabilities that were found and the ways that they can be fixed.
Does my system need a penetration test?
If you answer “yes” to any of the following questions, you need to consider a penetration test.
- Will I suffer a financial loss if my systems are compromised?
- Will my organization lose public confidence if my systems are seen to be vulnerable to attack through Web site defacements or unavailability?
- If my system is compromised and used to attack somebody else's system, will I be legally liable?
Can a penetration test simulate an attack by a disgruntled employee?
Yes. This is referred to as an “internal hack” and usually represents the most damaging hacking engagement.
How often should I assess my security through a penetration test?
It varies and depends on the complexity of your systems, but most of our clients would check their systems with a penetration test at least once a year.
When can the penetration tests occur?
Pure Hacking will perform a penetration test at any time that is convenient to you. There is no additional cost if the hack is performed outside of normal business hours.
What effect will a penetration test have on my system?
Every effort is made to minimize the risk to your systems, but in some cases you may notice extra logging activity and your intrusion detection systems may be alerted.
How long does a Pure Hacking engagement normally take?
An engagement can last anything from 1 day to 300 days depending on your security challenge. To cover the full range of threats, most clients usually request an external and an internal hack. An external hack is performed from our hacking lab, while an internal hack will be performed from within your premises.
How effective is a penetration test?
We use the same tools and techniques as are used by criminal hackers, and we keep up to date with the current vulnerabilities in your software. We are usually able to find the things that will make your system vulnerable to attack and can help you close these holes well before your systems are attacked. This method is effective because it shows you your real threats.
What does it cost?
Clients engage Pure Hacking on a daily rate, inclusive of all tools and insurances. The engagement is scoped using tools and conversations with the client. These conversations determine the business objectives of the testing and the ultimate duration. No two sets of systems or business objectives are identical, as each engagement is customised to the client's needs. When the systems are important, our clients call Pure Hacking because they need to know if they are safe.
Do you need a test account?
A test account is mandatory only for web application penetration tests (which tend to take 3 days); for our other penetration tests it is optional. However, testing with a test account is significantly quicker and therefore more cost effective.
How long does an application test take?
On average it takes three days to conduct a web application penetration test.
What do you test for?
There are literally thousands of automated tests; however, automated testing comprises only one third of the engagement. The remaining two thirds is manual testing, using human ingenuity to find ways to circumvent the controls you’ve put in place. You need to know if your controls can be compromised. Pure Hacking also applies the OWASP ASVS and WASC standards to our testing.
Do you test to a standard?
Pure Hacking is a registered auditor and contributor for the Open Source Security Testing Methodology Manual (OSSTMM) and performs tests according to the Open Web Application Security Project Application Security Verification Standard (OWASP ASVS) and Web Application Security Consortium (WASC) assessments. Customised testing is also frequently performed.
ONGOING SECURITY MANAGEMENT
How many machines do you manually assess in a day?
Our PureScan managed service assesses up to twenty live machines in a day. The results come back for these machines and we see if there is a way to gain access, bypassing the controls you have in place.
I don’t make that many changes to my environment. Do I need this service?
Even if you don’t make changes, new ways to compromise your business keep appearing on the Internet. Our PureScan service keeps on top of these changes.
Are your managed services just a vulnerability tool?
This is primarily a service. PureScan scans your machines daily, and we then manually check the results. PureWeb is a monthly service: if a new method of compromising your systems is discovered, we’ll manually check your systems to see if you have an issue. Alternatively, PureWAF is used predominantly for analysing security status.
What’s the main reason why people use WAFs?
They either don’t have the skills, or they don’t have the time to implement this important service. However, they want to be confident that they are across the new security threats that appear on a daily basis, and they tend to want to rely on a security specialist rather than a tool for monitoring their systems.