Frequently Asked Questions

  • Why is Penetration Testing necessary?

    Penetration Testing is used to determine if an organization’s security is robust enough to protect the Confidentiality, Integrity and/or Availability of the data that it accesses, contains, or processes.

    Penetration testing is often carried out to satisfy regulatory requirements. For example, a PCI penetration test would satisfy the testing requirements outlined by the Payment Card Industry Data Security Standard (PCI-DSS).

  • What is the difference between Penetration Testing and Vulnerability Assessment?

    • A vulnerability assessment is the use of an automated tool to scan a network or application for known vulnerabilities. While an automated vulnerability scan is very efficient and cost-effective in identifying common vulnerabilities such as missing patches, service misconfigurations, and other known weaknesses, it cannot reliably validate whether a reported vulnerability is real, nor does it determine the impact through exploitation.
      Scanning software can identify only vulnerabilities it has signatures for (such as out-of-date software, incomplete deployment of security software, etc.). It cannot take business logic into consideration or find previously unknown vulnerabilities.
    • A penetration test focuses on the environment as a whole. In many ways, it picks up where the scanners leave off to provide a comprehensive analysis of the overall security posture.
      Further, pen testing includes attempts to safely exploit vulnerabilities, escalate privileges, and ultimately demonstrate how an attacker could gain access to sensitive information assets.

  • How often should we have Penetration Tests done?

    This depends on a variety of factors, such as how big your environment is and how often it changes. Last but not least, it also depends on your budget constraints. It is advisable to perform a security audit every time any software or application is updated, and at least once a year.

  • Will other servers be affected during the penetration testing?

    Unless legally authorized, HTD will NOT perform penetration testing on servers other than the agreed targets.

  • Are you completely secure after penetration testing?

    Hacker attacks are constantly evolving threats. Even a website that is left completely unchanged can be compromised by new attack vectors in the future.
    Therefore, we recommend that organizations perform Penetration Testing on a regular basis, at least once a year.

  • Is it legal to perform simulated DDoS attacks?

    Our position is that a simulated DDoS attack is legal when performed in a responsible manner.
    Our commitment to responsible testing includes the following:

    • Properly size simulated DDoS attacks to minimize impact beyond the intended target.
    • Require all customers to complete an authorization that proves they own or completely control the target.
    • Require all customers to notify their upstream ISP(s) of the proposed testing.
    • Provide multiple fail-safe mechanisms to deactivate a running DDoS attack simulation.

  • How are simulated DDoS attacks different from load testing?

    The main distinction is that a load test is attempting to find the upper limit of an environment when exposed to normal traffic, whereas a simulated DDoS attack is specifically crafted to maximize the impact to the target.
    As an example, a load test tool may repeatedly load a website using behaviors intended to closely match a normal user, with normal traversal through the site and realistic pauses between requests. A DDoS attack equivalent, however, might focus on a specific "edge case" such as opening tens of thousands of connections that intentionally send and receive data at a very slow rate.

  • Which types of simulated DDoS attacks are available?

    We offer simulations of dozens of common DDoS attacks that can be modified to a nearly limitless number of permutations to meet the unique needs of our customers.
    Additionally, our engineers are skilled in creating DDoS attacks, and are able to craft custom attacks specifically designed to exploit the weaknesses of a customer's environment.

  • Why should I conduct a Red Team test?

    Red Team testing gives you valuable insight into the security posture of your diverse assets, so you can correct weaknesses before hackers cause serious damage by exploiting them.

  • How often are the Dark Web scans performed?

    Our monitoring runs on an ongoing basis: we notify you whenever we find information on the Dark Web that may belong to you.

  • Can Dark Web monitoring help businesses?

    Yes. The online security practices of end users affect the safety of the entire business. Weak and reused passwords can make it just as easy for hackers to get into a user's work accounts as into their personal accounts.

  • How soon can you start on my project?

    A professional manual penetration test takes some planning and preparation by our assessment team. With that said, if you have an urgent project, feel free to contact us about timelines.

  • How much does a Penetration Test cost?

    Penetration testing costs can vary significantly depending on multiple variables.
    There is no universal price for a penetration test; in fact, if you are presented with a generic price, it should serve as a red flag not to proceed with that provider.
    We provide a free consultation to understand your organization’s aims and objectives and to determine a high-level threat model before providing a quote.

  • How long does a Penetration Test take?

    The length of a test depends on the complexity of your requirements and the level of assurance you require. Penetration testing is a hands-on assessment that is not suited to short, quick sprints.

  • How much of the testing is automated vs. manual?

    While automated tools are a brief step early in our process, the large majority of our testing is manual. The amount of manual work varies from project to project, but around 95% of the Penetration Testing is hands-on.
    This isn’t to say that automated vulnerability scanners don’t have a place; vulnerability scans are quick and simple tools that should be used on a regular basis to identify missing patches or outdated software in larger or less well-known environments.

  • Can Penetration Tests impact my business operations?

    Various steps are taken over the course of the project to avoid any impact of our tests on the stability of your technological environment and the continuity of your business operations.
    To this end, a communication plan is put in place at the beginning of the project to prevent and mitigate any potential impact.

  • How can DDoS testing be done safely?

    Our DDoS testing is quite safe, as we manage the risks by:
    1. Ensuring permissions are granted for every asset and network being tested.
    2. Ramping up traffic levels slowly from very low levels.
    3. Providing an emergency stop that halts all traffic.

  • Who needs DDoS testing most?

    The need for DDoS testing depends heavily on how much your business relies on its online systems. If your organization must maintain a 24/7 online presence, this type of security assessment is essential.

  • What is the difference between Penetration Testing and Red Teaming?

    A Penetration Test is a focused form of cybersecurity assessment designed to identify and exploit as many vulnerabilities as possible over a short period of time, often just a few days.
    A Red Team Operation is an extended form of engagement conducted over a period of weeks, designed to achieve a set objective such as data exfiltration and to test the organization’s detection and response capabilities.

  • How much does a Red Team Engagement cost?

    This isn’t an easy question to answer until some level of scoping has been performed.

  • Could a Red Team operation cause any damage or disruption?

    Unlike genuine cyber-attacks, a Red Team operation is designed to be non-destructive and non-disruptive. You can be sure that all engagements will be carried out in line with pre-agreed rules of engagement and the highest technical, legal and ethical standards.

  • How does Dark Web monitoring work?

    Dark Web monitoring proactively checks for breached credentials related to your brand. You will be alerted by email if credentials belonging to your brand are found.
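    The matching step behind this answer, and the password-reuse concern raised under "Can Dark Web monitoring help businesses?", can be illustrated with a small Python example. This is an added example, not HTD's own tooling: the feed format (one `email:sha1_of_password` record per line), the monitored domain `example.com` and the sample records are all constructed assumptions. Records are handled only as hashes, so no plaintext password is needed; accounts on the monitored domains are flagged, and any hash shared by more than one flagged account is escalated as password reuse.

```python
"""Match a constructed breach feed against an organisation's domains and
flag password reuse between the exposed accounts. Example code only; the
feed format and all sample data below are assumptions for illustration."""
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass


def _h(password: str) -> str:
    """SHA-1 digest, the form in which many breach corpora are circulated."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed sample feed (not real breach data). One record per line.
SAMPLE_FEED = "\n".join([
    f"alice@example.com:{_h('Winter2020!')}",
    f"bob@example.com:{_h('Winter2020!')}",         # same password as alice
    f"carol@mail.example.com:{_h('correct horse')}",
    f"dave@other.org:{_h('Winter2020!')}",          # not a monitored domain
    "malformed line without separator",             # must be skipped
    f"ALICE@EXAMPLE.COM:{_h('Winter2020!')}",       # duplicate, different case
])


@dataclass(frozen=True)
class Record:
    email: str
    pw_hash: str


def parse_feed(text: str) -> list[Record]:
    """Parse 'email:sha1' lines, normalising case and skipping junk lines."""
    records: list[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        email, pw_hash = line.rsplit(":", 1)
        email, pw_hash = email.strip().lower(), pw_hash.strip().lower()
        if "@" not in email or len(pw_hash) != 40:
            continue
        records.append(Record(email, pw_hash))
    return records


def belongs_to(email: str, domains: set[str]) -> bool:
    """True if the address is on a monitored domain or one of its subdomains."""
    host = email.rsplit("@", 1)[1]
    return any(host == d or host.endswith("." + d) for d in domains)


def find_exposures(records: list[Record], domains: set[str]) -> list[Record]:
    """Unique records (after case normalisation) on the monitored domains."""
    seen: set[Record] = set()
    hits: list[Record] = []
    for r in records:
        if belongs_to(r.email, domains) and r not in seen:
            seen.add(r)
            hits.append(r)
    return hits


def find_reuse(exposures: list[Record]) -> dict[str, list[str]]:
    """Hashes shared by more than one exposed account, i.e. password reuse."""
    by_hash: dict[str, list[str]] = defaultdict(list)
    for r in exposures:
        by_hash[r.pw_hash].append(r.email)
    return {h: sorted(e) for h, e in by_hash.items() if len(e) > 1}


def build_alerts(feed_text: str, domains: list[str]) -> list[dict]:
    """One alert per exposed account; reuse across accounts raises severity."""
    exposures = find_exposures(parse_feed(feed_text), set(domains))
    reuse = find_reuse(exposures)
    return [
        {
            "email": r.email,
            "severity": "high" if r.pw_hash in reuse else "medium",
            "shared_with": [e for e in reuse.get(r.pw_hash, []) if e != r.email],
        }
        for r in exposures
    ]


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_FEED, ["example.com"]):
        print(alert)
```

    Run against the constructed feed, the matcher skips the malformed line and the foreign domain, collapses the two case variants of the same account into one record, and reports three exposed accounts; the two that share a hash are marked high and cross-referenced to each other. A real deployment would key on the same logic but would also record which breach each hit came from and when it was first seen, so that repeat notifications can be suppressed.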

Copyright © 2020 HTD.RED