Q & A


To give my clients a clear understanding, below are some commonly asked questions about hiring a tester and conducting security testing.


What is a penetration test?

A penetration test is a simulation of an actual attack on the computer and network devices of a specific network, resulting in a report of internal and external threats to operations.

Why is a penetration test needed?

A penetration test is valuable for many reasons:

  • Determines whether attack vectors can be leveraged
  • Identifies high-risk vulnerabilities that arise from combinations of multiple low-risk vulnerabilities
  • Identifies threats missed by automated scanning software
  • Assesses the impact to critical operations
  • Tests the network administrators' ability to quell an attack, and their response times
  • Provides evidence for increased security considerations

What is my scope of security testing?

I handle penetration testing in a breadth of areas, from company reconnaissance to infrastructure profiling to network and web auditing. I perform customized testing for companies as large as a Fortune 500 corporation and as small as a personal web blogger.

Large corporations sometimes need someone outside the company to handle a specific investigation, someone who understands not only network security but the legal realm as well. In my personal experience, I have worked with litigation directors and attorneys at Legal Aid in downtown Milwaukee, am familiar with business law, and have studied how network security and the law interact.

We have security applications, why do I need a pentest?

This is a reasonable question, as security applications are supposed to look for security holes. The truth is, some security scanners simply do not provide a fully detailed investigation into certain applications you have on your network. Many of my clients use a variety of custom applications for their operations. This is where you need the human element. A network penetration tester will look at the broad picture and see how it applies to your network with regard to custom-made applications that, while helpful, may be lacking in security.

Can my system be broken by certain tests?

Yes, and this is a valid consideration. This risk is especially of concern when stress-testing to see whether your network can handle a DDoS or DoS (Denial of Service) attack. A Denial of Service attack can take your whole public network down if you do not have proper load balancing. This is why it is very important for a penetration tester to work with the company being audited to perform certain tests outside normal business hours, so that your employee traffic will not interfere with the tests.

It is also very important for the tester to know his tools and how they will interact with your network. Generally, a stress test will only bog down your system until the test is complete. Any other risk would arise only after successfully gaining access to the network and changing settings. If access is gained, it is detailed in an ongoing report and I move on to the rest of my testing.

Your system will never be altered. Ever!

How long does a test take?

Since penetration testing covers many different types of testing, it is hard to give a concrete time frame off the bat. However, once a contract is made, your quote will always include a time frame, so you know what is being performed and how long it will take.

What do I need to start?

To start, go to the Request a Quote page and fill out the form. After your quote is received, you will have to sign a Non-Disclosure Agreement and provide permission to test the network from the appropriate agent in your company. I will not perform any test without both the signed NDA and permission to perform the audit.

What are the legal implications?

Under US law, you are not required to perform a penetration test. However, any work performed will be done under the Uniform Commercial Code. That means all legal and lawful implications will be met by the conditions of my NDA and contract bid.