
About vandals, script kiddies and “bad boys” — The basics of pentesting

The digital economy has long since become one of the most important foundations for pretty much every business. Since crime in these areas is also increasing, measures must be taken to ensure basic security. One such method that can ensure safety is to simulate an emergency using so-called “penetration testing.” To introduce the topic, we conducted an interview with Sascha Zinke from Splone.

Hey Sascha, thanks for taking the time for a short interview. Let's start off in a very basic way: What is that anyway, pentesting?

Sascha Zinke: Basically, there are two different ways to advance IT security: in addition to meticulously preparing your own company and your respective employees, there are of course also people who actively try to prepare and carry out fake, as it were, realistic attacks. In other words, you virtually simulate the activity of an attacker, including the same methods and goals. In contrast to an actual attacker, vandal, script kiddie or “bad boy,” as part of a pentest, we always act in response to the respective organizations and comply with appropriate agreements. That is the main difference; the general procedure, however, is similar to that of a common hacker.


For whom is pentesting interesting or for whom is it sometimes even essential?

Sascha Zinke: The question that a pentest tries to answer is primarily about the weak points of an information technology system. And a pentest tries to answer this question as quickly and efficiently as possible. This means that a pentest is particularly relevant for organizations that need a concise answer to the question of the vulnerabilities within their respective infrastructure in a relatively short period of time: Where are potential entry points for potential attackers in the respective exposed services, e.g. on the website? A pentest simply tries to answer these questions quickly and efficiently.

“Small companies are subject to the same guidelines as large corporations!”

Are there industries in which a pentest is needed more urgently than in others?

Sascha Zinke: If I have a company or even just a small business with a website, I must of course also strive for IT security. Now, of course, a small local textile company has bought its potential online shop somewhere and also probably only has a static website with an HTTP web form that does not allow any real interaction at all. This means that a pentest may not be the most effective and efficient means at this point; you will probably reach the desired goal more quickly with other means. Nevertheless, even such small companies are generally subject to the same guidelines as large corporations!

If I, of course, offer more extensive services, perhaps I am a major entrepreneur myself, then I have different requirements and am also more reliant on functioning technology. If a small company “loses” its website, i.e. it goes offline, then that may not be as decisive for my business model. Although customer data may be affected in the worst case scenario, general business capacity will not be immediately affected. The situation is completely different for critical infrastructure companies (KRITIS). Not only are the company itself and its direct customers in acute danger, but this can quickly also have socially relevant consequences. That is why critical infrastructures are so worthy of protection and, conversely, predestined for pentests.

As part of my research, I came across OWASP. Can you briefly say something about this?

Sascha Zinke: OWASP stands for Open Web Application Security Project and is a foundation sponsored by various companies that deals with web security and also with pentesting guidelines. As such, the OWASP is of course particularly exciting because it provides a fairly good understanding and a coherent overview of the rather fragmented IT security landscape — and they even provide programs for this purpose. So that's a pretty nice thing.


Red Team, Blue Team; white box, grey box, black box... There is truly no shortage of colors in the semantic environment of pentesting. Can you briefly explain the terms?

Sascha Zinke: Yes, the color theme comes from military jargon: Red Team and Blue Team accordingly describe attacking and defensive units. As a Red Team, we tend to be the attackers, whereas the Blue Team sits on the other side of the metaphorical trench and tries to react accordingly. What differs again between the respective types of attacks is the level of transparency: So how do I proceed exactly? This means that if we act in close consultation with the customer, if we have extensive information, then more light is brought into the dark: that is when we speak of a white box pentest. The less information we are provided with, the more we grope in the proverbial darkness and the darker the color of the description of the respective pentest becomes. With a black box pentest, you therefore only have the company name and the URL, but no further information.

What you also encounter from time to time is the mix of Red Team and Blue Team, a so-called Purple Pentest, also called Purple Security. There is therefore certainly an attempt to intersperse new colors that correspond to new approaches. Basically, however, we usually travel as a Red Team — and preferably in a grey area of information technology.


What does such an average job description look like? Is there just an indefinite request with the motto: “Hack us,” or is more specific information being shared?

Sascha Zinke: The decisive factor is to conduct a comprehensive preliminary discussion and find out what the goal actually is. So what do you want to make a statement about? It is very possible to say “So I'm interested in our overall corporate security.” But I can of course also review certain aspects of IT security. For example, if I have a new product or service online, then I can also focus on that. The all-important question is: what do I want to make a statement about? In addition to the context, our respective approach also changes according to the respective answer. All of this must be considered in a comprehensive preliminary discussion. Of course, it always remains linked to a balancing question of costs: it is ultimately a matter of finding a compromise between the time spent, the appropriate budget and the safety-relevant results of a pentest.


Technology is only one side of the coin of a coherent security strategy; the social nature of humans is another factor that needs to be considered. How does pentesting take account of this fact?

Sascha Zinke: In this regard, too, the most important question is once again: What do I want to know in the end? I think it is clear to all of us that people are easily led and somewhat easy to deceive. That is not yet a finding in itself. The exciting question then is whether and how the technical systems are prepared for this. This means that our goal is, on the one hand, to find out whether the technological security mechanisms are so sophisticated that, if something happens, the damage done remains minimal. On the other hand, it is of course also exciting to see how trained the respective employees are. For example, you can simulate phishing attacks to test work routines. In the end, however, it is never a question of denouncing employees, but rather of adapting the technical components in such a way that they enable safe work. Such social engineering, i.e. exploiting human vulnerabilities, is primarily part of large-scale Red Teaming campaigns.


Thank you so much for your time and the illuminating answers to my questions.

The reason for the extensive discussion of security aspects of the IT world was an online seminar on the topic planned by Assecor. The focus was on cyber security and domain security. You can download the recorded video here.

Photo by Sebastiaan Stam on Unsplash