Have I been hacked? Nowadays, the question is not whether your organisation will be hacked but when your organisation will be hacked. You may have already even been hacked without being aware of it. No matter how big or small your business is, cybercriminals are on a daily hunt for new ways to penetrate organisations like yours. Hackers are becoming increasingly creative in this. And fortunately, so are Hoffmann’s pentesters. Do not get caught off guard: have your IT infrastructure regularly checked by Hoffmann’s hackers. That is how you make your IT infrastructure resilient and stay prepared for unknown threats.

Feel free to contact our pentest specialists

Contactform    088-2986600    info@hoffmann.nl

Conversations with our specialists are always confidential due to our professional secrecy.


On average, it takes a company 16 days to discover a hack; this interval is known as the ‘cyberattack dwell time’. There have been incidents in which the hack was only discovered after several weeks or even months.


In 82% of cases, the hack itself happens within one minute.


In virtually 100% of cases, it is evident afterwards how the incident could have been prevented.

We have seen that cybercrime has been on the rise for quite some time and know that this will not change in the coming years. Yet many organisations do not think they are an interesting target for cybercriminals. Unfortunately, they are wrong.


Periodic pentesting

A penetration test (pentest) shows whether your organisation is sufficiently resilient against digital attacks. It provides insight into the vulnerabilities of your IT infrastructure and the potential consequences of those vulnerabilities. It is critical that you test your security and resilience regularly: not only when adding new systems to your infrastructure, but also because new vulnerabilities are discovered every day in hardware and software already in use, including the hardware and software you use yourself.

CCV, ISO27001 and NEN7510

Hoffmann holds the CCV pentesting quality mark. Pentests are performed according to the conditions and requirements of this quality mark, which offers assurance of and guarantees the quality of the pentests performed.

Are you in the process of obtaining ISO27001 certification or NEN 7510 (for the healthcare sector)? Hoffmann can test whether the technical security of your IT systems is adequate through a penetration test.

Our approach: visible impact through pentesting

Hoffmann’s creative pentesters go a step further than the average pentester. They do not just work through a standard checklist but use their creativity and ingenuity to really break into your systems. They then show concretely what hackers are capable of.

  • They are Offensive Security Certified Professional (OSCP) pentesters.
  • Hoffmann’s pentests are always carried out with indemnification, and we determine the scope of the test together with you.
  • Your current security level is mapped out so that you can preventively enhance your IT security.

Clear reporting & advice

The pentest report describes which key digital access doors were tested, how this was done and which tools were used. The pentesting findings are classified according to a rating system that ranges from low to medium to high to critical, using either the Common Vulnerability Scoring System (CVSS) methodology or the NCSC-NL matrix (the Dutch equivalent of the CVSS). On this basis, we assess and prioritise the vulnerabilities and turn them into comprehensive, customised recommendations.

Would you like to know more about a prospective pentest?

Would you like to know more about pentesting options for your organisation?
Our specialists would be pleased to share their thoughts with you.


Or contact one of our consultants directly.

How does pentesting work?

Many organisations find it difficult to formulate their core question. Therefore, our consultants aim to flesh this out during the comprehensive intake beforehand. In addition to the risks that apply to every organisation, we identify your organisation’s core interests and associated risks. Based on the input from the intake session, we determine together with you which key access doors will be tested to access company-sensitive data, and in what way.

In addition, it is important that you have a clear picture, or obtain one on the basis of our input, of the systems to be tested. We call this defining the scope. Of course, you can provide this information yourself, but we can also use an open-source investigation (open source intelligence/OSINT) to find out what your organisation’s digital footprint and systems look like.

Corporate network (the internal and external infrastructure)

Cybercriminals do everything they can to penetrate your internal network from the outside. But (malicious) employees and guests can also expose important company data from within.

What options does a hacker have once they have managed to circumvent the first lines of defence and, for example, gain access to an internal workstation? Is your network adequately protected against this and properly segmented?

You might think that pentests are performed entirely remotely. Nothing could be further from the truth. Hoffmann recommends looking at your infrastructure not only from the outside (the internet), but also from your own office or from the immediate vicinity of your business premises. Criminals can capture wi-fi signals relatively easily and thus attempt to penetrate your network from a distance. Pentesting by Hoffmann on your premises (in-house) gives you insight into the risks you may currently be facing there.

(Web)applications

(Web) applications and services linked to the internet are important access doors through which criminals can obtain sensitive data. Technical vulnerabilities could potentially even lead to access to the internal company network.

Mobile & IoT

Mobile apps and internet of things (IoT) devices are always connected to other (web) services and APIs. The sensitive data processed over this route can be intercepted by cybercriminals on the network.

Types of pentests

Together with you, we determine per system, application or network how much prior knowledge the pentester will work with (‘black box’, ‘grey box’ or ‘white box’). This is done within a predefined time frame (‘time box’). Of course, a pentest can also consist of a combination of a black box, grey box or white box approach. The following sections explain the differences between these methods.

Black box pentest

Our analysts start the pentest by attacking your systems with no prior knowledge. Through an open-source investigation (open source intelligence), they further map your organisation and find out what information is (publicly) available. Examples include email addresses, leaked passwords and even (internal) documents.

This method approaches the attack just as a cybercriminal would, which makes black box pentesting the most commonly chosen type of pentest.

Grey box pentest

Our analysts are given limited access to the systems and investigate the vulnerabilities further from there. This scenario corresponds to a hacker who already has access to your systems, for example through malware or a successful phishing operation. In this real-world scenario, an employee is typically (unintentionally) involved in the cyberattack.

White box pentest

All the information is provided beforehand to search for vulnerabilities in a targeted and efficient manner. Here, we study designs, source code, documentation and other available information to advise you on how to enhance security.

Combination

Needless to say, a combination of the different types of pentests is also possible. Our advice is generally to start off with a black box pentest and then move on to a grey box pentest. The grey box phase can use information that you have provided or information that our analyst retrieved during the black box test.

Hacking à la carte with ART

ART, which stands for Advanced Red Teaming, is a methodology developed by De Nederlandsche Bank. While it was initially designed for financial institutions, ART is also highly applicable to critical sectors such as healthcare, telecommunications, and energy. Any organization can be a target of a cyberattack, and ART goes beyond standard penetration tests to assess how effectively an organization can defend itself against such threats.

Unlike a standard penetration test, which usually lasts a few days, ART extends over a minimum of eight weeks. Using techniques modeled after real cybercriminals, Hoffmann’s hackers deploy one or more attack scenarios over a prolonged period to attempt to breach your organization’s digital defenses. Only a select few individuals within the organization are aware of this simulated attack, ensuring a realistic test of how employees respond in real time.

ART begins with the threat intelligence phase, during which potential threat scenarios are identified. These scenarios form the basis for the subsequent red teaming phase. The required timeframe, scope, and depth of the investigation depend on the number of selected scenarios. During the red teaming phase, these scenarios are then translated into a practical plan structured according to the MITRE ATT&CK framework. After coordination and approval, Hoffmann’s hackers proceed with the attack simulations.

A one-day purple team exercise is conducted to review the attacks and assess how defenses can be improved. The ART process may conclude with a gold teaming exercise, a crisis management drill that allows your organization to practice responding to a simulated cyberattack scenario.

Want to learn more about ART? Contact our expert team for further details.

CCV quality mark

Hoffmann has been awarded the CCV seal of approval for pentesting. As a result, you can rest assured that the pentest is guaranteed to be performed to the correct standards. Moreover, our penetration tests are carried out according to international standards:

  • Penetration Testing Execution Standard (PTES)
  • Open Source Security Testing Methodology Manual (OSSTMM) for IT infrastructure
  • Mobile Security Testing Guide (MSTG) for mobile applications

Would you like to stay informed about our services and activities? Sign up here to receive our periodic Hoffmann Tips.