Interview with Gergő Pap, Quadron’s ethical hacker
During penetration testing or vulnerability assessments, we examine various IT infrastructures—such as websites, email systems, and employees’ computers—to identify as many vulnerabilities as possible and provide recommendations for fixing them. This is crucial because attackers can exploit these weaknesses to cause significant damage, including data leaks, cryptojacking, or ransomware attacks that encrypt corporate systems and demand a ransom for data recovery. At Quadron, we conduct these assessments to prevent such security incidents.
What risks do attack surfaces and security vulnerabilities pose to companies?
Security vulnerabilities and attack surfaces become a real problem when they result in system damage. Many companies tend to delay security investments because they don’t produce tangible outcomes like a new website or server room. Decision-makers often view cybersecurity spending as worthwhile only after an actual attack or data loss occurs, perceiving these investments as mere expenditures rather than essential safeguards. However, the severity of these issues becomes evident when attacks result in system outages or data breaches.
Is penetration testing useful after a security incident?
Absolutely. Penetration testing is always valuable, especially after an incident. At that point, it’s crucial to understand what led to the breach. A vulnerability assessment and penetration test can help identify the weaknesses that were exploited in the attack. Moreover, such incidents often raise awareness among company leadership about the importance of regular security assessments and proactive defense measures.
What motivates a company to seek penetration testing services?
Typically, organisations that request penetration tests already suspect security issues and recognise the need for a thorough assessment. Wise companies learn from others’ mistakes, or they may be required to conduct penetration testing as part of risk assessments mandated by regulations like the NIS2 directive. Although NIS2 doesn’t explicitly require vulnerability assessments, it includes them as part of risk evaluations.
Another example is GDPR, which doesn’t directly mandate penetration testing but imposes heavy fines for data breaches, making such assessments a justified precaution. As a result, GDPR indirectly encourages companies to conduct security evaluations.
How does a vulnerability assessment work from start to finish at Quadron?
The process begins in one of two ways: either a company reaches out to us with a vulnerability assessment request, or we proactively offer our services to potential clients. Once both parties agree on the need for an assessment, the client outlines their specific requirements. For instance, if they need a web application tested, we discuss its functions—whether it includes login capabilities or is simply a static page. Based on this, we estimate the time required for the assessment, typically completing website testing within five days.
We then schedule the test, considering factors such as whether access is remote or on-site and whether the system is hosted internally or accessible via the internet. After gathering all necessary information—such as the web application’s structure, user levels, and database details—the penetration tester begins the vulnerability assessment. The first step involves understanding the web application’s architecture, identifying available directories and files, and determining the development environment, framework, and operating system supporting the web server.
Next, the tester identifies potential attack surfaces, such as login forms or search fields, and tests for vulnerabilities. Once vulnerabilities are found, a report is compiled, detailing the issues along with recommendations for remediation. This report is then shared with the client.
The next steps depend on the client’s needs. Some clients handle the fixes themselves, while others request Quadron’s assistance to verify that the implemented patches effectively resolve the identified issues.
How is penetration testing distributed across different IT environments, such as web applications, websites, or internal infrastructure?
Around 70% of assessments focus on web applications and websites, as they are publicly accessible and present the highest risk. However, internal infrastructure assessments are becoming increasingly in demand, especially in industrial settings that require complex internal network testing. These account for roughly 30% of our work. Internal environments are generally more secure due to their isolation from the internet, which makes them harder for external attackers to access. While some clients see these security measures as regulatory obligations rather than proactive investments, they are essential for overall protection.
Why do clients choose Quadron over other penetration testing providers?
Clients often select Quadron over competitors because they perceive our expertise as superior to that of smaller firms. This reputation is reinforced by the high-quality reports we produce, which have been refined over the years. Recent feedback, such as that received after testing nn.hu, emphasised the exceptional clarity and structure of our reports.
Quadron’s reports are well-structured, easy to follow, and thoughtfully compiled—not only for IT professionals but also for non-technical decision-makers. This approach ensures that all stakeholders can understand the test results at the necessary level, making us a highly recommended provider in the industry.
What distinguishes penetration testing from an audit?
Penetration testing differs from auditing in that it doesn’t rely solely on predefined checklists and standards. While audits assess specific compliance points, penetration testing focuses on uncovering complex vulnerabilities that may be interconnected. These issues cannot always be predicted or resolved through standard compliance measures alone.
A penetration tester’s role is to dynamically analyse a system’s complexity, identifying security flaws based on deep knowledge rather than fixed assessment criteria. This requires specialists who understand intricate system architectures and can recognise how different vulnerabilities interact.
Are penetration testers also ethical hackers? How do these roles relate?
Yes, penetration testers are essentially ethical hackers who conduct authorised attacks on systems. Ethical hackers work under contracts with companies to uncover security weaknesses before malicious attackers can exploit them.
Penetration testing and ethical hacking serve the same purpose as cybercriminal activities—but within legal boundaries. Both ethical hackers and malicious attackers look for system weaknesses, but while penetration testers aim to strengthen security, cybercriminals seek to cause harm.
How do security advancements affect penetration testers’ work?
The nature of security flaws remains the same. The challenge now lies in the increasing complexity of exploiting them, due to advancements in operating system protections and security mechanisms. While security has improved significantly, basic vulnerabilities, such as memory corruption issues, remain fundamentally the same as they were 20 years ago. The difference is the growing difficulty of exploitation due to mitigation techniques implemented in modern operating systems.
What makes a good penetration tester, and how do you develop expertise in this field?
A good penetration tester constantly deepens their understanding of system architecture, programming languages, and processor operations. Mastery of these areas helps in identifying potential coding flaws.
The best hackers are often excellent programmers who know where vulnerabilities typically occur. Continuous research and staying updated on newly discovered security flaws are crucial. Many professionals contribute to industry knowledge by publishing their findings on security forums, helping others learn and improve.
What is a zero-day vulnerability?
A zero-day vulnerability is a security flaw unknown to the software vendor, with no available fix. These are particularly dangerous because neither developers nor users are aware of them, allowing attackers to exploit them freely. For example, if Microsoft Word had an undisclosed vulnerability, an attacker could craft a malicious document that, when opened, executes harmful code on the victim’s computer. Such vulnerabilities remain exploitable until the vendor identifies and patches them.