Frequently Asked Questions
Quite simply, why technical vulnerability is like a disease.
Q. Why information security?
A. The mass media are full of news about security breaches and data leaks. Organizations suffer considerable damage from cyber incidents. Security processes and solutions are required by regulations such as GDPR, PCI DSS and HITECH/HIPAA, and non-compliance can lead to serious sanctions. Even if a company is not subject to a security regulation or standard, security compliance and best practices are a competitive advantage. Cyber-health is analogous to physical health: it is always better to prevent a disease than to cure it.
Q. What is the motivation to buy a technical security assessment service?
A. A technical security assessment is the best way to find out the current security status of an application, network infrastructure or other system. It is also useful for risk assessment, which is extremely important for clarifying and substantiating security budgets and activities. Internal personnel cannot perform an independent security assessment objectively, so a competent third party is the best choice. Finally, a security assessment is itself a security service, so the previous answer applies as well.
Q. What is the difference between information security audit, review, assessment, penetration testing, and vulnerability scanning?
A. Penetration testing is an assessment of technical and/or socio-technical security. In our context, penetration testing and security assessment are synonyms. Security assessment is the more official term. A security audit or review usually covers a more strategic layer, such as process compliance, and can include a technical security assessment as one part. Sometimes security audit is used as a synonym for security assessment. In some cases, audit means security event logging.
Vulnerability scanning is relatively simple automated work that finds technical vulnerabilities in systems. It is only one stage of some pentests. Unscrupulous security service providers pass off vulnerability scanning as a pentest.
Q. What are the information security vulnerabilities and how do they appear?
A. Information security vulnerabilities (or technical vulnerabilities) are weaknesses or flaws in software code or configuration. Some of them can be exploited for penetration or other attacks. Vulnerabilities are introduced into websites, applications, firmware, services, etc. mainly through human error, but sometimes through deliberate malicious action. Building secure applications and networks takes much longer and costs much more than building ordinary ones, but modern software markets demand quick product releases and cost reduction. Therefore producers have to accept the probability that their software products contain security vulnerabilities. To compensate for this deficiency, security assessment is conducted during the production stage of the software. Software producers, security researchers and other specialists continuously look for new security vulnerabilities in many applications. They automate their work and make their findings available to others through vulnerability scanners.
Q. Is hacking legitimate?
A. The term hacking is ambiguous. The terms computer crime and security assessment are more accurate. The key difference between them is the customer's permission: if the owner of the target system gives written permission, performing a security assessment is legitimate.
Q. Why should we trust you?
A. Our certifications require only legitimate actions and ethical behaviour. You can verify our certifications at the respective independent international certification organizations. Read more about us because this is important.
Q. Who are your clients?
A. Our clients are e-commerce, industrial, pharmaceutical, telecommunication, retail, IT and insurance companies, as well as banks and governmental organizations. Any company that values its information, online services, compliance, privacy and business continuity is our potential client.
Q. Who in a client company is usually responsible for security? Who should be contacted to promote security?
A. You can talk to the company's owner, director, CEO (Chief Executive Officer), CIO (Chief Information Officer), CSO (Chief Security Officer), CISO (Chief Information Security Officer), CTO (Chief Technology Officer), CAE (Chief Audit Executive), CFO (Chief Financial Officer), IT and security specialists, or similar roles.
Q. If security is an intangible asset, then how will a customer know what they pay for?
A. Together with a commercial proposal, we provide a detailed project plan developed individually for the customer. To create such a plan, we find out all the needs, prerequisites and conditions of the customer. Security requirements, threat models, testing modes, scope specifications and several dozen other parameters are described in the plan. Development of the project plan is part of the pre-engagement stage and is free of charge.
Q. What does ‘H-X’ stand for?
A. Just H-X. If you insist on some meaning, let it be ‘Hacker eXperience’.