DERUUA

Frequently Asked Questions


technical vulnerability is like a disease
Why technical vulnerability is like a disease?

Q. Why do I need information security?
A. The mass media continuously reports the news about security breaches and data leakages. Organizations suffer considerable damages from cyber incidents. Security processes and solutions are required by regulations, such as GDPR, PCI DSS, and HITECH/HIPAA. Non-compliance can lead to serious sanctions. Even if the company is not subject to a security regulation or standard, security compliance and best practices provide a competitive advantage. Cyber-health is analogous to physical health, so it is always better to prevent a disease than to treat it.


Q. Why should I buy a security assessment service?
A. Technical security assessment is the best way to find out the current security status of an application, network infrastructure or another systems. Technical security assessment is useful for risk assessment. Risk assessment is extremely important for clarifying and substantiating the security budgets and activities. The internal personnel cannot perform an independent security assessment objectively, so a competent third party is the best choice. Additionally, a security assessment service will considerably improve your security by uncovering the most critical vulnerabilities.


Q. What is the difference between information security audit, review, assessment, penetration testing, and vulnerability scanning?
A. All these terms are close in meaning but have some difference in usage. Penetration testing (officially called information security assessment), is an assessment of technical and/or socio-technical security. Security audit/review usually means a more general approach, such as process compliance, and can include the technical security assessment part. Sometimes, security audit is used as a synonym for security assessment and sometimes it means security event logging. Vulnerability scanning is a relatively simple, automated work to find technical vulnerabilities in systems. This work is only one stage of some pentests. Unscrupulous security service providers only do vulnerability scanning and call it a pentest.


Q. What are information security vulnerabilities and how do they appear?
A. Information security vulnerabilities (or technical vulnerabilities) are flaws in software code or configuration. Some security vulnerabilities can be exploited and used by hackers for penetration and other attacks. Vulnerabilities occur in websites, applications, firmware, services, etc. mainly due to human error, but sometimes due to malicious actions. Building secure applications and networks takes a lot of time and is expensive, but modern software markets require quick product release and cost reduction. Therefore, the producers have to allow for the probability of security vulnerabilities in their software products. To compensate for this deficiency, a security assessment is conducted after the release. Software producers, security researchers, and other specialists are continuously looking for new security vulnerabilities in many applications. They automate their work and let us use their findings using vulnerability scanners.


Q. Is hacking legitimate and legal?
A. The term hacking is ambiguous. The terms computer crime and security assessment are more accurate. The key difference is the customer's permission. If the owner of the target object gives permission, it is legitimate to make security assessments. To make it also technically legal, the permission must be written.


Q. How do I know I can trust you?
A. Our certifications permit only legal actions and ethical behavior. You can verify our certifications at the respective independent international certification organizations. You can find some other important facts about us here.


Q. Who are your clients?
A. Our clients are e-commerce, industrial, pharmaceutical, telecommunication, retail, IT and insurance companies, as well as banks and governmental organizations. Any company that values its information, online services, compliance, privacy, and business continuity is our potential client.


Q. Who usually contacts you to request your services? Who should be contacted to promote security?
A. Usually, it is the company's owner, director, CEO (Chief Executive Officer), CIO (Chief Information Officer), CSO (Chief Security Officer), CISO (Chief Information Security Officer), CTO (Chief Technology Officer), CAE (Chief Audit Executive), CFO (Chief Financial Officer), IT and security specialists, or similar roles.


Q. If security is an intangible asset, then how will I know what I have paid for?
A. Together with a commercial offer, we provide a detailed project plan developed individually for you. To create such a plan, we find out all your needs, prerequisites and conditions. Security requirements, threat models, testing modes, scope specifications, and numerous other parameters are detailed in the plan. Developing the project plan is part of the pre-engagement stage and is free of charge.


Q. What does ‘H-X technologies’ stand for?
A. Initially it was ‘Hacker eXperience’, but we have grown beyond just hacking, so now H-X is our name and that's it.


Who we are, what we do and what we offer.

About penetration tests.


Our certificates:

(ISC)2
CISSP
Offensive Security
OSCP
ISACA
CISA
CISM
Microsoft
PECB
LPTP
Qualys
PECB
LPTP
BSI
LPTP
BSI