Basics of Hacking a Web Server: Educate Yourself - Soutech Ventures Tips and Tricks

A typical web server faces the risk of all forms of attack, but one of the most popular forms is defacement, also known as web vandalism. The act of defacing websites and web servers may be subtle or aggressive, depending on what the attacker’s goals are. However, the goals of any hacking attempt on a web server are always the same, such as:

  • To make a statement
  • To create nuisance
  • To embarrass the company

Websites can be defaced by many possible methods, depending on the skill level of the attacker as well as his capabilities and the available opportunities. I will be giving you a few tips on hacking web servers, though I will not shed light on everything you need to know here. You can subscribe to our CEH training courses at Soutech Ventures to be well equipped on web server hacking.

Hacking Activity: Hack a Web Server

I am going to teach you, in practical terms, the anatomy of an attack on a web server. The target I am going to choose is www.certifiedhacker.com; of course, hacking into it is illegal, so I am going to use it for educational purposes only.

So what are the things which we will need to perform this exercise?

 

Information Gathering: Just as it is in every hacking scheme, we must first gather information about our target. First of all we need to get the IP address of the target and also any other website that happens to share IP addresses with our target.

I am going to make use of an online IP address tracking tool called reverse IP domain check to find our target’s IP address and any possible website sharing the same IP. This can be done by first;

  • This is the result you will get

From our result above, the IP address of the target is 69.89.31.193 and we have also been able to find out that over 1000 domains are hosted on the same web server as our target and they are listed below.

So the next step we can take is to scan the other discovered websites to see whether they are vulnerable to SQL injection.

One important thing to note is that if we find any site that is vulnerable to an SQL injection attack, then we can directly exploit that site without even considering any other website.

  • Open www.bing.com in your browser. Note that this step only works on Bing and not on other search engines such as Yahoo and Google, so don’t bother using them.
  • Now enter this search query: ip:69.89.31.193 .php?id=
  • This query limits our search for vulnerable websites to the ones hosted on the web server with the IP address 69.89.31.193.
  • The “.php?id=” part of the query searches for URL GET variables, which are used as parameters for SQL statements.
  • This is the result you will get

 

  • The next thing you will have to do is to scan all the listed web sites for SQL injection. The purpose of this article is not to teach you SQL injection. You can however, use any of the tools mentioned in my previous article.
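
From the defending side, the ".php?id=" probing described above shows up in the web server's access log. The following is an added example (not part of the original article) that flags requests whose id parameter is not a plain integer; the log lines are constructed samples in Apache combined log format, and the function names and the set of integer-only parameters are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" format: client, identity, user, [time], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumption: parameters the application only ever expects as integers.
INTEGER_PARAMS = {"id"}

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = '''\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /news.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /news.php?id=12%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:03 +0000] "GET /product.php?id=3%20AND%201%3D1 HTTP/1.1" 200 4801 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:05 +0000] "GET /gallery.php?id=7 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:57:10 +0000] "GET /about.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
'''


def suspicious_requests(log_text):
    """Return one record per request in which an integer-only parameter
    carries anything other than digits (checked after URL decoding)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format line
        target = urlsplit(m.group("target"))
        for key, value in parse_qsl(target.query, keep_blank_values=True):
            if key.lower() in INTEGER_PARAMS and not re.fullmatch(r"\d{1,10}", value):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "path": target.path,
                    "param": key,
                    "value": value,
                    "status": int(m.group("status")),
                })
    return hits


def summarize_by_client(hits):
    """Group hits per client: request count, distinct pages probed, 5xx replies."""
    summary = defaultdict(lambda: {"requests": 0, "paths": set(), "server_errors": 0})
    for hit in hits:
        entry = summary[hit["ip"]]
        entry["requests"] += 1
        entry["paths"].add(hit["path"])
        if hit["status"] >= 500:
            entry["server_errors"] += 1
    return {
        ip: {
            "requests": e["requests"],
            "paths": sorted(e["paths"]),
            "server_errors": e["server_errors"],
        }
        for ip, e in summary.items()
    }


if __name__ == "__main__":
    for ip, info in summarize_by_client(suspicious_requests(SAMPLE_LOG)).items():
        print(ip, info)
```

A 5xx reply to one of these requests suggests the value reached the database layer unvalidated, so that page is the first one to move to parameterised queries.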

Uploading a PHP Shell

I will not attempt to scan any of the websites listed as it is an illegal thing to do, so I’ll assume that we have logged in to one of them. The next thing we can do is to upload the PHP shell that we downloaded from http://sourceforge.net/projects/icfdkshell/

  • Open the URL to which you uploaded the dk.php file.
  • You will get something like this

  • Click on the Symlink URL which will give you a direct access to the target domain.
  • Now once you have gained access to the files, the next thing you can do is to get the credentials for logging into the database. After you have logged in, you can perform any attacks you want such as defacing, downloading sensitive data such as emails, files etc.

Once you have access to the files, you can get login credentials to the database and do whatever you want such as defacement, downloading data such as emails, etc.
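
For an administrator of shared hosting, the two artefacts this attack leaves on disk are a script file in a directory meant for uploads and a symlink that points out of the compromised site into a neighbour's files. The following added example (not from the original article) scans a document root for both; the directory names in UPLOAD_DIR_NAMES, the function names and the demo tree are assumptions constructed for illustration.

```python
import os
import tempfile

SCRIPT_EXTS = {"php", "phtml", "php5", "phar"}
# Assumption: directory names that should only ever hold user-uploaded media.
UPLOAD_DIR_NAMES = {"uploads", "upload", "images", "files"}


def find_escaping_symlinks(docroot):
    """Return (link, resolved_target) pairs for symlinks under docroot whose
    target resolves to a location outside docroot."""
    root = os.path.realpath(docroot)
    hits = []
    # followlinks=False: report links, never walk through them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                hits.append((os.path.relpath(path, root), target))
    return sorted(hits)


def find_scripts_in_upload_dirs(docroot):
    """Return script files located below any directory named like an upload folder."""
    root = os.path.realpath(docroot)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        rel_dirs = os.path.relpath(dirpath, root).lower().split(os.sep)
        if not UPLOAD_DIR_NAMES.intersection(rel_dirs):
            continue
        for name in filenames:
            # Look at every extension, so "photo.php.jpg" is reported as well.
            extensions = name.lower().split(".")[1:]
            if SCRIPT_EXTS.intersection(extensions):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def build_demo_tree():
    """Create a constructed two-site layout and return the docroot of site_a."""
    base = tempfile.mkdtemp(prefix="shared-host-")
    site_a = os.path.join(base, "site_a")
    site_b = os.path.join(base, "site_b")
    os.makedirs(os.path.join(site_a, "uploads"))
    os.makedirs(site_b)
    for path in (
        os.path.join(site_a, "index.php"),
        os.path.join(site_a, "uploads", "photo.jpg"),
        os.path.join(site_a, "uploads", "dk.php"),   # file name taken from the article
        os.path.join(site_b, "config.php"),
    ):
        with open(path, "w") as fh:
            fh.write("placeholder\n")
    # A link out of site_a into the neighbouring account (should be reported).
    os.symlink(site_b, os.path.join(site_a, "uploads", "sym"))
    # A link that stays inside site_a (should not be reported).
    os.symlink(os.path.join(site_a, "index.php"), os.path.join(site_a, "home.php"))
    return site_a


if __name__ == "__main__":
    docroot = build_demo_tree()
    print("symlinks leaving the docroot:", find_escaping_symlinks(docroot))
    print("scripts in upload directories:", find_scripts_in_upload_dirs(docroot))
```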

In summary, it is important to note that a web server stores sensitive and valuable information and is readily accessible to the public, which is why attackers often go for it. As I said in my previous article, the most popularly used servers are Apache and IIS (Internet Information Services). I also established that attacks on web servers take advantage of bugs and misconfigurations in the operating system, network and web server. The popular web server hacking tools are Neosploit, Zeus and MPack.

Most importantly I will stress that a good security policy can reduce any chances of being attacked.

Enroll for a certified ethical hacking training today at SOUTECH.

 

Protect your webserver from hackers: Tips

The internet has provided a more robust and easy platform for customers to order and purchase products and services. This has prompted many businesses and organizations to opt for websites which enable them to store valuable information such as email addresses, passwords, usernames and credit card numbers of customers. If a website is defaced, it can shut down business operations, can affect cost turnouts and can be used to communicate political and religious ideologies.

Dear reader, the essence of this article is to introduce you to web servers, the types of web servers and how you can protect them from being hacked.

What is a web server?

A web server is a computer system that processes requests through HTTP, the basic network protocol used to distribute information on the World Wide Web. The term can refer to the whole system, or specifically to the software that oversees and directs the HTTP requests.

The primary function of a web server is to store, process and deliver web pages to clients. The communication between the client and the server takes place using the Hypertext Transfer Protocol (HTTP). Pages delivered are usually HTML documents, which may include images, style sheets and scripts in addition to text content.

Multiple web servers may be used for a high-traffic website. A user agent, usually a web browser or web crawler, begins the communication by making a request for a specific resource using HTTP, and the server responds with the content of that resource or an error message if it is unable to do so. The resource is typically a real document in the server’s database, but this is not necessarily the case and depends on how the web server is implemented.

While the primary function is to serve content, a full implementation of HTTP also includes ways of receiving content from clients. This feature is used for submitting web forms, including the uploading of files.

Many generic web servers also support server-side scripting using Active Server Pages (ASP), PHP, or other scripting languages. This means that the behaviour of the web server can be scripted in separate files, while the actual server software remains unchanged. Usually, this function is used to generate HTML documents dynamically (“on-the-fly”) as opposed to returning static documents. The former is primarily used for retrieving or modifying information from databases. The latter is typically much faster and more easily cached but cannot deliver dynamic content.

Web servers are not only used for serving the World Wide Web. They can also be embedded in devices such as printers, routers and webcams, serving only a local network. The web server may then be used as part of a system for monitoring or administering the device in question. This usually means that no additional software has to be installed on the client computer, since only a web browser is required (which is now included with most operating systems).

Vulnerabilities in Web Servers

A web server can be described as a program that stores files such as web pages and makes these files accessible through the internet or a network. Since a web server requires both software and hardware, attackers target its software and exploit it in order to gain unauthorized access to the server. I am going to discuss some common web server vulnerabilities that attackers always try to exploit.

  1. Default settings: Attackers can take advantage of default settings, which make it easy to guess default user IDs and passwords. Default settings may also allow certain tasks, such as running commands on the server, which can be exploited.
  2. Web server bugs and operating system bugs: When there are bugs in the web server software or the operating system, an attacker can exploit them to gain unauthorized access to the web server.
  3. Operating system and network misconfigurations: Configurations such as allowing users to execute commands on the server can be a serious factor in the exploitation of web servers, especially when the user does not have a strong password.
  4. Non-adherence to security policies and procedures: When security policies and procedures, such as patching the OS and updating antivirus software and web server software, are not followed, the web server easily becomes susceptible to attacks.

Types of web servers

Now that you know the types of vulnerabilities in web servers, let us get a better understanding of some of the web servers that are available.

The following are the most commonly available web servers:

  1. Internet Information Services (IIS): This server was developed by Microsoft and designed to run on Windows. It is known to be the second most used web server on the internet worldwide. Most ASP and ASPX websites are hosted on IIS servers.
  2. Apache Server: This is the most popular and most commonly used server on the internet today. It is cross-platform but is typically installed on Linux. Most PHP websites are hosted on Apache servers.
  3. Apache Tomcat Server: Most Java Server Pages (JSP) websites are hosted on this server.

There are other web servers such as

  • Novell’s web servers
  • IBM’s Lotus servers
  • Domino servers

Types of Attacks performed against Web Servers

Directory traversal attacks

This kind of attack exploits bugs within the web server to gain unauthorized access to files and folders that are not meant to be publicly accessible. Once the attacker has gained access, they can transfer sensitive data, execute commands on the server or install malicious software.

Denial of Service Attacks

With this type of attack, the webserver could crash or become unavailable to the legitimate or authorized users.

Domain Name System Hijacking

With this kind of attack, the DNS settings are modified to redirect users to the attacker’s web server. All traffic that was intended for the web server is redirected to the wrong one.

Sniffing

In this type of attack, unencrypted information sent over the network is intercepted and can be used to gain unauthorized access to the web server.

Phishing

With this kind of attack, the attacker impersonates the website and directs traffic to the fake website. Unsuspecting users may be tricked into submitting sensitive information such as login details, Mastercard numbers, etc.

Pharming

This attack involves compromising Domain Name System (DNS) servers or the user’s system so that traffic intended for the website is redirected to a malicious website crafted by the attacker.

Defacement

With this kind of attack, the attacker replaces the organization’s website with a different page that contains the name of the hacker and pictures, and may also include background music and messages.

Effects of successful attacks on Web Servers

• An organization’s image will be ruined if the attacker edits the website content and includes malicious information or links to a pornography website.
• The web server can be used to install malicious software on the devices of users who visit the compromised website. The malicious software downloaded onto the visitor’s computer can take the form of a virus, Trojan, botnet software, etc.
• The user data that is compromised can be used for all kinds of activities, which can cause business loss or lead to lawsuits from the users who had entrusted their details to the organization.

Tools for Attacking Web Servers

Some of the common web server attack tools include:

Metasploit: This is an open source tool for developing, testing and using exploit code. It can be used to discover vulnerabilities in web servers and to write exploits that can be used to compromise a web server.

MPack: This is a web exploitation tool. It is written in PHP and is backed by an SQL database engine. Once a web server has been compromised using MPack, all traffic to that website is redirected to malicious download websites.

Zeus: This tool can be used to compromise a computer and turn it into a bot or zombie. A bot is a compromised computer that is used to perform internet-based attacks. A botnet is a collection of compromised computers, which can be used to perform denial of service (DoS) attacks or to send spam mail.

Neosploit: This tool is used to install programs, delete programs, replicate programs, etc.

How to Avoid attacks on Web Servers

An organization can adopt these policies to protect its web servers from attack.

  • Patch management: This involves installing patches to help secure the web server. A patch is an update that fixes a bug in software. Patches should be applied to both the operating system and the web server software.
  • Securely install and configure the operating system.
  • Securely install and configure the web server software.
  • Vulnerability scanning system: Securely install tools such as Snort, Nmap and Scanner Access Now Easy (SANE), and use them to test your web servers for vulnerabilities.
  • Use firewalls to stop DoS attacks by blocking all traffic coming from the identified IP addresses of the attacker.
  • Antivirus software can be used to remove malicious software from the web server.
  • Disable remote administration.
  • Default accounts and unused accounts should be removed from the system.
  • Default ports and settings, such as port 21 (FTP), should be changed to custom ports and settings (for example, FTP on port 5069).

In my next article, I will be discussing how to hack web servers. You can subscribe to our services to learn CEH, which provides a comprehensive understanding of web servers, applications and other web security techniques. Call us today at SOUTECH: 08034121380

Just How Safe Is Public Wi-Fi? Stay Protected - Soutech Ventures

Having Wi-Fi readily available in public places has become a trend in the larger cities of the world. Public places such as restaurants, coffee shops, libraries, hotel rooms, auxiliary offices, airports and other places you can think of have all adopted the use of Wi-Fi. Having a free and easily accessible internet connection can be a very convenient way of catching up with your work, meeting targets, accessing your online accounts, checking your mail, etc. However, we seem not to know the security risks associated with the use of publicly available Wi-Fi. Wi-Fi is one of the quickest ways to access your sensitive information and carry out sensitive transactions, so there are some additional measures you need to take in order to keep safe online, which is the purpose of this write-up.

According to a popular research journal published by Norton, over 68% of people fell victim to publicly available and unsecured Wi-Fi in the last year. Therefore, we must take practical measures to make sure our devices are kept safe and protected.

Brief History of the Encryption Standards Adopted by Wi-Fi

Let me shed some more light on the encryption protocols and standards that existed before the encryption protocol currently adopted by Wi-Fi. Some wireless networks adopted older encryption standards that had security problems. One of the first encryption schemes for wireless network devices was the Wireless Encryption Protocol (WEP), and this standard was found to be weak and very easy to crack. Although WEP is still regularly found as an option in many wireless access points and devices, hardware should be upgraded to support newer standards whenever possible.

WEP was developed with the intention to manage the following;

  • To prevent eavesdropping in communications which aims at reducing any forms of unauthorized disclosure of data.
  • To ensure data integrity while it flows across the network.
  • Encryption of packets during transmission using a shared secret key.
  • To allow access control, confidentiality and integrity in a lightweight and efficient system.

However, WEP failed in handling some of these issues, which gave birth to WPA.

The Wireless Protected Access (WPA) came as a successor to WEP and was created with the intention of curbing the many issues faced by the WEP standard. Its encryption addressed some of these vulnerabilities; however, it too was found vulnerable and was cracked. It was designed not to require full hardware upgrades from WEP.

However, its processing power and mechanisms were limited, especially where older versions of hardware were involved. TKIP was one of the standards developed to underpin WPA. TKIP was an improvement over the WEP protocol, in which a static, unchanging key is used for every frame transmitted.

WPA however suffered from the following flaws;

  • Weak key selection by users
  • Issues of packet spoofing
  • Issues with authentication as regards Microsoft Challenge Handshake.

This gave way to the WPA2 standard, intended to address the flaws in WPA. WPA2 came with stronger encryption standards, namely CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) and AES (Advanced Encryption Standard). It also employs TKIP (Temporal Key Integrity Protocol) and MIC (Message Integrity Code) as encryption standards.

The enterprise version incorporates the EAP standard as a way to improve the strength of the security and also make the system scalable for use in large organisations and enterprises. WPA2 is special because it offers improved security compared with its predecessors and maintains the IEEE 802.11i standard for security. It uses a server to carry out key management and authentication for its wireless clients.

WEP, WPA and WPA2 all suffer from serious vulnerabilities which an attacker can exploit in order to take advantage of the victim. Ways to exploit all of them have been found in recent times.

Why Public Wi-Fi is Vulnerable to cyber attacks

Given all the risks associated with the protocols described above, users still suffer a great deal from known and unknown flaws. The fact that you may need a password to log in to the Wi-Fi does not mean that your activities online are encrypted or that a publicly available Wi-Fi is secure. There are a few issues that make public Wi-Fi susceptible to attacks. One of the issues relates to the encryption protocol which the Wi-Fi network adopts. Another has to do with the possibility of connecting to a rogue Wi-Fi hotspot. Tools like Aircrack-ng have been built and are readily available online to perform brute force attacks on weak passwords and keys involving WEP and WPA.

The risk of joining a rogue Wi-Fi hotspot is also a big issue when using free public Wi-Fi. All a hacker has to do is create a rogue hotspot with the intention of unleashing a Man-in-the-middle (MITM) attack on whoever becomes a victim by connecting to it. This attack allows a hacker to intercept the communication between you and the server of the website you are visiting at the time. There are pre-built tools for performing MITM attacks that can be used to easily eavesdrop, monitor online traffic and capture sensitive information such as login credentials, credit card numbers and social media passwords.

 

What are the signs that you may have logged on to a Rogue Wi-Fi?

Of course, you know that a device probes for the Wi-Fi networks it already knows, which an attacker can take advantage of. An attacker can configure a rogue Wi-Fi hotspot to look like a typical home network or one found in a coffee shop. Your device can then connect to the hacker’s rogue Wi-Fi hotspot instead of the real publicly available Wi-Fi hotspot.

Another trick you should know is that a public Wi-Fi network can be created with the name Free Wi-Fi for victims to connect to, and very naturally people will want to join such networks, especially if free internet service is offered. I must say I personally have been a victim of this a few years ago. If you are at a coffee shop, at home or in a public place and suddenly your device shows that it has connected to your home network, there is a huge chance that someone has been able to grab your device’s or computer’s broadcast request. Also, if you are browsing a website such as your bank or favorite social media page that should normally be HTTPS and instead it shows HTTP, then you must know that someone might have connected to your network. Once this person has linked up to your network, the person can perform a MITM attack by serving you an HTTP version of the site with the intention of capturing your login credentials. So, you must always be on the lookout for these little details.

 

What are the Measures you can take to ensure your safety on a Public Wi-Fi?

  1. Accessing sensitive information using public Wi-Fi: I will always advise anyone never to use public Wi-Fi to access their sensitive information. If there is a need at any point to access your sensitive data online, switch to your local ISP or get someone to share their device hotspot with you. You can use public Wi-Fi to browse for things like directions and other less sensitive things, such as getting information from Google, Bing or Yahoo. If you’re trying to pay bills or shop online, these things can wait. If the situation is urgent, the use of a VPN (Virtual Private Network) is advised. There is a plethora of trusted VPNs online, and if you need a good service, you need to pay for it. Ensure you choose a reputable VPN provider.
  2. Use VPNs (Virtual Private Networks): If you need to use publicly available Wi-Fi to do your work and your company or organisation offers VPN access, make use of it. VPNs provide a private tunnel for your communication, adding an extra layer of security to your connection.
  3. Visit HTTPS only: If you are using public Wi-Fi, avoid websites that are HTTP (not protected or secure) and only browse websites that begin with HTTPS.

Why am I saying so? Whether you are an IT expert or not, you must know that HTTPS sites are encrypted and provide an extra layer of security which makes browsing more secure. If you connect to an HTTP site, which is insecure, a hacker can easily see your traffic if he snoops around the network.

 

 

  4. Consider installing an extension such as HTTPS-Everywhere in order to re-route all the websites you visit to HTTPS. There is a tool offered by the Electronic Frontier Foundation which provides this option.
  5. Configure wireless settings on your device: Configure your device not to connect automatically to any available Wi-Fi hotspots. This can be done from the wireless settings of your PC or device. This setting makes sure your device does not automatically and unknowingly connect to a public network. On your PC, just turn off the “connect automatically” option. When you do this, you prevent your device from broadcasting to the world that it is attempting to connect to the “home network”, which a hacker can easily spoof.
  6. Use privacy screens: Hackers are everywhere and are usually not afraid of using any means possible to obtain your data, so you should consider using a privacy screen if you need to access sensitive information in a public place.
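
One way to check the auto-connect advice above on a Linux laptop: the added example below (not from the original article) reads saved Wi-Fi profiles in NetworkManager's keyfile format and reports those that are unencrypted or WEP and still set to connect automatically, since a hotspot broadcasting the same open network name can capture them without knowing any password. The profile contents are constructed samples, and the function names are assumptions.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile format (on a real
# system these live in /etc/NetworkManager/system-connections/).
SAMPLE_PROFILES = {
    "coffee.nmconnection": """
[connection]
id=Free Wi-Fi
type=wifi

[wifi]
mode=infrastructure
ssid=Free Wi-Fi
""",
    "home.nmconnection": """
[connection]
id=HomeNet
type=wifi

[wifi]
ssid=HomeNet

[wifi-security]
key-mgmt=wpa-psk
""",
    "hotel.nmconnection": """
[connection]
id=HotelGuest
type=wifi
autoconnect=false

[wifi]
ssid=HotelGuest
""",
    "old-router.nmconnection": """
[connection]
id=OldRouter
type=wifi

[wifi]
ssid=OldRouter

[wifi-security]
key-mgmt=none
""",
}


def assess_profile(text):
    """Parse one keyfile and return its SSID, protection level, auto-connect
    state and whether the combination is risky. Returns None for non-Wi-Fi."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") not in ("wifi", "802-11-wireless"):
        return None
    # Older keyfiles use the long section names; accept both spellings.
    wifi = "wifi" if cp.has_section("wifi") else "802-11-wireless"
    sec = "wifi-security" if cp.has_section("wifi-security") else "802-11-wireless-security"
    ssid = cp.get(wifi, "ssid", fallback=cp.get("connection", "id", fallback="?"))
    # NetworkManager treats a missing autoconnect key as true.
    autoconnect = cp.getboolean("connection", "autoconnect", fallback=True)
    key_mgmt = cp.get(sec, "key-mgmt", fallback=None)
    if key_mgmt is None:
        protection = "open"        # no security section: unencrypted network
    elif key_mgmt in ("none", "ieee8021x"):
        protection = "wep"         # key-mgmt=none means static WEP
    else:
        protection = "encrypted"   # wpa-psk, wpa-eap, sae, ...
    return {
        "ssid": ssid,
        "protection": protection,
        "autoconnect": autoconnect,
        "risky": autoconnect and protection in ("open", "wep"),
    }


def audit_profiles(profiles):
    """Return (file name, SSID, protection) for every risky saved profile."""
    findings = []
    for name in sorted(profiles):
        result = assess_profile(profiles[name])
        if result and result["risky"]:
            findings.append((name, result["ssid"], result["protection"]))
    return findings


if __name__ == "__main__":
    for name, ssid, protection in audit_profiles(SAMPLE_PROFILES):
        print(f"{name}: '{ssid}' is {protection} and auto-connects")
```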

In general terms, whether you are using your smart devices or PCs, always ensure that you do not access sensitive information such as your bank account and financial information on a publicly available Wi-Fi network. Consider all the tips above to keep your information protected online.

Soutech Ventures offers comprehensive information security courses (such as CEH and CISSP) which can give you more security insights, tools, tips and countermeasures in the different facets of technology. Subscribe to our services today.

Certified Ethical Hacking Training in Abuja,Nigeria

Online Dating: Protect Your Privacy Online - SOUTECH Cyber Security Tips

In the past 3 years, Nigerian singles have flocked to dating sites and taken to social media in search of partners. Online dating has outgrown the stigma it used to have, as research by psychologists and counsellors has found that one out of ten Nigerian singles has turned to social media and online dating sites, on mobile apps and PCs, to get hooked up with people. Since the negative stigma attached to online dating has gradually been phased out and is nearly extinct, the popularity of these services has been on the rise and has caught the attention of hackers and scammers.

Recently in Nigeria, a lot of hackers and scammers have taken to social media platforms to trick people into giving out sensitive and personal information. I have made a personal study of this and, from reading people’s experiences, it has become a concern for me, which is the reason behind this article. Apart from phishing scams and other methods that hackers have adopted to take advantage of unsuspecting victims, online dating has become one of the tools for playing on people’s emotions in order to exploit them.

The intention of this article is not to talk about dating and online dating or its sort but to give you tips on how to protect your privacy online.

Privacy Protection Tips

Creating of new user accounts

Create a username different from any other account that you have ever had and used. You may be wondering why you should do this: a username, and any account related to it, can easily be searched for, which is why you need a totally different one.

Images and photos uploaded

The same applies to photos and the images that you post on your social media profiles. You should try as much as possible to make sure that any reverse image searches performed on you will not work.

Opening Email accounts

Set up a free email account with a unique name to use for your dating accounts. Note that most sites offer users anonymity protection through their own in-site messaging products.

Using Free Google Voice accounts for Calls

If you must make a phone call, open a free Google Voice account, which will generate a different phone number for you, and then forward it to your mobile. By doing this, you protect your real phone number while still having a number that is good enough to give to your potential match.

Use Reputable Online Dating sites

Always research properly and subscribe to popular and reputable online dating sites if you must use them. Some sites allow you to either delete or disable an account. Since the site retains your previous information, you can always return to the online dating site whenever you want.

Check website privacy policies

Check the site’s privacy policy and try to verify how these sites handle your information. Some of these sites make profiles and profile pictures public by default, so they can easily be indexed by any search engine. There is a popular website that was penalized recently for secretly experimenting with its users’ data.

The fact that users have to pay to use these services for communication has reduced the number of scammers and illegitimate daters. Note that some of these sites perform background screenings for criminals.

How can online dating scams be spotted?

Now that you know some of the dos and don’ts of online dating sites, I will teach you how to spot the scams that you may be exposed to.

  • I have heard people say that someone came up to them with stories meant to play on their emotions. This is one popular trick by scammers: an individual can add you and start giving you sad stories like “I am stranded in a foreign country at the moment, my family has an emergency and needs immediate attention”. The endpoint of the story is a request for some amount of money from you. Once you see this, immediately report such accounts to the service and block them.
  • Another trick I apply is to request a recent photo of the person I am chatting with in order to verify their identity. If they come up with excuses or protest about why they cannot provide the photo, the best thing to do is to run for safety and apply caution at once.
  • If you have been chatting with and getting to know a supposed sweetheart for some time and you observe that they avoid any real-life meetings and dates, this could be a warning sign to take note of.
  • Do not click on any link sent to you by anyone you have not been chatting with, or even by those you chat with frequently. A scammer can pose as a contact and try to get you to click links which may redirect you to a pornographic site, a webcam site or even a malware-infected site.
  • Be careful about your behavior and your outfit if you want to engage in any sort of webcam or video chat. A criminal will want to record these sessions in order to blackmail you with them. You can disconnect from any communication or chat session that makes you uncomfortable.
  • Scammers use bots to create and run fake profiles with the aim of getting you to click links that redirect you to the unwanted sites described above. Some of them can even be programmed to steal your credit card information. You can easily spot a bot because bots are programmed to give out a set of predetermined responses. When you observe that you are not getting direct replies in your conversation, there is a chance that a bot is at work.

Catfishing

Catfishing is a scamming trick in which a user takes on the identity of another person. It has been adopted by scammers and cybercriminals to lure people into online romantic relationships and friendships.

A typical catfisher will always come up with excuses as to why they can’t go on dates, call you on the phone or even do video and webcam chats. If the user’s profile appears too good to be true, it is probably a lie. What you can do is perform a reverse image search of their photo online, and if they seem to be in a place different from the one shown in their profile, then congratulations, you have caught a catfish.

As a parting word, we are in the age of the internet, where we can order just about anything online. And as there are scammers and tricksters in all facets of life, scammers and hackers are constantly searching for loopholes to exploit online users. But I have done and will always do my bit in keeping you apprised of all the techniques they can possibly come up with to trick you. All you have to do is follow all the tips I have given in this article, and you can safely be online and keep your relationships going just fine.

Subscribing to our CEH course in Soutech ventures gives you an added edge to stay one step ahead of hackers and cyber criminals all over the world.

 

What is Social Engineering? Protect Yourself and Organization from all forms of Social Engineering-SOUTECH Nigeria

Vulnerabilities in software have been widely discussed, but looking at security from the human perspective, human emotions play a large part. Anytime someone is faced with a scary or frightening scenario, their first reaction to it matters a whole lot.

Social engineers leverage this type of vulnerability to launch successful attacks on victims. I am going to discuss in detail what social engineering is and its different forms, as this particular vulnerability stands at 80% when it comes to the techniques with which cybercriminals perpetrate attacks.

What is Social Engineering?

Social engineering is a technique whereby cybercriminals make use of human interactions to trick users into giving out sensitive information such as personal credentials.

Types of Social Engineering

Because social engineering leverages human nature and emotions, attackers have deployed many techniques to trick users both online and offline. Here are a few techniques you should know about:

Phishing:

Phishing is one of the oldest cyber tricks and has grown to be one of the most popular and most successful means of exploiting computer users. In phishing, cybercriminals attempt many tricks and methods to get information from you. Recently, they have resorted to scare tactics, which can come in the form of an urgent situation that requires your attention, usually having to do with your banking details or your other online accounts. Users are thereby pushed to make decisions based on fear and on how they feel at the time the scenario is simulated.

Emails that seem to be from a legitimate authority such as your financial institution or your company will be sent to you, requesting your username or password in order to get login access. People tend to react when issues involving their finances or jobs come up, especially when the message appears to come from higher management. I will reiterate that one major phishing tactic is the sense of urgency applied to these messages. I have written comprehensively on the forms and techniques of phishing, so you can look it up.

Baiting

Now let’s look at this technique, which involves cybercriminals leaving a malware-infected USB drive or other external device in a public or open place. They leverage the curious nature of humans: someone picks up the device out of curiosity and plugs it into their computer in order to see what information is on it. Once they do this, the malware automatically gets injected into their computer.

Pretexting

In pretexting, the cybercriminal fabricates very emotional stories and scenarios that play on the emotions of their victims. Sometimes the story is about being stranded in a foreign country, and sometimes it is that they are princes or princesses in their countries and their father just passed away. They then ask the victim to please help them with a sum of 500USD or more in order to take back the throne. Like I said, this type of scenario tends to get to the emotions of victims, who may always want to help. Pretexting is used alongside other methods, as most of the techniques are targeted at the emotions of the victim, or the cybercriminal attempts to impersonate someone on the telephone.

Hacking Emails and Spamming of Contacts

It is in human nature to be inclined towards the affairs of family and of people we seem to know. For example, if my brother sends me an email with a subject that says “Look up this website, you may find something of interest”, I normally wouldn’t resist checking it out by clicking it open. This is the reason why a cybercriminal will try to leverage this technique by using email addresses and passwords. Immediately the victim’s personal credentials are obtained by the cybercriminal, they take total control of the user’s account and go on to spam all the contacts on the user’s list. Always remember that the main objective of this attack vector is to spread malware, with the desire of tricking people into giving out their personal data.

Vishing

Of all the methods mentioned so far, this technique involves the most human interaction. In vishing, the cybercriminal puts a call through to an employee of an organisation, pretending to be an individual the organisation trusts. They can pose as a representative from the bank or from another high-profile company related to the victim’s organisation, proposing to do business with them.

Their aim is to get as much information as possible from the victim. They can even pose as a fellow employee with a lost or misplaced password and request the victim’s password, and may try to sound legitimate by asking questions to verify the identity of the victim.

Quid Pro Quo

This is also referred to as something-for-something. This technique involves enticing users with prizes, products or discounts on the purchase of expensive products. The scam is fashioned such that users can only get something after they have completed a form which mostly requires their personal data. The information gathered can then be used to perpetrate other attacks such as identity theft.

Spear Phishing

This technique is largely related to phishing and can be referred to as phishing’s complex cousin. In spear phishing, the cybercriminal targets the employees of an organisation and does some reconnaissance on them online with the aim of getting personal information.

Information can be gotten from internet searches and from profiles on social media platforms. Once they have been able to get details personal to the targets, they can then start sending emails that seem very necessary and of interest to them in order to entice them, such that once they click the links sent to them, the attached malware file is downloaded to their system. Once the cybercriminal successfully tricks the user, the malware is installed on the user’s computer and can spread to other computers on the company network.

Farming

This is more like a long con, where the cybercriminal tries to establish a relationship with a target. They usually go through their target’s social media profiles in order to establish a relationship and gather as much information as possible to help them perform an attack.

This attack form typically depends on pretexting, because the attacker’s aim is to have prolonged conversations with the target in order to extract as much information as possible.

Hunting

This is a shorter version of all the attack forms. The cybercriminal will typically use baiting, phishing and email hacking to extract information from a chosen target passively (i.e. with no direct contact or with as little interaction as possible).

Social engineering has taken on all forms, both online and offline, and it has therefore become very difficult to control or cut off its threats. Your best defense mechanism against social engineering is to educate yourself, and your employees if you run an IT-driven organisation. You should also be aware of and look out for any possible attack methods that may come.

We have a comprehensive course that can help you learn more about how to protect yourself from social engineering and other attack forms. Subscribe to our CEH course today at SOUTECH.

Setting up a Bring-Your-Own-Device (BYOD) policy for your Organization- Be Cyber-safe-SOUTECH

A recent survey by Symantec said that about three to four small and medium-sized organization owners have adopted smartphones and tablets as a core part of achieving their teams’ success. Since the use of these devices is gradually expanding, there is a need to provide apt security for them. This is the main reason why organizations have adopted the bring-your-own-device concept, an approach commonly referred to as BYOD.

The fact that smartphones and tablets have grown into consumer markets has made a lot of employees choose to apply the Bring-Your-Own-Device concept at their places of work. So, I’ll be giving you a few tips on how to stay protected on the internet, as mobile devices have become a core entity in many organizations.

This is where the idea of developing a sound and efficient BYOD policy comes in: one that can assist in gaining maximum productivity in your organization or company.

These are a few points I will stress, which are necessities for every organization:

1. Assessing the needs of Your BYOD

One of the key things you can do is to brief or engage your employees and staff in talks regarding the use of their devices in the organization for business transactions. The things you need to find out are:

  • Do they access the company server and read emails related to work or the business?
  • What operating systems and devices do the employees use in order to access the network?

This information will guide your policies and help you to dictate their scope and the measures you can take to secure the devices. It can also help you in choosing the security software you can deploy to protect those devices.

2. Always Educate Your Employees

Endeavour to talk to your employees and team members about the potential risks of using mobile devices in and out of the office, including the importance of managing any related risk. It must be made compulsory for employees to follow security best practices, which include:

  • Employing complex passwords for their devices and for any work-related program that is accessed using those devices. These passwords can be set by navigating through the device’s settings. Learn more about creating strong passwords.
  • Employing a regular password changing policy, for example changing passwords quarterly or every 90 days. You can use password manager services like KeePass or LastPass, which are capable of helping employees manage multiple and regular password changes.
  • Always ensuring that system updates and app updates are done once the device prompts for them. This is done in order to protect against any possible security vulnerabilities.
  • Being on the lookout for phishing text messages and emails, which can be avoided by not clicking links that prompt them to download files and documents from unknown pages.
  • Doing thorough research on applications before downloading them onto devices. Employees should be discouraged from downloading applications from unofficial or third-party app stores.

3. Strong Protective measures must be implemented

Products that will help employees strengthen the security of their devices when used for business should be explored. A very good tool is the Norton Small Business software, which protects mobile devices against malware associated with mobiles. Research has it that many devices running on Android platforms carry potential malware, privacy loopholes and greyware which are capable of hindering productivity. However, there have been new products that provide more security, including remote locate, lock and wipe features. These features allow mobile users to manage their device security from a central web portal.

Consider using a VPN (Virtual Private Network) service if employees access the company’s network remotely with their mobile devices. A VPN creates an encrypted tunnel over the internet which allows traffic to pass through it. There are mobile apps that allow users to connect to a VPN via their mobile devices or smartphones.

4. Acceptable Use should be properly defined

Guidelines should be outlined to clarify and define how employees can use their devices during business hours for business purposes. For instance, you may employ a pervasive policy by allowing your team members to access documents and emails, but prohibiting them from having access to sensitive files such as financial data. Websites and apps that employees are prohibited from accessing over the company VPN during work hours should be specified.

5. Decide how these Guidelines are Enforced

Set up due consequences for any member of your team who goes against any of the outlined policies. For example, if anyone accesses the prohibited apps or software during business hours, it could result in a warning, and if anyone downloads or stores confidential files from a malicious app, such persons will not get funding for their mobile devices.

These measures should be outlined clearly, along with how any potential violations will be handled.

If you run a business or an organisation that encourages the BYOD policy, thinking through these steps and few tips should guide you in building a firm foundation and an effective way to manage your infrastructure and protect it from any possible security breaches.

You can learn many more tips on how to better manage your infrastructure, along with proper auditing skills, from SOUTECH ventures. We offer the best IT consulting solutions to our clients in Abuja, Lagos and Port Harcourt. Subscribe to our Ethical hacking course and learn more.

 

Understanding the importance of an IT audit: SOUTECH Ethical hacking tips

An IT audit is an audit that deals with the review and evaluation of all automated and non-automated information processing systems and all the interfaces between them. It also includes setting up management controls for information technology and infrastructure.

The elementary function of an IT audit is the evaluation of the systems that are already in place to guard the organization’s information. It looks into the ability of an organization to protect its assets as well as to legitimately and adequately give out information to authorized parties.

The process of planning IT audits involves two key steps:

  • Gathering information and planning
  • Gaining an understanding of the already existing internal control structures

Many organizations are gradually moving towards risk-based audits, an approach which is used for risk assessment and helps the IT auditor decide whether to carry out a compliance test or a substantive test. The risk-based approach involves the IT auditors relying on the internal and operational controls and also on knowledge of the organization involved.

However, this type of risk assessment decision can go a long way to relate the profit analysis of the control to the risk.

These are the 5 aspects that an IT auditor needs to identify when gathering information:

  • Good knowledge of the business and industry
  • Previous results obtained from all the years
  • Recent financial data
  • Already existing standards and policies
  • Inherent risk assessments

Inherent risk here refers to the risk that an error exists that could be compounded by other errors encountered during the audit, assuming there are no controls in place.

Once the auditor has gathered the relevant information and has an understanding of the controls, they are ready to start planning or selecting the areas that need auditing.

Why is it important to do an IT Audit?

You will hardly find an organization in recent times that is not IT driven. A lot of organisations today are investing huge amounts of cash in their IT infrastructure because they have come to realize the tremendous importance of using IT in their business services and operations. As a result, they need to always make sure that their IT systems are very secure, very reliable and not susceptible or vulnerable to any form of cyber attack.

The importance of an IT audit can never be overemphasized, because it provides the assurance that the IT systems deployed by the organization are well protected, available at all times, properly managed to get the required results, and give out reliable information to users. Many people use and rely on IT without knowing how it works, or that a computer can repeat an error many times over and cause more extensive damage than a human being can. An IT audit is also very important in reducing the risk of data leakage, data loss, service disruption and ill-management of an IT infrastructure.

The Objectives of an IT audit

The objectives of an IT audit often focus on substantiating that the existing internal controls are functioning as expected in order to minimize business risk. The objectives include:

  • Assuring compliance with legal and regulatory standards
  • Ensuring confidentiality
  • Ensuring Integrity
  • Improving availability of information systems

Confidentiality here relates to information security and refers to protecting information from being disclosed to unauthorized persons or parties. This means that information such as personal credentials, trade secrets and bank account statements is kept confidential, and protecting this information plays a major role in information security.

Information is valuable only when it has not been tampered with, which is where data integrity comes in: information must not be modified by an unauthorized party. If information is inappropriately altered, it could prove costly; for example, a transaction of 1,000 naira can be altered to 10,000 naira. Making sure data is protected from being tampered with is a core aspect of information security.

Availability here means that information is made available to authorized individuals whenever it is needed. Unfortunately, the act of denying rightful users access to resources has been on the rise lately. An information systems audit will therefore ensure confidentiality of an organization’s data, data integrity and availability of resources. An IT audit therefore oversees the organization’s IT systems, its operations and its management processes.

The reliability of data from an IT system can as well have a huge impact on the financial statements of an organization. Therefore an IT audit must be able to:

  • Check for instances of excess, gross inefficiency and extravagance, which have to do with wastage of resources in the management of IT systems
  • Ensure that there is a high level of compliance with government laws as applicable to the IT system.

Types of IT audits

Different bodies and authorities have developed their own views to distinguish the types of IT audits. Goodman and Lawless have outlined three systematic approaches to performing IT audits:

  • Technological Innovation Process Audit: This audit type attempts to construct a risk profile for already existing as well as new projects. It assesses the length, depth and presence of the technologies used by the company and how they relate to the relevant markets. It also looks into the way each project is organized and the structure of the industry as regards its projects, products etc.
  • Technological position audit: This audit type deals with the technologies that the business has on ground and what it needs to add to them. Technologies can be categorized into
    • Base
    • Key
    • Pacing
    • Emerging
  • Innovative Comparison Audit: This audit deals with the analysis of the innovative capabilities of the organization being audited when compared to its competitors and rivals. The company’s research and development facilities as well as its track record of producing new products will be examined.

Other authorities have also categorized IT audits into 5 types:

  • Information Processing Facilities: This audit is focused on verifying the processing ability of the facility and whether it is designed to process applications in a timely, accurate and efficient way under normal and disruptive conditions.
  • Systems and Applications: This audit is focused on verifying that systems activity is controlled appropriately, efficiently and adequately in order to ensure that its output at all levels is valid, reliable and timely. This audit type forms a sub-type that focuses on business IT systems and also focuses on financial auditors.
  • Management of IT and Enterprise Architecture: This audit focuses on verifying that the IT management has developed an organizational structure and procedures that ensure a controlled and efficient information processing environment.
  • Systems Development: This audit verifies that the systems under development meet the requirements and objectives of the organization. It also ensures that the systems are developed in line with generally accepted policies and standards for systems development.
  • Client/Server, Intranets, extranets and Telecommunications: This audit verifies that the controls for telecommunications are in place at both the client and the server ends, as well as on the network that connects the clients and servers.

Types of Auditors

  • Internal Auditor: This auditor usually performs internal accounts auditing as well as IS audits.
  • External Auditor: This auditor reviews the findings and inputs, processes and outputs of the information systems made by the internal auditor.

Types of Audits

  • Internal Audits: As explained above, an internal audit considers all the potential controls and hazards in an information system. It takes care of issues like operations, data, data integrity, security, privacy, software applications, productivity, expenditures, cost control and budgets. The auditor works with guidelines, such as those of the Information Systems Audit and Control Association, which are available to give their job a pattern.
  • External Audits: This audit builds on the information obtained from internal audits of information systems. An external audit is performed by a certified information systems audit expert.

IT Audit Strategies

  1. We’ll discuss two areas here, but first one must be able to determine whether the test is a compliance or a substantive test. The next thing to consider is how to go about gathering evidence to enable one to perform application audits and make reports to the management.

What is substantive and Compliance Testing?

  • Compliance testing involves gathering evidence to test whether an organization is following its control procedures. For example, if an organization has a control procedure that says all application changes have to pass through change control, an IT auditor will have to get the current running configuration of the router as well as the configuration file. After he does this, he can then run a file comparison to find the differences and use the result to look for the supporting change control documentation.

  • Substantive testing involves gathering evidence that enables one to evaluate the integrity of individual data and other information. For example, if an organization has a policy on backup tapes in offsite storage locations which includes three generations (Grandfather, father and son), then the IS auditor has to take a physical inventory of the tapes in the offsite storage location. After this he can compare it with the organization’s inventory, also making sure that the three generations are involved and are available at the time of the audit.
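The compliance test described above (compare the router's running configuration with the configuration file, then look for change control documentation for every difference) can be scripted. This is an added example, not code from the original article; the IOS-style syntax, the sample configurations, the ticket ID and the `scope` field of a change record are constructed assumptions.

```python
"""Compliance-test helper: diff a router's running configuration against the
approved configuration file and flag differences that no change-control
record covers. Configs, ticket IDs and field names are constructed samples."""
import difflib
import re

# Lines that differ on every capture and carry no audit meaning
# (IOS-style banner and comment lines; the syntax is an assumption).
VOLATILE = re.compile(
    r"^(!|Building configuration|Current configuration|"
    r"Last configuration change|NVRAM config last updated|ntp clock-period)"
)

APPROVED_CONFIG = """\
! constructed sample: approved configuration file
hostname edge-rtr-01
interface GigabitEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 deny ip any any log
line vty 0 4
 transport input ssh
"""

RUNNING_CONFIG = """\
Building configuration...
Current configuration : 1482 bytes
hostname edge-rtr-01
interface GigabitEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 permit tcp any host 192.0.2.10 eq 8080
access-list 101 deny ip any any log
line vty 0 4
 transport input ssh telnet
snmp-server community public RO
"""

# Constructed change-control records: "scope" is the stanza prefix the
# approved change was allowed to touch.
CHANGE_RECORDS = [{"ticket": "CHG-0001 (constructed)", "scope": "access-list 101"}]


def parse(config_text):
    """Return ordered (stanza_header, line) pairs, skipping volatile lines."""
    entries, header = [], ""
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or VOLATILE.match(line):
            continue
        if line[0].isspace():          # indented: belongs to the open stanza
            entries.append((header, line.strip()))
        else:                          # top-level line opens a new stanza
            header = line
            entries.append((header, line))
    return entries


def diff_configs(approved_text, running_text):
    """List (action, stanza_header, line) for each added or removed line.
    Order is preserved, so a reordered ACL shows up as a change too."""
    a, b = parse(approved_text), parse(running_text)
    changes = []
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            changes += [("removed", h, l) for h, l in a[i1:i2]]
        if tag in ("insert", "replace"):
            changes += [("added", h, l) for h, l in b[j1:j2]]
    return changes


def unsupported_changes(changes, records):
    """Return the changes whose stanza is not covered by any change record."""
    return [
        (action, header, line)
        for action, header, line in changes
        if not any(header.startswith(r["scope"]) for r in records)
    ]


if __name__ == "__main__":
    all_changes = diff_configs(APPROVED_CONFIG, RUNNING_CONFIG)
    for action, header, line in unsupported_changes(all_changes, CHANGE_RECORDS):
        print(f"FINDING: {action:7} [{header}] {line}")
```

Each finding is a difference the auditor must trace to a change-control document; the ACL line opening port 8080 is not reported because the constructed record covers that stanza.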

  2. The next thing to discuss is how to get the evidence that can help you audit the application and deliver a report to management. A few things you can do are:

  • Review the IT organizational structure
  • Review the IT policies and procedures
  • Review the IT standards
  • Review the IT documentation
  • Review the organization’s BIA
  • Take time to interview employees
  • Observe the employees’ performance
  • Test controls and examine necessary incorporated entities

  3. Draft out a set of questionnaires

  • Whether there is thorough documentation of approved IS audit guidelines?
  • Whether IS audit guidelines are consistent with the security policy?
  • Whether responsibilities for the IT audit have been assigned to a separate unit that is independent of the IT department?
  • Whether periodic external IS audit is carried out?
  • Whether independent security audit is conducted periodically?
  • Whether contingency planning, insurance of assets, data integrity etc. are made part of the external audit?
  • Whether vulnerability and penetration testing were made part of the external audit?
  • Whether the major concerns brought out by previous audit reports have been highlighted and brought to the notice of the top management?
  • Whether necessary corrective action has been taken to the satisfaction of the management?
  • Whether facilities exist for conducting trainings which will enable IS audit teams to conduct the audit process effectively?
  • Whether the IS audit team is encouraged to keep themselves updated?
  • Whether IS auditors exchange their views and share their experiences internally?

Operations in modern organizations are increasingly dependent on IT, which is why IT audits are used to make sure that all information-related controls and methods are functioning properly. Most companies, if not all, are IT driven, and not enough awareness has been raised about auditing of IT infrastructure, which is the reason for this write-up. If you’re in search of a professional firm to audit your organization, look no more, as Soutech web consults, the number one IT consulting firm in Nigeria, offers this service. Subscribe to us for your auditing and all types of IT-related issues.

 

Has your account just been hacked? Wondering what to do next?

Just recently it was in the news that over 7 million Dropbox usernames and passwords had been stolen, with initial reports that the Dropbox server itself was hacked. The company made this statement on their blog: “The usernames and passwords that are referenced in these articles were stolen from unrelated services and not Dropbox. Attackers however, went further more to use the stolen credentials to attempt log in into our websites across the internet, including Dropbox”.

Stories and news of data and network breaches in organizational networks have been trending in the headlines recently, so regardless of where the loopholes are, it is something we hear about frequently. Many high-profile businesses that we interact with regularly, such as restaurants and product retailers, have had POS (Point of Sale) data breaches over the past months.

I will give you a few tips on how to approach a data breach situation and some things you can put in place in case you’re faced with such a situation.

What to do Immediately- First Things First

  • First of all, try to determine the form of data breach that your information has been involved in. If it is an online data breach, then there is a possibility that your username and password have been stolen, and if it is a POS data breach then it means your credit card numbers have been stolen as well.
  • If it is a POS data breach from a product outlet, a store or a restaurant where you have just purchased something, then immediately check your credit card and bank details for any suspicious activity.
  • Look out for any alerts from the vendors that you use, such that immediately an affected vendor tells its customers to change their passwords, you do so too.
  • Avoid any potential phishing email, or emails that require you to update your password and private information via email. One tip you should always apply is to check the email address or web address to confirm that it is the official email or web address of your financial institution.
  • You should also change your other passwords if you use the same password across several accounts, particularly the ones linked to your email account and those that contain your private and financial information. I advise you to go through your bank and credit card accounts as well.
  • Always notify your financial institution whenever you notice any suspicious activity on your financial account. Make sure you let them know the breached institution at which your credit card was used. They can take immediate action by blocking any transaction to that account.

 Meanwhile in the Interim

  • Continue to keep a close eye on your bank or financial accounts. You could also subscribe to receive transaction alerts via text and email. It is policy now for every bank to provide these services. Sometimes it may seem that you are now safe, but a cybercriminal has patience as a key virtue and may take months to make use of your stolen bank and financial information.
  • You might as well contact the company where the data breach occurred when you did your transaction. They can provide you with information regarding the type of information that was leaked and the policies they have put in place to keep your personal details protected.

In the Long run

  • A lot of businesses or organisations have developed a policy such that any customer affected by a data breach is given a free year of data monitoring. You can find out from the organisation if they have such a policy or if they offer such services.
  • I still lay emphasis on the use of a secure password coupled with two-factor authentication, as explained in my previous articles, as a key means of online safety.

Data breaches continue to be among the most frequent incidents these days, but like I said, there are ways to stay alert and be protected at all times. Luckily, if there are purchases you have made, there are anti-fraud laws in place to ensure your safety. If you find yourself in the clutch of any data breach, be diligent enough to monitor your accounts. Soutech web consultants are just the right professionals to handle your fears. If you in any way become a victim of any sort, you can contact us at SOUTECH. Also, if you apply all the methods and tips mentioned in this article, and as long as you report any suspicious fraudulent activity, then you are just as well informed as ever.

 

Network Penetration Testing Services: Tools and Methodologies

In my previous articles, I have discussed vulnerability analysis and penetration testing intensively, but I’ll reiterate a few things to help buttress the points in this article.

Penetration testing plays a major role in the playbook of any security consultant, and it is the best way to know how vulnerable a network is to an attack. Compliance standards such as PCI and HIPAA require vulnerability assessments, which also enable penetration testing to be performed smartly and in a targeted form when compared to performing simple port scans. Most importantly, vulnerability assessment is the bedrock for developing an information security program that is proactive, going beyond reactive techniques such as setting up firewalls, identifying loopholes and making attempts to seal them. But know this: when installing and managing your websites and networks, even if you know much about the basic security measures and follow them, it is never enough to discover and mitigate all the vulnerabilities by yourself.

Now let us understand what a network vulnerability assessment is as an entity of penetration testing. Network penetration testing is a penetration testing technique that involves reviewing and analyzing a network in order to discover any possible security loopholes and vulnerabilities. Network administrators and network security staff use this technique to do a thorough evaluation of their security architecture as well as to defend the computer network against any form of threat and vulnerability. It also helps them to assess the strength of the network. But the key objective of this technique generally is to discover vulnerabilities that may compromise the overall privacy, security and operations of a computer network.

Network penetration testing Methodology

1. Data and Information gathering and project set up

This involves;

  • Reviewing the project to obtain all assumptions
  • Listing and detailing the IP addresses to be scanned
  • Configuring the IDS and IPSes to accept the originating IP addresses
  • An optional scan of all user credentials
  • Obtaining contact information for both parties
  • Planning the scans and including the time it is being performed

2. Setting up the scanning tools

This step involves configuring all the vulnerability scanning tools for “safe mode”.

3. Performing the vulnerability scan

This involves performing an in-depth scan of all provided IP addresses and identifying any security weaknesses and vulnerabilities on user credentials after they have been scanned.

4. Research and Verification of vulnerabilities

This involves

  • Verifying all the discovered vulnerabilities
  • Identifying false positives
  • Determining any potential impacts of the vulnerabilities being exploited
  • Prioritizing remediation efforts
  • Developing specific plans and recommendations for the remediation

5. Create reports and a project close-out

This involves;

  • Delivering final and concluding reports
  • Teleconferencing of the scheduled project conclusions
  • Ensuring a full understanding of the remediation actions being recommended
  • Facilitating knowledge transfer in an effective form

Network Vulnerability Assessment Tools

Vulnerability scanners play a critical role in carrying out an automated security audit in any organization. This is because they can scan the website, network and other internal systems for thousands of security risks and can automatically prioritize them alongside the right patches. Some can also apply the patches automatically.

Scanning websites is an entirely different ballgame from network scans. In the case of websites, the scope of the scan ranges from Layer 2 to 7, considering the intrusiveness of the latest vulnerabilities. The correct approach for scanning websites starts from Web-level access, right up to scanning all back-end components such as databases. While most Web security scanners are automated, there could be a need for manual scripting, based on the situation.

1. OpenVAS: This is short for Open Vulnerability Assessment System, a free network security tool that has most of its components licensed under the GNU General Public License (GPL). This tool is very effective in scanning for thousands of vulnerabilities and supports concurrent and scheduled scans and tasks. Its main component is available as Linux packages and as downloadable virtual appliances for testing and evaluation. OpenVAS does not run on Windows, but it offers clients for Windows platforms. It runs mainly on Linux platforms and receives over 33,000 daily updates of network vulnerability tests.

OpenVAS has a manager that controls its intelligence; it is command-line based, with full daemon services for user management and feed management. It is not quick or easy to install, but it has one of the richest feature sets in IT security scanning.

2. Retina CS Community: This is a vulnerability scanning and patching tool for Microsoft and most third-party applications such as Firefox and Adobe. It can scan for vulnerabilities in mobile devices, virtualized applications, servers, web applications and private clouds as well. It identifies missing patches and configuration issues. A companion software called Retina Network Community has to be installed first, before the Retina CS Community software itself. It works on Windows Server 2008 or later and Microsoft SQL 2008 or later, and it also requires .NET Framework 3.5 to be installed and the IIS server to be enabled.

It gives you the option of choosing from a variety of scans with reporting templates, for which you can specify IP address ranges. You can also provide any credentials the scanned assets may require, and have your reports come out in a ready and organized format, including email alerts. Most businesses, however, may find its system requirements very stringent, since it requires Windows Server.

3. Microsoft Baseline Security Analyzer (MBSA): This is a tool that can perform both local and remote scans on Windows servers and desktops. It is very efficient because it can identify missing service packs, security patches and common security misconfigurations. Platforms that support it are Windows XP, Windows 8 and 8.1, Windows Server 2012 and Windows Server 2012 R2. It is a straightforward and easy-to-understand tool. It lets you select a single Windows machine to scan by name, specify IP addresses, or choose a whole domain. You can also choose what to scan for: Windows, IIS or SQL admin vulnerabilities, Windows updates, or weak passwords.

5. SecureCheq: This is a tool that can perform local scans on both Windows desktops and servers and is capable of identifying many insecure advanced Windows settings as defined by standards such as COBIT, ISO and CIS. It deals mainly with common configuration errors related to OS hardening, communication security, data protection, audit logs and user account activities. Its free version can only perform less than 24 scans, which is about a quarter of what its full version scans. SecureCheq is a simple tool which lists all the checked settings with passed or failed results. Even though it is easy to use and can scan for advanced configuration settings, it cannot reach deep enough to scan for general Windows vulnerabilities and network-based threats. It complements MBSA well, however: scan for basic threats first, then perform a follow-up scan using SecureCheq.

6. Qualys FreeScan: This tool can perform about 10 free scans of URLs and IPs of local servers and machines on the internet. It can be downloaded from web portals and installed and run on virtual machines for scanning internal networks. It can scan for issues in SSL and for vulnerabilities in the related networks.

At first it may seem to be an online tool that scans only via the internet, but if you put in a local IP address, it prompts you to download a virtual machine image (VMware or VirtualBox) to your system. This allows you to scan local networks, and the tool gives an interactive report of the threats and patches.

7. Wireshark: Wireshark, previously called Ethereal, is one of the most popular tools for network vulnerability testing or assessment. This is because it gives you a clear picture of what is happening on your network. It works in promiscuous mode in order to capture all the traffic on a TCP broadcast domain. It has customizable filters that can be configured to intercept specific traffic, such as communication between two IP addresses or UDP-based DNS queries on that network.

Data obtained can be dumped into a capture file for later review. It can also be used to look for stray IP addresses, unnecessary packet drops, spoofed data packets and any suspicious single IP address. Although Wireshark gives a clearer and broader picture of network activity, it does not have its own intelligence and should therefore be used as a data provider.

8. Nmap: This has remained one of the most popular scanning tools for over a decade now. It is capable of crafting data packets and performing scans at a granular TCP level, such as ACK and SYN scans. Some of the characteristics of this tool include:

  • Built-in signature algorithms designed to guess OSes and their versions based on the TCP handshake
  • It can detect remote devices on the network as well as firewalls, routers, and their models
  • It can check for open and running ports and which ports can be exploited for simulation of attacks
  • It gives results in plain text and verbose
  • It can be scripted to automate routine tasks and obtain evidence for audit reports

9. Metasploit: Metasploit is a tool that comes into play after scanning and sniffing have been done. It provides the following capabilities:

  • It is a rigorous tool for performing scans against a set of IP addresses.
  • It can be used for anti-forensics
  • Programmers can write code that exploits a vulnerability and test on Metasploit whether it works
  • It is a commercially available tool for performing virus attacks.

10. Aircrack: This is a network scanning tool that acts as a sniffer, packet crafter and decoder. It targets a wireless network by capturing packet traffic to obtain vital information about the underlying encryption. A decryptor is then used to brute-force the captured file to find passwords. Aircrack can be found in Kali Linux, which is the most preferable platform for it.

11. Nikto: This is an interactive open source tool for scanning websites; it supports both HTTPS and HTTP. Nikto works as follows:

  • It crawls a website the way a human would, in a small amount of time.
  • It uses a technique known as mutation to create combinations of various HTTP tests to perform an attack.
  • It finds critical loopholes such as improper cookie handling, XSS (cross-site scripting) errors, upload misconfigurations etc.
  • It dumps all the findings in a verbose mode, which can also help in knowing more about vulnerabilities in a website.

Care should be applied when interpreting Nikto logs because it can result in too many things getting noticed and can trigger a false alarm.

12. Samurai framework: It is used for deep-diving after a baseline check has been done by Nikto. It is a powerful scanning utility which can be used to target a specific set of vulnerabilities. It is a pure penetration testing tool which focuses on other penetration tools such as WebScarab for HTTP mapping.

13. SQLmap: This is a first-generation tool capable of exploiting SQL injection errors, and it can also take over the database server. It supports speedy fingerprinting of the database to find the underlying OS and file system and to fetch data from the server.

Note that a regularly scheduled network vulnerability scan can help an organization identify loopholes and weaknesses in a network before any cybercriminal can mount an attack. The aim of performing a network vulnerability scan is to identify devices on your network without compromising the systems on it. Therefore, be sure to conduct periodic vulnerability scans of your network in order to discover and mitigate any possible weaknesses before they can be exploited.

Why do you need the services of a Network Penetration Tester?

A network penetration tester is specifically trained, with the expertise to conduct penetration testing and network assessments effectively. Note that if a penetration test is improperly conducted, it could be detrimental to your organization and its daily operations. Some of the areas a network security specialist specializes in are:

  • Data breach prevention
  • Application security
  • Security control testing
  • Gap analysis maintenance
  • Compliance testing and analysis

Who do you contact?

You can get a range of services from us, from certifications and trainings in vulnerability and penetration testing to many more courses. We at Soutech web consults have a team of professionals that can not only train you and your staff on vulnerability and penetration testing, which is an entity of cyber security, but also conduct them. Endeavour to visit us at Soutech web consults or subscribe to our website to find out how we can help your organization and your business mitigate any form of network vulnerability by implementing any of our test processes and technologies.

Vulnerability Testing: A Detailed Guide-SOUTECH guide

One of the major challenges the cybersecurity world is facing is the way vulnerabilities are classified or grouped. Many security vendors, professionals and product developers have given different names to the same type of vulnerability, and this has become confusing for security practitioners when performing tests. This is the reason why some organisations such as CVE (Common Vulnerabilities and Exposures) have come together to develop a common language for vulnerabilities.

CVE, which is sponsored by the Mitre Corporation, has set up a standard for naming security vulnerabilities conventionally in order to make them easier to discuss, test and document. A complete list of CVEs for vulnerability testing can be downloaded from CVE.

The CVE standard has been deployed by many security products, to name but a few:

  • Nessus Security scanner
  • STAT (Security Threat Avoidance Technology)
  • Internet Scanner by ISS (Internet Security Systems)
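
Because scanners name the same flaw differently, merging their reports on the CVE identifier is what makes the verification and prioritisation steps of the methodology described earlier workable. The following is an added example, not code from the original article: the two scanner reports, the placeholder CVE numbers, the `INTERNET_FACING` set and all function names are constructed assumptions.

```python
import re

# CVE identifiers have the form CVE-YYYY-NNNN (four or more digits in the
# sequence part); scanners differ in case and separator, so accept variants.
CVE_RE = re.compile(r"CVE[-_ ](\d{4})[-_ ](\d{4,})", re.IGNORECASE)

# Constructed findings from two hypothetical scanners. The CVE numbers are
# placeholders, not real entries; note the different titles for one flaw.
REPORTS = {
    "scanner_a": [
        {"host": "192.0.2.10", "title": "TLS library heap overflow (CVE-0000-0001)", "severity": 9.1},
        {"host": "192.0.2.10", "title": "Weak TLS cipher suites enabled", "severity": 5.3},
        {"host": "192.0.2.20", "title": "File sharing service flaw CVE-0000-0002", "severity": 7.5},
    ],
    "scanner_b": [
        {"host": "192.0.2.10", "title": "libssl memory corruption [cve_0000_0001]", "severity": 8.8},
        {"host": "192.0.2.20", "title": "Print service flaw CVE-0000-0003", "severity": 9.8},
    ],
}

# Hypothetical asset inventory: hosts reachable from the internet.
INTERNET_FACING = {"192.0.2.10"}


def normalise_cve(text):
    """Return the canonical CVE id found in text, or None."""
    m = CVE_RE.search(text)
    return f"CVE-{m.group(1)}-{m.group(2)}" if m else None


def merge(reports):
    """Collapse findings that share (host, CVE id) across scanners."""
    merged = {}
    for scanner, findings in reports.items():
        for f in findings:
            # Findings without a CVE id can only be matched on their title.
            ident = normalise_cve(f["title"]) or "NO-CVE:" + f["title"].lower()
            entry = merged.setdefault(
                (f["host"], ident),
                {"host": f["host"], "id": ident, "scanners": set(),
                 "titles": [], "severity": 0.0},
            )
            entry["scanners"].add(scanner)
            entry["titles"].append(f["title"])
            entry["severity"] = max(entry["severity"], f["severity"])
    return list(merged.values())


def triage(merged, internet_facing):
    """Mark single-source findings for manual verification and order the
    remediation list: exposed hosts first, then highest severity."""
    rows = []
    for e in merged:
        status = "corroborated" if len(e["scanners"]) > 1 else "verify-manually"
        rows.append({**e, "status": status, "exposed": e["host"] in internet_facing})
    rows.sort(key=lambda r: (not r["exposed"], -r["severity"], r["id"]))
    return rows


if __name__ == "__main__":
    for r in triage(merge(REPORTS), INTERNET_FACING):
        print(r["host"], r["id"], r["severity"], r["status"])
```

A finding seen by only one scanner is not necessarily a false positive; it is simply the first candidate for the manual verification step.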

Types of Vulnerability Scanners

Vulnerability scanners can be classified into;

  1. Host-based vulnerability scanners
  • They identify the issues that are inherent in the host system.
  • The scanning is performed by using host-based scanners to check for vulnerabilities.
  • When the host-based tools load the mediator software onto the target system, it traces the events that have occurred and sends the report to the security analyst, who analyses it and decides the next move.
  2. Network-based vulnerability scanners
  • The scanning is performed using network-based scanners.
  • The function of network-based scanners is to detect open ports and to identify unknown services and active, running ports.
  • They then give a result of all the possible vulnerabilities that are associated with these services.
  3. Database-based vulnerability scanners
  • Database-based vulnerability scanners identify the security loopholes in the database.
  • Here, tools and techniques are applied to test if the database is susceptible to SQL injection. The tester injects SQL queries into the database in order to read any sensitive data from it. If there are any loopholes, the cyber security expert then updates the data in the database and tries to patch the security issue.

Steps for Performing Vulnerability Testing

The full methodologies on how to perform Vulnerability testing can be found in my previous article on vulnerability testing. I will describe briefly the steps that can be used to carry out any vulnerability test.

1. Check for Live Hosts: Here we have to check if the host is alive on the network. We can also

  • Detect firewalls in the network
  • Probe for open ports such as UDP and TCP ports and other ports
  • TCP ports such as 1-111, 135, 139, 443, 445 etc.
  • UDP ports such as 53, 111, 135, 137, 161 and 500

Whether or not the target is alive or offline, the scan can still be done.

2. Detect Firewalls: Here we try to determine whether there is a firewall in front of the target system. This is because some systems may appear to be offline when, in the actual sense, they are just protected by firewalls so as to appear off, and can still be open to attacks.

This test also attempts to gather a lot of network information from the target network especially when doing UDP and TCP probing.

3. Determine Open services and ports: In this step, we scan the UDP and TCP ports in order to discover the ports and services that are open. The ports to be probed are UDP and TCP ports 65-535, and in most setups it is recommended to use the best scan probes to save network bandwidth and network time. During an in-depth scan, the use of full profiled scan probes is recommended.

4. Detection of Operating Systems and Versions: This involves discovering the OS versions and the services in order to optimize the scan. Once UDP and TCP port scanning is over, the pen tester uses different techniques in order to identify the OS that is running on the target host and network.

5. Perform a profiled Vulnerability scan: A profiled scan is applied in order to get an optimized vulnerability scanning result. Profiled scans include;

  • Best scan to get popular ports
  • Quick Scan to get most common ports
  • Firewall scan by performing stealth scan
  • Aggressive Scan by performing full scan, exploits and for DoS attacks

6. Developing a detailed Report: There are different formats for generating reports and for the outputs of risk analysis and remediation suggestions. You can read the OWASP full vulnerability scan documents to get a template for presenting your reports.

Vulnerability Testing Tools

Vulnerability testing tools can be classified into Host-based tools and Data-based tools. I will describe a few tools which are efficient for performing vulnerability assessment.

| Category | Tool | Description |
|---|---|---|
| Host-Based | STAT | It scans multiple systems on the network. |
| | TARA | An acronym for Tiger Analytical Research Assistant. It is a Unix-based system scanner which detects a set of known vulnerabilities in the local host of the network. |
| | Cain and Abel | It can be used for cracking HTTP passwords and for retrieving passwords by sniffing the network. |
| | Metasploit | It is an open source platform on Linux for developing, testing and exploiting code. |
| | WireShark | This is an open source network protocol analyzing tool that runs on both Linux and Windows platforms. Used to sniff the services running on the network. |
| | Nmap | This is also an open source utility tool for carrying out security audits. |
| | Nessus | This is an agent-less platform for auditing, reporting and carrying out patch management integration. |
| Database-based | SQL diet | A tool for the SQL server for performing dictionary attacks. |
| | Secure Auditor | It enables a user to carry out enumeration, network scanning and auditing, and also to perform penetration testing and forensics on the operating systems. |
| | DB-scan | It is a tool used for the detection of trojans on the database, and also for detecting hidden trojans by performing baseline scanning. |

Advantages of Vulnerability Assessment

The common advantages of performing vulnerability assessments are;

  • There are readily available open source tools for performing vulnerability assessments.
  • It provides a platform to identify, detect and curb almost all vulnerabilities inherent on any system.
  • Some of the afore mentioned tools are automated for scanning.
  • These vulnerability assessment tools are easy to run on a regular basis.

Disadvantages of Vulnerability Assessment

  • There is an increase in the rate of false positive results
  • A vulnerability assessment tool can easily be detected by an Intrusion Detection System (IDS)/Firewall.
  • Sometimes recent and latest vulnerabilities can be hardly noticed.

Vulnerability Assessment vs Penetration Testing

| | Vulnerability Assessment | Penetration Testing |
|---|---|---|
| Functionality | To discover vulnerabilities | To identify and exploit known vulnerabilities |
| Mechanism | For discovery & scanning | Perform simulations |
| Focal point | Considers breadth over depth | Considers depth over breadth |
| Coverage of Completeness | High | Low |
| Cost of Use | Low to Moderate | High |
| Tester | House staff | An attacker or Penetration Tester |
| Tester Knowledge | High | Low |
| How often is being run | Run after every single equipment is loaded | Run once in a year or quarterly depending on organization's policy |
| Results provided | Gives partial and inconclusive details about the vulnerabilities | It gives a complete detail of all the identified vulnerabilities |

When performing vulnerability testing, you must know that it depends on two major mechanisms, vulnerability assessment and penetration testing, which I have differentiated in summary above. These two test methods differ from each other in the tasks they perform and the weight of their performance levels.

However, if one must achieve a comprehensive and well detailed vulnerability testing with reports, a combination of both methods is always recommended.

We at Soutech web consults have a professional team that can carry out well organized and detailed vulnerability testing on your organization. Do well to contact us today on our website.

All you need to know about Penetration Testing: Soutech Ventures

Penetration testing, colloquially referred to as a pen test, is a simulated attack performed on a computer system or its network infrastructure, with permission from management, to probe for security vulnerabilities and for potential means of gaining access to data and other features on the system.

Penetration testing helps one find out how vulnerable a system is to an attack, whether the defense mechanisms created are sufficient, and which of the defense mechanisms or techniques employed can be defeated. A typical penetration testing process focuses on finding vulnerabilities depending on the nature of the approved activity for a given engagement.

Security testing will never prove the absence of security flaws in a system, but it can certainly prove their presence.

Brief History of Penetration Testing

Since the mid-1960s, for over 50 years, as the sophistication of networks has increased, white hat hackers have been putting in work to make sure computer systems are protected from unauthorized access by hackers. They understood that if hackers gained access to their systems, they could even destroy information networks, aside from stealing information. As computers began to gain the ability to share data or information through and across communication lines, the challenge of protecting information increased. If these lines were broken, data could be compromised, contained or stolen.

As early as 1965, computer security experts warned the government and business outlets that because of the increasing capability of computers to share information and exchange vital data across communication lines, there could be an inevitable attempt to penetrate those communication lines during the exchange of data. In 1967, at the annual joint computer conference, which had over 15,000 cyber security experts in attendance, there were serious deliberations on the possibility that computer communication lines could be penetrated by hackers. They coined the term penetration, which has perhaps become a major challenge in computer communication today.

This meeting brought about the idea of actually testing systems and networks to ensure that integrity is increased as computer networks expand, with organizations such as the RAND Corporation, which first discovered a major threat to internet communications, taking part. The RAND Corporation allied with the Advanced Research Projects Agency (ARPA), located in the US, to produce a report known as The Willis Report, named after its lead author. The Willis Report discussed this security issue and proposed policies to serve as countermeasures against security breaches.

From this report, the government and organizations started to form teams with the sole responsibility of finding weaknesses and vulnerabilities in computer networks, and measures to protect the systems from unauthorized or unethical hacking or penetration.

Today, there are numerous specialized options available for performing penetration testing. Many of these systems include tools that offer a range of features for testing the security of the operating system. For example, we have Kali Linux, which can be used for performing penetration testing and digital forensics. Also contained in it are 8 standard tools such as Burp Suite, Nmap, Aircrack-ng, Kismet, Wireshark, the Metasploit framework and John the Ripper. Kali Linux has all these tools and many more, and for one system to contain all these sophisticated tools goes to show how sophisticated today’s technology has gradually become and how many hackers are finding ways to create problems for computer-driven networks and computing environments, most especially the internet.

Objectives of Penetration Testing

The objectives of an intense pen test involve

  • Determining how an attacker can find loopholes to unlawfully gain access to the system's assets in ways that can harm the fundamental security of the system's logs and files.
  • Confirming that all the applicable controls, like the vulnerability management methodologies and segmentation required for the good functioning of the system, are in place.

Types of Penetration Testing

  1. Black box penetration testing: Also referred to as blind testing. Here, the client does not give out any prior information about the system architecture to the pen tester. It may offer little value to the pen tester since the client does not provide any information. It can require more money, more time and more resources to carry out.
  2. White box penetration testing: Also known as Here, the client provides the pen tester with comprehensive and complete details of the network and how it is being applied.
  3. Grey box penetration testing: The client may provide incomplete or partial information about the system network.

Stages of Penetration Testing

There are basically 5 stages of a penetration test.

1. Reconnaissance and planning: This stage involves gathering intelligence such as network, mail servers and domain names in the bid to understand how the target system works and the potential vulnerabilities it is facing.

It also involves a thorough definition of the scope and the goals of the penetration test, including the systems that are to be addressed and the methods of testing to be deployed.

2. Scanning: This stage requires an in-depth understanding of how the target applications will respond to any attempt of intrusion. Scanning can be performed in the following ways:

  • Static analysis: This process involves a careful inspection of the code in the application and how it behaves when it is run. These tools have the capability of scanning the entire code in a single pass.
  • Dynamic analysis: It involves a careful inspection of the code in the application while it is in the running state. It is a more practical approach to scanning in that it gives a real-time view of the application's performance.

3. Gaining Access: In this stage, the pen tester uses web application attack techniques such as SQL injection, XSS (cross-site scripting) and backdoors to uncover the vulnerabilities on the target system. To understand the damage these can cause on the target, the tester will try to exploit the vulnerabilities discovered by intercepting traffic, stealing data, escalating privileges etc.

4. Maintaining Access: This stage aims at achieving a persistent presence in the exploited system using the known vulnerabilities. Advanced threats which are capable of remaining on the system for months are logged into the system in order to monitor changes, enhancements and any new information being loaded onto the system.

5. Results and Analysis: In this stage, all the results obtained from the penetration test are compiled comprehensively and in detail. This includes:

  • All the vulnerabilities that have been exploited
  • All sensitive data that has been accessed
  • The amount of time spent during maintaining access without being detected.

The security personnel then analyse the results in order to reconfigure, where necessary, the organization’s WAF settings and address any other application security flaws. This is done to patch all the vulnerabilities and to protect information against any future attacks.

Classification of Penetration Testing

1. External Penetration Testing: An external penetration test is targeted at the assets owned by an organization that are accessible on the internet. Examples of such assets can be:

  • The organization's website
  • Domain name servers
  • Emails
  • Web applications

The major goal of the external pen test is to gain access and extract data.

2. Internal Penetration Testing: It attempts to mimic an attacker actually launching an attack on the network to find vulnerabilities or loopholes.

It involves an examination of the IT systems of an internal network for possible traces of vulnerabilities which can affect the confidentiality, integrity and availability, and thereby giving the organisation the clues to take steps to address such vulnerabilities.

Penetration Testing Services

I will describe 4 distinct penetration testing service offerings that we can provide you:

  1. Vulnerability Scanning: This scanning technique provides a very transparent and mature offer, but the biggest challenge always lies in whether to resell a service offering or to buy one that can be used to scan the client's systems and networks internally. Every regulation requires scanning, which is the first and easiest step towards achieving security assurance. This is because all regulated customers need to scan.
  2. Penetration testing of Infrastructure: This uses tools such as Metasploit or Core Impact, which can be used to perform live exploits. Live ammunition is used, so you have to orchestrate the test with the client in such a way that the amount of disruption during the tests is minimized. The pen tester should endeavor to test all externally visible IP addresses, because that is what the bad guys want in order to penetrate the system and network. The tester should also attach to the conference room network, which is one of the softest parts of the customer's defense.
  3. Penetration of Applications: This is a very important step which involves an attempt to break into the applications, because so many attacks are directly targeted at applications. Web application scanners such as HP’s WebInspect and IBM’s AppScan can be employed, but the tester can also find ways to exploit application logic errors. Nothing withstands a skilled application test, because once an initial application is compromised, direct access to the database, where the valuable data is, becomes easy. If the tester can access the database, then the customer's system is already owned, and scripts can be written to block every loophole an attacker could use.
  4. User Testing: This part of the penetration test is always fun for the penetration testers because they get to see how gullible and vulnerable most users are. The test may involve sending fake email messages to customer service representatives in a bid to gather information that can be used to penetrate their facilities. They even drop thumb drives in the parking lot and watch for people who will plug them in. Social engineering is one of the key ways of gathering information and should never be underestimated. Social engineering can be used on the client in order to catch them off guard.

Standards for Penetration Testing Methodologies

There are many accepted industry methodologies that may guide and help the pen tester through any test.

  • Open Source Security Testing Methodology Manual (OSSTMM)
  • OWASP Testing Guide
  • The National Institute of Standards and Technology (NIST)
  • Penetration Testing Execution Standard
  • Penetration Testing Framework

These frameworks have set standards that any penetration testing activity should follow, and they should be strictly adhered to in order to guide the pen tester whenever necessary.

A typical penetration activity is detailed and must be carried out in an organized fashion. This is because organisational data and assets are very important and delicate things to handle; therefore, there is a need to have an organised team of professionals to handle your penetration testing services.

We at SOUTECH web consults are the perfect consulting firm for carrying out your penetration testing. We have professional staff and a team to conduct a well detailed and professional penetration testing. Subscribe for our services today.

Performing a Detailed Penetration Testing: Soutech Ventures

Pen tests, as we already know, are intended to identify and confirm actual security breaches and to report such issues to management. This ensures that an organization strikes a balance between business and good network security, so that the business operates smoothly.

Just to reiterate, as this is a follow-up article to my basics on penetration testing: penetration testing, colloquially called a pen test, refers to an ethical hacking method which is used to perform security testing on the computer network of an organization. It involves a lot of methodologies, which I have already explained in my previous write-up, designed to explore a network for potential known vulnerabilities and to test whether they are real. A properly performed penetration test allows a network professional to fix issues within the network in order to improve network security and provide the needed protection for the entire network against future cyber-attacks and intrusions.

The terms vulnerability assessment and penetration testing are often confused, and I have made an attempt to differentiate them because they mean different things.

Pen tests involve methods that require legal permission to exploit the network, while vulnerability assessment requires evaluating the network, its systems and services for potential security problems. While a pen test is designed to perform simulated attacks, vulnerability assessments only require pure analysis and vetting of an organization's network for vulnerabilities. Note that no attack is launched.

Penetration Testing Services

I will describe 4 distinct penetration testing service offerings that we can provide you.

1. Vulnerability Scanning: This scanning technique provides a very transparent and mature offer, but the biggest challenge always lies in whether to resell a service offering or to buy one that can be used to internally scan the clients’ systems and networks. Every regulation requires scanning, which is the first and easiest step taken towards achieving security assurance. This is because all regulated customers need to scan.

2. Penetration testing of Infrastructure: This uses tools such as Metasploit or Core Impact, which can be used to perform live exploits. Live ammunition is used, so you have to orchestrate or organize the test with the client in such a way that the amount of disruption during the tests is minimized. The pen tester should endeavor to test all externally visible IP addresses, because that is what the bad guys want in order to penetrate the system and network. The tester should also attach to the conference room network, which is one of the softest parts of the customers’ defense.

3. Penetration of Applications: This is a very important step which involves an attempt to break into the applications, because so many attacks are directly targeted at applications. Web application scanners such as HP’s WebInspect and IBM’s AppScan can be employed, but the tester can also find ways to exploit the application logic errors. Nothing replaces a skilled application test, because once an initial application is compromised, direct access to the database where valuable data is held is easy. If the tester can access the database, then the customer’s system is owned already, and scripts can be written to block every loophole open to the attacker.

4. User Testing: This part of the penetration test is always fun for the penetration testers because they get to see how gullible and vulnerable most users are. The test may involve sending fake email messages to customer service representatives in a bid to gather information that can be used to penetrate their facilities. They even drop thumb drives at the parking lot and watch out for people that will plug them in. Social engineering is one of the key ways of information gathering and should never be underestimated. Social engineering can be used on the client in order to catch them off guard.

 

The Qualifications of a Penetration Tester

The task of penetration testing can be performed by a qualified third-party agent as long as they are organizationally independent. What I mean is that they must be organizationally separate from the management of the client or the target system. For example, take a PCI DSS assessment: if the third-party company carrying out the assessment is involved in the installation, maintenance or support of the target systems, they cannot conduct the pen test.

The following guidelines can be useful in your choice of a good and qualified penetration tester.

Certifications for a penetration tester: The certifications which a penetration tester holds are a very indicative guide to their level of competence and skill. While these certifications may not be required, they can indicate a common body of knowledge for the tester. These are a few amongst the many certifications a penetration tester can have:

  • Certified Ethical Hacker (CEH)
  • Offensive Security Certified Professional (OSCP)
  • Global Information Assurance Certification (GIAC)
  • Computer Information System Security Professional (CISSP)
  • GIAC Certified Penetration tester (GPEN)
  • EC-Council Security Analyst (ECSA)
  • Licensed Penetration Tester (LPT)
  • GIAC Exploit Researcher and Advanced Penetration tester (GXPN)

Always remember that before any test begins, it is recommended that all parties be involved, such as the organization, the pen tester and, where applicable, the assessor. They all must be aware of the types of test being performed (i.e. external, internal, network layer or application), how the test will be performed and the target.

Steps to Perform a Detailed Penetration Testing

1. Scoping of the organization: The responsibility of the organization is to adequately define the critical systems. The normal recommendation is that the organization works hand in hand with the pen tester whenever it is applicable. The assessor also plays a major role here to verify that none of the components are overlooked and also to determine if there are additional systems to include in the scope. The scope of the penetration test should include the critical systems, the access points and the methods for segmentation.

2. Documentation: Documentation for all components within the scope should be made available to the tester whenever necessary. Documents include:

  • Application interface documentation
  • Guides to the implementation

This will help the tester to understand the functionality of the system. Other information which the organization needs to supply the tester should include:

  • Network diagram showing all the network segments
  • Data flow diagram
  • Detailed list of all services and ports that are being exposed to the perimeter
  • List of the network segments in isolation

Figure: A typical network diagram showing the network architecture

 

The pen tester uses all this information to assess and identify all unexpected attack vectors and any insufficient authentication controls.

3. Rules of Engagement: Before any test begins, it is very important to agree on and document the conditions and terms under which the test is being performed and the extent of the level of exploitation. This gives the pen tester authority over the test environment and makes sure the organization has an understanding of the test and what to expect from it. The following are what to consider as rules of engagement:

  • During what time window will the test be performed?
  • What are the known issues in the system and issues with automated scanning? And if so, will such systems still be tested?
  • Are there any preferred methods of communication about the scope and any issues that will be encountered in the course of the test?
  • Are there any security controls that could detect the testing?
  • Are there passwords or any sensitive data that will be exposed during the test?
  • Will the equipment to be used by the tester pose any threat to the systems in the organization?
  • Are OSes, service packs and patches up to date, and should the tester provide all the IP addresses from which the test will originate?
  • What steps should the tester take when he detects any flaw or loophole?
  • Will the tester retain any data obtained during the test?

4. Third-party Hosted/Cloud environments: The following should be added to the rules of engagement.

  • Whether the service-level agreement requires any approval from the third party before the test commences.
  • Web management portals that are provided to manage the infrastructure by the third-party should not be included unless noted in the scope.

5. Criteria for success: Pen testing is supposed to simulate a real-world attack with the aim of identifying how far an attacker can go in penetrating the systems. Therefore, defining the success criteria for the pen test will allow the entity to set limits for the pen test. Success criteria should be included in the rules of engagement and should include:

  • Direct observation of restricted services or data in the absence of access controls
  • Level of compromise of the domain being used by legitimate users.

6. Review of past vulnerabilities and threats: This involves a review and a consideration of all the threats and vulnerabilities that were encountered in the last 12 months. It is more like a historical look into the organization’s environment since the last assessment was performed. This information is very important to give insights on how to handle the current vulnerabilities. Depending on whether it is a white box, grey box or black box test that is to be performed, these are not to be included in the review.

  • Vulnerabilities that were discovered by the organization and have not been resolved within a certain time
  • Compensating controls mitigating the discovered vulnerabilities
  • Upgrades or deployments that are in progress
  • Threats and vulnerabilities that have led to a possible data breach
  • Valid remediation of pen test findings from past years

7. Segmentation: This is done by conducting tests used during the initial stage of network penetration, such as port scans and host discovery. It is performed to verify that all the isolated LANs do not have access to the database. Testing each of these unique segments should ensure that security controls are working as intended. The pen tester should check which LAN segments have access into the organization’s environment and confirm that access is restricted.

8. Post Exploitation: This means taking actions after an initial compromise of the system. It refers to the methodical approach of making use of pivoting techniques and privilege escalation to establish a new source of attack. This can be done from a vantage point in the system in order to gain access to the network resources.

9. Post-Engagement: The following activities should be done after the engagement or testing has been performed:

  • Remediation best practices
  • Retesting all the identified vulnerabilities

10. Cleaning up of the work environment: After the pen test has been performed, it is necessary to do a thorough cleanup of the working environment. The tester does some documentation and informs the organization of any alterations that have been made to the environment. These include, but are not limited to:

  • Tools installed by the tester on the organization’s systems
  • Accounts created as part of the assessment
  • Passwords changed for accounts
  • Any additional documents not related to the organization

11. Reporting and Documentation: A report helps an organization in its efforts to improve upon its security posture and also to identify any areas that are vulnerable to threats. A report should be structured in such a way that the test, and how it was carried out, is clearly communicated. The report should be done in the following steps:

  • Report identified vulnerabilities
  • Any firewall misconfigurations
  • Report of detected credentials that were obtained through manipulation of the web application.

The service of penetration testing is a typical learning experience for everyone in the organization that is involved in it, as well as for the tester. The testers get to discover and learn what works, and what does not work and is not obtainable against the entity being tested. They can also learn how to find ways to adapt to the defenses of the customer. The client, i.e. the organization, gets to learn what they should have known and done, what is less effective, and finally learns to appreciate what is applicable. The pen tester now tries to pick up the pieces and build a strong and long-term relationship with the client.

We at soutech web consults are the perfect consulting firm for carrying out your penetration testing. We have professional staff and team to conduct a well detailed and professional penetration testing. Subscribe for our services today.

 

 

 

Why do you need a Vulnerability Test? Concepts and Methodologies

First of all, let us understand what a vulnerability is. I’ll define a vulnerability as any form of loophole, weakness or mistake found in a system’s security design, its implementation, security procedures or controls that can lead to a violation of the system’s security policy. A vulnerability can make it possible for a cybercriminal or attacker to gain unauthorized access to the system.

As we already know, confidentiality, integrity and availability are the three cores of IT security. Once any or all of these elements are compromised, then one can say there is a security vulnerability. In fact, a single security vulnerability has the potential of compromising one or all of these elements. For example, confidentiality can be compromised if there is an information disclosure vulnerability, while the compromise of integrity and availability can be the result of remote code execution.

What is Vulnerability Testing?

It can also be referred to as vulnerability assessment, which is a software testing technique conducted in order to evaluate the inherent risk in an IT system and the measures employed to reduce or curb the probability of the event.

Vulnerability testing has some similarities with risk assessment and these assessments can be performed following some steps as highlighted below.

  • Developing a catalogue for assets and resources in the system.
  • Assigning rank orders to quantify resources by value and importance.
  • Identifying the potential threats and vulnerabilities to the resources.
  • Eliminating totally or mitigating the high ranked vulnerabilities for the most valuable resources.

Vulnerability testing depends majorly on 2 mechanisms

  • Vulnerability assessment
  • Penetration testing

Objectives of Vulnerability Testing

The common goals and objectives of risk and vulnerability assessments are as follows;

  • To get an accurate inventory of all data and IT assets.
  • To prioritize organizational IT and data assets according to the importance and criticality to the organization
  • To identify and document all the potential risks, threats and vulnerabilities to the organizational infrastructural assets.
  • To prioritize the potential risks, threats and known vulnerabilities based on their impact or criticality on the IT or data assets being affected.
  • To identify and minimize the vulnerability window of the organizational IT and data assets according to the minimum acceptable tolerance level.
  • To curb, mitigate or remediate the identified risks, threats and vulnerabilities and properly plan and budget them based on the criticality of the IT and data assets.
  • To check for compliance with the updated information security laws, regulations, procedures and mandates
  • Just as explained previously, it helps to identify lapses, voids and gaps in the organization’s IT security framework and architecture by looking out for specific recommendations.
  • To identify the potential risks, threats and vulnerabilities that an organization is susceptible to and to find ways to justify the cost of all the security countermeasures and solutions to be adopted in order to mitigate, eliminate or reduce the identified risks, threats and vulnerabilities.
  • To provide an objective assessment and prompt recommendation to help define the organization’s goals and objectives for performing risk and vulnerability assessment.
  • It helps organizations to understand the return on investment (ROI) whenever funds are to be invested in the IT security infrastructure.
  • To scan operating systems, application software and the entire network for known vulnerabilities such as insecure authentication and software designs.

Scope of Vulnerability Testing

 

  1. Black Box Testing: It involves performing vulnerability testing from an external network with no prior knowledge of the internal network infrastructure and systems.
  2. White box testing: It involves performing vulnerability testing within an internal network with prior knowledge of the internal network infrastructure and systems. White box testing can also be referred to as internal testing.
  3. Grey box testing: It involves performing vulnerability testing from either an external or internal network with little knowledge of the internal network infrastructure and system. It involves the combination of black box and white box testing.

Elements of Vulnerability Testing

  • Information Gathering: This can also be referred to as reconnaissance and it deals with obtaining as much information as possible about an IT environment, such as networks, IP addresses and versions of operating systems in use. It is applicable to the 3 scopes of vulnerability assessment.
  • Detection of vulnerability: This process involves the use of vulnerability scanners to scan the IT environment to identify the unknown and potential vulnerabilities.
  • Information analysis and planning: It involves the analysis of all the vulnerabilities that have been identified and further devising a means to penetrate into the network and the systems.

Types of Vulnerability Test

  1. Predefined Tests: These are vulnerability tests that are designed to discover some common vulnerabilities in databases and their environments. Predefined tests can be customized to suit the needs or requirements of an organization. Predefined tests include:
      • Configuration Tests: These check a database for all configuration settings related to security, looking out for common flaws and mistakes in database configurations. Such configuration issues include:
          • Privilege: system-level rights, privileged access to databases and users, and rights of use and creation of objects.
          • Configuration: parameter settings for the database and parameter settings at the system level.
          • Authentication: use of accounts by users, use of remote logins and password policies.
          • Version: versions of the database and patches for the database.
          • Object: sample databases that have been installed, database layouts that have been recommended and ownership of the databases.
      • Behavioral Tests: This test type checks and analyses the security posture and wellbeing of the database environment. It does this by observing the database in real time and checking how information is manipulated. Some of the behavioral tests include:
          • Violations of access rules
          • Excessive login failures
          • Excessive SQL errors
          • Access by default users
          • After-hours logins
          • Execution of DDL and DBCC commands from the client side of the database
          • Checks for calls to stored procedures
          • Checks that user IDs are not used from multiple IP addresses
  2. Query-based vulnerability tests: This test type can either be a predefined test or a user-defined test that can be created easily and quickly by modifying SQL queries which can be run against database entities or resources.
  3. CVE (Common Vulnerabilities and Exposures) Tests: This test type monitors and exposes common vulnerabilities catalogued by the MITRE Corporation and adds the results of the test for vulnerabilities that are related to the database.
  4. CAS-based Tests: This test type can either be a predefined test or a user-defined test which is based on the template of a CAS item found in the OS script command. It uses the collected data. Users can therefore choose which of the template items to test against the contents of the CAS results.
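The behavioral tests listed above can be expressed as detection rules over database audit records. The following is an added example, not code from the original article or from any database product: the pipe-separated log format, the thresholds, the working-hours window, the default-account list and the admin host address are all assumptions, and the log lines are constructed.

```python
"""Behavioral database tests run over a constructed audit log (added example)."""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed records: timestamp|user|client_ip|event|detail (format is an assumption).
SAMPLE_AUDIT_LOG = """\
2024-03-04T09:12:01|app_rw|10.0.5.21|LOGIN_OK|
2024-03-04T09:12:40|app_rw|10.0.5.21|SQL_OK|SELECT
2024-03-04T10:01:10|jdoe|10.0.7.14|LOGIN_FAIL|
2024-03-04T10:01:15|jdoe|10.0.7.14|LOGIN_FAIL|
2024-03-04T10:01:21|jdoe|10.0.7.14|LOGIN_FAIL|
2024-03-04T10:01:30|jdoe|10.0.7.14|LOGIN_OK|
2024-03-04T11:30:00|app_rw|10.0.5.21|SQL_OK|DROP
corrupt-record-without-fields
2024-03-04T14:05:00|jdoe|10.0.9.77|LOGIN_OK|
2024-03-04T23:47:12|sa|10.0.5.21|LOGIN_OK|
2024-03-04T23:48:00|sa|10.0.5.21|SQL_OK|DBCC
2024-03-05T08:00:00|dba_ops|10.0.1.5|LOGIN_OK|
2024-03-05T08:02:00|dba_ops|10.0.1.5|SQL_OK|ALTER
2024-03-05T09:00:00|report|10.0.5.30|LOGIN_FAIL|
2024-03-05T09:20:00|report|10.0.5.30|LOGIN_FAIL|
2024-03-05T09:40:00|report|10.0.5.30|LOGIN_FAIL|
"""

# Tunables: all values below are assumptions chosen for this example.
WORK_START, WORK_END = time(7, 0), time(19, 0)   # logins outside are "after hours"
FAIL_THRESHOLD = 3                               # failures per user ...
FAIL_WINDOW = timedelta(minutes=5)               # ... within this window
DEFAULT_ACCOUNTS = {"sa", "sys", "system", "scott", "root"}
ADMIN_HOSTS = {"10.0.1.5"}                       # hosts allowed to run DDL/DBCC
DDL_VERBS = {"CREATE", "ALTER", "DROP", "TRUNCATE", "DBCC"}


def parse(log_text):
    """Yield (timestamp, user, ip, event, detail); malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield (ts, *parts[1:])


def run_behavioral_tests(log_text):
    """Return {rule_name: sorted list of users that tripped the rule}."""
    findings = defaultdict(set)
    fail_times = defaultdict(list)   # user -> recent failure timestamps
    login_ips = defaultdict(set)     # user -> IPs seen on successful logins
    for ts, user, ip, event, detail in sorted(parse(log_text)):
        if event == "LOGIN_FAIL":
            # Sliding window: keep only failures close enough to this one.
            recent = [t for t in fail_times[user] if ts - t <= FAIL_WINDOW]
            recent.append(ts)
            fail_times[user] = recent
            if len(recent) >= FAIL_THRESHOLD:
                findings["excessive_login_failures"].add(user)
        elif event == "LOGIN_OK":
            login_ips[user].add(ip)
            if not (WORK_START <= ts.time() < WORK_END):
                findings["after_hours_login"].add(user)
            if user.lower() in DEFAULT_ACCOUNTS:
                findings["default_account_login"].add(user)
        elif event == "SQL_OK":
            if detail.upper() in DDL_VERBS and ip not in ADMIN_HOSTS:
                findings["client_side_ddl_or_dbcc"].add(user)
    for user, ips in login_ips.items():
        if len(ips) > 1:
            findings["user_id_from_multiple_ips"].add(user)
    return {rule: sorted(users) for rule, users in findings.items()}


if __name__ == "__main__":
    for rule, users in sorted(run_behavioral_tests(SAMPLE_AUDIT_LOG).items()):
        print(f"{rule}: {', '.join(users)}")
```

The `report` account fails three times but forty minutes apart, so the sliding window keeps it out of the excessive-failure finding, while `dba_ops` running `ALTER` from the admin host is not reported.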

Vulnerability Testing Methodologies

  1. Setup:
      • Begin the documentation process of all assets
      • Secure permissions to credentials and assets
      • Perform tools update
      • Configure the tools
  2. Execute the Test:
      • Run the tools to begin execution
      • Run all the data packets captured while running the assessment tools. (A packet is a unit of data that is crafted to be routed from a source to a destination. If a file, whether an email, HTML or URL request, is being sent from one point to another on the internet, the TCP layer of TCP/IP will divide the file into small chunks, each having a sequence number in its header for efficient routing. These small individual chunks are referred to as packets. On the destination end, the packets are reassembled to form the original file that was sent.)
  3. Analyze the vulnerabilities:
      • Define and classify the system resources as well as the network
      • Prioritize the resources based on their importance, such as High, Medium, Low
      • Identify all potential threats to the assets
      • Based on the priorities, develop a strategy to first handle the most prioritized problems
      • Define and implement measures to mitigate or minimize the consequences of the occurrence of an attack.
  4. Form a Report: Develop a report of all the steps you took to arrive at your results. The report is also important as a guide to aid future understanding of the system, as well as to report to the management of the organization.
  5. Remediation plans: This process involves developing measures and taking the appropriate steps to fix the vulnerabilities.

Responsibilities of a Vulnerability Tester

  1. Unit management, such as Information Security Coordinators and Unit IT supervisors
      • They support and enforce the standards, and approve and submit the annual risk assessment documents to management.
      • They determine the person who maintains the documentation.
      • They also request internal audits, and procure and assign the necessary resources that are needed to implement the standards and policies.
      • They notify the users and support staff who are involved in performing the test.
      • They also request any exceptions.
      • They supervise and coordinate the vulnerability test and also the remediation processes.
  2. The System Administrator and Computing Device Administrator
      • They implement the best practices which are needed to comply with the test.
      • They support and comply with the policies.
      • They scan all the systems and devices in the network for compliance with standards.
      • They monitor the systems actively for any available patches in order to carry out remediation tasks that can affect the user.
  3. Information Security Officer
      • These people approve and oversee all the vulnerability scans.
      • They review and approve the use of any alternative scanning tools when required.
      • They conduct reviews and risk assessments annually.
      • They authorize the removal of network devices from the network when needed.

Vulnerability testing focuses more on determining loopholes and weaknesses in an IT infrastructure. In my next article I will try to shed some more light on the tools which you can use to perform vulnerability testing, since we already have the standard methodologies to follow in order to perform a detailed vulnerability test.

Soutech ventures offers courses that can better equip and train you on all you need to know with practical hands-on knowledge on vulnerability assessment. Subscribe to our CEH course today on www.soutechventures.com/courses

 

 

Secure Connections: What you need to know about SSL Certificates: SOUTECH Cybersecurity Tips and training in Nigeria

The first purchase using an online transaction took place at a Pizza Hut, where the customer purchased a large pepperoni pizza with extra cheese and mushrooms. But 20 years later on, ecommerce has become a bustling economy with over $1.2 trillion in sales in the year 2013.

The growth in online purchases was solidly built on the foundation of trust. By this I mean that people have grown to trust that when they make purchases on websites, these websites are proven to be legitimate and largely secure because of the Secure Sockets Layer (SSL) certificates, often shown on the URL bar of your browser as a little green padlock.

An SSL certificate indicates first of all that there is a secure connection between your personal device and the company website. It also verifies that the provider is who they claim to be. It is very important that you understand the role of an SSL certificate to prevent you from falling prey to scammers and cybercriminals. This is because not all the sites you visit that have SSL certificates as protection are created equal.

Certificate Authorities (CAs) provide SSL certificates, and website owners purchase SSL certificates from these CAs. Different types of SSL certificates provide different levels and layers of security, but there have been issues over time. The issue is that inasmuch as these certificates provide that safety padlock that you have on your browser along with HTTPS (where “S” means “Secure”) also found on the address bar, the security levels provided by these certificates differ to a large extent. This is the reason why I’m trying to help you understand what type of SSL certificate a website uses, especially when you want to do any financial transactions and anything that is related to your personal financial credentials.

I’ll throw some more light on the types of certificates and how they work.

Types of Certificates

  • Domain Validator (DV): The domain validator simply verifies the owner of a site. In this case, the CA just has to send an email to the email address with which the website was registered. This is done in order to verify the identity of the website owner. Many cybercriminals make use of the domain validator because they can obtain it easily and by so doing make the website appear a lot more secure than it actually is. Over time, cybercriminals have taken to using DV certificates to lure users to phishing websites, i.e. websites that look legitimate but are crafted for the sole purpose of stealing a user’s sensitive data.
  • Organizational Validators (OV): The process of obtaining an OV takes a longer period. For an OV certificate to be obtained, the CA needs to validate some basic information such as the organization, the physical location of the organization and its website domain.
  • Extended Validator (EV): This is the highest level of security and often the easiest to identify. The process of issuing an EV certificate tries to increase the level of confidence in the business by making the CA perform an enhanced review of the applicant. This process of review involves an examination of corporate documents, confirmation of the identity of the applicant and checking through third-party databases for information. In the browser’s URL bar, this adds the “S” that is a part of HTTPS, the company’s name in green and also the padlock.

Now take a look at these URLs and try to notice the difference. The first is the DV certificate; the second is an OV certificate, which actually looks like the first. The only difference is the “.” before the com.

Now the last one clearly is an EV certificate.

What can you do to be safe?

Now that you know what an SSL certificate is, its importance and the three different types, and you also know that a DV-enabled site poses a huge risk of being scammed, I’ll give out a few tips on how to reduce the risk when performing any form of online transaction that involves your sensitive credentials.

  1. Be Alert: The fact that a website has a padlock or HTTPS next to its URL is not a guarantee that it is certified safe for financial transactions. Users are used to looking out for these two things before performing any transaction, which is all the more reason why cybercriminals go through the trouble of obtaining SSL certificates: to make the site look legitimate.
  2. Look out for the SSL certificate type that a website has: The first thing you should do is to look for any visual cues that indicate security, like a green color and a lock symbol in the address bar of your browser. Just a quick reminder once again that it is only an EV-enabled website that has the company name in the address bar. However, browsers do not clearly display the difference between a DV and an OV certificate, so to enable you to tell the difference, there is an open source tool (https://safeweb.norton.com/) developed by Norton that can help you. All you have to do is simply copy the URL and paste it directly into the tool. The tool will tell you if the site is DV, OV or EV-enabled and give more explicit results to tell you if the site is legitimate and safe.
  3. Perform transactions only on OV and EV-enabled websites: If you analyze the URL with the tool I just explained above, and it gives you a result saying that the site has a DV certificate, have a rethink as regards conducting any transaction with that site. If it is an OV or EV-enabled site, then you can conduct your transaction with confidence that your business information is safe.
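The DV, OV and EV types described above can be told apart from the certificate itself, which helps where the browser shows the same padlock for DV and OV. This is an added example, not code from the original article: it reads the subject fields that Python's `ssl.getpeercert()` returns and, when supplied, the CA/Browser Forum certificate policy OIDs; the subject-field heuristic, the function names and the sample certificates are assumptions constructed for illustration.

```python
"""Classify a TLS certificate as DV, OV or EV (added example, constructed data)."""
import socket
import ssl

# CA/Browser Forum certificate policy OIDs that state the validation level.
POLICY_LEVELS = {
    "2.23.140.1.1": "EV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.1": "DV",
}
RANK = {"DV": 0, "OV": 1, "EV": 2}
# Subject attributes found only in EV certificates. Older OpenSSL builds
# report the jurisdiction country by its dotted OID instead of a name.
EV_ONLY_FIELDS = {"businessCategory", "jurisdictionCountryName",
                  "1.3.6.1.4.1.311.60.2.1.3"}

# Constructed subjects in the nested-tuple shape getpeercert() uses.
DV_CERT = {"subject": ((("commonName", "shop.example"),),)}
OV_CERT = {"subject": ((("countryName", "NG"),),
                       (("organizationName", "Example Retail Ltd"),),
                       (("commonName", "www.example.com"),))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "NG"),),
                       (("serialNumber", "RC-0000000"),),
                       (("organizationName", "Example Bank Plc"),),
                       (("commonName", "www.example.org"),))}


def fetch_cert(host, port=443, timeout=5):
    """Fetch a server certificate as the dict returned by getpeercert().
    Needs network access. Policy OIDs are not in this dict; they must come
    from a full X.509 parser (for example the output of `openssl x509 -text`)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def subject_fields(cert):
    """Flatten the nested subject tuples into a {name: value} dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def level_from_subject(cert):
    """Heuristic (assumption): no organization means DV; an organization plus
    a serial number and an EV-only attribute means EV; otherwise OV."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"
    if "serialNumber" in fields and fields.keys() & EV_ONLY_FIELDS:
        return "EV"
    return "OV"


def level_from_policies(policy_oids):
    """Highest level asserted by known policy OIDs, or None if none is known."""
    levels = [POLICY_LEVELS[oid] for oid in policy_oids if oid in POLICY_LEVELS]
    return max(levels, key=RANK.get) if levels else None


def validation_level(cert, policy_oids=()):
    """Combine both signals; on disagreement report the lower level and warn."""
    by_subject = level_from_subject(cert)
    by_policy = level_from_policies(policy_oids)
    if by_policy is None:
        return {"level": by_subject, "source": "subject", "warnings": []}
    warnings = []
    if by_policy != by_subject:
        warnings.append(
            f"policy OID says {by_policy} but subject fields look like {by_subject}")
    level = min(by_policy, by_subject, key=RANK.get)
    return {"level": level, "source": "policy", "warnings": warnings}


if __name__ == "__main__":
    for name, cert in (("DV", DV_CERT), ("OV", OV_CERT), ("EV", EV_CERT)):
        print(name, validation_level(cert))
```

A DV result says nothing about who operates the site, only that someone controlled the domain when the certificate was issued.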

Online transactions have come to stay and will not be phased out anytime soon. People will have to bear with the crude task of combatting cybercriminals as regards phishing. I will tell you that knowing the risk ahead of time keeps you from becoming a victim of phishing websites.

You can subscribe to our well detailed course in ethical hacking at soutech web consults to learn about cybersecurity and how you can stay protected at all times.

 

Learn smart website design( ecommerce , company and blog websites) within days- SOUTECH Academy

So you really want to be a website designer? Well, website designing is very interesting and website designers around the world earn some reasonable amount of wages. It is a process of bringing in concepts and ideas into a functional reality.

WHY WEBSITE DESIGN?

As a website designer, you have many options to choose from when it comes to career choices. A website designer has a set of I.T. skills that puts the individual in positions such as website consultant, creative content creator, website administrator, webmaster, website theme developer, plugins developer, theme and plugin customization expert, blogger and much more.

A website designer possesses the ability to design and launch a functional website or blog, and can also manage and maintain websites, including creating content for various websites, and consulting and training other people on website designing. Website design comes with many opportunities, giving you enough room for work flexibility, as you can choose to work from anywhere; all you need is a computer and internet service. You can become a website designer by spending three (3) days with Soutech Web Consult for an intensive website design training and become an expert in less than one month.

WHY SOUTECH WEB CONSULT

Soutech offers various I.T. trainings such as Certified Ethical Hacker, Website Design, Web Development, Mobile App, Digital Marketing and many more. Visit www.Soutechventures.com/courses to learn more. Soutech trainings are hands-on, emphasizing relevant areas, with over 30 days’ mentorship giving you an opportunity to have your own website for practice and experience. The training labs are conducive, in a serene environment that gives you comfort throughout your training period.

THE NEED OF WEBSITE DESIGN

The need of website design is based on the demand of websites.

A website is the single most important marketing tool for any business. It serves as a virtual equivalent of a physical business for the over 3 billion internet users. Think about it: when you want to learn more about a company, you typically turn to Google and search about the company and most times you eventually end up on their website. The same process happens when you are looking for products and services.

As a web development and marketing services company, whenever someone searches for Soutech Web Services, they’ll usually hit our website as the main source to learn about our services, our work, and about the team.

Now, for any organisation that offers services, users will certainly turn to past clients and case studies section of a website. So much information is gained by users browsing a website: what users see and read shapes the perception of the company or brand in the user’s decision-making. According to Statista, over 2 billion people are expected to buy goods and services online by the year 2019. So, having the best content on your website is important so that your website acts as your main marketing tool.

A well-built website should be mobile-responsive, an important aspect to consider because it contributes to making a website the most important marketing tool as more and more users browse the web on smartphones (more than desktop usage now, according to Google). Any organisation that desires growth cannot afford to miss out on opportunities for new leads by not having a responsive website.

So there you have it – a website is the most important marketing asset, not just because it acts as a salesperson and a brand ambassador, but because it can be used to genuinely connect with potential customers, whether that’s through engaging content, mobile-responsive layout, or intelligent analytics and personalization. If a website isn’t hitting all these goals, that’s all right. It’s definitely an iterative process, and few if any websites can accomplish everything they need to right out of the gate. It is imperative to add these goals to an overall inbound marketing strategy and work on executing them; by doing so, there is assurance that a business will continue to grow. That is what every organisation wants, to grow, hence they will seek the services of someone with the ability to activate that growth through digital presence, which is where you come in as a website designer.

So are you ready? The first step is to visit www.soutechventures.com/courses and give us a call today.

Penetration Testing Training in Nigeria (Certified Ethical Hacking, Certified Penetration Tester, Certified Expert Penetration Tester and the Metasploit Pro Certified Specialist)

Expert Penetration Testing Course Overview

SOUTECH Web Consults Penetration Testing Training, delivered in the form of a 10 Day Boot Camp style course, is the information security industry’s most comprehensive penetration testing course available. You will learn everything there is to know about penetration testing, from the use of network reconnaissance tools, to the writing of custom zero-day buffer overflow exploits. The goal of this course is to help you master a repeatable, documentable penetration testing methodology that can be used in an ethical penetration testing or hacking situation. This penetration testing training course has a significant Return on Investment, you walk out the door with hacking skills that are highly in demand, as well as up to four certifications: CEH, CPT, CEPT and the MPCS!

HOW YOU’LL BENEFIT:

  • Gain the in-demand career skills of a professional security tester. Learn the methodologies, tools, and manual hacking techniques used by penetration testers.
  • Stay ethical! Get hands-on hacking skills in our lab that are difficult to gain in a corporate or government working environment, such as anti-forensics and unauthorized data extraction hacking.
  • Move beyond automated vulnerability scans and simple security testing into the world of ethical penetration testing and hacking.
  • More than interesting theories and lecture, get your hands dirty in our dedicated hacking lab in this network security training course.

After SOUTECH’s Penetration Testing Training course, you will be prepared to take (and pass) up to 4 certifications:

  • CEH – Certified Ethical Hacker
  • CPT – Certified Penetration Tester
  • CEPT – Certified Expert Penetration Tester
  • MPCS – Metasploit Pro Certified Specialist

Prerequisites:

  • Firm understanding of the Windows Operating System
  • Exposure to the Linux Operating System or other Unix-based OS
  • Firm understanding of the TCP/IP protocols.
  • Exposure to network reconnaissance and associated tools (nmap, nessus, netcat)
  • Programming knowledge is NOT required
  • Desire to learn about Ethical Hacking, and get great penetration testing training!

Course Cost: N750,000 ( 10% Discount for Educational and Group Training)

Duration: 10 Days

Weekday Option: Mon-Fri (for 2 weeks), 9am-3pm daily

Weekend Option: Sat 9am-5pm and Sun 2-6pm (5 weekends)

10 Deadly sins of Wireless Security- SOUTECH Cybersecurity Training tips, hints

Ten Deadly Sins in Wireless Security

The emergence and popularity of wireless devices and wireless networks has provided a platform for real-time communication and collaboration. This emergence has created new IT vulnerabilities, which in turn have created the necessity to establish practices that make the wireless environment secure and convenient in order to reap all of the benefits associated with wireless technology. This paper focuses on the ten deadly sins of wireless security.

Wireless technology is yet another offshoot of the information and communication technology revolution. Users now rely extensively on networks for carrying out personal and business activities. Wireless networks provide users with real-time access to information from anywhere at any time without the constraint of wired networks. In essence, wireless networks provide mobility that is unavailable with wired networks. It is easier to install a wireless network, and systems can be configured to communicate in the wireless environment. As more and more people use wireless devices and online services, wireless networking is set to make inroads into the daily routine of users.

Attend a Certified Ethical Hacking Training in Nigeria – Live Class in Abuja, Online Training from anywhere (Lagos, Port Harcourt, Kano, Ghana – all cities anywhere around the world).

https://www.soutechventures.com/certified-ethical-hacking-training-in-abujanigeria/ 

Best website hosting service in Nigeria- Learn Web Design Skills in Abuja, Lagos, Port Harcourt Nigeria

WEB HOSTING, WHAT DOES THAT MEAN?

One of the questions we often hear from new students or clients who want to learn or venture into web design and development is: what is web hosting and how does it work?

Well, think of hosting as a house: it could be an apartment building or a lake-view terrace that you rent for a particular purpose, in our context a website. Websites are hosted on web servers, and in order to get your website hosted you pay for a web-hosting service. You will be given a space to run your business, just an empty space with no shelves and no furnishing, although it is easy to furnish your space by installing any framework you want, choosing from the many that come with your cPanel account. If you do not have a hosting service, you will have no place to put your files, and the domain name you bought (if you already have one) will be just a virtual house address with no physical building. To run a website, you need three basic things: a domain name, hosting and web content. Your web content includes text and media files that need a space to be stored in, which is where web hosting comes into play.

CHOOSING A HOSTING PLAN.

When choosing a web hosting plan, you should first consider what type of website you are going to be running. Is it going to house members? Will it be a database driven website or static HTML? Will it be strictly informational? Will you be running an e-commerce store? How huge are your website files? What is your estimated traffic? All these will affect the choice of hosting you want.

Just like the housing illustration, most web-hosting providers offer three main categories: Shared, VPS and Dedicated Servers.

Shared Hosting – This hosting type is more like an apartment building, where you, your neighbour and everyone else use the same resources. If one of the neighbours is over-using a resource, it can affect the others on the server. It is the cheapest and most common type of hosting. Many people start out on a shared hosting plan.

VPS – Virtual Private Servers are much like a townhome, or row house. Each account is like its own home unit. Accounts have separate resource allocations and much more control over their site environment. However, just as on shared hosting, tenants that overuse resources may have an effect on the other accounts on the server. This happens less often on a VPS than on a shared server.

Dedicated server – This is like owning your own house, the entire building is yours. In other words, the entire server is yours. All the resources are dedicated to your account, so no one else can bother you on the server. Just like a house, it varies in sizes, so you may need to upgrade to larger dedicated servers as your website grows.

Irrespective of the hosting category you choose, you will still have to decide on the size of space and amount of allocated bandwidth you will want to acquire. You can always upgrade to increase space and bandwidth as you desire in future.

Website content/files are what your visitors and potential customers actually see when they visit your site. The site files are no different from any other file you normally use, like a .jpg photograph or an .mp3 music file, though website files can also be .php files or .html files, which are PHP scripts or HTML pages respectively.

Web hosting services work simply by giving us a storage space where our website files are stored on high-powered computers (web servers) connected to a very fast network. In web hosting, anything related to managing these servers and their software, security, support, bandwidth, speed and so much more is known as web server management.

I hope you now understand what is web-hosting, do not forget to order a hosting space with us, visit http://www.soutechhosting.com

Learn website design today, online or offline! Don’t miss it. Start learning to earn.

www.soutechventures.com/courses

How to build and design a website within 3 days: SOUTECH Web design training school Abuja, Nigeria

Learning how to build a website is much more fun, and less painstaking, than is often presumed. You can learn how to build your own website within just days. Gone are the days when you had to be a web programmer and learn how to code before building websites. Today, with the emergence and development of content management systems, building websites has become much easier. A lot of content management systems are open source, which means you can use them freely and also modify the code to achieve what you want. The open source content management systems have also led to the development of website templates, components and plugins which add specific functionality to our websites.

You can easily change website layout, colour and fonts styles with just a few clicks and add functionalities by installing desired plugins and components.

Some widely used content management systems include:

  • WordPress
  • Joomla
  • Drupal
  • Open
  • Magento and so much more

YOU CAN ALSO TRY WYSIWYG

Although building websites with a CMS is recommended, building without a CMS is also achievable and fun. There are many WYSIWYG (what you see is what you get) website editors that make creating a website easy. Some WYSIWYG editors, like Adobe Dreamweaver, also give you the opportunity to learn some HTML tags and code by splitting the window into a design view and an editor view. Microsoft Expression Web is also a good WYSIWYG editor with lots of features that are fun to explore.

If you are not a fan of GUI tools, there are also editors and IDEs that you can make use of, such as:

  • Aptana Studio
  • Brackets
  • Codelite
  • Netbeans
  • Notepad++
  • PHPeD
  • PHPStorm

 BEGINNERS LOVE CMS

Though PHP frameworks such as Laravel have proven to be a better practice in web development, especially for OOP (Object Oriented Programming) projects, beginners still find it easy to learn website design using a CMS. A CMS offers many advantages to designers, developers and content managers: speedy development and, to some extent, simple access to advanced features. You can install new website templates seamlessly without altering the website content. Some CMS include everything you need to implement an integrated online marketing strategy. Most CMS contain tools for search engine optimization, email and SMS marketing, social media marketing and blogging. You can also use a CMS with the necessary plugins to create event registration forms, collect fees and donations, and store member information.

 SOUTECH MAKES IT EASY

Despite the fact that building websites using CMS is easy, some knowledge and skills are required in order to make effective use of the software mentioned above. These skills and knowledge can be learned by completing a certificate course on Website Design Management. Soutech has designed this course to enable you to become acquainted with content management system. You have the options to either have a live training which I recommend, or order for our visual training online via www.soutechventures.com

Becoming an expert website designer is easy at Soutech Web Consult. Soutech has designed a complete CMS Website Design package that enables you to become a WordPress CMS expert.

Do you want to become an expert website designer, able to build websites for schools, churches, institutions, government agencies, hotels and just about anybody?

Want to become a partner and start reselling software? Visit: www.buyallsoftwares.com

Do you want to buy over 150 ICT Training home kits?  https://buyallsoftwares.com/product-category/dvd-training-kits/

Do you want to buy any antivirus?  https://buyallsoftwares.com/product-category/antivirus-softwares/

Buy iTunes gift card and get 24hrs Delivery: https://buyallsoftwares.com/product-category/gift-cards-2/

Building a fully responsive, functional and interactive website using Content Management System- Website Design Training in Nigeria. SOUTECH

Building a website using a CMS is as fun and simple as playing a video game. You have access to a graphical interface that saves you the stress of coding, drag-and-drop functionality that eliminates waiting time, and WYSIWYG editors, so you do not need to refresh your browser all the time for testing.

Most CMS ship with a few default plugins and components that can be used in developing websites, and you can install additional plugins at will. The CMS with the largest number of downloads and installations still remains WordPress. WordPress is the real deal when it comes to open source CMS. It has robust plugins for various functions and the largest number of website templates.

There are some plugins that could be extremely useful once you have installed WordPress and are ready to start building your website.

LOGIN AND SECURITY:

When building websites with a CMS, there are always some serious concerns when it comes to login and security. For instance, you will want to control access for your users and administrative roles as well. Some level of programming knowledge might be required to implement certain protocols in order to safeguard and control your WordPress dashboard (backend). However, some developers have already created plugins that will do all those painstaking tasks for you. Some important plugins that could be useful in this aspect are:

Wordfence: is great for beginners and pro users alike; it covers login security, security scanning, IP blocking, and WordPress firewall and monitoring. It performs a deep server scan of a website’s source code and compares it to the official WordPress repository for core, themes and plugins.

Login LockDown: records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range.

Sucuri: offers a free plugin that is available in the WordPress repository. This plugin offers various security features like malware scanning, security activity auditing, blacklist monitoring, effective security hardening, file integrity monitoring, and a website firewall. It is a security suite meant to complement your existing security posture.
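The lockout behaviour described for Login LockDown above can be sketched as follows. This is an added Python example, not the plugin's own code: the class name `RangeLockout`, the thresholds, the lockout duration, the /24 and /64 range sizes and the sample events are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque


class RangeLockout:
    """Track failed logins per IP range and lock a range that exceeds the limit."""

    def __init__(self, max_failures=3, window_s=300, lockout_s=3600,
                 v4_prefix=24, v6_prefix=64):
        # All defaults are assumed values, not taken from any plugin.
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self._failures = defaultdict(deque)  # network -> deque of (timestamp, ip)
        self._locked_until = {}              # network -> unlock timestamp

    def range_of(self, ip):
        """Map an address to the network used as the counting key."""
        addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
        prefix = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

    def is_locked(self, ip, now):
        net = self.range_of(ip)
        until = self._locked_until.get(net)
        if until is None:
            return False
        if now >= until:                 # lock expired, forget it
            del self._locked_until[net]
            return False
        return True

    def record_failure(self, ip, now):
        """Store IP and timestamp; return True if this failure locks the range."""
        net = self.range_of(ip)
        attempts = self._failures[net]
        attempts.append((now, str(ip)))
        # Drop failures that fell out of the sliding window.
        while attempts and now - attempts[0][0] > self.window_s:
            attempts.popleft()
        if len(attempts) > self.max_failures:   # "more than a certain number"
            self._locked_until[net] = now + self.lockout_s
            attempts.clear()
            return True
        return False

    def attempt(self, ip, now, password_ok):
        """Decide one login request: blocked, ok, failed, or locked."""
        if self.is_locked(ip, now):
            return "blocked"             # refused before the password is checked
        if password_ok:
            return "ok"
        return "locked" if self.record_failure(ip, now) else "failed"


# Constructed sample events: (seconds, client IP, password correct?)
EVENTS = [
    (0, "203.0.113.10", False),
    (20, "203.0.113.11", False),
    (40, "203.0.113.12", False),
    (60, "203.0.113.13", False),   # 4th failure from the same /24 in 5 minutes
    (90, "203.0.113.200", True),   # right password, but the range is locked
    (100, "198.51.100.5", False),  # different range, counted separately
    (4000, "203.0.113.10", True),  # lock has expired
]


def replay(events):
    guard = RangeLockout()
    return [guard.attempt(ip, ts, ok) for ts, ip, ok in events]


if __name__ == "__main__":
    for event, decision in zip(EVENTS, replay(EVENTS)):
        print(event, "->", decision)
```

Behind a reverse proxy or CDN, the address passed in must be the client's, read from a forwarding header only when the connection comes from a proxy you trust; otherwise every visitor shares one counter or the counter can be evaded.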

SEARCH ENGINE OPTIMISATION (SEO)

A good web presence rests on effective SEO management. This includes keywords, tags, image descriptions, etc. Some of the plugins that can manage your WordPress website SEO are:

WordPress SEO by Yoast: is one of the best free SEO plugins for WordPress. This single plugin takes care of many aspects of your WordPress website’s SEO. It can be used to add meta values for the homepage and single posts, perform social SEO, create a sitemap file and control indexing of your website.

SEMrush: Unlike the others, which are plugins, this is a web-based tool. Think of SEMrush as a complete SEO suite for people with or without SEO skills. The most popular feature of SEMrush is that it lets you do a complete site SEO audit, which helps you identify SEO issues that are preventing the organic growth of your blog.

 

SOCIAL MEDIA INTEGRATION

One of the reasons why WordPress has become the developer’s choice is the range of plugins that can be integrated into your website easily. Below are some useful social media integration plugins:

Sumo Share: offers multiple apps designed for increasing traffic. It is made specifically for WordPress, and has a lot of options for customizing the social buttons that you add to your website. It comes with a simple interface that makes choosing where to place the icons easy. It’s a free plugin that also has a premium version with advanced features for $20 a month.

Smart Website Tools by AddThis: is a neat plugin which requires that you register on the AddThis service in order to use it. It offers numerous placement options for your social media icons. You can make use of five of them for free, while a premium version that offers you another five costs $12 per month.

WP Social Sharing: is a well arranged plugin supporting 6 of the big social media networks, including Facebook, Twitter, Pinterest and LinkedIn. The great thing about it is that it’s mobile-friendly and allows easy resizing for mobile devices. It also supports shortcodes, and enables you to modify the text for your social media buttons.

Jetpack: is a great plugin for your social media needs, with an easy-to-use but actual sharing component. But it’s also much more than that, as it contains 34 other modules, adding numerous functionalities to your WordPress website.

COMMUNICATION

Communication is a dynamic feature that circles a good website. In order to keep your website alive and dynamic, you will need to install some communication plugins such as;

Subscribe Me: the free Subscribe Me plugin makes it easier for your visitors to use some of the most popular feed reading applications or services to subscribe to your feed, by adding a popup that lets them choose which service they want to use.

Contact Form 7: manages multiple contact and other forms, and allows you to customize the form and the mail contents easily with simple markup. The form also supports Ajax-powered submitting, CAPTCHA, Akismet spam filtering, etc.

Zendesk Chat (formerly Zopim Live Chat): is one of the most popular live chat services available to WordPress users. It is easily installed thanks to a dedicated WordPress plugin, available for free from the official repository. Zopim’s chat boxes are among the most stylish you will find, with beautiful, customizable layouts and themes.

WP Live Chat Support: the only completely free option in today’s list of best live chat plugins for WordPress – though you can unlock additional features by upgrading to the Pro version for $39.95.

It is also good practice to explore the WordPress plugins directory and, if possible, test some plugins to see how they work for you. You will be amazed at what you discover. Do not forget that it is advisable to deactivate and uninstall any unused plugin. Also adopt the practice of updating any outdated plugin in order to enhance the security of your WordPress website.

Becoming a WordPress expert is easy at Soutech Web Consult. Soutech has designed a complete CMS Website Design package that enables you to become a WordPress CMS expert.


Local Web Development via a server: Learn how to start developing websites- SOUTECH

So you have just found web development interesting and want to learn, or you are a beginner in web development? Whichever category you belong to, you will definitely find this article interesting and useful. During my first three months as a beginner in web design, I recall how difficult it was for me to see my code displayed in the browser as intended. Most times the HTML displayed just fine while some PHP and JavaScript would not display as intended, and I often wondered what I was not doing right. That was before I met a good friend called “Local Server”. Of course, PHP is a server-side language, so you will definitely need a server to run it.

Local Server

A local server, often called localhost, is software with built-in functionality that makes your website look just as it would when hosted on a live server. You will need a local server if you intend to install and run a Content Management System on your computer. It can be accessed by pointing your browser to 127.0.0.1 or http://localhost; at some point you might need to add a port, e.g. http://localhost:8080. To install a local server on a Windows computer you can choose between XAMPP (X-Cross-Platform, A-Apache, M-MariaDB, P-PHP and P-Perl) and WAMP (Windows, Apache, MySQL, PHP). I prefer XAMPP, which works just fine for me, and other developers find it awesome too. Don’t worry, both packages are open source.

Functionality

The two functions most often used are the server (Apache) and the database (MariaDB). The Apache server, which is known to be the best server in the world, serves HTTP documents over the internet and allows your website to be published locally for testing. MariaDB is one of the most popular open source database servers, created by the original developers of MySQL; it allows for database creation when building a data-driven website.

How to install

We will use this guide to install XAMPP as our local server. Without wasting any time, head straight to https://www.apachefriends.org/index.html and choose the version of XAMPP you prefer to download (I suggest you choose the one with a widely used PHP version). After the download is complete, open the folder where you saved the file and double-click the installer file.

First, you will be prompted to select the language you wish to use in XAMPP. Click the arrow in the drop-down box to select your desired language from the list, then click OK to continue the installation process.

If you are using Windows 7 or higher, you will see a pop-up window, warning you about User Account Control (UAC) being active on your system. Do not panic, just click OK to continue the installation.

Next, you will see the Welcome to The XAMPP Setup Wizard screen. Click Next to continue the installation.

The next dialogue screen will allow you to choose which components you would like to install. To run XAMPP properly, all components checked need to be installed. Click Next to continue.

Next comes the Choose Install Location screen. Unless you would like to install XAMPP on another drive, you should not change anything. Click Install to continue.

Relax while XAMPP extracts files to the location you selected in the previous step.

Once all of the files have been extracted, the Completing The XAMPP Setup Wizard screen will appear. Click Finish to complete the installation.

Click Yes to open the XAMPP Control Panel after you have clicked Finish in the previous screen.

You now have a local server.

A local server is ideal for testing when building websites and web applications. XAMPP needs to be configured properly for better functionality. To learn more about building web applications and testing with a local server, I recommend you enroll in a web design training at Soutech Web Consult.

Why you should start digital marketing TODAY: SOUTECH Ventures business growth guide

WHY YOU SHOULD “SWITCH” TO DIGITAL MARKETING

Digital marketing has not only proved to be the foundation of modern marketing; it also shows how marketing can be done cost-effectively, with a higher rate of return. Technology has taken command of almost everything. Today, technology has taken on the face of digitalization, which has started to look like quicksand in which everything is absorbed and turned into a new digital world. Today the concept of digital marketing, with or without organic and inorganic techniques, allows individuals and entities to bring their businesses and services onto the internet and establish them by means of online marketing.

Digital marketing refers to advertising and promoting businesses, services, and brands through digital media channels. A digital media channel can be any platform that can deliver information electronically, such as websites, social media, mobile, e-mail, radio, television and billboards.

The Cost Effective Marketing

Regardless of the size of your pocket, digital marketing can help in establishing your business portfolio in a more productive manner, where every resource spent generates value. The “switch” to digital media is being driven by marketing agencies, business owners and consumers alike. The increasing demand to show quantifiable results has made going digital a dream for every marketing agency.

The cost of digital marketing is very low to an extent, especially for business owners. Having an effective web presence whilst engaging customers in conversations through social media and e-mail marketing, are low-cost alternatives to print advertising. In a simple illustration I would say; if you are to share flyers to some people using print media, each flyer has a cost and there is no guarantee that a person you give a flyer will gain interest. But in digital marketing, all you need is one flyer in soft-copy which can be broadcast to as many persons as possible.

You should be where you can be found

The easiest way consumers can find your business is by whipping out their phones and searching for the products or items they intend to purchase. If your digital marketing strategy is effective and uses the right keywords appropriately, your business and services will experience robust growth globally. Every business has some kind of product and every product needs promotion, and promotion must follow a strategy, starting with a unique approach called digital marketing. No marketing technique has ever had the kind of reach that digital marketing has achieved. For instance, any update you make on a social media network like Facebook will be noticed in no time, and conversation will start on that update. In the case of digital marketing, that update could be about a new product or a new service.

Taking the first step

A good approach to digital marketing, I would say starts by having a website that does the following:

  • Adequately represents your business and brand (look and feel, messaging)
  • Adequately speaks to your target audience
  • Can be found by searchers on top search engines
  • Is up-to-date and easily navigable
  • Provides multiple channels for customer communication
  • Connects to other marketing efforts

Of great importance is the need to be consistent. If you are not consistent in your digital marketing approach then you might not get your desired results.

Focus is also key to getting to the top of Google search engine results. There is nothing like using a good content marketing strategy to attract your potential customers and clients to your website.

Soutech Web Consult is an I.T company that specializes in providing solutions in both I.T and E-business. At Soutech, a training on Digital Marketing will shape your knowledge towards engaging in effective digital marketing.

Enroll for a digital marketing training today.

 

How to become a mobile application development expert- SOUTECH Ventures

A little bit of history:

With mobile device manufacturers each having their own preferred development environment, a growth in mobile phone applications that are World Wide Web capable, and a large population of HTML-savvy developers, web-based application frameworks have arisen to help developers write applications that can be deployed on multiple devices.

There are several ways to build mobile applications, and using a framework

A framework is the base of your future application. Its usage greatly simplifies the whole development process. Instead of writing an application from scratch and dealing with large portions of code to make your application work on different platforms, you use a framework. Here’s a list of frameworks for mobile app development.

Also, what is a hybrid application? Hybrid development combines the best (or worst) of both the native and HTML5 worlds. We define hybrid as a web app, primarily built using HTML5 and JavaScript, that is then wrapped inside a thin native container that provides access to native platform features.

1. Bootstrap

Bootstrap is a free, open-source front-end framework used for creating websites and web applications. It contains HTML- and CSS-based templates for forms, buttons, typography, navigation and other interface components, as well as optional JavaScript extensions.

2. Apache Cordova

Apache Cordova is a popular Mobile Development Framework. Cordova enables software programmers to build applications for mobile devices using HTML5, CSS3, JavaScript, Android, iOS, Windows Phone.

3. Ionic

Ionic is free and open source. It offers a library of mobile-optimized HTML, CSS and JS components, gestures, and tools for building highly interactive apps. It is built with Sass and optimized for AngularJS.

4. Framework 7

It is an HTML framework for building iOS and Android apps. Framework 7 is an open-source framework for developing hybrid mobile apps. It is a full-featured HTML framework for building iOS and Android apps.

5. PhoneGap

PhoneGap is an open source framework for building fast and easy mobile apps. It builds hybrid applications with HTML, CSS and JavaScript.

6. Appcelerator Titanium

Appcelerator Titanium is an open-source framework. It allows you to create mobile apps on platforms including iOS, Android and Windows Phone from a single JavaScript codebase.

7. jQuery Mobile

It is an HTML5-based user interface system designed to make responsive web sites and apps. JQueryMobile is a robust mobile development framework. It is used to build cross-mobile platform app. JQuery Mobile supports a wide range of different platforms, from a regular desktop, smart phone, tablet.

8. React Native

React Native builds mobile apps using only JavaScript. It uses the same design as React, letting you compose a rich mobile UI from declarative components. It builds native iOS and Android apps with JavaScript.

9. Kendo UI

The Kendo UI framework builds interactive, high-performance websites and applications. The framework comes with a library of UI widgets, a client-side data source, an abundance of data-visualization gadgets and a built-in MVVM library.

10. Onsen UI

Onsen UI is an open-source UI framework. It is based on PhoneGap and Cordova. Onsen UI allows the developers to create mobile apps using CSS, HTML5, and JavaScript.

What Next:

Get a complete home video/slides/book training kit on each of this framework and start developing mobile apps:  Click Here – Nationwide Delivery within 24hrs.

Attend a hands-on training at SOUTECH Mobile Application Development training in Abuja. Contact Us Today. Click here to attend a training today.

Mobile Application Development Solution and Training Company in Abuja, Nigeria

We are a mobile app development company with experience of delivering over 500 projects for about clients across Nigeria, Africa, US, Europe, Australia and the Middle East.

We provide affordable solutions with high levels of satisfaction to global organizations at competitive prices. The following is a list of the services we offer:

  • UX/UI Design
  • iOS, Android and Windows based Apps Development
  • Web Application Development (LAMP, .NET, Python)
  • Enterprise Application Development (Web, Mobile and MS technologies)

Get in touch with us today for your solution deployment.

Professional Training Videos for Microsoft, CompTIA, AutoCAD, Graphics and Branding, SPSS, Motivational in Abuja, Nigeria

Soutech Ventures is primarily an Information Technology Firm, which was created to be the numero uno in business promotion development & implementation, eBusiness & IT systems integration and consultancy industry of the Nigerian Economy and to partners worldwide.
We have over 50 discounted training kits on any industry subject: DVD packs (minimum 20hrs of hands-on training videos).


 
Cost: 6,500 Each including next day shipment via courier
 

Payment can be made via Bank deposit/transfer.

Account Details
DIAMOND BANK
SOUTECH VENTURES
0054227379

Debit/Credit Card Payment

*Please remember to notify us after successful payment, or send a payment notification directly to this email address: contact@soutechventures.com, 08034121380

 Some titles

  1. 50+ Motivational Audio Books by John Maxwell and Brian Tracy
  2. Advance Blogging for cash Training -Make Money Online
  3. Advance Website Analytics, Tracking, Audit and Security
  4. Advanced Excel Training course for Statisticians and Accountants
  5. AUTOCAD Full Training Course
  6. Bootstrap Website Developer Course
  7. Branding- Building Brands and Increasing Revenue for Business Executives
  8. Building Enterprise eCommerce-Online Store Websites
  9. Building Mobile App with AngularJS and Ionic
  10. Building Online Website Forums
  11. Business Analysis
  12. C# Complete Developer Course
  13. Cloud Computing Training Course
  14. CMS- WordPress and Joomla Theme Developer Course
  15. Complete Email Marketing Course+ Free 1mil Email Database
  16. Complete Violin Training Course
  17. CompTIA A+ Computer Repair, Maintenance and Upgrade
  18. CompTIA Linux Training
  19. CompTIA N+ Networking Training
  20. CompTIA Security Training
  21. CompTIA Security+ Training
  22. Computer Literacy for Windows
  23. Core Javascript Master Developer Course
  24. Dreamweaver Professional Training Course
  25. Drupal Advanced Training Course
  26. Creating Web Application
  27. Cybersecurity and Ethical Hacking
  28. Digital Marketing Research
  29. Dreamweaver Professional Training Course
  30. Drupal Advanced Training Course
  31. eBusiness Technologies-
  32. eHR- Building a Company Team for World Impact
  33. Entrepreneurship- Smart Business Models for Business Growth and Success
  34. eProcurement and Online Payments- Tools, Tools and Techniques
  35. Game Developer Training Course
  36. How to Make Massive Cash as a Web designer and Developer
  37. How to Start a Company and Become Global Within 3 Months
  38. Internet Marketing Training Course
  39. Java Application Development Course
  40. Joomla Developer Full Training Course
  41. Learning to Use The Macintosh Computer
  42. Microsoft Office 2013 Full Training Program
  43. Microsoft Sharepoint Training
  44. Microsoft Visio Studio Training Course
  45. Mobile Application Developer Course-Android, iOS, Windows
  46. Mobile Marketing Advance Course- SMS, Robo Calls, ShortCode
  47. Oracle Training Courses
  48. Sales Secrets for Small Business
  49. SPSS Professional Training
  50. Strategic Negotiation
  51. User Experience Fundamentals for Web Design

Website design and Development Service in Abuja


Do you need a cost effective website? Do you want to improve the performance of your existing website? Do you need SEO services that increase traffic to your site and boost sales? Do you want to grow your business online, with a customer and sales focused website? If your answer is yes to any of these questions, then you are in the right place.

SouTech Web Consults now offers cost effective web design solutions for your online presence. We concentrate on providing you with a website that is simple, clear, light and easy to navigate on computers, tablets, and mobile phones, so that no matter the device, customers can reach your business.

At SouTech Web Consults, we have been building and managing websites for over 10 years. We will be bringing our experience to bear in designing a good website for your business. At all stages in the web design process, Search Engine Optimization (SEO) is at the top of our mind to ensure you get targeted traffic to your website. This is because no matter how beautiful your website is, without SEO you will have very few and low quality visitors.

We do not just design your website; we also give you helpful tips and guide you on the type of content you should put on your website for maximum results. We know that going online may be new to you, so we will hold you by the hand to ensure you succeed online.

Our objective when we design a website for you is to:

  • Drive traffic to your website
  • Keep visitors longer on your website to view your offers (product & services)
  • Turn visitors into customers by offering compelling content that will drive sales

We also design websites that are useful, functional and within budget.

Some of our web design plans come with free telephone consultancy on any aspect of taking your business online, from improving search engine traffic, to effectively using social media, to online advertising, etc.
You may want to see some of our works below.

Website Design(Redesign) Projects
www.foramfera.com
www.washerman.ng
www.wiseliftafrica.org
www.365trainingportal.com
www.topganhotel.com
www.bafvoice.com
www.bosespecialisthospital.com
www.lpgservicesnigeria.com
www.buyallsoftwares.com
http://jolakinsevents.com/


http://projectandresearchng.com/
http://www.surcon.org.ng/
http://princeworldgroup.com/
http://wordalivecentreintl.org/
www.americananimationinstitute.com
http://www.vmsprojects.com/
www.microchips.com.ng
www.guagingsystemsnigeria.com
www.chesstgroupstore.com
www.flashshipservices.com
http://smenetwork.org/
www.soutechhosting.com
www.projectandresearchng.com
www.growyourbusiness.com.ng

and over 100 more

Call us on 08034121380 NOW or fill in the form below to get started!

Professional IT Courses Training in Abuja: Web Design, Ethical Hacking, Networking, Mobile App Development, Project Management

SOUTECH Web Development Consults is a smart and budding Information Technology (IT) firm with innovative, intelligent, knowledgeable and experienced consultants, trainers and developers.

To be efficient in IT service delivery and management, you need core practical training from SOUTECH Web Consults to help you in:

  • Critical thinking and problem solving skills
  • Communication skills
  • Collaboration skills
  • Creativity and innovation skills

We look forward to training you in the following courses.

 

| Courses | Duration (Live Class - Practical) | Follow Up Contact (Project) | Mentorship | Cost |
|---|---|---|---|---|
| Professional Website Design (HTML, CSS, WordPress) | 3 days (20hrs) | 1 month | 30 Days | 40,000 |
| Website Development (JavaScript, PHP or Python options); web design is a prerequisite | 5 days (20hrs) | 2 months | 30 Days | 60,000 |
| Digital Marketing and SEO | 1 day (6hrs) | 1 month | 30 Days | 50,000 |
| eBusiness and eCommerce | 1 day (6hrs) | 1 month | 30 Days | 20,000 |
| Blogging for Profit | 1 day (6hrs) | 1 month | 30 Days | 15,000 |
| Website Design + Digital Marketing Combo | 5 days (25hrs) | 1 month | 30 Days | 60,000 |
| Mobile Application Development (HTML, CSS, Ionic, PhoneGap, AngularJS): Android, iOS, Blackberry development; web design is a prerequisite. Advanced Mobile App Dev- 100k- 8 Contacts | 4 days (20hrs) | 2 months | 30 Days | 50,000 |
| Web Design + Digital Marketing + Mobile App Development (3 in 1) | 8 days (40hrs) | 2 months | 30 Days | 100,000 |
| Microsoft Office Training (Word, Excel, PowerPoint) 2013/2016 | 6 days (20hrs) | 1 day | 30 Days | 50,000 |
| Certified Ethical Hacking (CEH ver 9) and Cybersecurity | 4 days (20hrs) | 1 day | 30 Days | 70,000 |
| Certified Information Systems Security Professional (CISSP) | 4 days (20hrs) | 1 day | 30 Days | 70,000 |
| ITIL ver 3 (Information Technology Infrastructure Library) | 4 days (20hrs) | 1 day | 30 Days | 40,000 |
| Corporate & Product Graphics and Branding (Corel/Photoshop) | 4 days (20hrs) | 2 days | 30 Days | 40,000 |
| MS Project and Primavera | 4 days (20hrs) | 1 day | 30 Days | 50,000 |
| Advanced Excel 2013/2016 | 3 days (15hrs) | 1 day | 30 Days | 40,000 |

 

All courses come with a 30-day mentorship program to ensure you get the best and become an expert in the field of training.

Highlights

  • Venue: SOUTECH VENTURES, Kano Street, After Shehu Shagari Mosque, Area 1, Abuja
  • Real-life application and understanding
  • Conducive learning environment
  • Participants Abuja, get a Certificate of Training
  • Restricted and interactive classes
  • Service comes with all necessary software
  • Soft copy training materials (videos and eBooks) will be available
  • Qualified and experienced facilitators
  • Get a full Audio recording of the training (No need for refresher class)
  • Full certification course (Good for your CV)
  • Job/Internship placement support (Optional)
  • Customized soft copy of training materials will be provided
  • Organized and efficient training process
  • Tea/Coffee Breaks and Snacks to be provided
  • Conducive air conditioned learning environment and Parking Space

Registration Procedures

  1. Pay the training fee before the training start date (to claim the discounted fee)
  2. Upon confirmation of your registration and payment, an electronic receipt will be sent to your mail.
  3. Commence your training at the SOUTECH Training Venue

Payment can be made through bank deposit/transfer.
Account Details
DIAMOND BANK
SOUTECH VENTURES
0054227379

or pay via debit/credit card through the link below

www.soutechventures.com/payments/

*Please remember to notify us after successful payment, or send a payment notification directly to 08034121380