Basics of Hacking a Web Server: Educate yourself-Soutech Ventures Tips and Tricks

A typical web server faces the risk of all forms of attacks from attackers but one of the most popular attacks forms are defacement also known as web vandalism. The act of defacing websites and web servers may be subtle, it may also be aggressive but actually depending on the what the attacker’s goals are. Howbeit, the goals of any hacking attempt on a web server is always the same such as

  • To make a statement
  • To create nuisance
  • To embarrass the company

The act of defacing websites comes with a lot of possible methods depending on the personal skill-level of the attacker as well as his capabilities and the available opportunities. I will be giving you a few tips on hacking web servers though I will not shed on everything you need to know here. You can subscribe to our CEH training courses in soutech ventures to be well equipped on web server hacking.

Hacking Activity: Hack a Web Server

I am going to practically teach you about the anatomy of attacking a webserver. I am going to choose a target which is www.certifiedhacker.com, and of course you hacking into it is illegal so I am going to just use it for educational purposes.

So what are the things which we will need to perform this exercise?

 

Information Gathering: Just as it is in every hacking scheme, we must first gather information about our target. First of all we need to get the IP address of the target and also any other website that happens to share IP addresses with our target.

I am going to make use of an online IP address tracking tool called reverse IP domain check to find our target’s IP address and any possible website sharing the same IP. This can be done by first;

  • This is the result you will get

From our result above, the IP address of the target is 69.89.31.193 and we have also been able to find out that over 1000 domains are hosted on the same web server as our target and they are listed below.

So the next thing or step we can take is to scan the other discovered websites if they are vulnerable to SQL injection.

One important to note is that if we find any site that is vulnerable to an SQL injection attack then we can directly exploit that site without even considering any other website.

  • Open www.bing .com on your browser. Note that this step can only work on bing and not any other search engine like yahoo and google search engines. So, don’t bother using them.
  • Now enter this search query ip:69.89.31.193 .php?id=
  • What this query does is to limit our vulnerable website search to all the ones that are hosted on the web server carrying the IP address 69. 89.31.193
  • Also so you know, this part of the code “ php?id=” searches for the URL GET variables which are used as parameters for performing SQL statements.
  • This is the result you will get

 

  • The next thing you will have to do is to scan all the listed web sites for SQL injection. The purpose of this article is not to teach you SQL injection. You can however, use any of the tools mentioned in my previous article.

Uploading a PHP Shell

I will not attempt to scan any of the websites listed as it is an illegal thing to do, so I’ll assume to have logged in to one of them. The next thing we can do is to upload the PHP shell that we downloaded from the http://sourceforge.net/projects/icfdkshell/

  • Go ahead to open the URL which you uploaded the dk.php file.
  • You will get something like this

  • Click on the Symlink URL which will give you a direct access to the target domain.
  • Now once you have gained access to the files, the next thing you can do is to get the credentials for logging into the database. After you have logged in, you can perform any attacks you want such as defacing, downloading sensitive data such as emails, files etc.

Once you have access to the files, you can get login credentials to the database and do whatever you want such as defacement, downloading data such as emails, etc.

Summarily, it is important to note that a web server stores sensitive and valuable information and are readily accessible to public domain and this is the reason why attacks often go for it. Just like I have said in my previous article, I will quickly remind you that the  most popularly used servers are Apache and IIS (Internet Information Service). Also, I established the fact that web servers take advantage of system bugs and misconfigurations in the operating system, network and web servers. The popular web server hacking tools are Neospoilt, Zeus, Mpack.

Most importantly I will stress that a good security policy can reduce any chances of being attacked.

Enroll for a certified ethical hacking training today at SOUTECH.

 

Protect your webserver from hackers: Tips

The internet has provided a more robust and easy platform for customers to order and purchase products and services. This has prompted many businesses and organizations to opt for websites which enable them to store valuable information such as email addresses, passwords, usernames and credit card numbers of customers. If a website is defaced, it can shut down business operations, can affect cost turnouts and can be used to communicate political and religious ideologies.

Dear reader, the essence of this article is to introduce you to web servers, the types of web servers and how you can protect them from being hacked.

What is a web server?

A web server is a PC framework that processes demands through HTTP, the fundamental system convention used to circulate data on the World Wide Web. The term can allude to the whole framework, or particularly to the software program that oversees and guides all the HTTP request.

The essential capacity of a web server is to store, process and convey pages to customers. The communication that takes place within the client and the server utilizing the Hypertext Transfer Protocol (HTTP). Pages conveyed come in form of  HTML records, which may include pictures, templates and contents notwithstanding content substance.

Numerous web servers might be utilized for a high movement site. A user agent, usually a web program or web crawler, begins the communication process by making a demand for a particular asset utilizing the HTTP and the server reacts with the content linked to that particular resource or a mistake message if unfit to do as such. The resource is commonly a genuine document on the server’s database, yet this is not really the case and relies upon how the web server is actualized.

While the essential capacity is to serve content, a full execution of HTTP additionally incorporates methods for getting content from the clients. This component is utilized for submitting web shapes, including transferring of records.

Numerous non-specific web servers likewise bolster server-side scripting utilizing Active Server Pages (ASP), PHP, or other scripting dialects. This implies the conduct of the web server can be scripted in isolated documents, while the genuine server programming stays unaltered. More often than not, this capacity is utilized to create HTML reports progressively (“on-the-fly”) rather than returning static archives. The previous is essentially utilized for recovering or changing data from databases. The last is regularly considerably speedier and all the more effortlessly stored however can’t convey dynamic substance.

Web servers are not just utilized for serving the World Wide Web. They can likewise be inbuilt in gadgets, for example, printers, switches, webcams and serving just an organized neighborhood. The web server may then be utilized as a piece of a framework for observing or controlling the gadget being referred to. This more often than not implies that no extra programming must be introduced on the customer PC, since just a web program is required (which now is incorporated with most working frameworks).

Vulnerabilities in Web Servers

A web server can be referred to as program that stores files such web pages and makes these files accessible through the internet or the network. Since web servers require both softwares and hardwares, it makes its software a target by attackers by exploiting it in order to gain unauthorized access in to the server. I am going to discuss some common web server vulnerabilities that attackers always try to exploit.

  1. Default settings: Attackers can leverage on default settings which can help them to easily guess default user id’s and passwords. Attackers therefore can perform certain tasks like running of commands on the default settings of the server which can be exploited.
  2. Web server bugs and operating system bugs: When bugs are inherent in the software of a webserver or an operating system, an attacker can exploit it to gain unauthorized access into a webserver.
  3. Operating system and network misconfigurations: Configurations like user permissions to execute commands on a server can be a serious factor to exploiting webservers especially when the user does not have a strong password.
  4. Non-adherence to security policies and procedures: When security policies and procedures like patching OS’s, updating and upgrading antivirus softwares, web server softwares can easily make the web server susceptible to attacks.

Types of web servers

Now that have known the type of vulnerabilities in web servers, let us get more understanding on some of the web servers that are available;

The following listed are the most commonly available web servers

  1. Internet Information Services (IIS): This server was developed by Microsoft and designed to run on windows. It has been known to be the second most used web server being hosted on the internet all over the world. The IIS server has most asp and aspx websites being hosted on it.
  2. Apache Server: This server is the popular and most commonly used servers on the internet today. It can run on crossed platforms but typically installed on Linux platforms. Apache server has most PHP websites hosted on it.
  3. Apache Tomcat Server: This server has most java server pages websites being hosted on it.

There are other web servers such as

  • Novell’s web servers
  • IBM’s Lotus servers
  • Domino servers

Types of Attacks performed against Web Servers

Directory traversal attacks

This kind of attacks exploits bugs within the web server to have unauthorized access to files and folders that don’t seem to be within the property right. Once the attacker has gained access, they will transfer sensitive data, execute commands on the server or install some sort of malicious software package.

Denial of Service Attacks

With this type of attack, the webserver could crash or become unavailable to the legitimate or authorized users.

Domain Name System Hijacking

With this kindof attack, the DNS settings are modified to redirect users to the attacker’s web All traffic that was intended to be sent to the weserver is redirected to the incorrect one.

Sniffing

In this type of attack, unencrypted information sent over the network is also intercepted and can be used to gain unauthorized access to the web

Phishing

With this kind of attack, the attack impersonates the web sites and directs traffic to the faux (fake) Unsuspecting users may also be tricked into submitting sensitive information like login details, Mastercard numbers, etc.

Pharming

This attack involves compromising a Domain Name System (DNS) servers or on the user’s system so that traffic intended for it is redirected to a malicious website crafted by the attacker.

Defacement: With this kind of attack, the attacker replaces the organization’s website with a special page that contains the name of the hacker, pictures and also having background music and messages.

Effects of successful attacks on Web Servers

• An organization’s image will be ruined if the attacker edits the web site content and includes malicious information and links to a pornography website.
• The web server will be used to install malicious softwares on users who may have to visit the compromised web site. The malicious computer software downloaded onto the visitor’s laptop can take the form of a virus, Trojan or Botnet computer information. etc.
• The user data that is being compromised can also be used for all activities which can cause business loss or lead to lawsuits from the computer users who had entrusted their details to the organization.

Tools for Attacking Web Servers

Some of the common webserver attacking tools include;

Metasploit: This tool is open source and can be used for developing, testing and for making use of exploit codes. It discovers vulnerabilities in webservers and to write exploits which will be used to compromise a webserver.

MPack: This particular tool is a typical web exploitation tool. It is written in PHP and the SQL engine is what backs it with the database engine. Once a webserver has been compromised by using the MPack, all traffic to that website is redirected to downloaded malicious websites.

Zeus: This is a tool that can be used to compromise a computer and turn it into a bot or a zombie. A bot is a compromised computer system that is employed to perform internet-based attacks. A botnet is a collection of computers that have been compromised and which can used in performing denial of service (DOS) attacks or causing spam mails.

Neosplit: This tool is particularly used to install programs, delete programs, replication of programs as well,etc.

How to Avoid attacks on Web Servers

An organization can adopt these policies to protect their webservers from any form of attacks.

  • Patch management: This requires an installation of patches which can be used to secure the webserver. A patch can be referred to as an update that can be used to fix bugs within the computer software. The patches will be applied to the OS and also the web server system.
  • Securely install and configure the operating system.
  • Securely install and configure the webserver computer software.
  • Vulnerability scanning system: Securely install tools such as Snort, NMap, Scanner Access currently simple (SANE) and use them to test your webservers for vulnerabilities
  • Employ the use of firewalls to stop DoS attacks by interfering or blocking all the traffic coming in in order to determine the IP address of the attacker.
  • Antiviruses can be used to remove any form of malicious softwares on the webserver.
  • Ensure to disable remote administration.
  • Any form of default accounts and unused accounts should be far-away from the system.
  • Any form of default ports & settings such as  port 21 (FTP) should be modified to custom port and settings (FTP port at 5069).

In my next article, I will be discussing on how to hack web servers. You can subscribe for our services to learn CEH which provides a comprehensive understanding of web servers, applications and other web security techniques. Call us today at SOUTECH : 08034121380

Just how safe are Public Wi-Fi’s?Stay protected- Soutech ventures

Having Wi-Fi readily available in public places has become a trend in larger cities of the world. Public places such as restaurants, coffee shops, libraries, hotel rooms, auxiliary offices, airports and other places you can think of have all adopted the use of Wi-Fi. Having a free and easily accessible internet connection to use can be a very convenient way of catching up with your work, meeting targets, accessing your online accounts, checking your mails etc. However, we seem not to know to the security risks associated with the use of publicly available Wi-Fi’s. Well, like you know already that one of best ways to optimally and speedily access your sensitive information and carryout sensitive transactions through Wi-Fi, there are some measures you need to take additionally in order to kept safe online which is the purpose of this write up.

According to a popular research journal published by Norton, said that over 68% people fell victim to publicly available and unsecured Wi-Fi’s in the last year. Therefore, we must take practical measures and efforts to make sure our devices are kept safe and protected.

Brief History in the encryption standard adopted by the Wi-Fi

Let me shade some more light on the encryption protocols and standards that existed before the encryption protocol adopted for use by Wi-Fi’s. One of the security problems faced by older encryption standards is in the aspect of security which was adopted by some wireless networks. One of the first encryption schemes for wireless network devices was the Wireless Encryption Protocol (WEP) and this encryption standard was found to be weak and very easy to crack. Although the WEP protocol is still regularly found as an option in many wireless access points and devices, there is need to give way for upgrading hardware that will be supported by newer standards whenever it is possible.

WEP was developed with the intention to manage the following;

  • To prevent eavesdropping in communications which aims at reducing any forms of unauthorized disclosure of data.
  • To ensure data integrity while it flows across the network.
  • Encryption of packets during transmission using a shared secret key.
  • To allow access control, confidentiality and integrity in a lightweight and efficient system.

However, WEP failed in handling some of these issues which birth WPA.

The Wireless Protected Access (WPA) came as a successor to WEP and was birth with the intention of checking and curbing the many issues faced by the WEP standard. This is the reason why its encryption abilities addressed some vulnerabilities however it was being found vulnerable and cracked. It was designed not to required full hardware upgrades as compared to the WEP.

However, its processing power and mechanisms were being limited especially where older versions of hardwares were involved. The TKIP standard was one of the standards developed to platform the WPA. TKIP was an improved standard for the WEP protocol because at every point there is a static and unchanging key being used for every frame transmitted.

WPA however suffered from the following flaws;

  • Weak key selection by users
  • Issues of packet spoofing
  • Issues with authentication as regards Microsoft Challenge Handshake.

This gave way to the WPA2 standard intended to address the flaws in WPA. WPA came with a stronger and tough encryption standard which are CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) and AES (Advanced Encryption Standard). It also employs the TKIP Temporary Key Integrity Protocol and MIC (Message Integrity Code) as encryption standards.

This enterprise is a version that incorporates the EAP standard as a medium to improve the strength of the security and also make the system scalable for use in large organisations and enterprises. WPA2 is special because it offers an improved security when compared over its predecessors and maintains the IEEE 802.11i standard for security. It uses a server to carry out its key management and authentication for its wireless clients.

The WEP, WPA and WPA2 all suffer serious vulnerability issues which an attacker can exploit in order to take advantage of the victim. All of them offer ways to be exploited in recent times.

Why Public Wi-Fi is Vulnerable to cyber attacks

Given all the risk associated with all the protocols described above, users still suffer a great deal from unknown and known flaws. The fact that you may need a password to log in to access the Wi-Fi does not mean that your activities online are encrypted and that a publicly available Wi-Fi is secure. There a few issues that make public Wi-Fi’s susceptible to attacks and one of the issues related to the encryption protocol which the Wi-Fi technology adopts. Another issue has to do with the possibility of connecting to a rogue Wi-Fi hotspot. Tools like Aircrack-ng have been built and are readily available online to perform brute force attacks on any weak passwords and keys involving WEP and WPA.

The risk of joining a rogue Wi-Fi hotspot is also a big issue when using free public Wi-Fi’s. All a hacker has to do is to create a rogue hotspot with the intention of unleashing a sort of Man-in-the-middle (MITM) attack on whoever becomes a victim by connecting to the rogue Wi-Fi. When this attack occurs, it allows a hacker to intercept the communication that goes on between you and the server of the website you are visiting at a time. There are pre-built tools that can be used to easily eavesdrop, capture sensitive information like login credentials, credit card numbers and social media security passwords etc. and monitor online traffic for performing MITM attacks

 

What are the signs that you may have logged on to a Rogue Wi-Fi?

Of course, you know that once a device discovers a Wi-Fi network it probes the known networks which an attacker can leverage on. An attacker can configure a rouge Wi-Fi hotspot which can look like a typical home network that can be found in a coffee shop. Therefore, your device can be connected to the hackers’ rogue Wi-Fi hotspot instead of connecting to the real publicly available Wi-Fi hotspot.

Another trick you should know is that, a public Wi-Fi network can be created with the name Free Wi-Fi which is flooded for victims to be connected to them and very naturally people will want to join such networks especially if the free internet service is offered. I must say I personally has been a victim to this a few years ago. If you are at a coffee shop, or at home or in a public place and suddenly your device shows you have been connected to your home network, there are huge chances that someone has been able to grab your devices’ or computers broadcast request. If also you are browsing a website or webpage such as your bank or favorite social media page that should normally be HTTPS instead it shows HTTP, then you must know that someone might have connected to your network. Once this person has linked up to your network, the person can perform a MITM attack by serving you a HTTP version of the site with the intention of capturing your login credentials. So, you must always be on the lookout these little details.

 

What are the Measures you can take to ensure your safety on a Public Wi-Fi?

  1. Accessing Sensitive information using public Wi-Fi: I will as a matter of fact always advice anyone never to use public Wi-Fi’s to access their sensitive information. If there is need at any point in time to access your sensitive data online, you need to switch you’re your local ISP or get someone to pretty much share their device hotspot with you. You can do use the public Wi-Fi to browse for things like directions and other things that are less sensitive like getting information from google, bing or yahoo. If you’re trying to process things like paying of bills or even shop online, these things can wait. If it is an urgent situation which you need to achieve, the use of a VPN (Virtual Private Network) is advised. There is a plethora of trusted VPNs online and obviously if you need a good service, then you need to pay for such VPNs. Ensure you choose a reputable VPN security provider.
  2. Use VPNs (Virtual Private Network): If there is a need to use a publicly available Wi-Fi to do your work and your company or organisation offers a VPN access, ensure to make use of it. VPNs provide a private tunnel for you to transmit or communicate by adding an extra layer of security for your connection.
  3. Visit HTTPS only: If you are using a public Wi-Fi, ensure to avoid websites that are HTTP (not protected or secure) and visit or browse websites that begin with HTTPS.

Why am I saying so, if you are an IT expert, you not, you must know that HTTPS are encrypted and provide an extra layer of security which makes browsing more secure. If you connect to an HTTP site which is unsecure, a hacker can easily see your traffic if he snoops around the network.

 

 

  1. Consider installing an extension such as HTTPS-Everywhere in order to re-route all the websites you visit to HTTPS. There is a tool offered by the Electronic Fronteir Foundation which provides this option.

2.Configure wireless settings on your device: Configure your device not to connect automatically to any available Wi-Fi hotspots. This can be done by navigating to the wireless settings of your PC or device. This setting makes sure your device does not automatically and unknowingly gets connected to any public network. On your PC, just turn off the “connect automatically” option. When you do this, you prevent your device from broadcasting to the world that it is attempting to get connected to the “home network” which a hacker can easily spoof.

  1. Use Privacy screens: Hackers are everywhere and are usually not afraid of using any means possible to access and obtain your data, you must consider making use of privacy screens if there is a need to access sensitive information in a public place.

In general terms, whether or not you are using a your smart-devices or PC’s to access some sensitive information like accessing your bank account and financial information, always ensure not to do it in a publicly available Wi-Fi network. Ensure to consider all the tips above to keep your information protected online.

Soutech ventures offers a comprehensive information security course such as (CEH and CISSP) which can give more security insights, tools/tips and countermeasures in the different facets of technology. Subscribe to our services today.

Certified Ethical Hacking Training in Abuja,Nigeria

Online Dating: Protect your privacy online-SOUTECH Cyber security Tips

In the past 3years, Nigerian singles have flocked dating sites and took to social media to employ their services in searching for partners. Online dating has outgrown all the stigma it used to have in the past as a research by psychologist and counsellors have found that one out of ten Nigerian single person has veered on to social media and online dating sites on their mobile apps and PC’s to get hooked up with people. Since the negative stigma attached to the online dating has gradually been phased out and nearly going into extinction, the popularity of these services has been on the rise and has caught the attention of hackers and scammers.

Recently in Nigeria, a lot of hackers and scammers have taken to social media platforms to trick people into giving sensitive and personal information. I have a made a personal study on this and from reading experiences from people and it has become of concern for me the reason behind this article. Apart from phishing scams and other vices that hackers have adopted to take advantage of unsuspecting victims, online dating has become one of the tools of meeting the emotions of people to exploit them.

The intention of this article is not to talk about dating and online dating or its sort but to give you tips on how to protect your privacy online.

Privacy Protection Tips

Creating of new user accounts

Create a username different from any other account that you have ever had and used. Now you may be wondering why you should do this, this is because a username can be searched easily and any account related to it, so this is the reason why you usually need a totally different account.

Images and photos uploaded

The same applies to photos and the images that you post on your social media profiles. You should try as much as possible to make sure that any reverse image searches performed on you will not work.

Opening Email accounts

Ensure to setup a free email account to use on the dating accounts with a unique name. Note that most sites provide features that offer users anonymity protection via their own in-site messaging products.

Using Free Google voice accounts for Calls

If you must do a phone call, open a free google voice account that will generate a different phone number for you and then go ahead to forward it to your mobile. By doing this, you have been able to secure your phone number that will enough to give you your potential match.

Use Reputable Online Dating sites

Always research properly and subscribe to popular and reputable online dating sites if you must use them. You can either delete or disable an account which come sites actually allow you. And since the site retains your previous information, you can always return to the online dating sites whenever.

Check website privacy policies

Ensure to check the sites privacy policies and try to verify how information with these sites are being handled. Some of these sites by default make profile pictures and profiles public which can be easily indexed by any search engine. There is a popular website that was penalized recently for secretly trying to experiment with their user’s data.

The fact that users have to pay to use their services for communication, this has reduced the rate of scammers and illegitimate daters. Note that some of these sites perform background screenings for criminals.

How can online dating scams be spotted?

Now that you have known some of the do’s and don’ts of the social online dating sites, now I will teach us how to spot any form of scams that you may be exposed to know.

  • I have heard people say someone comes up to them with some stories to get to their emotions. Now this is one popular trick by scammers in that an individual can add up and start giving you some sad stories like “ I am stranded in a foreign country at the moment, my family has an emergency and needs immediate attention”. The endpoint of this story is request for some amount of money from you. Once you see this, immediately report such accounts to the service and do well to block such.
  • Another trick I apply is to request a recent photo of the person I am chatting with in order to verify their identity. If in anyway they come up excuses or start a sort of protest as to the know why they won’t be able to provide the photo, the best thing to do is to run for safety and apply caution at once.
  • If you been chatting with and familiarizing a supposed sweetheart for some time and you observe that they avoid any real-life meetings and dates, this could be a warning signal to take note of.
  • Do not click open any links that is sent to you by anyone you have not been chatting or communicating with as well as from the ones you’re in frequent chats with. A scammer can appear to be a contact and try to get you to click the links which may redirect you to a pornographic site or webcam site and even malware infected sites.
  • Be careful about your behavior and your outfit if you want to engage in any sort of webcam or video chat. A criminal will want to record these sorts of sessions in order to blackmail you with it. You can disconnect from any form of communication or chat sessions that makes you uncomfortable.
  • Scammers use bots to create fake profiles that run their accounts with the aim of getting you to click these links that redirect you to unwanted sites described above. Some of them can even be programmed to steal your credit card information. Well, you can easily spot a bot because they are programmed to give out a set of predetermined responses. When you observe that you are not getting direct replies to your conversation, then there are chances that a bot has been set in.

CatFishing

The term catfishing is a scamming trick in which a user takes the identity of another person. This scamming has been adopted by scammers and cyber criminals to lure people into online romantic relationships and friendships.

A typical catfisher will always come up with excuses as to why they can’t have dates, call you in phone or even do video and webcam chats. It probably is true if the user’s profile appears too real that a lie. What you can do is to perform a reverse online image search of their photo and if they seem to be a place which is different from the one showing in their profiles then congratulations you have been able to catch a catfish.

As a parting word, we are in the age and era of the internet where we can order just anything from online. And as it is in all facets of life to have scammers and tricksters, scammers and hackers are in strong search of loopholes to exploit online users. But I have and will always do my bit in keep u appraised with all the techniques they can possibly come with to trick you. All you have to do is subscribe to all the tips I have given out in this article and you can safely be online and keep your relationships going on just fine.

Subscribing to our CEH course in Soutech ventures gives you an added edge to stay one step ahead of hackers and cyber criminals all over the world.

 

What is Social Engineering? Protect Yourself and Organization from all forms of Social Engineering-SOUTECH Nigeria

Vulnerabilities in softwares have been widely discussed and looking at it from the human perspective, human emotions play a large part. Anytime someone is faced with a scary or frightening scenario, their first reaction to it matters a whole lot.

Social engineers leverage on this type of vulnerability to launch successful attacks on victims. I am going to discuss in details what social engineering is all about and its different forms as this particular vulnerability stands at 80% when it comes to the techniques which cybercriminals perpetrate attacks.

What is Social Engineering?

Social engineering is a technique whereby cybercriminals make use of human interactions to trick users into giving out sensitive information such as personal credentials.

Types of Social Engineering

The fact that social engineering leverages on the human nature and emotions to perpetrate, attackers have deployed many techniques to trick users both online and offline. Here are a few techniques you should know about;

Phishing:

Phishing is one of the oldest cyber tricks and has been grown to be one of the most popular most successful means of exploiting computer users. In phishing, cybercriminals usually attempt many tricks and methods to get information from you. Recently, they have resorted to using scare tactics which can come in form of an urgent situation which requires your attention usually having to do with your banking details or your other online accounts. Users therefore will have to make decisions based on fear and how they feel at the time the scenario is simulated.

Emails that seem to be from a legitimate authority such as your financial institution or your company will be sent to you requesting your username or password in order to get login access. Normally, people tend to react to when issues involving their finances or jobs are involved especially when it appears to come from a higher management. I will reiterate that one major phishing tactic is in the sense of urgency applied to these messages.  I have written comprehensively on the forms and techniques of phishing so you can look it up. Read more on phishing

Baiting

Now let’s look at this technique which involves cybercriminals leaving a malware-infected USB or external devices in a public or open place. They leverage on the curious nature of humans such that when someone out of curiosity picks up this device and plugs it onto their computer systems in order to see what information is on it. Once they do this, the malware automatically gets injected into their computers.

Pretexting

In pretexting, the cybercriminal fabricates some very emotional stories and scenarios that tend to get to the emotions of their victims. Sometimes the stories can come in form stories of being stranded in a foreign country and sometimes can be that they are princes or princesses in their countries and their Father just passed away. They then try to tell the victim to please help them with a sum of 500USD or more in order to take back the throne. Like I said, these type of scenario tends to get to the emotions of victims who may always want to help. Pretexting is used alongside other methods as most of the techniques are targeted towards getting to the emotions of the victim or the cybercriminal attempts to impersonate someone on the telephone.

Hacking Emails and Spamming of Contacts

It is in the human nature to be inclined towards the affairs of their family and people they seem to know. For example, if my brother sends me an email message that comes with a subject that says “Look up this website, you may find something of interest” I normally wouldn’t resist checking it out by clicking open. Now this is the reason why a cybercriminal will try to leverage on this technique by using emails addresses and passwords. Immediately the victim’s personal credentials are obtained by the cybercriminal, they are take total control of the users account and will further more spam all the contacts that are on the users’ list. Always remember that the main objective of this attack vector is to spread malware with the desire of tricking people into giving out their personal data.

Vishing

This technique of all the methods mentioned so far and beyond involves the most of human interactions. In vishing, the cybercriminal puts a call through to an employee of an organisation faking to be a trusted individual to the organisation. They can pose to be a representative from the bank or other highly profiled company’s related to the organisation of the victim proposing to do a business with them.

Their aim is to try to get as much information as possible from the victims. They can even pose to be a fellow employee with a lost or misplaced password and request for their passwords and may try to sound legitimate by asking questions to verify the identity of the victim.

Quid Pro Quo

This is also referred to as something-for-something. This technique involves attempting to entice users with winning prizes, products or getting discounts on purchase of expensive products. This scam is fashioned such that the users can only get something only after they have completed a form which requires mostly your personal data. The information gathered can then be used to perpetrate other attacks such as identity theft etc.

Spear Phishing

This is a technique that is related largely related to phishing and can be referred to as phishing’s complex cousin. In spear phishing, the cybercriminal targets the employees of an organisation and does some reconnaissance on them online with the aim of getting personal information.

Information can be gotten from internet searches and social media platforms via profiles. Once they have been able to get details personal to them, they can then start sending emails that may seem very necessary and of interest to them in order to entice them. Such that once they click the links sent to them, the malware file attached can be downloaded to their system. Once the cybercriminal successfully tricks the user, the malware is installed on the user’s computer which can be spread throughout the network to other computers on the company network.

Farming

This is more like a long-con where the cybercriminal tries to establish a relationship with a target. They usually go through their targets social media profiles in order to establish a relationship and gather as much as information that will help them perform an attack.

This attack form typically depends on pretexting because the attackers aim is to have prolonged conversations with the target in order to extract as much information as possible.

Hunting

This is a shorter version of all the attack forms. The cybercriminal will typically use baiting, phishing and email hacking to extract information from a chosen target passively (i.e. with no direct contact or with little interaction as possible).

Social engineering has taken over all forms, both online and offline and therefore has become very difficult to control or cut off its threats. Therefore, your best defense mechanism against social engineering is to educate yourself and your employees if you run an IT-driven organisation. You should also be aware and lookout for any possible attack methods that may come.

We have a comprehensive course that can help you learn more on how to protect yourself from social engineering and other attack forms. Subscribe to our CEH course today in SOUTECH.

Setting up a Bring-Your-Own-Device (BYOD) policy for your Organization- Be Cyber-safe-SOUTECH

In a recent survey by Symantec, it said that about three to four small and medium-sized organization owners have adopted smartphones and tablets as a core part of achieving their teams’ success. Since the use of these devices are gradually expanding, therefore there is a need to provide an apt security for them. This is the main reason why organizations have adopted the bring-you-own-device concept an approach that is commonly referred to as BYOD.

The fact that smartphones and tablets have grown into consumer markets have made a lot of employees choose employ the Bring-Your-Own-Device concept to their places of work. So, I’ll be giving you a few tips on how to stay protected on the internet as mobile devices have become a core entity in many organizations.

Therefore, the idea of developing a sound and efficient BYOD policy that can assist in gaining a maximum productivity in your organization or your company.

These are a few things I will buttress on this point which are the necessities for every organization;

1.Assessing the needs of Your BYOD 

One of the key things you can do is to brief or engage your employees and staff in talks regarding the use of their devices in the organization for business transactions. The things you need to find out are;

  • Do they access the company server and read emails related to work or the business?
  • What operating systems and the devices they employees use in order to access their network?

This information will guide your policies and help you to dictate the scope of your policies and the measures you can take to secure your devices. It can also help you to in making choices of the security softwares you can deploy to protect their devices.

2. Always Educate Your Employees

Endeavour to talk to your employees and team members on the potential risks of using mobile devices in and out of the office including the importance of managing these any related risk. It must be made compulsory for employees to follow security best practices, which include:

  • Employing the use of complex passwords for their devices and for any program that is related to work which are accessed using those devices.

                                 

These passwords can be set by navigating through the device’s settings. Learn more about creating strong passwords.

  • Employing a regular password changing policy. For example, changing passwords quarterly or every 90days. You can use password manager services like KeePass or LastPass which is capable of helping employees manage multiple and regular password changes.
  • Always ensuring that system updates and app updates are done once the device prompts for them. This is done in order to protect against any possible security vulnerabilities.
  • Being on the lookout for phishing text messages and emails which can be avoided by avoiding to click on such links that prompt them to download files and documents from unknown pages.
  • Doing a thorough research on applications before having to download them unto devices. Employees should be discouraged from downloading applications from unofficial or third-party app stores.

3. Strong Protective measures must be implement

Products that will assist employees to build their strength and ability of their devices when used for business should be explored. A very good tool is the Norton Small Business software that performs the function of protecting mobile devices against malwares associated with mobiles.Research has had it that many devices running on Android platforms carry potential malwares and privacy loopholes and greywares which are capable of hindering productivity. However, there have been new products that provide more security including remote locate and lock and wipe features. These features allow mobile users to manage their device security from a central web portal. Consider using a VPN (Virtual Private Network) service if the employees access the company’s network remotely with their mobile devices. A VPN creates a tunnel that is encrypted in the internet which allows traffic to pass through it. There are mobile apps that allow users to connect to a VPN via their mobile devices or smartphones.

4. Acceptable Use should be properly defined

Guidelines should be outlined to clarify and define how employees can use their devices during business hours for business purposes. For instance, you may employ a pervasive policy by allowing your team members to access documents and emails, but prohibiting them having access to sensitive files such as financial data. Websites and apps that are prohibited from accessing with the company VPN during work hours should be specified.

5. Decide how these Guidelines are Enforced

Setup due consequences for any member of your team who goes against any of the outlined policies. Measures could be that if anyone accesses those prohibited apps or softwares during business hours it could result in warning and if anyone downloads or stores confidential files from a malicious app, such persons will not get funding for their mobile devices.

These measures should be outlined clearly with how any potential violations will be handled.

If you run a business or an organisation that encourages the BYOD policy, thinking through these steps and few tips should be able to guide you through building a firm foundation and an effective way to manage your infrastructure and protect it from any possible security breaches.

You can learn about a lot of more tips on how to better manage your infrastructure along proper auditing skills from SOUTECH ventures. We offer the best IT consulting solutions to our clients in Abuja, Lagos and Port Harcourt. Subscribe to our Ethical hacking course and learn more.

 

Protect your Infrastructure-Know the Importance of Firewalls : SOUTECH Cyber security training program Nigeria, Africa

A firewall just as its name implies is a protective barrier whose function is more like a physical firewall. The firewall lies just between the computer and the connection it has with the internet to provide protection from any form of online threats.

A firewall is a software program or a piece of hardware device that is programmed to provide security for your computer by placing limitations on information that you can receive from an external network. A firewall is designed to either allow or block information coming in or out of a network based on certain security policies.

The term firewall came into the cybersecurity world as a borrowed term from the word firefighting where an effort is made to prevent the spread of fire.

Organizations actually started moving from the use of mainframe computers and dumb clients in a client-server model and therefore the need to put a control over the server became a top priority. Before the introduction of firewalls in the late 80’s, the only form of protection from the outside world was the use of Access control lists (ACLs) resident in routers. The function of the ACLs was to choose which IP address to grant or deny access to a certain network.

Due to the swift growth of the internet and increased rate of connectivity of people and organizations to networks, it gradually meant an end of the ACL as a filtering method which was not enough to keep of malicious traffic. This was so because basic about network traffic was embedded in the packet header. The first organization to deploy the use of firewalls to tackle the threat of cyberattacks was the Digital equipment Corp (DEC) in 1992.

 

Types of Firewall Techniques

  • Packet Filter Firewalls: This type of firewall handles the packets going in or out of the network based on pre-defined rules by the user. The packet filtering ability is fairly transparent and effective to users however can be difficult to configure. It is however very susceptible to IP spoofing.
  • Application gateway Firewalls: This type of firewall applies security configurations  to specific applications like the Telnet and FTP servers. The application gateway firewall is very effective but can impose some performance degradations.

  • Circuit-level Gateway firewalls: This firewall type applies its security configurations when a TCP or UDP connection has been established. Therefore, once this connection is established, the packets begin to flow between the hosts without any further verification.

  • Proxy Server Firewalls: This firewall type intercepts all the messages that go in and out of the network. The proxy server firewall cascades or hides the real network address of the host.

 

The benefits of a firewall

  • It prevents any unauthorized user from an external network from gaining access to your internal network i.e. your computer in your network.
  • It monitors all forms communications that goes on between your computer and other computers outside of you network and over the internet.

  • It establishes a protective shield that either allows or blocks any attempt to access data or information on your computer.
  • It sends out a warning when any other computer tries to connect to you.
  • It also warns against any illegitimate connection by an application on your computer that gives access to other computers.

The Limitations of a Firewall

Firewalls however have not been able to determine the contents of email messages that are sent to your computer so they cannot you from malware sent through phished emails.

So therefore:

  • The need for antivirus softwares that can detect, quarantine or delete suspicious email attachments
  • Learn to protect yourself from phishing scams

If you have a private network, ensure that you protect your devices by configuring the firewall settings on your computers and wireless router. You can also add an extra level of security to your personal computers by using security softwares. However, even if your wireless network may seem secure, it may not be secure from other types of malware that can be gotten from computers through the internet.

Build your firewalls such that it can defend you against hackers and viruses. You can do this by always ensuring that your firewall is turned on. You can configure the firewall settings in the security and privacy section which can be found under your systems preferences section.

Also ensure to do regular updates of your anti-virus software as an extra security measure. Please note that firewalls and anti-viruses are not the same thing

Finally, asides the protection a firewall offers you, learn safe online practices.

If you need to learn about firewall configurations, and purchase latest and licensed anti-virus softwares contact us at soutech ventures. Subscribe to us today for all types of IT trainings and consultations you may require.

Understanding the importance of an IT audit: SOUTECH Ethical hacking tips

An IT audit is an audit that deals with the review and evaluation of all automated and non-automated information processing systems and all the interfaces that it encompasses. It also includes setting up management controls for information technology and infrastructures.

The elementary function of IT audits includes, evaluation of systems that are already in place to guard the organization’s information. It looks into the ability of an organization to protect its assets as well as be able to legitimately and adequately give out information to authorized parties.

The process of planning IT audits involves two key steps

  • Gathering information and planning
  • Gaining an understanding of the already existing internal control structures

Many organizations are gradually phasing towards the approach of risk-based audits which is used for risk assessment and to help the IT auditor to decide on whether to carry out a compliance and substantive test. The risk based approach involves the IT auditors relying on the internal and operational controls and also the knowledge of the organization involved.

However, this type of decision as regards risk assessment can go a long way to relate the profits analysis of the control to the risk.

These are the 5 aspects that an  IT auditor needs to identify when gathering information:

  • Good knowledge of the business and industry
  • Previous results obtained from all the years
  • Recent financial data
  • Already existing standards and policies
  • Inherent risk assessments

Inherent risk here refers to the risk that there is an error that could be a function of combined errors that are encountered during this audit assuming there are no controls in place.

Once the auditor has gathered relevant information and has an understanding of the control, then they are ready to start planning or select areas that need auditing.

Why is it important to do an IT Audit?

Hardly will you find an organization in recent times that is not IT driven. A lot of organisations today are investing huge amounts of cash on their IT infrastructure because they have come to realize the tremendous importance of using IT in their business services and operations. As a result of this, they need to always make sure that their IT systems are very secure, very reliable and is not susceptible or vulnerable to any form of cyber attacks.

The importance if an IT audit can never be over emphasized because it provides the assurance that the IT systems deployed by the organization is well protected, is available at all times, properly managed to get the required results and that it gives out reliable information to users. Many people use and rely on IT without knowing how it works and that a computer can make errors repeatedly and incurring extensive damages than a human being can. An IT audit is also very important in reducing risk of data leakage, data losses, service disruptions and ill-management of an IT infrastructure.

The Objectives of an IT audit

The objectives of an IT audit often focus on substantiating that the existing internal controls and are functioning as expected in order to minimize business risk. The objectives include

  • Assuring compliance with legal and regulatory standards
  • Ensuring confidentiality
  • Ensuring Integrity
  • Improving availability of information systems

Confidentiality here relates to information security and refers to protecting information from being disclosed to unauthorized persons or parties. This means that information such as personal credentials, trade secrets, bank account statements are kept confidential and protecting this information plays a major role in information security.

The fact that information is valuable only when it has not been tampered with gives way to data integrity such that information is not modified by an unauthorized party. If information is inappropriately altered, it could prove costly for example, a transaction of 1000naira can be altered to 10,000naira. Making sure data is protected from being tampered with is a core aspect of information security.

Availability here means that information is made available to authorized individuals whenever it is needed. Unfortunately, the act of denying rights to resources to rightful users has been in on the rise lately. An information systems audit will therefore ensure confidentiality of an organizations data, data integrity and availability of resources. An IT audit therefore oversees the organizations IT systems, its operations and management processes.

The reliability of data from an IT system can as well have huge impact on the financial statements of an organization. There an IT audit must be able to

  • Check for instances of excesses, gross inefficiencies, extravagance which has to do with wastage of resources in the management of IT systems
  • Ensure that there is a high level of compliance with government laws as applicable to the IT system.

Types of IT audits

Different bodies and authorities have developed their views to distinguish the types of IT audits. Goodman and Lawless have outlined three systematic approaches to perform IT audits

  • Technological Innovation Process Audit: This audit type attempts to construct a risk profile for already existing as well as new projects. It assesses the length, depth and presence of the technologies used by the company and how it relates to the relevant markets. It also looks into the way each project is organized, the structure of industry as regards its projects, products etc.
  • Technological position audit: This audit type deals with the technologies that the business has on ground and what it needs to add to it. Technologies can be categorized into
    • Base
    • Key
    • Pacing
    • Emerging
  • Innovative Comparison Audit: This audit deals with the analysis of the innovative capabilities of the organization being audited when compared to its competitors and rivals. The company’s research and development facilities as well as its track record of producing new products will be examined.

Other authorities have also categorized IT audits in 5 spectrum

  • Information Processing Facilities: It is focused on verifying the processing ability of the facility and if it is designed under normal and disruptive conditions to process applications in a timely, accurate and efficient way.
  • Systems and Applications: It is focused on verifying systems activity are controlled appropriately, efficiently and adequately in order to ensure its output at all levels are valid, reliable, and timely. This audit type forms a sub-type that focuses on business IT systems and also focuses on financial auditors.
  • Management of IT and Enterprise Architecture: IT focuses on verifying that organizational structure and procedure that ensures a controlled and efficient information processing environment is developed by the IT management.
  • Systems Development: This audit verifies the systems that are under the process of development meet the requirements and objectives of the organization. It also ensures that the systems are developed in line with generally accepted policies and standards for systems development.
  • Client/Server, Intranets, extranets and Telecommunications: This audit verifies that the controls for telecommunications are in place both the client and the server ends as well as the network that connects both the clients and servers.

Types of Auditors

  • Internal Auditor: This auditor usually performs internal accounts auditing as well as IS audits.
  • External Auditor: This auditor reviews the findings and inputs, processes and outputs of the information systems made by the internal auditor.

Types of Audits

  • Internal Audits: As explained above, an internal audit considers all the potential controls and hazards in an information system. It takes care if issues like operations, data, data integrity, security, privacy, software applications, productivity, expenditures, cost control and budgets. The auditor works with guidelines such as Information systems audit and control association which are available to make their job patterned.
  • External Audits: This audits buttresses on information obtained from internal audits on information systems. External audit is performed by an certified information systems audit expert.

IT Audit Strategies

  1. We’ll discuss two areas here but first one must be able to determine if it is a compliance or substantive testing. The next thing to consider is how to go about gathering evidences to enable one perform application audits and make reports to the management.

What is substantive and Compliance Testing?

  • Compliance testing involves gathering evidence to test if an organization is following the control procedures. For example, If an organization has a control procedure that says all application changes have to pass through a change control, an IT auditor will have to get the current running configurations of the router as well as the configuration file. After he does this, he can then run a file to compare the differences and use the result of the differences to look for a supporting change control documentation.

  • Substantive Testing involves gathering evidence that enables one evaluate the data integrity of individual data and other information. For example, If an organization has a policy that has to do with backup tapes in storage locations offsite which includes three generations (Grandfather, father and son), then the IS auditor has to take physical inventory of the tapes in an offsite storage location as well. After this he can then compare it with the organizations inventory and also making sure the three generations are involved and are available at the time of the audit.
  1. The thing to discuss on is How to get the evidence that can help you audit the application and deliver a report to management. A few things you can review are;
  • Review the IT organizational structure
  • Review the IT policies and procedures
  • Review the IT standards
  • Review the IT documentations
  • Review the organizations BIA
  • Take time to interview employees
  • Observe the employee’s performance
  • Test controls and examine necessary incorporated entities
  1. Draft out a set of questionnaires
  • Whether there is a thorough documentation of approved IS audit guideline?
  • Whether IS audit guidelines are consistent with the security policy?
  • Whether responsibilities for the IT audit has been assigned to a separate unit that is independent of  the IT department?
  • Whether periodic external IS audit is carried out?
  • Whether independent security audit is conducted periodically?
  • Whether contingency planning, insurance of assets, data integrity etc. are made part of External audit?
  • Whether vulnerability and penetration testing were made part of external audit?
  • Whether the major concerns brought out by previous Audit Reports have been highlighted and brought to the notice of the Top Management?
  • Whether necessary corrective action has been taken to the satisfaction of the Management?
  • Whether the facilities for conducting trainings which will enable IS audit teams to conduct the audit process effectively?
  • Whether IS audit team is encouraged to keep themselves updated?
  • Whether IS auditors exchange their views and share their experiences internally?

Operations is modern organizations  are increasing dependent on IT, this is why IT audits are used to make sure that all information-related controls and methods are functioning properly. Most of all the companies if not all are IT driven and not enough awareness has been made on auditing of IT infrastructure the reason for this write up. If you’re in search of a professional firm to audit your organization, look no more as soutech web consults which is the number one IT consulting firms offers in Nigeria offers this service. Subscribe to us for your auditing and all types of IT-related issues.

 

Has your account just been hacked? Wondering what to do next?

Just recently it was in the news that over 7million Dropbox usernames and passwords were being stolen with initial reports that the Dropbox server itself was hacked. The company made this statement on their blog as quoted “The usernames and passwords and passwords that are referenced in these articles were stolen from unrelated services and not Dropbox. Attackers however, went further more to use the stolen credentials to attempt log in into our websites across the internet, including Dropbox”.

Stories and news of data and network breaches in organizational networks have become trending on every headline recently so regardless of where the loopholes are, it is something we hear frequently. So many highly profiled businesses that we interact with regularly such as restaurants, product retailers have had POS (Point of Sale) data breaches over the past months.

However, I will tell you a few tips on how to approach a data breach situation and some things you can put in place in case you’re faced by such situations.

What to do Immediately- First Things First

  • First of all, try to determine the form of data breach that your information has been involved in. If it is an online data breach, then there is a possibility that your username and password might have been stolen, and if it is a POS data breach then it means your credit card numbers have been stolen as well.

  • Now if it is a POS data breach from a product outlet or a store, a restaurant that you have just purchased something with, then immediately check your credit card credentials and bank details for any suspicious activity.
  • Lookout for any alerts from the vendors that you use such that immediately a vulnerable vendor has contacted customers of password change, the user should do so too.
  • Avoid any potential phishing email or emails that require you update your password and private information via email. One tip you should always look out for is to check the email id or web address to confirm it is the official email or web address of your financial institution.
  • You can also change your other passwords if you use the same password over several accounts particularly the ones linked to your email account and those that contain your private and financial information. I advise you to go through you bank and credit card accounts as well.
  • Always notify you financial institution whenever you receive any suspicious activity going on as regards your financial account. Make sure you let them know the breached institution which your credit was used. They can take immediate action by blocking any transaction to that account.

 Meanwhile in the Interim

  • Continue to keep a close eye on you bank or financial accounts. You could also subscribe for receiving transaction alerts via text and emails. It is policy now for every bank provide these services. Sometimes it may seem that you are now safe but a cybercriminal has patience has a key virtue and therefore may take months to make use of your stolen bank and financial information.
  • You might as well contact the company which the data breach occurred when you did your transaction. They can provide you with information as regards the type of information that was leaked and the policies they have put in place to keep your personal details protected.

In the Long run

  • A lot of businesses or organisations have developed a policy such that any customer that gets affected by a data breach is given a free year of data monitoring. You can also find out with the organisation if they have such policies or if they such services.
  • I still lay emphasis on the use of a secure password coupled with a two-factor authentication as explained in my previous articles to be a key online safety means.

Data breaches however continue to be most frequent incidents these days like I said, there are ways to stay alert and be protected at all times. Luckily, if there are purchases you have made, there are anti-fraud laws in place to ensure your safety. If you find yourself in the clutch of any of the data breaches, be diligent enough to monitor your accounts. Soutech web consultants are just the right professionals to handle to fears. If you in anyway become a victim of sort, you can contact us at SOUTECH. Also, if you take all the methods and tips mentioned in this article and as long as you report any suspicious fraudulent activity then you are just as well informed as ever.

 

All you need to know about Polymorphic Viruses

Polymorphic viruses have over the years been one of the most difficult and complex viruses to detect. Anti-virus manufacturing companies have had to spend days and months trying to create detection routines required to track a single polymorphic.

I’ll attempt to discuss about polymorphics and some of the detection mechanisms existing and also introducing Symantec’s striker Technology, a patent-pending mechanism for detection of polymorphics.

The Norton anti-virus 2.0 was the maiden version to include a striker for possible detection of polymorphics.

 The Evolution of Polymorphic viruses

A computer virus can be defined as a self-replicating computer program that functions without the permission of the user. In order to spread, it attaches a copy of itself to some part of the program such as a word processor or a spreadsheet. A virus can also attack boot records and master boot records that contain all the information that a computer needs to startup.

Some viruses can replicate themselves, some may display messages input by its creator, some can be designed to deliver a part of a payload to corrupt programs, delete files, reformat a hard-disk drive, shutdown or crash a corporate network. I will quickly discuss about some viruses before we can relate it to polymorphic viruses.

Simple Virus

All a simple virus does is to replicate itself such that if a user launches the program, the virus gains control of the computer and attaches a copy of itself to other program files. After it spreads successfully, the virus transfers control back to the host program, which functions normally. You can perform a simple anti-virus scan to detect this kind of infections.

Encrypted Virus

The mode of operation of the encrypted virus was via signatures. Its idea was to hide the fixed signatures by scrambling the virus therefore making it unrecognizable by the virus scanner.

An encrypted virus is made up of a virus decryption routine as well as an encrypted virus body such that if the user launches the infected program, the virus decryption routine first gains control of the computer, then decrypts the body of the virus.

                                            An Encrypted Virus

Polymorphic viruses

The polymorphic virus is built in such a way that it has a scrambled virus body and a decryption routine that first gains control and then decrypts the virus’ body. However, it possesses a third component which is a mutation engine that sort of generates randomized decryption routines which change each time the virus infects a new program.

The mutation engine and the virus body are both encrypted such that when a user runs a program infected with a polymorphic virus, the decryption routine first gains control of the computer, then decrypts both the virus body and the mutation engine.

                             An Encrypted Virus before execution

 

                                 An Encrypted Virus after Execution

The decryption routine then transfers control of the computer to the virus, which locates a new program to infect. At this point, the virus makes a copy of both itself and the mutation engine in random access memory (RAM). The next thing the virus does is that it invokes the mutation engine, which will randomly generate a new decryption routine that will decrypt the virus and yet does not bear any resemblance to the previous decryption routine. The virus encrypts the new copy of the virus’ body and the mutation engine. Finally, the virus then attaches this new decryption routine, alongside the newly encrypted virus and mutation engine to the new program.

Decrypt virus

                                                      A Fully decrypted Virus

So, we can see that not only is the virus’ body encrypted, but the decryption routine varies from infection to infection. This therefore confounds a virus scanner searching for the tell-tale sequence of bytes that identifies

a specific decryption routine. With a signature that is not fixed to scan for, and a non-fixed decryption routine as well, no two infections look alike.

Detecting a Polymorphic Virus

Anti-virus researchers launched an attempt to fight back by developing special detection routines crafted to detect and catch each and every polymorphic virus. Special programs were written by line for line which were designed to detect various sequences of computer codes known to be used by all the mutation engines to decrypt the virus body.

This approach was not feasible, it was as well time consuming and costly. Every new polymorphic virus needs its own detection program and also, a mutation engine which produces seemingly random programs which can properly execute decryption and some mutation engines to generate billions of variations.

Moreover, a lot of polymorphics make use of the same mutation engine, credits to the authors of viruses like dark avenger. In addition to this, different engines are being used by different polymorphics to generate a similar decryption routine, which can make identification of the virus solely based on decryption routines wholly unreliable.

This approach can be misleading by identifying one polymorphic as another. These shortcomings led anti-virus researchers to develop generic decryption techniques that trick a polymorphic virus into decrypting and revealing itself.

To gain more knowledge about all forms of malwares with malware analytical skills subscribe to our CEH course at Soutech Ventures. We have trained and seasoned experts to give you both theoretical and hands-on ethical hacking knowledge and skills.

Network Penetration Testing Services: Tools and Methodologies

In my previous articles, I have discussed intensively on vulnerability analysis and penetration testing but I’ll reiterate a few things to help buttress the points in this article.

Penetration plays a major role in the playbook of any security consultant and penetration test and it is the best clue to know how vulnerable a network is to an attack. Compliances such as PCI and HIPAA require vulnerability assessment and they also enable penetration testing to be performed smartly and in a targeted form when compared to performing simple port scans. Vulnerability assessments most importantly is the bedrock for developing an information security program that is proactive, going beyond reactive techniques such as starting firewalls and identifying loopholes and making attempts to seal them. But know this, that when installing and managing your websites and networks even if you might know much about the basic security measures and even follow them, it is never enough to discover and mitigate all the vulnerabilities by yourself.

Now lets us understand what a network vulnerability assessment is as an entity of penetration testing. A network penetration testing is a penetration testing technique that involves reviewing and analyzing a network in order to discover any possible security loopholes and vulnerabilities. Network administrators and network security staff use this technique to do a thorough evaluation of their security architecture as well as to defend the computer network against any form of threats and vulnerabilities. It also helps them to assess the network to know its strength. But the key objective of this technique generally is to discover vulnerabilities that may compromise the overall privacy, security and operations of a computer network.

Network penetration testing Methodology

 

1. Data and Information gathering and project set up

This involves;

  • Reviewing the project to obtain all assumptions
  • Listing and detailing out the IP scanned IP addresses
  • Configuring the IDS and IPSes to accept the originating IP addresses
  • An optional scan of all user credentials
  • Obtaining contact information for both parties
  • Planning the scans and including the time it is being performed

2. Scanning the tools being setup

This step involves configuring all the vulnerability scanning tools for “safemode”

3. Performing the vulnerability scan

This involves performing and in-depth scan of all provided IP addresses and identifying any security weaknesses and vulnerabilities on user credentials after they have been scanned.

4. Research and Verification of vulnerabilities

This involves

  • Verifying all the discovered vulnerabilities
  • Identifying false positives
  • Determining any potential impacts of the vulnerabilities being exploited
  • Prioritizing remediation efforts
  • Developing specific plans and recommendations for the remediation

5. Create reports and a project close-out

This involves;

  • Delivering final and concluding reports
  • Teleconferencing of the scheduled project conclusions
  • Ensuring a full understanding of the remediation actions being recommended
  • Facilitating knowledge transfer in and effective form

Network Vulnerability Assessment Tools

In order to carry out an automates security audit in any organization, vulnerability scanners play a very critical role. This is because they can scan the website, network and other internal systems for thousands of security risks and can automatically prioritize them alongside the right patches. Some can automatically perform the patches.

Scanning websites is an entirely different ballgame from network scans. In the case of websites, the scope of the scan ranges from Layer 2 to 7, considering the intrusiveness of the latest vulnerabilities. The correct approach for scanning websites starts from Web-level access, right up to scanning all back-end components such as databases. While most Web security scanners are automated, there could be a need for manual scripting, based on the situation.

1.OpenVas: This is a short for Open Vulnerability Assessment System and is a free network security tool that has most if its components licensed under GNU General Public License (GNL). This tools is very effective in scanning for thousands of vulnerabilities and supports concurrent and scheduled scans and tasks. Its main component is available as Linux packages and as virtual appliances that are downloadable for the purpose of testing and evaluation. OpenVas does not work on windows but it offers clients for windows platforms. It can run mainly on Linux platforms and can perform scans and receive over 33,000 updates daily of Network vulnerability tests.

OpenVas has a manager that controls its intelligence and it is command line based with full services of daemon for user management and feed management. It is not easy and quick to be installed but it has one of the richest features in It security scan.

2. Retina CS Community: This is a vulnerability scanning and patching tool for Microsoft and most third-party applications like Firefox, adobe etc. It can scan for vulnerabilities in mobile devices, virtualized applications, servers, web applications, and private clouds as well. It identifies missing patches and configuration issues. It has a software that which is called Retina Network Community which is to be installed first before actually installing the Retina Cs Community software. It works on windows server 2008 or later versions, Microsoft SQL 2008 version or its later versions and it also requires a .net framework 3.5 to be installed, it is IIS server enabled.

It gives you the option of choosing from a variety of scans with reporting templates which can specify IP address ranges. You could also provide any necessary credentials for scanned assets which may be required may make your reports come out in a readily and organized format including email alerts. Most businesses however may find its system requirements very stringent since it requires windows server.

3. Microsoft Baseline Security Analyzer (MBSA): This is a tool that can perform both local and remote scans on windows servers and desktop. These tools are very efficient because it can identify missing service packs, security patches and any common security misconfiguration. Platforms that support it are windows XP Windows 8 and 8.1, windows Server 2012 and windows server 2012 R2. It is an easy-to-understand tool and a straightforward tool as well. It provides options of selecting a single window machine to perform a scan where you can choose a name, specify IP addresses and even choose a domain. You could choose the platform you want to scan which can either be a Windows, IIS, SQL admin vulnerability, windows update or weak passwords.

5. SecureCheq: This is a tool that can perform local scans on both windows desktops and servers and is capable of identifying many insecure advanced windows settings such as COBIT, ISO, CIS standards. It deals majorly on common configuration errors which are related to OS hardening, communication security, data protection issues, audit logs and user account activities. Its free version can only perform less than 24 scans which is about a quarter of what its full version scans. SecureCheq is a simple tool which lists all the checked settings including passed or failed results. Even though it is easy to use and its ability to scan for advanced configuration settings, it cannot reach deep to scan general windows vulnerabilities and network based threats. But it however complements MBSA well enough by scanning for basic threats and performing a follow up scan using securecheq.

6. Qualys freeScan: This tool can perform about 10 free scans of URLs and IPs of local servers and machines on the internet. It can be downloaded from web portals which can be installed and run on virtual machines for scanning internal networks. It can scan for issues in SSL, and vulnerabilities in their related networks.

It may seem first see an online tool which appears to do scan via internet if you put in the local IP address, it prompts you to download to your system via virtual machines like VMware or VirtualBox image. This tool allows you to scan local networks and gives an interactive report of the threats and patches.

7. Wireshark: Wireshark, previously called Ethereal, is one of the most popularly used tools for network vulnerability testing or assessment. This is because it gives you a clear picture of happenings on your network. It works in promiscuous mode in order to capture all the traffic on a TCP broadcast domain. It has features of customized filters that can be configured to intercept specific traffic such as communication between two IP addresses, UDP-based DNS queries on that network.

Data obtained can be dumped into a capture file for later review. It can also look for stray IP addresses, unnecessary packet drops spoofed data packets and any suspicious single IP address. Although wireshark gives one a clearer and broader picture of the network activities, it however does not have its own intelligence and should therefore be used as a data provider.

8. Nmap: This has remained one of the most popular scanning tools for over a decade now. It has the capability of crafting data packets and perform scanning to a TCP granular level such as ACK, SYN scans etc. some of the characteristic of this tool include

  • Algorithms for built-in signatures designed to guess OSes and its versions based on the TCP handshake
  • It can detect remote devices on the network as well as firewalls, routers, and their models
  • It can check for open and running ports and which ports can be exploited for simulation of attacks
  • It gives results in plain text and verbose
  • It is scripted to automate routine task and obtain evidence for audit reports

9. Metasploit: Metasploit is a tool that comes to play after scanning and sniffing have been done. It provides the following capabilities;

  • It is a rigorous tool for performing scans against a set of IP addresses.
  • It can be used for anti-forensics
  • Programmers can write codes that can be used to exploit vulnerabilities and to test it on Metasploit if its working
  • It is a commercially available tool for performing virus attacks.

10. Aircrack: This is a network scanning tool that acts as a sniffer, packet crafter and decoder. It targets a wireless network by subjecting a packet traffic to capture vital information about a certain underlying encryption. A Decryptor is then used to perform a brute-force on the captured file to find passwords. Aircrack can be found in kali-linux which is the most preferable.

11. Nikto: This is an interactive open source tool for scanning websites because it supports HTTPS and HTTP. Nikto works by

  • Crawling a website like a human would do in a little amount of time
  • It uses a technique known as mutation to create combinations of various HTTP tests to perform an attack.
  • It finds critical loopholes like improper cookie handlings, XXL errors, upload misconfigurations etc.
  • It dumps all the findings in a verbose mode which can also help in knowing more about vulnerabilities in a website.

Care should be applied when interpreting Nikto logs because it can result in too many things getting noticed and can trigger a false alarm.

12. Samurai framework: It is used to for deep-diving after a baseline check has been done by Nikto. It is a powerful scanning utility which can be used to target specific set of vulnerabilities. It is pure penetration testing tool which focuses on other penetration tools such as WebScarab for HTTP mapping.

13. SQLmap: This tool is a first-generation tool capable of exploiting SQL injection errors but it can as well take over the database server. It works for speedy fingerprinting of the database to find underlying OSes and file system to fetch data from the server.

Note that a regular scheduled network vulnerability scan can help an organization to identify loopholes and weaknesses in a network even before any cybercriminal can perform a seeming attack. The aim of performing a network vulnerability is to identify devices on your network without compromising the systems on your network. Therefore, ensure to conduct a periodic network vulnerability scan on your network in order to discover and mitigate and possible weaknesses on you network before it can be exploited.

Why do you need the services of a Network Penetration Tester?

A network penetration tester is specially and specifically with trained the expertise to effectively conduct penetration testing and network assessments. Note that is a penetration is improperly conducted, it could be detrimental to your organization and its daily operations. Some of the skills a Network security specializes in are;

  • Data breach prevention
  • Application security
  • Security control testing
  • Gap analysis maintenance
  • Compliance testing and analysis

Who do you contact?

To get a range of services ranging from certifications and trainings in vulnerability and penetration testing and many more courses. We at Soutech web consults have a team of professionals that cannot only train you and your staff on vulnerability and penetration testing which is an entity of cyber security but also conduct them. Endeavour to visit us at soutech web consults or subscribe to our website to find out we can help your organization and your business mitigate any form network vulnerabilities by just implementing any of our test processes and technologies.

Vulnerability Testing: A Detailed Guide-SOUTECH guide

One of the major challenges which the cybersecurity world is facing is the way vulnerabilities are classified or grouped. Many security vendors, professionals and product developers have given different names the same type of vulnerabilities and it has grown to become a confusing idea to security practitioners when performing tests. This is the reason why some organisations such as CVE (Common Vulnerabilities and Exposures have come together to develop a common language for vulnerabilities.

The CVE which is sponsored by the Mitre Corporation, has set up a standard for which naming security vulnerabilities conventionally in other to make it easier to discuss, perform and document. A complete list of CVE for vulnerability testing can be downloaded from CVE.

CVE standard has been deployed by many security products to name but a few such as;

  • Nessus Security scanner
  • STAT (Security Threat Avoidance Technology
  • Internet Scanner by ISS (Internet Security Systems)

Types of Vulnerability Scanners

Vulnerability scanners can be classified into;

  1. Host Based vulnerability scanners
  • It identifies the issues that are inherent in the host system.
  • This process of scanning is performed by using host-based scanners to check for the vulnerabilities.
  • When the host-based tools load the mediator software to the target system, it traces the events that have occurred and sends the report to the security analyst for analysis and decide the next move.
  1. Network Based vulnerability scanners
  • This process is performed using Network-based Scanners.
  • The function of the network-based scanners is to detect the open ports, identify the unknown services and active and running ports.
  • It then gives a result of all the possible vulnerabilities that are associated with these services.
  1. Database Based Vulnerability scanners
  • The database -based vulnerability scanners will identify the security loopholes in the database
  • Here, tools and techniques are applied to test if the database is susceptible to SQL injections. The tester performs an SQL injecting SQL queries into the database in to read any sensitive data from the database. If there are any loopholes, the cyber security expert then updates the data in the data and tries to patch the security issue.

Steps for Performing Vulnerability Testing

The full methodologies on how to perform Vulnerability testing can be found in my previous article on vulnerability testing. I will describe briefly the steps that can be used to carry out any vulnerability test.

1.Check for Live Hosts: Here we have to check if the host is alive on the network. We can also

  • detect firewalls in the network
  • Probe for open ports such as UDP and TCP ports and other ports
  • TCP ports such as 1-111, 135,139, 443, 445 etc.
  • UDP ports such as 53, 111, 135, 137, 161 and 500

Whether or not the target is alive or offline, the scan can still be done.

2. Detect Firewalls: Here we try to determine there is a firewall in front of the target system. This is because some systems may appear to be offline but in the actually sense they are just protected by firewalls to be off and can still be open to attacks.

This test also attempts to gather a lot of network information from the target network especially when doing UDP and TCP probing.

3. Determine Open services and ports: In this step, we try to scan the UDP and TCP ports in other to discover the ports and services that are open. The ports to be probed are UDP and TCP ports 65-535 and in most setups, it is recommended to use the best scan probes to save the network bandwidth and the network time. So during the performance of an indepth scan, the use of full profiled scan probes are recommended.

4. Detection of Operating Systems and Versions: This involves discovering the OS versions and the services in other to optimize it. Once the process of UDP and TCP port scanning have been over, the pen tester uses different techniques in other to identify the OS that is running on the target host and network.

5. Perform a profiled Vulnerability scan: A profiled scan is applied in order to get an optimized vulnerability scanning result. Profiled scans include;

  • Best scan to get popular ports
  • Quick Scan to get most common ports
  • Firewall scan by performing stealth scan
  • Aggressive Scan by performing full scan, exploits and for DOS attacks

6. Developing a detailed Report: There are different formats to generate reports and the outputs of risk analysis and remediation suggestions. You can read the the OWASP full vulnerability scan documents to get a template for presenting your reports.

Vulnerability Testing Tools

Vulnerability testing tools can be classified into  Host-based tools and Data-based tools. I will describe a few tools which are efficient for performing vulnerability assessment.

Category

Tool

Description

Host-Based STAT It scans multiple systems on the network.
  TARA An acronym for Tiger Analytical Research Assistant. It is a unix-based system scanner which detects a set of known vulnerabilities in the local host of the network.
  Cain and Abel It can be used for cracking HTTP passwords and for retrieving passwords by sniffing the network.
  Metasploit It is an open source platform on linux for developing, testing and exploit of codes.
  WireShark This is an open Source network protocol analyzing tool that runs on both Linux and Windows platforms. Used to sniff the services running on the network.
  Nmap This is also an open source utility tool for carrying out security audits.
  Nessus This is an agent-less platform for auditing, reporting and carrying out patch management integration.
Database-based SQL diet A tool door for the SQL server for performing dictionary attacks.
  Secure Auditor It enables a user to carryout enumeration, network scanning, auditing and also perform penetration testing and forensic on the operating systems.
  DB-scan It is a tool used for the detection of trojans on the database, and also detecting hidden trojans by performing baseline scanning.

 

Advantages of Vulnerability Assessment

The common advantages of performing vulnerability assessments are;

  • There are readily available open source tools for performing vulnerability assessments.
  • It provides a platform to identify, detect and curb almost all vulnerabilities inherent on any system.
  • Some of the afore mentioned tools are automated for scanning.
  • These vulnerability assessment tools are easy to run on a regular basis.

Disadvantages of Vulnerability Assessment

  • There is an increase in the rate of false positive results
  • A vulnerability assessment tool can easily be detected by an Intrusion Detection System (IDS)/Firewall.
  • Sometimes recent and latest vulnerabilities can be hardly noticed.

Vulnerability Assessment vs Penetration Testing

Vulnerability Assessment Penetration Testing
Functionality To discover Vulnerabilities To Identify and exploit known vulnerabilities
Mechanism For discovery & scanning Perform simulations
Focal point Considers breadth over depth Considers depth over breadth
Coverage of Completeness High Low
Cost of Use Low to Moderate High
Tester House staff An attacker or Penetration Tester
Tester Knowledge High Low
How often is being run Run after every single equipment is loaded Run once in a year or quarterly depending on organizations policy
Results provided Gives partial and inconclusive details about the Vulnerabilities It gives a complete detail of all the  identified vulnerabilities

When performing vulnerability testing, you must know that it depends on two major mechanisms which are vulnerability assessment and penetration testing which I have been able to differentiate summarily. Now, these two test methods differ from each other in the areas of the tasks they perform and the weight of their performance levels.

However, if one must achieve a comprehensive and well detailed vulnerability testing with reports, a combination of both methods is always recommended.

We at Soutech web consults have a professional team that can carry out well organized and detailed vulnerability testing on your organization. Do well to contact us today on our website.

 

 

 

 

 

 

 

 

 

 

All you need to know about Penetration Testing: Soutech Ventures

Penetration which is colloquially referred to as pen test is a simulated attack that is being performed on a computer system or its network infrastructure with permissions from management to probe for security vulnerabilities, and a potential means of gaining access to data and other features on the system.

Penetration testing helps one to find out the vulnerability of a system to an attack and if the defense mechanism created are sufficient and which defense mechanisms or techniques employed that can be defeated. A typical penetration testing process focuses on finding vulnerabilities depending on the nature of the approved activity for a given engagement.

A security testing will never prove the absence of security flaws in a system but it can sure prove their presence.

 Brief History of Penetration Testing

In the mid-1960s, for over 50years and more, as the sophistication of networks increased, white hat hackers have been putting in work to make sure computer systems are protected from unauthorized access by hackers. They understood if hackers gain access into their systems, they could even destroy information networks asides stealing information. As computers began to gain the ability to share data or information through and across communication lines, the challenge to protect information increased. These lines if broken and data compromised, contained or stolen.

As early as 1965, computer security experts warned the government and business outlets that because of the increasing capability of computers to share information and exchange vital data across communication lines, there could be an inevitable attempt to penetrate those communication lines during exchange of data. In the year 1967, in the annual joint computer conference which had over 15,000 cyber security experts in attendance, there were serious deliberations that computer communication lines could be penetrated by hackers. They coined the term penetration which has perhaps become a major challenge in computer communication today.

This meeting brought the idea of actually testing systems and networks to ensure that integrity is increased as the expansion of computer networks such RAND corporation which first discovered a major threat to internet communications. The RAND Corporation aliased with the Advance Research Projects Agency (ARPA) located in the US to produce a report known as The Willis Report named after its lead author. The Willis Report discussed this security issue with a proposition of policies to serve as countermeasures in security breaches.

From this report however, the government and organizations started to form teams with the sole responsibility of finding weaknesses and vulnerabilities in the computer networks and measures to protect the systems from unauthorized or unethical hacking or penetration.

Today, there are numerous and specialized options that are available for performing penetration testing. Many of these systems include tools that a range of features for testing the security of the operating system. For example, we have Kali Linux which can be used for performing penetration testing and digital forensics. Also contained in it are 8 standard tools such as burp suite, Nmap, Aircrack-ng, Kismet, Wireshark, the Metasploit framework and John the Ripper. Kali Linux has all these tools and many more and for a system to contain all this sophisticated tools goes to show how much sophisticated today’s technology has gradually become and how many hackers are finding ways to create problems for computer-driven networks and computing environments most the especially the internet.

Objectives of Penetration Testing

The objectives of an intense pen test involve

  • Determining how an attacker can find any loopholes to unlawfully gain access to the systems assets that can be of harm to the fundamental security of the systems logs, files.
  • Confirming that all the applicable controls like the vulnerability management methodologies and segmentation required for the good functioning of the system are in place

Types of Penetration Testing

  1. Black box penetration testing: Also referred to as blind testing. Here, the client does not give out any prior information of the system architecture to the pen tester. It may offer little as regards value to the pen tester since the client does not provide any information. It can require more money, more time as well as resources to carryout
  2. White box penetration testing: Also known as Here, the client provides the pen tester with a comprehensive and complete detail of the network and how is being applied.
  3. Grey box penetration testing: The client may provide incomplete or partial information of the system network.

Stages of Penetration Testing

There are basically 5 stages of a penetration test.

1. Reconnaissance and planning: This stage involves gathering intelligence such as network, mail servers and domain names in the bid to understand how the target system works and the potential vulnerabilities it is facing.

It also involves a thorough definition of the scope and the goals of the penetration test, including the systems that are to be addressed and the methods of testing to deployed.

2. Scanning: This stage requires an in-depth understanding of how the target applications will respond to any attempt of intrusion. Scanning can be performed in the following ways:

  • Static analysis: This is a process involves a careful inspection of the codes in the application and how it behaves when it is run. These tools have the capability of scanning the entire code in a single pass.
  • Dynamic Analysis: It involves a careful inspection of the codes in the application when in the running state. It is a more practical approach to scanning in that it gives the real-time view of the applications performance.

3. Gaining Access: In this stage, the pen tester uses web application attack techniques such as SQLs, XXLs and backdoors to unravel the vulnerabilities on the target system. In a quest to understand the damages they can cause on the target, the tester will try to exploit the vulnerabilities discovered by intercepting traffic, stealing data and escalating privileges etc.

4. Maintaining Access: The stage aims at achieving a persistent presence in the exploited system using the known vulnerabilities. Advanced threats which are capable of remaining on the system for months are logged into the system into to monitor changes, enhancements and any new information being loaded onto the system.

5. Results and Analysis: In this stage, all the results obtained from the penetration test are compiled comprehensively and in details. This includes;

  • All the vulnerabilities that have been exploited
  • All sensitive data that has been accessed
  • The amount of time spent during maintaining access without being detected.

The security personnel then analyses the results in a bid to where necessary reconfigure the organization’s WAF settings and any other application security flaws. This is done to patch all the vulnerabilities and to protect information against any future attacks.

Classification of Penetration Testing

1. External Penetration Testing: An external penetration tests is targeted at the assets owned by an organization that are accessible to and on the internet. Examples of such assets can be,

  • The organizations website
  • Domain name servers
  • Emails
  • Web applications

The major goal of the external pen test is to gain access and extract data.

2. Internal Penetration Testing: It attempts to mimic an attacker actually launching an attack on the network to find vulnerabilities or loopholes.

It involves an examination of the IT systems of an internal network for possible traces of vulnerabilities which can affect the confidentiality, integrity and availability, and thereby giving the organisation the clues to take steps to address such vulnerabilities.

Penetration Testing Services

I will describe 4 distinct penetration testing service offerings that we can provide you

  1. Vulnerability Scanning: This scanning technique provides a very transparent and mature offer but the biggest challenge always lies on whether to resell a service offering or to buy that can be used to internally scan the clients systems and networks. Every regulation requires scanning which is the first and easy step taken towards achieving security assurance. This is because all regulated customers need to scan.
  2. Penetration testing of Infrastructure: This offers tools such as Metasploit or Core Impact, that can be used to perform live exploits. Live ammunitions are used so you have to orchestrate or organize the test with the client in such a way that the amount of disruption during the tests is minimized. The pen tester should endeavor to test all externally visible IP addresses because it is what the bad guys want in order to penetrate the system and network. The tester should also attach to the conference room network which is one of the softest parts of the customers’ defense.
  3. Penetration of Applications: This is a very important step which involves an attempt to break into the applications because so many attacks are directly targeted at applications. Web applications such as HP’s WebInspect and IBM’s AppScan can be employed, but the tester can also find ways to exploit the application logic errors. Nothing stands a skilled application test because once an initial application is compromised, a direct access to the database where valuable data is easy. If the tester can access the database, then the customers system is owned already and scripts can be written to block every loop holes by the attacker.
  4. User Testing: This part of the penetration test is always fun for the penetration testers because they get to see how gullible and vulnerable most users are. The test may involve sending fake email messages to customer service representatives in a bid to gather information that can be used to penetrate their facilities. They even drop thumb drives at the parking lot and watch out for people that will plug them. Social engineering is one of the key ways of information gathering and should never be underestimated. Social engineering can be used on the client in order to catch them off guard.

Standards for Penetration Testing Methodologies

There are many accepted industry methodologies that may guide and help the pen tester through any test.

  • Open Source Security Testing Methodology Manual (OSSTMM)
  • OWASP Testing Guide
  • The National Institute of Standards and Technology (NIST)
  • Penetration Testing Execution Standard
  • Penetration Testing Framework

These frameworks have set standards that any penetration testing activity should follow as should strictly be adhered to guide the pen tester whenever necessary.

A typical penetration activity is detailed and must be carried out in an organized fashion. This is because organisational data and assets are very important and delicate things to handle therefore there is a need to have an orgnised team of professionals to handle your penetration testing services.

We at SOUTECH web consults are the perfect consulting firm for carrying out your penetration testing. We have professional staff and a team to conduct a well detailed and professional penetration testing. Subscribe for our services today.

 

Performing a Detailed Penetration Testing: Soutech Ventures

Pen tests as we already know are intended to identify and confirm actual security breaches and to report such issues to management. This ensures that an organization experiences a balance in business and a good network security to ensure the smooth operation of business.

Just to reiterate as this is a follow up article to my basics on penetration testing, penetration testing colloquially called pen test refers to an ethical hacking method which is used to perform security testing on a computer network of an organization. It involves a lot of methodologies which I have already explained in my previous write up which is designed to explore a network for potential known vulnerabilities and to test them if they are real. A properly performed penetration test allows a network professional to fix issues within the network in order to improve the network security and provide the needed protection for the entire network against future cyber-attacks and intrusions.

The terms vulnerability assessment and penetration testing are often confused and I have made an attempt to differentiate them because they mean different things.

Pen tests involve methods require using legal permissions to exploit the network while vulnerability assessment requires evaluating the network, its systems and services for potential security problems. While a pen test is designed to perform simulated attacks, vulnerability assessments only require pure analysis and vetting of an organizations network for vulnerabilities. Note that no attack is launched.

Penetration Testing Services

I will describe 4 distinct penetration testing service offerings that we can provide you

1.Vulnerability Scanning: This scanning technique provides a very transparent and mature offer but the biggest challenge always lies on whether to resell a service offering or to buy that can be used to internally scan the clients’ systems and networks. Every regulation requires scanning which is the first and easy step taken towards achieving security assurance. This is because all regulated customers need to scan.

2. Penetration testing of Infrastructure: This offers tools such as Metasploit or Core Impact, that can be used to perform live exploits. Live ammunitions are used so you have to orchestrate or organize the test with the client in such a way that the amount of disruption during the tests is minimized. The pen tester should endeavor to test all externally visible IP addresses because it is what the bad guys want in order to penetrate the system and network. The tester should also attach to the conference room network which is one of the softest parts of the customers’ defense.

3. Penetration of Applications: This is a very important step which involves an attempt to break into the applications because so many attacks are directly targeted at applications. Web applications such as HP’s WebInspect and IBM’s AppScan can be employed, but the tester can also find ways to exploit the application logic errors. Nothing stands a skilled application test because once an initial application is compromised, a direct access to the database where valuable data is easy. If the tester can access the database, then the customers system is owned already and scripts can be written to block every loop holes by the attacker.

4. User Testing: This part of the penetration test is always fun for the penetration testers because they get to see how gullible and vulnerable most users are. The test may involve sending fake email messages to customer service representatives in a bid to gather information that can be used to penetrate their facilities. They even drop thumb drives at the parking lot and watch out for people that will plug them. Social engineering is one of the key ways of information gathering and should never be underestimated. Social engineering can be used on the client in order to catch them off guard.

 

The Qualifications of a Penetration Tester

The task of penetration testing can be performed by a qualified third-party agent as long as they are organizationally independent. What I mean is that they must be organizationally separate from the management of the client or the target system. Example, if we use a case study of a PCI DSS company as our assessment entity and as the third-party company carrying out the assessment, they cannot conduct the pen test because they’re involved in the installation, maintenance or as support to the target systems.

The following guidelines can be useful in your choice for a good and qualified penetration tester

Certifications for a penetration tester: The certifications which a penetration tester hold is a very indicative guide to their level of competence and skill. While these certifications may not be required, they can indicate a common body of knowledge for the tester. These are the few among’st many certifications a penetration tester can have;

  • Certified Ethical Hacker (CEH)
  • Offensive Security Certified Professional (OSCP)
  • Global Information Assurance Certification (GIAC)
  • Computer Information System Security Professional (CISSP)
  • GIAC Certified Penetration tester (GPEN)
  • EC-Council Security Analyst (ECSA)
  • Licensed Penetration Tester (LPT)
  • GIAC Exploit Researcher and Advanced Penetration tester (GXPN)

Always remember that before any test begins, all parties are recommended to be involved such as the organization, pen tester, the assessor where applicable. They all must be aware of the types of test being performed i.e. external, internal, network layer or application and how the test will be performed and the target.

Steps to Perform a Detailed Penetration Testing

1.Scoping of the organization: The responsibility of the organization is to the adequately define the critical systems. The normal recommendation is that the organization works hand in hand with the pen tester whenever it is applicable. The assessor also plays major role here to verify that none of the components are overlooked and also to determine if there are additional systems to include in the scope. The scope of the penetration test should include the critical systems, the access points and the methods for segmentation.

2. Documentation: All components within the scope of the documentation should be made available to the tester whenever necessary. Documents include,

  • Application interface documentation
  • Guides to the implementation

This will help the tester to understand the functionality of the system. Other information which the organization needs to supply the tester should include

  • Network diagram. showing all the network segments.
  • Data flow diagram
  • Detailed list of all services and ports that are being exposed to the perimeter.
  • List of the network segments in isolation

A typical network diagram showing      the  network architecture

 

The pen tester uses all this information to assess and identify all unexpected attack vectors and any insufficient authentication controls.

3. Rules of Engagement: Before any test begins, it is very important to agree and document on conditions and terms in which the test is being performed and the extent to the level of exploitation. This gives the pen tester the authority to the test environment and to make sure the organization has an understanding of test and what to expect from it. The following are what to consider as rules of engagement

  • Window time will the test be performed?
  • What are the known issues in the system and issues with automated scanning? And if so, will such systems still be tested?
  • Any preferred methods of communication about the scope and any issues that will be encountered in the course of the test.
  • Any security controls could detect the testing?
  • Are there passwords or any sensitive data to be exposed during the test.
  • If the equipment to be used by the tester will pose any threats to the systems in the organization.
  • Any updated OSes, service packs and patches and if the tester should provide all the IP addresses for which the test will originate.
  • What steps the tester should take when he detects any flaw or loophole.
  • Will the tester retain any data obtained during the tester?

4. Third-party Hosted/Cloud environments: The following should be added to the rules of engagement.

  • Before test commences, if the service-level agreement requires any approval from the third-party.
  • Web management portals that are provided to manage the infrastructure by the third-party should not be included unless noted in the scope.

5. Criteria for success: Pen testing is supposed to simulate a real-world attack with the aim of identifying the extent an attacker can go to penetrate the systems. Therefore, defining the success criteria for the pen test will allow the entity to program limits for the pen test. Success criteria should be included in the rules of engagement and should include

  • Restricted services or data should be directly observed in the absence of access controls
  • Level of compromise of the domain being used by legitimate users.

6. Review of past vulnerabilities and threats: this involves a review and a consideration of all the threats and vulnerabilities that were encountered in the last 12 months. It is more like an historical look into the organizations environment since the last assessment was performed. This information is very important to give insights on how to handle the current vulnerabilities. Depending on whether it is a white box, grey box or black box test that is to be performed, these are not to be included in the review.

  • Vulnerabilities being discovered by the organization and have not be solved within a certain time.
  • Compensation controls preventing the discovered vulnerabilities
  • Upgrades or deployments that are in progress
  • Threats and vulnerabilities that have led to a possible data breach
  • Valid remediation of pen test in the past years.

7. Segmentation: This is done by conducting test used during the initial stage of the network penetration such as port scans, host discovery. It is performed to verify that all the isolated LANs do not have access to the database. Testing each of these unique segments should ensure that security controls are working normally as intended. The pen tester should check the LAN segments that they have access to the organization and restrict access.

8. Post Exploitation: This means taking actions after an initial compromise of the system. It refers to the methodical approach of making use of pivoting techniques and privilege escalation to establish a new source of attack. This can be done from a vintage point in the system in order to gain access to the network resources.

9. Post- Engagement: the following activities should be done after the engagement or testing are being performed:

  • Remediation best practices
  • Retesting all the identified vulnerabilities

10. Cleaning up of the work Environment: After the pen test has been performed, it is necessary to do a thorough cleanup of the working environment. The tester does some documentation and informs the organization of any alterations that have been made to the environment. These include but not limited:

  • Installed tools by the tester on the organizations system
  • Created accounts during part of the assessment
  • Changed passwords for accounts
  • Any additional documents not related to the organization

11. Reporting and Documentation: Report helps an organization in their efforts to improve upon their security posture and also to identify any areas that are vulnerable to threats. A report should be structured in a such a way that it the test is clearly communicated, how it was carried out. The report should be done in the following steps;

  • Report identified vulnerabilities
  • Any firewall mis-configurations
  • Report of detected credentials that were obtained through manipulation of the web application.The service of penetration testing is a typical learning experience for everyone in the organization that is involved in it as well as the tester. The testers get to discover and learn what it is that works and what does not work and is not obtainable to the entity being tested. They can also learn how to find ways to adapt to the defenses of the customer. The client i.e the organization gets to learn of what they should have known and done that is less effective and finally learn and appreciate what is applicable. The pen tester now tries to pick the pieces and build a strong and long-term relationship with the client.

We at soutech web consults are the perfect consulting firm for carrying out your penetration testing. We have professional staff and team to conduct a well detailed and professional penetration testing. Subscribe for our services today.

 

 

 

Why do you need a Vulnerability Test? Concepts and Methodologies

First of all, let us understand what a vulnerability is. I’ll define a vulnerability as any form of loophole, a weakness or mistake that can be found in a system security design, its implementation, security procedures, or its control that can lead to systems security policy violation. A vulnerability can make it possible for cybercriminal or attacker to gain unauthorized access to the system.

As we already know, confidentiality, integrity and availability which are the three cores of IT security. Once any or all of these elements are compromised, then one can say there is a security vulnerability. Infact, a single security vulnerability has the potential of compromising one or all of these elements. For example, the confidentiality can be compromised if there is an information disclosure vulnerability while the compromise of integrity and availability can be as a result of remote code execution.

What is Vulnerability Testing?

It can also be referred to as vulnerability assessment which is a software testing technique that is conducted in order to evaluate the inherent risk in an IT system and measures employed to reduce or curb the probability of the event.

Vulnerability testing has some similarities with risk assessment and these assessments can be performed following some steps as highlighted below.

  • Developing a catalogue for assets and resources in the system.
  • Assigning rank orders to quantify resources by value and importance.
  • Identifying the potential threats and vulnerabilities to the resources.
  • Eliminating totally or mitigating the high ranked vulnerabilities for the most valuable resources.

Vulnerability testing depends majorly on 2 mechanisms

  • Vulnerability assessment
  • Penetration testing

Objectives of Vulnerability Testing

The common goals and objectives of risk and vulnerability assessments are as follows;

  • To get an accurate inventory of all data and IT assets.
  • To prioritize organizational IT and data assets according to the importance and criticality to the organization
  • To identify and document all the potential risks, threats and vulnerabilities to the organizational infrastructural assets.
  • To prioritize the potential risks, threats and known vulnerabilities based on their impact or criticality on the IT or data assets being affected.
  • To identify and minimize the vulnerability window of the organizational IT and data assets according to the minimum acceptable tolerance level.
  • To curb, mitigate or remediate the identified risks, threats and vulnerabilities and properly plan and budget them based on the criticality of the IT and data assets.
  • To check for compliance with the updated information security laws, regulations, procedures and mandates
  • Just as explained previously, it helps to identify lapses, voids and gaps in the organizations IT security framework and architecture by looking out for specific recommendations.
  • To identify the potential risks, threats and vulnerabilities that an organization’s is susceptible to and to find ways to justify the cost of all the security countermeasures and solutions to be adopted in order to mitigate, eliminate or reduce the identified risks, threats and vulnerabilities.
  • To provide an objective assessment and prompt recommendation to help define the organizations goals and objectives for performing risk and vulnerability assessment.
  • It helps organizations to understand the return on investments (ROI) whenever funds are to be invested in the IT security infrastructure.
  • To scan operating systems, application softwares and the entire network for known vulnerabilities such as insecure authentications and software designs.

                                 Scope of Vulnerability Testing

 

  1. Black Box Testing: It involves performing vulnerability testing from an external network with no prior knowledge of the internal network infrastructure and systems.
  2. White box testing: It involves performing vulnerability testing within an internal network with prior knowledge of the internal network infrastructure and systems. White box testing can also be referred to as internal testing.
  3. Grey box testing: It involves performing vulnerability testing from either an external or internal network with little knowledge of the internal network infrastructure and system. It involves the combination of black box ad white box testing.

Elements of Vulnerability Testing

  • Information Gathering: This can also be referred to as reconnaissance and it deals with obtaining as much information as possible about an IT environment. Information such as Networks, IP addresses, versions of operating systems in use etc. and it is applicable to the 3 scopes of vulnerability assessment.
  • Detection of vulnerability: This process involves the use of vulnerability scanners to scan the IT environment to identify the unknown and potential vulnerabilities.
  • Information analysis and planning: It involves the analysis of all the vulnerabilities that have been identified and further devising a means to penetrate into the network and the systems.

Types of Vulnerability Test

  1. Predefined Tests: These is a vulnerability test that is designed to discover some common vulnerabilities in databases and its environments. Predefined tests can be customized to suit the needs or requirements of an organization. Predefined tests include;
  • Configuration Tests: It checks a database for all configuration settings realted ti security. It looks out for common flaws and mistakes in database configurations. Such configuration issues include;
  • Privelege which include; system level rights, privilege access to database and users, rights of use and creation of objects
  • Configuration: Which include parameter settings for the database and parameter settings for the system level.
  • Authentication: It includes, use of accounts by users, use of remote logins, password policies.
  • Version: This includes, versions of the database and patches for the database.
  • Object: It involves sample databases that have been installed, database layouts that have been recommended and ownership of the databases.
  • Behavioral Tests: This test type checks and analyses the security posture and wellbeing of the database environment. It does this by observing the database when it is in real time mode and checking how information is manipulated. Some of the behavioral tests include;
  • Violations of access rules
  • Failures in excessive logins
  • Errors in the excessive SQL
  • Access to default users
  • Logins at after hours
  • Execution of DDL, DBCC commands from the client side of the database
  • Calls for stored procedure checks
  • Ensures user ids are not accessed from multiple IP addresses
  1. Query- based vulnerability tests: This test type can either be a pre-defined test or a user-defined test that can be created easily and quickly by modifying SQL queries which can be run against database entities or resources.
  2. CVE (Common Vulnerabilities and Exposures) Tests: This test type monitors and exposes common vulnerabilities from the MITRE corporation and further adds the results of the test for related vulnerabilities that are related to the database.
  3. CAS-based Tests: This test type can either be a predefined test or a user-defined test which is based on the template of a CAS item found in the OS script command. It uses the collected data. Users can therefore check which of the template items and tests against the contents in the CAS results.

Vulnerability Testing Methodologies

  1. Setup:
  • Begin the documentation process of all assets
  • Secure permissions to credentials and assets
  • Perform tools update
  • Configure the tools
  1. Execute the Test
  • Run the tools to begin execution
  • Run all the data packets captured (A packet is a unit of data that is crafted to be routed from a source to destination). If a file whether email, HTML, or URL request is being sent from a particular point to another on the internet, the TCP layer of TCP/IP will divide the file into small chunks each having a sequence number on the headers for efficient routing. Now, these small individual chunks are referred to as packets. On the destination end, the packets reassemble to form the original file that was sent while running the assessment tools.
  1. Analyze the vulnerabilities:
  • Define and classify the system resources as well as the network
  • Prioritize the resources based on their importance such as High, Medium, low
  • Identify all potential threats to the assets
  • Based on the priorities, develop a strategy to first handle the most prioritized problems
  • Define and implement measures to mitigate or minimize the consequences of the occurrence of an attack.
  1. Form a Report: Develop a report of all the steps you took to arrive at your results. The report is also important in order to guide to aid future understanding of the system and as well to report to the management of the organization.
  2. Remediation plans: This process involves developing measures and taking the appropriate steps to fix the vulnerabilities.

Responsibilities of a Vulnerability Tester

  1. Unit management such as Information Security Coordinators and Unit IT supervisors
  • They support and enforce the standards, approve and submit the annual risk assessment documents to management
  • They determine the person who maintains the documentation.
  • They also request for the internal audits, procure and assign the necessary resources that are needed to implement the standards and polices.
  • They notify the users and support staff who are involved in performing the test.
  • The also request for any exceptions
  • They supervise and coordinate the vulnerability test and also the remediation processes.
  1. The System administrator and Computing device Administrator
  • They implement the best practices which are needed to comply with the test.
  • They support and comply with the policies.
  • They scan all the systems in the network for compliance to standards devices.
  • They monitor the systems actively for any available patches in other to remediate tasks that can affect the user.
  1. Information security Officer
  • These people approve and oversee the all the vulnerability scans.
  • They review and approve the use of any alternative scanning tools when required.
  • They conduct reviews and risk assessments annually.
  • They authorize the removal of network devices from the network when needed.

 Vulnerability testing focuses more on determining loopholes and weaknesses in an IT infrastructure. In my next article i will try to shed some more light on the tools which can use to perform vulnerability since we already have the standard methodologies to follow in order to perform a detailed vulnerability test.

Soutech ventures offers courses that can better equip and train you on all you need to know with practical hands-on knowledge on vulnerability assessment. Subscribe to our CEH course today on www.soutechventures.com/courses

 

 

A step by step Guide for IT Auditing: SOUTECH Web Security- Penetration Testing company in Nigeria

IT audit attempts to evaluate the controls surrounding data as it relates to confidentiality, integrity, and availability. IT audits ensure that confidentiality of information, ensures the integrity and availability which is a key factor to recovering from an incident.

This is a follow up article to on IT audits but I will be dissecting more on the methodologies and steps to performing audits

 

One of the challenges that audit managements and IT auditing have faced overtime is that it ensures IT audit resources are readily available to conduct IT audits. It audits require a lot of technical skills unlike financial audits, for example, an IT auditor will need a lot of training in web applications in other to audit a web application. Likewise, if they want to an oracle audit, they need to be trained efficiently as well as Windows platforms.

Another problem that audit management faces is in the management of IT auditors, because this because they have to track the timing when compared with the objectives of the audit as well as follow-up time on the measures of corrective actions that the clients take when responding to any previous recommendations and possible findings.

One of the important factors in IT auditing and one in which audit management struggles with consistently, is to ensure that adequate IT audit resources are available to perform the IT audits. Financial audits quite unlike IT audits are very intensive in terms of knowledge, for example, if an IT auditor is performing a Web Application audit, then they need to be trained in web applications; if they are doing an Oracle database audit, they need to be trained in Oracle; if they are doing a Windows operating system audit, they need to have some training in Windows and not just XP, they’ll need exposure to Vista, Windows 7, Server 2003, Server 2008, IIS, SQL-Server, Exchange.

 

Another factor that audit management faces is the actual management of the IT auditors, for not only must they track time against audit objectives, audit management must allow for time to follow-up on corrective actions taken by the client in response to previous findings and/or recommendations.The following are the things that an IT expert needs to do before beginning an audit;

  • Perform a review of the organizational structure of the IT assets
  • Perform a review of all IT policies and procedures
  • Perform a review of all the IT standards
  • Perform a review of the IT documentations
  • Perform a review of the organization’s BIA
  • Conduct an interview the authorized personnel
  • Observe and monitor the processes and the performance of the employees
  • Examine the testing of controls, and the results gotten from the tests.

Steps to Perform IT Audits

1. Understand the Audit Subject Area

  • Perform a tour of all the facilities related to audit
  • Perform a review of the background materials
  • Review the IT and business strategic plans
  • Conduct an interview for the key managers in order to understand business
  • Review audit reports that have been in existence
  • Identify regulations and where they have been applied
  • Identify the areas that have been outsourced

 2.  Perform an Audit Engagement Plan Vocabulary

Subject of the Audit: The area that is to be audited. An example is the information systems related to sales

The objective of the Audit: The purpose of performing the audit. An example is determining if the sales database is safe against data breaches, due to inappropriate authentication, access control, or hacking.

Scope of the Audit:  Streamlining the audit to a specific system, function, or unit, or period of time. An example is the is determining if the scope is constrained to Headquarters for the last year.

3.  Perform Risk Assessment: Risk-Based Auditing

Check Inherent Risk: Determine the susceptibility of the system to a risk. An example is a bank’s inherent risk of being robbed.

Control the risk: If a problem exists that will not be detected by an internal control system. Still using the bank case as an example, if a thief accesses a customer’s account at Money Machine and is not detected

Detection of Risk: An auditor does not detect a problem that does exist. Example as in the case of the bank, if a fraud takes but it is not detected.

Perform an overall risk auditing: Combine all the audit risks.

4.   Audit Engagement Risk Analysis

5.   Prepare an Audit Engagement Plan

  • Develop a risk-based approach
  • Include audit objectives, required resources, timing, scope
  • Comply with all applicable laws
  • Develop an audit program and procedures

6.  Add Detail to Plan

7.  Evaluate Controls:

8. Classification of IT controls

  • Corrective controls: It involves fixing the problems to prevent future problems by using:
  • Contingency planning
  • Backup procedures
  • Detective Controls: These involves finding any form of fraud when it occurs using:
  • Hash totals
  • Check points
  • Duplicate checking
  • Error messages
  • Past-due account reports
  • Review of activity logs
  • Preventive Controls: Preventive control measures include:
  • Programmed edit checks
  • Encryption software
  • Access control softwares
  • A well-designed set of procedures
  • Physical controls
  • Employ only qualified personnel

9.  Evaluate Controls: Simple Control Matrix

  • Test the Vocabulary

Compliance Testing:  A compliance test should take this form

  • Are there controls in place and are they consistently applied?
  • Check access control
  • Ensure program change control
  • Procedure documentation
  • Program documentation
  • Software license audits
  • System log reviews
  • Exception follow-ups

Substantive Testing:  Check the following:

  • Are transactions processed accurately?
  • Is data collected correct and accurate?
  • Double check processing
  • Calculation validation
  • Error checking
  • Operational documentation

If the results for the compliance testing are poor, the substantive testing should increase in type and sample number.

Compliance Testing: It should check the following

  • Control: Is production software controlled?
  • Test: Are production executable files built from production source files?
  • Test: Are proper procedures followed in their release?
  • Control: Is access to the sales database constrained to Least Privilege?
  • Test: Are permissions allocated according to documentation?
  • Test: When persons gain access to the database, can they access only what is allowed?

Substantive Testing

  • Audit: Is financial statement section related to sales accurate?
  • Test: Track the processing of sample transactions through the system by performing calculations manually
  • Test: Test error conditions
  • Audit: Is the tape inventory correct?
  • Test: Search for sample days and verify complete documentation and tape completeness

 Tools for IT Audits

ISACA has Standards and Guidelines related to Audit

  • Section 2200 General Standards
  • Section 2400 Performance Standards
  • Section 2600 Reporting Standards
  • Section 3000 IT Assurance Guidelines
  • Section 3200 Enterprise Topics
  • Section 3400 IT Management Processes
  • Section 3600 IT Audit and Assurance Processes
  • Section 3800 IT Audit and Assurance Management
  • Translate the basic audit objectives into specific IT audit objectives
  • Identify and select the best audit approach to verify and test controls
  • Identify individuals to interview
  • Obtain departmental policies, standards, procedures, guidelines to review
  • Develop audit tools and methodology

IT General Controls Check List

1. Documentation of employees and the organization

  • Draw an organizational Chart
  • Company
  • IT Department
  • Current Phone List/Company Directory
  • Job Descriptions for the IT Department
  • Sample of Employee Evaluation Form
  • List of all the terminations/ disengagements in the last 12 months.
  • Checklist of newly hired employees
  • Termination Checklist
  • IT Project List – Is it being planned, completed in the last 12months on its ongoing?
  • Review of the past year’s management response letter

2.       Documentation of IT policies and procedures

·   Obtain a network architecture diagram and documentation

·   Obtain a network diagram

·   Obtain a diagram and Lists of hosts and servers that are running financial applications

·   Change the management policies and procedures

·   Make an inventory of network hardwares and softwares

·   Determine the computer operations, its policies and procedures

·   Layer down security policies

·   Enforce password policies

·   Acceptable Use Policy

·   Layer down incident response policies

·   Get a curriculum for security awareness training

·    Configure firewalls and rule sets

·    Obtain software policies and procedures

·    Setup remote access policies

·    Setup policies for emails, instant messaging, internet usage

·    Develop a disaster recovery and business contingency plan

·    Setup policies for data backup and data recovery

·    Get backup logs

·    Offsite Tape Rotation Logs

·    Obtain a listing of IT related insurance coverage

·    Get copies of vendor contracts and service level agreements

·    Deploy an organized Help Desk with help desk request tracking forms and trouble tickets

·    Report open and closed tickets

·    Employ batch processing

 

When performing an IT audit, the responsibility of the auditor general is to check if the IT system complies with government IT policies, procedures, standards, laws and regulations. Also, the auditor general should endeavor to use IT audit tools, technical guides and recommended resources by ISACA where appropriate. The resources recommended by ISACA (Information systems Audit and control association should encourage IT audit staff and the team as a whole to be certified. Certifications include but a few;

  • CISA (Certified Information systems Auditor)
  • CIA (Certified Internal Auditor)
  • CISM (Certified Information Security Manager)
  • CGEIT (Certified in the Governance of Enterprise IT)

The Audit reports

After a successful audit process, the IT auditor needs to do a detailed documentation. Here is a list of a few things an auditor needs to include in the audit.

  • Plan and prepare the scope and objectives for the audit
  • Describe the scope of the audit area
  • Draft and audit program
  • Get down the steps performed and gather the audit evidence of the audit
  • If the services of other auditors and IT experts were used and what their contributions were.
  • Document your findings, make conclusions and recommendations
  • Document the audit in relation with document dates and identification
  • Report obtained as a result on the audit performed
  • An evidence of the review for audit supervisory

The audit results should be submitted to the organization upon exit where you can take out time to discuss in details your findings and recommendations. You should be certain of the following;

  • That all the facts and findings noted down on this report are accurate
  • That the recommendations you’ve made are cost-effective, more realistic and there are alternatives which should be negotiated with management
  • That the dates for the recommended implementation will be agreed.

There are some other things you need to consider when you’re preparing to present your final report. You need to consider the audience and if the presentation is going to be done to the audit committee. The audit committee may not be really notice the minutia that goes into the business report. Your report should be done in a timely manner so as to give way for any form of corrections.

Finally, if you come across a significant finding in the course of the IT audit, you should inform management immediately.

Always subscribe to Soutech Ventures where we can handle all your IT solutions especially in the areas of IT audits.

Also enroll for a cyber security, ethical hacking training at SOUTECH.

Secure Connections: What you need to know about SSL Certificates: SOUTECH Cybersecurity Tips and training in nigeria

The first purchase using an online transaction took place in a pizza hut, where the customer purchased a large pepperoni pizza with extra cheese and mushrooms. But 20years later on, ecommerce has become a bustling economy with over $1.2trillion sales in the year 2013.

The growth in online purchases was solidly built on the foundation of trust. By this I mean that people have grown to trust that when they make purchases on websites, these websites are proven to be legitimately and largely secured because of the Secure Socket Layer (SSL) certificates often found on the URL bar of your browser as a little green padlock.

An SSL certificate indicates first of all that there is a secure connection between your personal device and the company website. It also verifies that the provider is who they claim to be. It is very important that you understand the role of an SSL certificate to prevent you from being a prey to scammers and cybercriminals. This is because, not all the sites you visit that have SSL certificates as protection are created equal.

Certificate Authorities are known to provide SSL certificates and website owners purchase SSL certificates from these Certificate Authorities (CA). Different types of SSL certificates provide different levels and layers of security but there have been issues overtime. The issue is that in as much as these certificates provide that safety padlock that you have on your browser along with HTTPS (where “S” means “Secure”) also found on the address bar, the security levels provided by these certificates differ to a large extent. This is the reason why I’m trying help you understand what type of SSL certificate a website uses especially when you want to do any financial transactions and anything that is related to your personal financial credentials.

I’ll throw some more light on the types of certificates and how they work.

Types of Certificates

  • Domain Validator (DV): The domain validator simply verifies the owner of a site. In this case, the CA just has to send an email to the email which the website was registered with. This is done in order to verify the identity of the website owner. Many cybercriminals make use of the domain validator because they can obtain it easily and by so doing make the website appear to be very secure a lot more than it actually seems. Over time, cybercriminals have taken to using DV certificates to lure users to phishing websites i.e. websites that look legitimate but are crafted for the sole purpose of stealing a user’s sensitive data.
  • Organizational Validators (OV): The process of obtaining an OV takes a longer period. For and OV certificate to be obtained, the CA needs to validate some basic information such as the organization, the physical location of the organization and its website domain.
  • Extended Validator (EV): This is the highest level of security and often the easiest to identify with. The process of issuing an EV certificate tries to increase the level of confidence in the business by making the CA perform an enhanced review of the applicant. This process of review involves an examination of corporate documents, confirmation of the identity of the applicant and the checking through the third party’s database for information. This adds on the browser of the URL, the “S” that is a part of HTTPS, the company’s name in green and also the padlock.

Now take at these URLs and try to notice the difference. Now the first is the DV certificate, the second is an OV certificate which actually looks like the first. Only difference is the “.” Before the com.

Now the last one clearly is an EV certificate.

What can you do to be safe?

Now that you know what an SSL certificate is, its importance as well as the three different types. You have also known that an DV- enabled site poses a huge risk to be scammed, I’ll give out a few tips on how to reduce the risk when performing any form of online transaction that involves your sensitive credentials.

  1. Be Alert: Now the fact that a website has a padlock or HTTPS just by to its URL is not a guarantee that it is certified safe for financial transactions. Users are used to looking out for these two things before performing any transaction which is the more reason why the cybercriminals go through the trouble of obtaining the SSL certificates to which is obviously make it look legitimate.
  2. Look out for the SSL certificate type that a website has: The first thing you should do is to look for any visual cues that indicates security like a green color and a lock symbol in the address bar of your browser. Just a quick reminder once again that it is only an EV-enabled website that has the company name in the address bar. However, browsers do not clearly display the difference between a DV and an OV certificate so to enable you tell the difference, there is an open source tool (https://safeweb.norton.com/) developed by Norton that can help you. All you have to do is to simply copy the URL paste it directly into the tool. The tool will tell you if the site is a DV, OV or EV-enables and more explicit results to tell you if the site is legitimate and safe.

  1. Perform transactions only on OV and EV-enabled websites: If you analyze the URL on the tool I just explained above, and it gives you a result saying that the site has a DV certificate, have a rethink as regards conducting any transaction with that site. Now if it is an OV or EV-enable site, then you can conduct your transaction with confidence that your business information is safe.

The deployment of online transactions has come to stay and will not be phased out anytime soon. People will have to bear with the crude task of combatting with cybercriminals as regards phishing. I will tell you that knowing the risk before time keeps you knowledgeable on becoming a victim of phishing websites.

You can subscribe to our well detailed course in ethical hacking at soutech web consults to be learn about cybersecurity and how you can stay protected at all times

 

Protect yourself from Cyber Espionage: SOUTECH Ventures cyber security tips and techniques

Think of espionage with characters like James Bond, whereby you have to disguise yourself and to travel halfway around the world, infiltrating organizations to grab sensitive information. Although the James Bond character is just a fictional representation, such methods of spying however are becoming quite extinct. With the advancement of digitized data, we’re swiftly shifting towards the version of cyber-spying.

Espionage in recent times depicts the spying process entirely. Since Organisations and institutions store almost all their data on systems, cyber spies just stay on the confines of their computer desk and trot around in an attempt to hack into those systems.

Cyber espionage has over the years been a criminal case where authorities have to prosecute users to avoid them installing antivirus softwares and other security measures on their computer systems.

What is Cyber Espionage?

It is also called Cyber Spying and it is the act of using the internet to obtain sensitive secrets and information of an individual, a rival, competitor, a group or government for personal,  political and economic advantages.

A few Trends in Cyber Espionage

As revealed in Volume 20 of Symantecs Internet security Threat Report (ISTR), Regin and Turla were two highly versatile forms of malware that were being used in espionage.

Till date, Regin is one of the most sophisticated pieces of malware which has the characteristics of a chameleon by providing attackers with tools like screen captures, remote access, deleted file recovery network snooping,  and stealing as well.

On the hand, Turla works in a way that attackers use watering-hole tactics and spear-phishing  to launch attacks on the embassies of former Eastern Bloc countries and governments  as well.

 

Attackers have remote access to infected computers via Turla by helping them steal files, connect to servers, delete files and hosting spywares online.

Spear-phishing increased by 8% in the year 2014 and it came in form of spams with a few number of high-volume recipients because few individuals were targeted. As a result of these findings, the need to educate employees within organizations on best practices as regards internet usage has increased.

Who performs cyber Espionage?

Equation group and Hidden Lynx were the few prominent attack groups that were being highlighted by ISTR. And in addition to these attack groups, there are entities called the state actors which are acting on the behalf of government bodies, hacktivists, patriotic hackers, data thieves and scammers etc. are all involved in cyber espionage. While some attackers are after stealing of business intellectual property, others are after sensitive data belonging to government and some going as far as launching attacks on energy grids, industrial systems and petroleum pipelines.

How Cyber Espionage is Performed

The process of carrying out cyber espionage is often a very complex process and does not just involve dumping some malware on a target system, it involves a more sophisticated process whereby the chose their targets and the type of information they’re aiming to steal and look forward to cause some level of damage.

Infiltration is not just the process where the attacker tries to exploit some zero day software vulnerability in the quest to gain access to an organizations network but he tries to find a software vulnerability within the network of an organization and also the network of individuals working in the organization. An attack of this sort sometimes requires some human factor of social engineering like phishing campaigns in order to succeed.

As you may know already, when an attacker wants to target a person, they will try to go online and carry out some reconnaissance on them, they look for social media sites, blogs or anything that will give them some extra information on their victim’s interests. They often use any information gathered to narrow their phishing campaigns towards areas that may be attention-catching to their targets. Once they have succeeded in getting their attention, they can go ahead to lure them into opening the emails, clicking on the malicious links or downloading some malicious software onto their system.

If the victim is able to complete that particular task, the malware will be installed on the computer of the victim thereby giving the attacker access to the network where they can perform their intended mission of espionage.
How to keep your organization and Information safe from Cyber espionage

  • Protect your Passwords: Always protect your passwords because it is a very handy weapon in the hands of a cybercriminal. If a cybercriminal gets a hold of your password, username and email address, they can use specially crafted tools to crack your password. The use of Two-factor authentications when available are also advised. You can read more on password protection.
  • Be on the watch for any forms of phishing attacks. Educate yourself on the downsides of phishing. And always try to identify spoofed emails. Read more on phishing.
  • Learn more about software security. Always perform software updates on a regular basis once there are any available updates. Softwares are usually patched of loopholes- the reason updated versions. So, leaving your programs or softwares outdated can create room for loopholes which an attacker can harness.
  • Protect your social media accounts: Like I said earlier, attackers often do research on their targets before making any attempts to attack so always ensure to that the privacy settings of your social media accounts are in check. Always prevent any personally information from public view and be wary of people you do not know trying to be contact with you.
  • Bring Your Own Device (BYOD):Always ensure that you put in place some kind of device control mechanism that will protect you against data leakage. This will not only allow certain external devices but it will also encrypt your data. When data is used later on a different system inside the company’s environment, the 7mdash standard automatically decrypts it and makes it usable but when loaded on a system without a device control mechanism, it will become automatically useless.
  • Ensure that a device control mechanism is put in place such that it can safeguard your system against data leakage. Not only can it only allow certain (USB) devices to be inserted, it will also encrypt the data. When the data is later used on another system inside the company’s environment, the data will automatically be decrypted 7mdash; and thus usable — but when copied to a system that does not have the Device Control Mechanism installed, it will be useless.

There has been no concrete manual on how to ensure protection from targeted attacks of intellectual property. In environments where this type of attack is small-scaled, it can appear completely undetected. Staying security-educated via security vendors’ websites such as soutech ventures keeps you appraised with new threats and how to protect yourself. You can be well educated on how to keep your intellectual property from cyber espionage.

 

 

Cybersecurity and Ethical Hacking training: Protect yourself From Phishing scams- SOUTECH Web Consults

I will define phishing as an online con game where a cyber criminal disguises as a trusted entity and attempts to obtain sensitive information such as passwords, user account names, credit card credentials from a user via email which is often for malicious purposes.

A person who takes part in this sort of crime is known as a phisher. To throw more shade, they can use SPAM, email messages, malicious websites as well.

So How Do You Know It is a Scam?

Phishing can take different forms where the cyber criminal may trick you by luring you into giving them your personal details via

  • Social media messages (Whatsapp, Facebook, twitter, LinkedIn, etc.) and other popular sites like dating sites.
  • IMs
  • Text messages
  • Internet Chat rooms.

Sometimes they can go to the extent of luring you to install a malicious software or program often known as spywares. These spywares have background payloads which can track and record your passwords and other information you may enter on your computer through keyloggers.

I’ll list a few warning tips and signs you should look out for as concerning Phishing;

  • Phishers always disguise to be legitimate companies and use emails to request for your personal information and they have people on standby to respond through their malicious websites. They have been known to always make use real company logos and slogans and often a spoofed email address.
  • These emails may take the form of a message from your bank, a customer care agent or help desk support soliciting for money.
  • Often times they can use a call to action which you may get that your account has been shut down and that you need to log in your details immediately in order to stop it from happening. They may also demand for your personal information so they can verify your identity.
  • The phishing websites can look very original and remarkably legitimate because they make use of copyrighted images from the original websites belonging to the organization.
  • If you look at the URLS and messages, you will notice they are often bogus or being misspelt including the company names.

Phishing Countermeasures

So now that you know the various forms in which Phishing can take, I’ll explain in just a few tips how to stay protected.

  • The first thing to do when you receive any emails from your financial institution, check the URL of the website, copy it and paste in your browser and ensure it https:/ verified at the beginning of it in the task bar. https means it is a protected or secure website.

A Typically Phished URL

 

  • Always check the email header example to know the sender of the mail and other details you can capture from the header. I’ll use Gmail for instance to demonstrate to you how to check the email header.

Login to your Gmail>>Open the message>>Click on the dropdown button close to the reply tab>>Click on “Show Original”

 Illustration Of a typical Email Header

When you do this, you can see the header. Other email platforms have their own paths to get to the headers. You can do a little research on it if you are a yahoo, Hotmail etc. users.

You can boycott all these procedures if you just need the email id by just checking the top of the email to take note of the email id.

  • Do not give out any of your personal information via email, social media chatting platforms, text messages or instant messaging platforms.
  • Some financial institutions send monthly review of your account statements and require that you download and view them. Criminals also take this form to send programs that have keyloggers and spywares attached to them.

So, do not download any program or file from a suspicious email. You can as well block them.

To block any suspicious mail also using Gmail as template;

Login to Gmail>>open the message>>Click on the dropdown button close to the reply tab>>Click on Block

 

Blocking a suspicious email

Remember to always stay protected, stay alert against all forms of online malicious threats. Stay glued to our well-informed journals to get more tips on how to stay protected. You can subscribe to our Ethical Hacking course in SOUTECH ventures to get more grounded information on Internet security.

 

Google Chrome has developed patches to fix 30 vulnerabilities

Google chrome has developed stable channel updates mainly for Linux, Mac, and Windows desktops thereby patching 30 security flaws such that if an attacker can exploit them, they can have full control of a system.  In a press release on June,5 2017, 5 highly rated flaws among a host of other vulnerabilities were singled out which included

  • out of bounds read in version 8
  • type confusion in version 8
  • use after in print preview
  • Address spoofing found in Omnibox
  • Use after free in Apps Bluetooth flaws

Google Chrome 59.0.3071.86 contains a lot of fixes and modifications although there may be restrictions to access details of the flaws and links until majority of users are updated with a patch with all the flaws.

The release also had it that, Google retains restrictions if there exist bugs in the third party library which other projects may also be depending on but have not yet been fixed.

Computer users and admins are hereby advised to update all the affected systems immediately.

STAY PROTECTED.

 

Two-Factor Authentication: What you don’t know can harm your IT infrastructure( Softwares and Hardware Devices)

Employing secure passwords is now more important than you could ever think. The fact that passwords have substantial monetary values attached to them, gives hackers the reason to hack them. Data breaches and password leaks have constantly developed media attention over the years, thereby leaving millions of user accounts vulnerable or susceptible to being accessed by cybercriminals.

In order to create an extra layer of security to prevent easy access by hackers, you will need to understand the importance of the two-factor authentication mechanism and employ it. This is simply because, a cybercriminal needs more than just your username and password credentials to perform attacks. The truth is that you may be actually using the two-factor authentication without knowing what it actually is. A common example where this mechanism is deployed is your ATM cards as it uses both your card itself and your 4-pin number.

I’ll quickly explain the concept of the 2FA (a brief for Two-factor authentication) which I’ll be using more frequently in this writeup.

What is the 2FA?

The 2FA is an extra layer of security which can also be referred to as multi-factor authentication which requires not only a username and password but also requires something that only a dedicated user has on them.  By this I mean a piece of information only they only should know and can provide by hand whenever its needed. An example is a physical token.

                      

How do you deploy 2FA?

Based on the definition above, A 2FA mechanism should require the following of you,

  1. It should be something that you know and are used to ex- A Pin Number, a pattern or password.
  2. It should be something that you have example; A credit or ATM card, a mobile phone or security token (a key fob or USB token)
  3. Finally, it should be something that is unique to you example, A bio-metric authentication such as a voice print and a fingerprint.

            Core components of a Two-Factor Authentication

How Strong is a Two-Factor Authentication?

As you well know, nothing is in its actual sense 100% safe or secure, and as such account is still prone to hacking through some social engineering means such as a shoulder surfing and other password recovery options. Take a instance if you’re performing a password reset in cases where you forgot your password, retrieving it by email can totally bypass the 2FA mechanism. Now if an attacker has access to your email account which you linked your 2FA to, he can capture your password directly to perform an attack on you.

My emphasis is that you always monitor your email account for phishing emails and those ones that carry messages requesting for password changes.

What are the downsides of this security mechanism?

The shortcoming of this security mechanism is that the new hardware tokens which take the form of key fobs and card readers always need to be reordered and this can slowdown business for the company. This is so because customers are always wanting and waiting to gain access to their own private information using this means of authentication.

                          A Typical Hardware Token

Tokens are also usually small and can be easily lost thereby causing more problems for everyone especially when clients are on the waiting list for them.

I’ll also shade a little light on some password security measures you should know coupled with the 2FA

  1. Many or millions of people have taken to using birthdates, phone numbers, addresses and words as passwords. These are the passwords that can easily be cracked by performing dictionary attacks and brute force attacks.
  2. Avoid using the same password across multiple accounts.
  3. Take it as a culture to employ user passwords that are 8 characters at least and always make use of a unique combination of both lowercase and uppercase letters, numbers, stringed characters and numbers as well.

In Conclusion, the use of the 2FA mechanism can go a great length to lower the number of cases of phishing via emails and online identity theft, because the hacker will require just more than the users name and password credentials as explained earlier.

Using a Two Factor Authentication process can help to lower the number of cases of identity theft on the Internet, as well as phishing via email, because the criminal would need more than just the users name and password details.

To get more information on this and many more security information, we at Soutech web Consultants have a comprehensive list of courses that cover all you may need to know about online security and basic internet safety tips you should know as well as the countermeasures.

Subscribe to our ethical Hacking Course today via www.soutechventures.com/courses to learn a course today.

Smart Passwords: The key to Information Security and why you should create it well and guard it.

Hello dear reader, in my previous journal on two-factor authentication, I discussed in detail about the two-factor authentication mechanism which I have decided to follow up with a discussion on password attacks.

In real life, we find ourselves having to use passwords every time. Our banking credentials (ATMs, mobile apps etc.), our personal computers, mobile devices are all password driven.

As a key is to a driver, so is a password to a hacker. Although passwords do not seem to have much value but the personal and confidential information which they conceal and store give them much value. So always look at your password more like digital keys which are gateways to your personal life, your network of friends, family, colleagues, contacts, photos, videos, emails, bank and payment details among a host of other private information.

If you have a weak password i.e. a password that can easily be guessed therefore taking poor security measures could give a provide information to the hacker. However, you can frustrate the efforts and attempts of a hacker in breaking into your system by implementing strong password security measures.

The mechanism which hackers use to grab your passwords are not some magical or exotic methods. Sometimes they do password guessing, information form social media and can employ some password cracking techniques.

Dictionary Attack

A dictionary attack can be performed using a dictionary file containing a list of the common words that are often combined in passwords. Weak passwords such as those with words and phrases are the easiest for this program file to guess. To keep your account protected from a dictionary attack, the solution is to avoid the use of words and phrases as passwords.

Furthermore, I’ll list a few other ways to stay protected from this attack which are;

  1. Ensure not to use the same password across different applications and websites
  2. Do not write down your passwords on your diaries or notepads or share them with anyone
  3. Make use of the 2FA (two-factor authentication) whenever an extra layer of protection is required in your account. This is important because if a hacker discovers your password, they will still need to do a second factor approach to hacking your account.
  4. Develop a policy to change your passwords regularly. A policy can be a 3 months policy.

Security Tips on Social Media

One of the goldmines for information gathering is our social media accounts through our status updates, location sharing, likes, comments and posts. All these online activities go a long way to provide information about our personal lives. So, think about getting a new job, getting a new pet, moving to a new apartment in another location, and you may want to share all this experiences and activities. Also think about telling your contacts about your new friends, or displaying the name of your high school. These as well are all personal details which the hacker can readily grab to perform an attack.

Let me share a few Password and social media tips

  • Do not broadcast your personal details which maybe clues to compromise your password.
  • Avoid using your personal information of any sort in your password
  • If you observe that someone on your contact that you do not know sends you links, just quietly block them from your contacts.
  • Ensure to report any spam account you notice. When you do this, the social networking site takes note of such accounts and removes them.
  • Employ the use of Norton Safe Web for Facebook. This is free application from Norton that helps to scan your newsfeeds for any kind of malicious link and informs you of any potential threat.

Password Crackers

A password cracker attempts to crack a password by using brute force method. It tries a combination of a million characters repeatedly until the password is discovered. Short passwords as well as simple passwords are easier and faster to guess by a password cracker. Meanwhile, a long password and complex password will take a longer time and can be frustrating to crack. In cases such as this, the hacker may likely deploy the dictionary attack because of the long time it will take for it to crack the password. I always advice the use of passphrases. Passphrases are passwords that consist of a sequence of words put together.

Creating Complex Passwords

  • Avoid using your phone numbers, your birthdays or family members and your SSN or your name, the name of a pet as well.
  • Avoid the use of commonly used passwords such as; ‘12345’, ‘incorrect’, ‘password’, ‘qwerty’ and words like ‘apple’
  • Always use the combination of uppercase and lowercases, including numbers, symbols as well.

 How to create a complex password

  • Never use phone numbers, addresses, birthdays, your SSN or your name, the name of a family member or pet in your password.
  • Use a combination of uppercase and lowercase letters, numbers and symbols in your passwords.
  • If you must use short phrases and words always misspell them including abbreviations. If you decide a word like ‘eleven’ you can decode it like this ‘e13v3n or a word like ‘I love You’, you can use ‘1l0v3y0u’ to make it some-worth complex. Take time to explore your options.
  • There are online password generators you can also use to assist your decision on passwords

Password security tips for your Mobile devices

  • Ensure the use of passwords on your mobile devices to prevent unauthorized persons from gaining access to your personal information. You can opt for an extra layer of security that is beyond the usual 4-digit pin. If use an iOS user, you can change it to lengthy alphanumeric codes which in your iPhone settings.

  • Ensure your device auto-locks when you’re not using it. It can be timed as well.
  • There are apps as well that can provide mobile security on your phone just to get an extra security to sensitive information on your phone. Some can also lock the applications.

 

What to do if you think your password has been stolen

Once you noticed your account has been hacked;

  • Frist thing to do is to determine the type of attack that was done, if it was an online breach or from a POS.
  • Try to monitor the compromised account or accounts especially when your banking accounts are involved.
  • Then you can go ahead to change your password to a complex one and do that across all your accounts.
  • Implement the two-factor authentication whenever there is a provision for it.

There are courses that can help you learn more about internet protection, your passwords and other information you may need to stay protected from any form of cyberattack. Subscribe to an Ethical Hacking course which is a well packaged course to guide you through cybersecurity.  Contact US TODAY

Penetration Testing Training in Nigeria(Certified Ethical Hacking, Certified Penetration Tester,Certified Expert Penetration Tester and the Metasploit Pro Certified Specialist )

Expert Penetration Testing Course Overview

SOUTECH Web Consults Penetration Testing Training, delivered in the form of a 10 Day Boot Camp style course, is the information security industry’s most comprehensive penetration testing course available. You will learn everything there is to know about penetration testing, from the use of network reconnaissance tools, to the writing of custom zero-day buffer overflow exploits. The goal of this course is to help you master a repeatable, documentable penetration testing methodology that can be used in an ethical penetration testing or hacking situation. This penetration testing training course has a significant Return on Investment, you walk out the door with hacking skills that are highly in demand, as well as up to four certifications: CEH, CPT, CEPT and the MPCS!

HOW YOU’LL BENEFIT:

  • Gain the in-demand career skills of a professional security tester. Learn the methodologies, tools, and manual hacking techniques used by penetration testers.
  • Stay ethical! Get hands-on hacking skills in our lab that are difficult to gain in a corporate or government working environment, such as anti-forensics and unauthorized data extraction hacking.
  • Move beyond automated vulnerability scans and simple security testing into the world of ethical penetration testing and hacking.
  • More than interesting theories and lecture, get your hands dirty in our dedicated hacking lab in this network security training course.

After SOUTECH’s Penetration Testing Training course, you will be prepared to take (and pass) up to 4 certifications:

  • CEH – Certified Ethical Hacker
  • CPT – Certified Penetration Tester
  • CEPT – Certified Expert Penetration Tester
  • MPCS – Metasploit Pro Certified Specialist

Prerequisites:

  • Firm understanding of the Windows Operating System
  • Exposure to the Linux Operating System or other Unix-based OS
  • Firm understanding of the TCP/IP protocols.
  • Exposure to network reconnaissance and associated tools (nmap, nessus, netcat)
  • Programming knowledge is NOT required
  • Desire to learn about Ethical Hacking, and get great penetration testing training!

Course Cost: N750,000 ( 10% Discount for Educational and Group Training)

Duration: 10 Days

Weekday Option- Mon-Fri( for 2 weeks)-( 9am-3pm dialy)-

Weekend Option-  Sat- 9am-5pm and Sun- 2-6pm( 5 weekends)

Making cool cash online: smart insider secrets to making sales like a wizard- SOUTECH Tips, Techniques and Tools

WHO WANTS TO BE A MILLIONAIRE?

Just before you start walking tall and wearing that millionaire smile, let me explain. This is not your typical who wants to be a millionaire TV shows were Frank Edoho will ask you some question and you get the answers right to become a millionaire while the spectators cheered at you. Yeah in this program, we have targeted audience as spectators only that there will be no Frank or questions to answer.

HAVE YOU HEARD OF AFFILIATE MARKETING?

Affiliate marketing is a performance-based and how it works is simple. An existing business rewards one or more affiliates for each visitor or customer brought by the affiliate’s own marketing efforts. Technically, four core players are involved in this industry: the merchant (also known as ‘retailer’ or ‘brand’), the network (that contains offers for the affiliate to choose from and also takes care of the payments), the publisher (also known as ‘the affiliate’), and the customer. The market has developed in density, resulting in the development of a secondary tier of players, including affiliate management agencies, super-affiliates and specialized third party vendors.

This is one of the oldest forms of marketing whereby you refer someone to any online product and when that person buys the product based on your recommendation, you receive a commission.

WHAT HAS AFFILIATE MARKETING GOT TO DO WITH ME BE BECOMING A MILLIONAIRE?

It actually has a lot to do with you becoming a millionaire, for instance; you earn N1 as commission-based from any product you recommended, if 1 million Nigerians orders a product via your referral or affiliate link, you have automatically entitled a millionaire. Now I know you will be thinking “that was easy said”. Yeah, way so easy but it is not too good to be true, it is real and require some efforts to achieve. Eventually, the efforts will only cost you a three (3) days intensive training on Website Design and another three (3) days in Essential Digital Marketing training plus 30 days mentoring and support. You will learn how to use the underlying power of web presence to draw “targeted Audience” to you while embedding significant strategies that that will make you a millionaire into your affiliate business. Surprise? Please don’t be, what you never knew is that you can run a successful e-commerce business without carrying any inventory at all? In fact, it’s pretty straightforward to run a full blown online store without worrying about storing or shipping anything physical at all. Drop-shipping has been proven as one most effective way to carry out such e-commerce business. It is a typical online store where you take orders on your own website, but your vendor or distributor is responsible for shipping the product to the end customer.

LET ME GUESS YOU WANT TO ASK ME; HOW DO YOU START?

There are many online companies who sell products such as homeware, electronics, clothing, accessories, web-hosting spaces, or some other service, and they usually offer an affiliate program. For instance, Yuboss is an affiliate program by Yudala where a Youboss member gets products at a slightly cheaper rate, and also gets a commission for selling them through his/her affiliate link. You can simply sign up for any affiliate program and get your unique tracking link. Whenever you want to write about their products/service, all you need to do is simply use this special tracking affiliate link to recommend the company’s site, and if someone make an order via your link, you receive a commission.

HOLD ON, HOLD ONE, HERE COMES THE BIG BOOM

Before you start registering for affiliate programs and start sending your links to individuals, you need to know this hidden secret. First imagine, that Konga is not an e-commerce store, rather, an affiliate for other e-stores? Yeah, according to Philips consulting online shopping report of 2014, the following findings was made;

  • Warehouses are located in Lagos, but also operate from other major cities. In addition, it is common to have thousands of merchants scattered across the nation to facilitate service delivery.
  • On average, the leading online stores achieve about $2 million worth of transactions per week i.e approximately N1.3biilion per month.
  • Not less than 500 orders are placed in a day with each retailer (nationwide);
  • Currently, no fewer than 300 nationwide deliveries are made in a day with each retailer;
  • Items being returned to the online store are an infrequent occurrence; presently, no more than 20% of delivered items are returned to the seller;
  • Online merchants most often make use of their own delivery facilities and staff to convey items to customers; however, external couriers such as DHL, UPS and Fedex are sometimes used for out-of-state deliveries.
  • Over 38% Nigerians shop online with 43% Nigeria agrees that their in-store purchase has reduced since the introduction of online shopping in Nigeria.
  • Some major challenges faced by online retailers is poor customer service culture, city navigation and logistical issues, and under-stocked items.

NOW YOU KNOW WHERE I WAS HEADING

So let’s rephrase the question; what if you become one of the highest seller/reseller in e-commerce simply by participating in an affiliate program in a different concept. Take a look at www.buyallsoftwares.com. Buyallsoftwares.com is actually an e-store where you can purchase any type of software you want in Nigeria. You can have an e-store like buyallsoftwares.com where you can display products from different e-store you are affiliated with.

WAIT! FIRST THING FIRST

I understand you want to jump into affiliate marketing immediately, but there are skills you will need to in order to stand and remain standing tall.

Soutech Web Consult has design training courses that will advance your knowledge into becoming a successful affiliate marketer. These training includes; Digital Marketing and Website Designing of which you will be trained in relevant areas in order to acquire necessary skills to effectively utilize this secret. You learn how to build your own e-store, discover selling products that will be profitable to market and most returned products, including how your customers can contribute in increasing sales.

A lot of people always misunderstand “niche marketing.” Niche marketing means focusing on a specific target market – electronics, clothing, homeware, etc. Niche marketing does NOT imply targeting the smallest market probable, which is what most people do. Remember these words: BIG MARKETS ARE BETTER.

See you at SOUTECH

SOUTECH Web Consults Training Courses

Web Design, Ethical Hacking, Networking, Mobile App Development, Project Management, Graphics and Branding, Advance Excel for Bankers/Statisticians and Research Experts and many more!

Click here for details:  https://www.soutechventures.com/courses/

How to get to google first page online: SEO Tips and Tricks

HOW GOOD IS YOUR SEO?

If websites are like cars, then SEO is more like an engine that drives a car. A good performing car is a result of a well-serviced engine. In other words, if your engine is not in good shape, then your car is as good as bad itself. This make me ask you a direct question – How sound is your SEO? Knowing the state of your SEO takes more than just running a search on your domain name. Though it is good practice to check if your website is indexed by some popular search engines like Google, Yahoo, and Bing, it requires some specific skills and practice to ascertain how good is your search engine optimization.

Most of these skills and practice requires some amount of training in Website Design and Digital Marketing and you can enroll for either of these courses at Soutech Web Consult, Area 1, Abuja.

So you want to know how good is your SEO? Here are some processes you will need to effect or observed.

DOMAIN NAME

All SEO starts from a domain name. There should be a good amount of analysis on the domain name you intend to use and the type of extension. For instance, while a .com extension is strongly recommended for most domain name www.getinternet.net is a more suitable domain for an Internet Provider company and www.givehelp.org is a good suggestion for an NGO. When acquiring domain name avoid buying a domain name that contains special characters (i.e www.get-internet.net). It is also advisable not to buy a domain containing numeric characters. The easier it is to pronounce a domain name verbally, the better it is for a search engine to crawl it in.

WEBSITE STRUCTURE

Just like any well-planned building has a blueprint, so as a good website should have a well-structured sitemap. A sitemap is being neglected even by some Web developers, but thanks to Google Webmaster. In order to successfully enlist your website to Google webmaster so you be found on the web, you will need to add/upload you website sitemap into Google Webmaster. It is good practice to have a proper sitemap and update it each time new pages are added to your website. Just in case you are wondering, sitemap enables search engines to read and get familiar with your web pages for proper indexing and optimization.

KEYWORDS

If you would want to be seen, heard of and talked about, then you must understand the power behind A keyword. It is a word or phrase that is a topic of significance allowing searchers to identify and verbalize their problem or topic in which they’re looking for more information. Using the right keywords goes hand to hand with your domain name. choosing the right keywords starts with your domain name because your domain is going to be the first keyword the search engine will optimize. The content of your websites and details of your business/services also plays significant roles when choosing keywords. An example of wrong keywords is when your websites talk about Internet and Web applications but your keywords are on Groceries.

Having a web presence for your business and services is a development for the future, but there is need to employ professionals when it comes to web presence otherwise your web presence will end up as web-unknown. You manage your website and SEO by yourself,  though you will need to learn some skills. I recommend taking a Website Design and Digital Marketing training at Soutech Web Consult, at SoutechWe only train you in the relevant areas, fast and conveniently design for you.

You can as well hire us for professional web development services.

Contact

Building a fully responsive, functional and interative website using Content Management System- Website Design Training in Nigeria. SOUTECH

Building website using CMS is fun and simple as playing a video game. You will have access to some graphic interface which saves you the stress of coding, drag and drop functionality that eliminates time waiting and WYSIWYG editors so you do not need to refresh your browser all the time for testing.

Most CMS are shipped with fewer default plugins and components that can be use in developing websites, whilst you can install additional plugins to use at will. The CMS with the largest number of downloads and installation still remains WordPress. WordPress is the real deal when it comes to open source CMS. It has robust plugins of various functionalities and the largest number of website templates.

There are some plugins that could be extremely useful when you install a WordPress CMS and ready to start building your website.

LOGIN AND SECURITY:

When building websites with CMS, there are always some serious concerns when it comes to login and security. For instance, you will want to control access to your users and administrative roles as well. Some level of programing knowledge might be required to implement certain protocols in order to safeguard and control your WordPress dashboard (backend). However, some developers has already created plugins that will do all those painstaking tasks for you. Some important plugins that could be useful in this aspect are;

Wordfence: is great for beginners and pro users alike that covers login security, security scanning, IP blocking and WordPress firewall and monitoring. It performs a deep server scan of a website’s source code of the and compares it to the Official WordPress repository for core, themes and plugins.

Login LockDown: records the IP address and timestamp of every failed login attempt. If more than a. certain number of attempts are detected within a short period of time from the same. IP range, then the login function is disabled for all requests from that range.

Sucuri: offers a free plugin that is available in the WordPress repository. This plugin offers various security features like malware scanning, security activity auditing, blacklist monitoring, effective security hardening, file integrity monitoring, and a website firewall. It is a security suite meant to complement your existing security posture.

SEARCH ENGINE OPTIMISATION (SEO)

The advancement of a good web present resides on an effective SEO management. This includes keywords, tags, image descriptions etc. Some of the plugins that can manage your WordPress website SEO are:

WordPress SEO by Yoast: is a best free SEO plugin for WordPress. This single plugin takes care of many aspects of your WordPress website’s SEO. It can be used to add meta value for homepage and single post, perform social SEO, create sitemap file and Control indexing of your website.

SEMrush: Unlike others which are plugin, this is a web based tool. Think of SEMRUSH as a complete SEO suite for people with or without SEO skills. The most popular feature of SEMRUSH is, it let you do the complete site SEO audit which helps you to identify SEO issues that are preventing the organic growth of your blog.

 

SOCIAL MEDIA INTEGRATION

One of the reasons why WordPress has become the developer’s choice is capability of diverse plugins, such that can be integrated into your website easily. Below are some useful social media integration plugins;

Sumo Share: offers multiple apps designed for increasing traffic. It is precisely made for WordPress, and has a lot of options for customizing the social buttons that you add to your website. It comes with a meek interface that makes choosing where to place the icons easy. It’s a free plugin that also has a premium version with advanced features for $20 a month.

Smart Website Tools by AddThis: is a neat plugin which requires that you register on the AddThis service in order to use it. It offers numerous placement options for your social media icons. You can make use of five of them for free, while a premium version that offers you another five cost $12 per month

WP Social Sharing: is a well arranged plugin supporting 6 of the big social media networks, including Facebook, Twitter, Pinterest and LinkedIn. The great thing about it is that it’s mobile-friendly and allows easy resizing for mobile devices. It also supports shortcodes, and enables you to modify the text for your social media buttons.

Jetpack: is a great plugin for your social media needs, with an easy-to-use but actual sharing component. But it’s also much more than that, as it contains 34 other modules, adding numerous functionalities to your WordPress website.

COMMUNICATION

Communication is a dynamic feature that circles a good website. In order to keep your website alive and dynamic, you will need to install some communication plugins such as;

Subscribe Me The free Subscribe Me plugin makes it easier for your visitors to use some of the most popular feed reading applications or services to subscribe to your feed, by adding a popup that lets them choose which service they want to use.

Contact Form 7: manages multiple contact and other forms, allows you can customize the form and the mail contents easily with simple markup. The form also supports Ajax-powered submitting, CAPTCHA, Akismet spam filtering, etc.

Zendesk Chat (Formally Zopim Live Chat): is one of the most popular live chat services available to WordPress users. It is easily installed thanks to a dedicated WordPress plugin, available for free from the official repository. Zopim’s chat boxes are among the most stylish you will find, with beautiful, customizable layouts and themes.

WP Live Chat Support: the only completely free option in today’s list of best live chat plugins for WordPress – though you can unlock additional features by upgrading to the Pro version for $39.95.

 It is also a good practice explore the WordPress plugins directory and if possible test some plugins to see how they work for you. You will be amazed on what you will discover. Do not forget that it is advisable to deactivate and uninstall any unused plugin. Also adapt the practice of updating any outdated plugin in order to enhance the security of your WordPress website.

Becoming a WordPress expert is easy at Soutech Web Consult, Soutech has design a complete CMS Website Design package that makes enables you to become a WordPress CMS Expert.

Do you want to become an expert website designer? Be able to build websites for school, churches, institutions, government agencies,hotels and just for about any body.?

What to become a partner and start reselling softwares? visit : www.buyallsoftwares.com

 

 

5 Steps to hacking(ethical hacking)- SOUTECH Cyber security tips, techniques and tools guide 2017

The 5 Phases Every Hacker Must Follow- Part 1

Originally, to “hack” meant to possess extraordinary computer skills to extend the limits of computer
systems. Hacking required great proficiency. However, today there are automated tools and codes
available on the Internet that makes it possible for anyone with a will and desire, to hack and succeed.
Mere compromise of the security of a system does not denote success. There are websites that insist on
“taking back the net” as well as those who believe that they are doing all a favor by posting the exploit
details. These can act as a detriment and can bring down the skill level required to become a successful
attacker.
The ease with which system vulnerabilities can be exploited has increased while the knowledge curve
required to perform such exploits has shortened. The concept of the elite/super hacker is an illusion.
However, hackers are generally intelligent individuals with good computer skills, with the ability to create
and explore into the computer’s software and hardware. Their intention can be either to gain knowledge
or to dig around to do illegal things. Attackers are motivated by the zeal to know more while malicious
attackers would intend to steal data. In general, there are five phases in which an intruder advances an
attack:
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Covering Tracks

Watch out for Part 2.

Attend a Comprehensive Certified  Ethical Hacking ver. 9 Training at SOUTECH 

Job Roles after taking the course

  • Security Analyst
  • Security Operations Center (SOC) Analyst
  • Vulnerability Analyst
  • Penetration Test Expert
  • Cybersecurity Specialist
  • Threat Intelligence Analyst
  • Security Engineer

Click Here for details.

Curled from EC-Council

Local Web Development via a server: Learn how to start developing websites- SOUTECH

So you have just found web development interesting and want to learn or you are a beginner in web development? Whichever category you belong; you will definitely find this article interesting and useful. During my first three months as a beginner in web design, I recall how difficult it was for me to see my codes displayed on the browsers as intended. Most times the HTML display just fine while some PHP and JavaScript will not display as intended and I often wonder what is it that I am not doing right, that before I meet a good friend called “Local Server”. Off cause, PHP is a server-side language, so you will definitely need a server to run it.

Local Server

Local Server often called a localhost is a software with some built-in functionalities that make your website looks just like it should when it is been hosted on a live server. You will need a local server if you intend to install and run a Content Management System on your computer. It can be accessed by pointing your browser to 127.0.0.1 or http://localhost, at some point you might need to add a port i.e. http://localhost:8080. To install a local server on a windows computer you have an option to choose between XAMPP (X-Cross-Platform, A-Apache, M-MariaDB, P-PHP and P-Perl) and WAMP (Windows, Apache, MySQL, PHP). I prefer XAMPP which works just fine for me and other developers find it to be awesome. Don’t worry both packages are open source.

Functionality

The two regular functions often used are the server (which is apache) and database (MariaDB). The Apache server which is known to be the best server in the world, serving HTTP document over the internet allows your website to be published locally for testing. MariaDB is one of the most popular open source database servers created by the original developers of MySQL, it allows for database creation when building a data-driven website.

How to install

We will use this guide to install XAMPP on our local server. So with no wasting of time head straight tohttps://www.apachefriends.org/index.html choose the version of XAMPP you prefer to download (I suggest you choose the one with a widely used PHP version).  After the download is complete, you need to open the folder where you saved the file, and double-click the installer file.

First, you will be prompted to select the language you wish to use in XAMPP. Click the arrow in the drop-down box to select your desired language from the list, then click OK to continue the installation process.

If you are using Windows 7 or higher, you will see a pop-up window, warning you about User Account Control (UAC) being active on your system. Do not panic, just click OK to continue the installation.

Next, you will see the Welcome to The XAMPP Setup Wizard screen. Click Next to continue the installation.

The next dialogue screen will allow you to choose which components you would like to install. To run XAMPP properly, all components checked need to be installed. Click Next to continue.

It is time for you to Choose Install Location screen. Unless you would like to install XAMPP on another drive, you should not change anything. Click Install to continue.

Relax while XAMPP extract files to the location you selected in the previous step.

Once all of the files have been extracted, the Completing The XAMPP Setup Wizard screen will appear. Click Finish to complete the installation.

Click Yes to open the XAMPP Control Panel after you have click Finish in the previous screen.

You now have a local server.

A local server is idle for testing when building websites and web applications. XAMPP needs to be configured properly for better functionality. To learn more about building web applications and testing with a local server, I recommend you enroll in a web design training at Soutech Web Consult.

Ten Deadly Sins of Cyber security: SOUTECH Web Security Tips and Techniques Guide

1. Introduction
The Information technology (IT) revolution has made it easier to communicate and  disseminate information over long distances and in real time. IT has entered into major realms of a person’s life like education, occupation, commerce and entertainment. The speed, convenience and efficiency associated with IT have made it the lifeline of most organizations, government agencies, professionals and  individuals. Whether you take a look at banking and finance, energy, health care, utility services and communication, IT has revolutionized every sphere of business activity and service delivery. The services sector, in particular has been one of the major beneficiaries of the IT revolution. Banks now offer multiple channels for interacting with their clients such as branch, Internet, mobile, phone and teller machines which make financial products more attractive, and banking more convenient for customers. In this case, banking industry customers are networked to their bank in one way or another.
1.1 Cyber Security
Information Technology and its significance in the business world have become ubiquitous. Today’s business environment is comprised of service industries that are completely dependent on their IT infrastructure. For example, the air traffic control industry is critical to the “normal” functioning of airlines so any disruption in their “traffic control systems” can cause errors that could result in accidents and could even lead to loss of life. Conversely, a power breakdown resulting from a disruption in a company’s IT infrastructure could bring all “operational” activities to a standstill.
The explosive growth and dependence on Information Technology has also provided a veritable breeding ground for cyber crime. Information Technology has made it easier for unscrupulous entities to deceive, steal and harm others through cyberspace. The ease with which these cybercrimes can be committed has raised concerns regarding information confidentiality, integrity and availability. Therefore, the importance of cyber security cannot be overstated. Cyber security involves protection of the data on all
computers and systems that interact with the Internet. It is possible to achieve this level of protection by ensuring proper authentication and maintaining confidentiality, integrity and access controls. In addition, non-repudiation of data is a crucial element of cyber security.

2. Vulnerabilities
The evolution of Cybercrime is evident when one examines how technologically advanced the scope and nature of common attacks have become. Cybercriminals have a more sophisticated modus operandi and purpose. Information can be stolen through social engineering techniques like phishing, or via direct attacks, installing malware through browser tools, ad-links, and key loggers among others. Cybercrime is steadily evolving into a well-organized but still very illegal business activity. In spite of these advances, adherence to a standard of IT Security fundamentals can facilitate appropriate handling of cyber threats.
2.1 Ten Deadly Sins of Cyber Security
i. Weak passwords
The most fundamental, but often overlooked premise of cyber security is strong passwords. Many users still use insecure passwords.

Some of the insecure password practices include
a) Using all letters of same case,
b) Sequential numbers or letters,
c) Only numerals,
d) Less than eight-characters,
e) Predictable characters (such as name, date of birth, phone number)
f) Common passwords for different online accounts.
Now, the question is, “What makes users use predictable passwords irrespective of perceived threats?” Consider the number of accounts that require a user to “login,” throughout a user’s daily routine. Social networking sites, bank websites, official web applications, databases and email ids.
Some of the reasons for using predictable and insecure passwords include:
a) Easy to remember
b) Lack of uniformity in password policy across websites.
A strong password must be a combination of letters, numerals and special
characters and must not be less than eight characters long. A password should
not be predictable. Users must employ different passwords for each of their
individual online accounts.
ii. Phished
Do you respond to e-mails asking for account information? If your answer is,
“Yes.” then you are more likely [than not], to be a victim of a phishing scam. Phishing is a common method of identity theft that utilizes fake e-mails which are sent to customers to acquire sensitive user information.
Example:
Mr. “XYZ” has a savings account with Target bank. Last weekend, Mr. XYZ received an e-mail from customersecurity@targetbank.co.uk with a subject line, ”Update your Target bank online access.”
The e-mail stated that the bank had recently upgraded its services and requested that the recipient fill out a “Customer Update Form” on the link  http://www.targetbank.com. Since Mr. XYZ assumed that the email came from his own bank, he clicked on the provided link. The link took him to a website which appeared to be identical to Target bank’s website. Mr. XYZ filled out the web form containing personal
information as well as authentication details, which the “Customer Update Form” required.
A day later, when he logged on to his online account at https://www.targetbank.com, he was shocked to find that all the funds in his account had been drained.
Mr. XYZ was the victim of a simple phishing scam. Let’s review some basic details that Mr. XYZ missed in the email. First, the mail did not address him by his name; instead, it used “Dear Customer”. Second, the email id ended with “co.uk”, while ideally it should have ended with “.com.” Third, the link, “http://targetbank.com” lead to a fake site www.malicious.ie/userdetails.asp. Finaly, banks usually do not ask customers to reveal “access details” through email.
This is the type of example that can be shared with an employee while training them not to respond to or click on links provided in a “suspicious e-mail.”

iii. Lack of data back up
A user can lose data in events such as hardware or software failure, a virus attack, file corruption, accidental file deletion, application failure, damage of partition structure, or even damage due to power failure. Appropriate data backup procedures allow a user to restore data in times of crisis. There are many ways to backup data such as storing it on CD or DVDs drives, thumb drives, and external
hard disks. Users can create a complete system backup by using a disk image 1. Another secure way to back up data is to employ an online backup service whose main business function is to host uploading and downloading of files as well as file compression and encryption. The basic premise behind backing up data is to make “backed up” data available for later use. Depending upon the changes in
data, a user may schedule backup activity on an hourly, daily or weekly basis. Users can make use of backup options available on a backup utility to verify that all data is properly copied
1 A disk image is a complete sector‐by‐sector copy of the device and replicates its structure and contents
It is not uncommon to “back up your back up” by creating multiple copies of data, so that in case one backup copy is damaged, another copy could be used. Data, which has been backed up, must be adequately protected from malware, Trojans or other cyber threats by using anti-virus solutions and regular updates. Another process, which can prove to be valuable, is to store a copy of data at an offsite
location to safeguard data from any disaster at current premises. While recovering backup files, it is a good idea to have a data recovery software in place to retrieve files from external hard drives.
iv. Insecure Internet Browsing
A Web browser is the gateway to the Internet and is one of the most widely utilized applications. Web browsers are embedded with scripts, applets, plugins and Active X controls. However, these features can be used by hackers to infect unprotected computers with a virus or malicious code. For example, web browsers allow plugins like a flash viewer to extend functionality. Hackers may create malicious flash video clips and embed them in web pages. Vulnerabilities in a web browser can compromise the security of a system and its information. To control security threats, a user may:
a. Disable active scripting in the web browser

b. Add risky sites encountered under restricted sites zone
c. Keep Web browser security level at medium for trusted sites and high for
restricted sites
d. Uncheck the AutoComplete password storage feature in AutoComplete e. Avoid downloading free games and applications as they may have in-built spyware and malware
f. Use anti-spyware solutions
Cyber threats that originate as the result of web browser vulnerabilities, can be controlled by using the latest versions of the web browser software, or by installing updates and configuring settings to disable applets, scripts, plugins and Active X controls.
v. Use of pirated software
Do you use pirated operating systems and/or software?
If your answer is, “Yes.” then you are more likely [than not], to be vulnerable to cyber-attacks.
The ease of availability and often low cost of pirated software can entice users to install pirated software on their computers. However, pirated software may not have the same configuration strength that is available with “genuine software.” The threat to individuals and companies from the risk of privacy, identity or data protection breaches and the exposure of financial implications in the cyber space
make the purchase of “genuine software,” a must. Pirated software may be used to harvest Trojans and viruses in computer systems and since the software is “unsupported” the user is deprived of technical support. Another downside is that software updates are not available to those who have installed pirated software. We purchase software for its functionality and pirated software may lead to frequent interruptions and has even been documented to cause damage to your hard disk. Users who purchase and install genuine software products will benefit from technical support, product updates, un-interrupted services and in the long run; cost savings.
vi. Misuse of Portable storage devices.
The last few years have seen an increased usage of portable storage devices. These devices have brought improvements in working practices, but they also pose a threat to data via theft or leakage. These devices have high storage capacity and can easily be connected to other devices and/or to network
resources. Users can use portable storage devices to download software, applications and data by connecting to official networks. Portable storage devices may also be used to download privileged business information and sensitive customer information. Organizations can restrict the use of portable storage devices to selected users or selected set of devices. “The loss or theft of portable devices can lead to loss or “leakage” of sensitive business and/or user information. “
An example:  In 2007, a leading provider of a Security Certification lost a laptop containing names, addresses, social security numbers, telephone numbers, dates of birth and salary records of employees. In this case, the sensitive business information could have been encrypted to protect data from leakage, even if the device was stolen.

vii. Lack of proper encryption If a user does not have the proper network security practices in place, they are essentially inviting malicious entities to attach their system. Whether a system is a wired or wireless network it is crucial for the proper security safe guards to be in  place to assure safe operations while the computer is active in a live session on the web. Some of the risks that one can expect from an unsecured network include:
a. Unauthorized access to files and data
b. Attackers may capture website traffic, user id and passwords,
c. Attackers may inject a software to log user key strokes and steal sensitive information
d. Unauthorized access to corporate network. (In the event that the user’s network is connected to a corporate network.)
e. A users IP address could be compromised and unauthorized users may use it for illegal transactions. (User network may be used to launch spam and virus attacks on other users.)
A network can be secured by using proper encryption protocols. Network
encryption involves the application of cryptographic services on the network transfer layer, which exists between the data link level and the application level. Data is encrypted during its transition from the data link level to the application level. Wired networks use Internet Protocol Security, while Wireless Encryption Protocol is used to encrypt wireless networks.
viii. Lack of regular updates
Cyber threats are always on the horizon. New versions and updates of security products are released on a regular basis with enhanced security features to guard against latest threats. A user can make use of recommended practices to improve defense against cyber-attacks. Users may also keep track of latest versions of software to improve performance. Since some software developers only issue updates for the latest versions of their software, a user that is using an older version, may not benefit from the latest updates. One of the crucial ways to reduce vulnerabilities is to regularly update the system’s network security devices and related software.
ix. Using Wireless Hotspots
Wireless users often look for convenient ways to gain Internet access, and public Wi-Fi hotspots provide quick, easy and free access to the Internet. What can be more convenient than that? A resourceful wireless user can find Wi-Fi access points at public places such as Cyber café’s, universities, offices, airports, railway stations and hotels. However, these Wi-Fi hotspots may be insecure. Some of the
risks involved in connecting to Wi-Fi hotspots include:
a. Users may be required to use the ISP that is hosting the Internet access for the business that is creating a particular access point. Not all ISPs provide secure SMTP for sending e-mail. In other words, it is possible that any e-mail that is sent and received by users via a “random” hot spot could be
Ten Deadly Sins of Cyber Security August 2010
All Rights Reserved. Reproduction is Strictly Prohibited intercepted by other users sharing the same hot spot. (All users in the same hot spot are sharing the same network.)
b. If a user’s wireless card is set to ad-hoc mode, other users can connect directly.
c. If the access point does not use encryption technology like WEP, other users with a Wi-Fi card could intercept and read the username, passwords, and any other information transmitted by a user.
While using public access points it is safe to use secure websites protected by the Secure Sockets Layer. Using infrastructure mode is safer than ad-hoc mode as it uses access controls to connect to network. A Virtual Private Network (VPN) is a secure way for a user to connect with their company network. (VPN creates secure access to private network over public connections.)
x. Lack of awareness/ proper training Internet and wireless technologies have revolutionized the daily routine of users. With the aid of this new technology, users can conduct transactions, access bank accounts and reserve airline tickets in few minutes. The downside of this new technology is that there are also incidents of data breach and transaction frauds. Cyber security is becoming an issue of major concern. However, users can avoid most of the risks by employing simple precautions. (Lack of awareness is a major hurdle in the safe use of the cyberspace.) Selection of weak passwords is one of
the most fundamental errors committed by users. Unaware users are tempted to reveal authentication details through phishing. Inadequate firewall protection, lack of regular software updates can make systems vulnerable to cyber threats. Users may take precautions by adhering to cyber security tips given on websites of banks, regulatory organization, security product developers, and information
security departments such as SOUTECH VENTURES. Organizations can create awareness among employees through regularly scheduled meetings, training programs and workshops.
3. Conclusion
The proliferation of information technology has also presented the criminals with more attack
vectors. Consequently, cybercriminals make use of every possible vulnerability and opportunity to exploit and launch attack. For example, web feeds designed for productive use of users in meeting information requirements may be used by cybercriminals as attack vectors. Cybercrime can be countered by proactive cyber security initiatives. Creating awareness among users is crucial to limit threats in cyber space. Convergence of laws related to cyber security across international boundaries could also assist in the appropriate handling of cybercrime.

Attend a cyber security training course in Abuja or take online class in cyber security/ ethical hacking TODAY!

Call 08034121380 to book a class or Visit

What most Nigerian Businesses are Missing ” Getting Your Business Found Online via Google”

WHAT NIGERIAN BUSINESSES AND SERVICES ARE MISSING

The internet has been a power tool and has played a significant role over years in transforming people, businesses, and services. The social media, for example, has made communication easy in various ways, nevertheless, it has also aided businesses and services to global recognition. Yeah, now you know where I am heading.

Applicable Strategy

So you want to know what your business and services are missing? Well, before I tell, I would like you to ruminate about the word “CONSISTENCY”, does it ring a bell? It should if you belong to the team “expanding my business”. Now imagine that you wake up in the morning and try to login to your Gmail account, google wasn’t available, and wouldn’t be until noon and you need to send a very important email. If you are thinking like me, you would look for another email provider that will allow you to send your important email.

Now you have an alternative while Gmail in the other hand has a competitor, that is exactly what will happen when your business is not available to a customer at a given time. Unfortunately, I would not talk about consistency in your business and services, rather a consistency in what will bring prospective clients to your targeted list.

Missing the Internet

Do you know that Amazon.com has vendors in almost every city in the USA and UK? But over 85% of their customers patronizes them via the internet. Customers spend more time online because it is easier to locate items through web search function, it is convenient (no rush), and they can choose to pay upon delivery. Taking your business and services to the internet doesn’t only globalized you, it breaches the limit of services you can offer your clients and keeps your clients close to you.

You must apply the consistency theory when taking your businesses and services to the internet. Over 7 million Nigerians use social media every day, yeah! So you need to make over 7 million Nigeria know about you, and you’re are going to remind them about your business and service every day.

Statistics of Nigerians using Facebook.com

Facebook has announced that the social media networking giant has 16 million active users in Nigeria, 6.3 per cent up from June 30, 2015. The announcement coincides with Facebook’s Friends Day, a celebration of Facebook’s 12th anniversary which was marked on Thursday, February 4.

Facebook is the largest social networking company. As of January 2016, Facebook’s monthly active users reached 1.55 billion, or 22 per cent of the entire world’s population. Facebook’s other services have 900 million users (WhatsApp), 800 million users (Facebook Messenger) and 400 million users (Instagram), globally, according to Statista, a leading statistics company on the internet.

Statistics of persons using google.com search for shopping

While smartphones are becoming a vital part of online shopping across the globe as a result of mobile devices, new findings from Google’s consumer Barometer tool released Wednesday has revealed that 85% of people in Nigeria use smartphones for product research as against 30% using computers and 6% using tablets respectively.

Google with their search engine gain insight into what Nigerians need economically and what they are looking for, whatever you search for in Nigeria on Google is with Google because they know your location, save what you search, personalize it for you, and use it for marketing purposes. So if you want to start online marketing practices in Nigeria you need basic knowledge about Google Search Engine and other Google services if you want customers from Google. Google Services are Search Engine, YouTube, Google Plus, Google play, Google Drive, Google Events, Google Map, Google Analytics and more.

Why you need to consistency use Digital marketing (3Ts)Tips, Tools, Techniques to put your business online

Facebook is the second most visited by Nigerians where people make friend and communicate socially with others,  it has up to 16 million users in Nigeria and have been making real money from Nigerians as customers. Some Nigeria Facebook users think Facebook is free because they share photos, videos and communicate with others without paying Facebook. The fact is that the owner of Facebook Mark Zuckerberg is among the ten richest person on earth as at August 2016, you probably don’t know he makes money through advertisements on Facebook. When you see ‘ Sponsored ‘ on a page or post the owner of the post paid facebook for that because the owner of the post want to reach more people.

Nigerians access YouTube Video Sharing website because of the contribution of mobile ISPs (Internet service providers) in Nigeria and the NCC (Nigeria Communication commission) by providing broadband Internet service to people almost everywhere. Globacom recently offer subscribers 10 gigabytes of data at just N2500 with a validity of one month for individuals and businesses. YouTube is owned by Google

Soutech Web Consult has created a package that will enable your business and services benefit from what other Nigerians are missing. It includes building an effective web presence for your business and training on how to grow and remain at the top using technology and the internet.

Learn how to put your business on first page of google today.

Attend SOUTECH Professional Digital Marketing Training today. Call 08034121380 to book a seat.

Order a home training kit for N7,500 ( UPS Courier Delivery next day any where in Nigeria)

 

Why you should start digital marketing TODAY: SOUTECH Ventures business growth guide

WHY YOU SHOULD “SWITCH” TO DIGITAL MARKETING

Digital marketing has not just been proved as the substratum of marketing, it also encases how cost effective marketing can be done, with a higher rate of an outcome. Technology itself has taken over a seemingly command over almost everything. Today, technology has adopted a face of digitalization, which has suddenly started looking like a quicksand, where everything has been absorbed and turned into a new digital world. Today the concept of digital marketing with or without organic and inorganic techniques, allows individuals and entities to bring their businesses and services on the internet and establish it by means of online marketing.

Digital marketing refers to advertising and promoting businesses, services, and brands through digital media channels. A digital media channels can be any platform that can deliver information electronically, such as websites, social media, mobile, e-mails, radio, television, billboards.

The Cost Effective Marketing

Regardless the size of your pocket, digital marketing can help in establishing your business portfolio in a more productive manner, where every resource spent would generate value. The “switch” to digital media is being driven by marketing agencies, business owners and consumers alike. The increasing demand to show quantifiable results has made going digital a dream for every marketing agency.

The cost of digital marketing is very low to an extent, especially for business owners. Having an effective web presence whilst engaging customers in conversations through social media and e-mail marketing, are low-cost alternatives to print advertising. In a simple illustration I would say; if you are to share flyers to some people using print media, each flyer has a cost and there is no guarantee that a person you give a flyer will gain interest. But in digital marketing, all you need is one flyer in soft-copy which can be broadcast to as many persons as possible.

You should be where you can be found

The easiest way consumers can find your business is by whipping out their phone and search for products or items they intend to purchase, if your digital marketing strategy is effective and using the right keywords appropriately, your business and services will experience a robust growth globally. While every business has some kind of product and every product needing promotion, promotions must follow a strategy starting with a unique approach called digital marketing. No marketing techniques had ever had the kind of reach that digital marketing has achieved. For instance, any update you make on social media networks like facebook, in no time it will be notice and conversation will start on that update. In the instance of digital marketing, that update could be a new product or about a new service.

Taking the first step

A good approach to digital marketing, I would say starts by having a website that does the following:

  • Adequately represents your business and brand (look and feel, messaging)
  • Adequately speaks to your target audience
  • Can be found by searchers on top search engines
  • Is up-to-date and easily navigable
  • Provides multiple channels for customer communication
  • Connects to other marketing efforts

Of great importance is the need to be consistent. If you are not consistent in your digital marketing approach then you might not get your desired results.


Also focus is very key to getting on top of google search engine results. There is nothing as using a good content marketing strategy to attract your potential customers and clients to your website.

Soutech Web Consult is an I.T company that specialized in providing solutions in both I.T and E-business. At Soutech, a Training on Digital Marketing will shape your knowledge towards engaging in effective digital marketing.

Click Below:

Enroll for a digital marketing training today.

 

Cybersecurity Tips: How to erase/delete your self from the internet: SOUTECH Ethical Hacking Tips

If you’re reading this, it’s highly likely your personal information is available to the public. And by “public” I mean everyone everywhere. And while you can never remove yourself completely from the internet, there are ways to minimize your online footprint. Here are five ways to do it.

Be warned however; removing your information from the internet as I’ve laid it out below, may adversely affect your ability to communicate with potential employers, friends and relatives.

Seeking to escape the internet? While online notoriety thrills some people, for others, it can become a great burden. Erasing yourself completely is not always possible, but if you follow these steps, you can certainly come close.

Attend SOUTECH Live or Online Training by following below link

5 tips to help you prepare for CEH exam success : SOUTECH Ventures Live Class and Online Class Training

IT security breaches have regularly made news headlines over the past 12 to 18 months. These hacks can be extremely costly. Businesses are now making their IT security a top priority to ensure they are protected from hackers. This means the demand for IT security professionals has soared and Ethical Hackers are among the most highly sought after.


The role of Ethical Hacker is one of the most exciting in IT currently with an average salary of £72,500 (according to itjobswatch.co.uk). Ethical Hackers are at the forefront of IT security and the top of their field. They work directly to stop malicious hackers, using many of the same techniques. But crucially, once they’ve spotted a gap in security, they close it to protect the business.The biggest and most trusted certification for Ethical Hackers is EC-Council’s Certified Ethical hacker certification. As the title suggests, it proves you have the skills of an Ethical Hacker. In order to pass the CEH exam, you’ll need to prove skills in areas like malware threats, session hijacking, SQL infection and cryptography. This shows you can identify gaps in a business’s security and ensure they cannot be exploited.

To help you get your CEH certification and prove you have all the ethical hacking skills required, we’ve compiled 5 of the most useful tips to help you prepare for the tough CEH exam.

1. Get familiar with the exam

It’s important to get familiar with the exam before attempting it. EC-Council’s CEH website can help you do this. It has CEH FAQs, a breakdown of the exam format and duration, plus an extensive background of the CEH certification and regulations. I’d also recommend using the website for reference during your studies, or if you have any queries about the exam. If you still want more information, take a look at our previous post on CEH v9 FAQs.

Due to the sensitivity of the knowledge the CEH is teaching you( SOUTECH does a monthly CEH taining- Abuja class and online classes)

Image courtesy of EC-Council

And as a very basic tip, but a point definitely worth mentioning, make sure you know which version of CEH you’re studying for. EC-Council recently updated the CEH curriculum to version 9.

2. Use a study guide

EC-Council offer a series of study guides for their CEH exam. These are on five different topics within ethical hacking, which includes “Attack Phases”, “Linux, Macintosh & Mobile Systems”, “Secure Network Infrastructures”, “Threats & Defense Mechanisms” and “Web Applications & Data Servers”. As they’re official from EC-Council, you know you can trust the information. Each book covers its topic thoroughly, giving you plenty of knowledge to tackle it in the exam.

You can contact us for several study guide or take an online training today at pocket friendly prices

3. Take an official CEH course

Sitting an official CEH course will put you in the best possible position for the exam, following a method proven to help people gain as much knowledge and skills as possible. If you choose an official classroom based CEH course, you’ll benefit from a qualified expert instructor. You’ll have access to the instructor’s expert knowledge when you have questions. Whilst you’re also with other students who’ll be in the same situation, asking similar questions and boosting your motivation.

4. Test yourself with practice questions

The best way to assess your readiness for the CEH exam is to try a practice test. You’ll get immediate feedback and it’ll help you make the connection between your studies and the end goal of gaining knowledge and skills and passing the exam, relating your knowledge to specially designed questions.

Skillset offer CEH practice tests in 52 different skill areas. From Cryptanalytic Attacks to Computer Viruses to Session Hijacking, this incredible detail means you can study CEH comprehensively. Also, each topic has a series of more advanced levels allowing you to test the depth of your knowledge for each topic area.

There is also a practice test on the EC-Council website. As it comes straight from the creators of the CEH exam you know the questions will be useful and could be a basis from which to build your revision, and assess your readiness for the CEH exam. I wouldn’t use this resource too early in your studies, but as a check to see whether your knowledge is well-rounded enough for the exam.

5. Get involved in a forum

Using a forum is a great way to connect with many like-minded people who are currently studying for the same certification or who have sat it in the past. You’ll learn from their queries and experiences helping you get ideas for your own studies. However, bear in mind that not everyone is an expert.

TechExams has one of the largest CEH forums, with people that have passed and those who have found barriers and difficulties whilst studying. Here, you’ll be able to find help and information regarding what skill areas you should concentrate on to gain the most from the certification. Not only will this help you pass the exam, it’ll help you focus on the most useful topic areas to help you on the job in the future.

Take a CEH course in abuja today, or enroll for an online training from the confort of your home.
Click below to check out course details:
www.soutechventures.com/certified-ethical-hacking-training-in-abujanigeria/

Certified Ethical Hacking Certification training center in Abuja Nigeria- Live class and online training

Certified Ethical Hacking Certification

CEH-Cert-Mokcup-02-1A Certified Ethical Hacker is a skilled professional who understands and knows how to look for weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner to assess the security posture of a target system(s). The CEH credential certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective.

The purpose of the CEH credential is to:

  • Establish and govern minimum standards for credentialing professional information security specialists in ethical hacking measures.
  • Inform the public that credentialed individuals meet or exceed the minimum standards.
  • Reinforce ethical hacking as a unique and self-regulating profession.

About the Exam

  • Number of Questions: 125
  • Test Duration: 4 Hours
  • Test Format: Multiple Choice
  • Test Delivery: ECC EXAM, VUE
  • Exam Prefix: 312-50 (ECC EXAM), 312-50 (VUE)

CERTIFIED ETHICAL HACKER TRAINING PROGRAM

Most Advanced Hacking Course

 divider
 The Certified Ethical Hacker program is the pinnacle of the most desired information security training program any information security professional will ever want to be in. To master the hacking technologies, you will need to become one, but an ethical one! The accredited course provides the advanced hacking tools and techniques used by hackers and information security professionals alike to break into an organization. As we put it, “To beat a hacker, you need to think like a hacker”.
 This course will immerse you into the Hacker Mindset so that you will be able to defend against future attacks. The security mindset in any organization must not be limited to the silos of a certain vendor, technologies or pieces of equipment.

This ethical hacking course puts you in the driver’s seat of a hands-on environment with a systematic process. Here, you will be exposed to an entirely different way of achieving optimal information security posture in their organization; by hacking it! You will scan, test, hack and secure your own systems. You will be taught the five phases of ethical hacking and the ways to approach your target and succeed at breaking in every time! The five phases include Reconnaissance, Gaining Access, Enumeration, Maintaining Access, and covering your tracks.

Underground Hacking Tools

The hacking tools and techniques in each of these five phases are provided in detail in an encyclopedic approach to help you identify when an attack has been used against your own targets. Why then is this training called the Certified Ethical Hacker Course? This is because by using the same techniques as the bad guys, you can assess the security posture of an organization with the same approach these malicious hackers use, identify weaknesses and fix the problems before they are identified by the enemy, causing what could potentially be a catastrophic damage to your respective organization.

We live in an age where attacks are all susceptible and come from anyplace at any time and we never know how skilled, well-funded, or persistent the threat will be. Throughout the CEH course, you will be immersed in a hacker’s mindset, evaluating not just logical, but physical security. Exploring every possible point of entry to find the weakest link in an organization. From the end user, the secretary, the CEO, misconfigurations, vulnerable times during migrations even information left in the dumpster.

About the Program

 Our security experts have designed over 140 labs which mimic real time scenarios in the course to help you “live” through an attack as if it were real and provide you with access to over 2200 commonly used hacking tools to immerse you into the hacker world.

As “a picture tells a thousand words”, our developers have all this and more for you in over 1685 graphically rich, specially designed slides to help you grasp complex security concepts in depth which will be presented to you in a 5 day hands on class by our Certified EC-Council Instructor.

The goal of this course is to help you master an ethical hacking methodology that can be used in a penetration testing or ethical hacking situation. You walk out the door with ethical hacking skills that are highly in demand, as well as the internationally recognized Certified Ethical Hacker certification! This course prepares you for EC-Council Certified Ethical Hacker exam 312-50.

What is New in CEH Version 9 Course

  • Focus on New Attack Vectors
    • Emphasis on Cloud Computing Technology
      • CEHv9 focuses on various threats and hacking attacks to the emerging cloud computing technology
      • Covers wide-ranging countermeasures to combat cloud computing attacks
      • Provides a detailed pen testing methodology for cloud systems to identify threats in advance
    • Emphasis on Mobile Platforms and Tablet Computers
      • CEHv9 focuses on the latest hacking attacks targeted to mobile platform and tablet computers and covers countermeasures to secure mobile infrastructure
      • Coverage of latest development in mobile and web technologies
  • New Vulnerabilities Are Addressed
    • Heartbleed CVE-2014-0160
      • Heartbleed makes the SSL layer used by millions of websites and thousands of cloud providers vulnerable.
      • Detailed coverage and labs in Module 18: Cryptography.
    • Shellshock CVE-2014-6271
      • Shellshock exposes vulnerability in Bash, the widely-used shell for Unix-based operating systems such as Linux and OS X.
      • Detailed coverage and labs in Module 11: Hacking Webservers
    • Poodle CVE-2014-3566
      • POODLE lets attackers decrypt SSLv3 connections and hijack the cookie session that identifies you to a service, allowing them to control your account without needing your password.
      • Case study in Module 18: Cryptography
    • Hacking Using Mobile Phones
      • CEHv9 focuses on performing hacking (Foot printing, scanning, enumeration, system hacking, sniffing, DDoS attack, etc.) using mobile phones
      • Courseware covers latest mobile hacking tools in all the modules
    • Coverage of latest Trojan, Virus, Backdoors
    • Courseware covers Information Security Controls and Information
    • Security Laws and Standards
    • Labs on Hacking Mobile Platforms and Cloud Computing
    • More than 40 percent new labs are added from Version 8
    • More than 1500 new/updated tools
    • CEHv9 program focuses on addressing security issues to the latest operating systems like Windows 8.1
  • It also focuses on addressing the existing threats to operating environments dominated by Windows 7, Windows 8, and other operating systems (backward compatibility)
 Ready to take the training check below link:

Building your own website today: Expert Opinion and Guide- SOUTECH Ventures

eCommerce WebsiteTHE CONCEPT OF BUILDING A WEBSITE ON YOUR OWN?

It is a great idea with wonderful experiences and you can do it. Apart from building websites for a fee to prospects, you can as well build yours and earn money from it in so many different ways.

To build a website, you will require some set of skills, but that doesn’t mean you will have to spend years in an institution or on training, no! you can acquire the skills you need within days or weeks of web design training from Soutech Ventures.

To build a website you must put into consideration, some processes and implementations in order to achieve your desired result. Few of the processes you must consider are as follows.

Functionality – This is a very important aspect of website building. Functionality has to do with what the website can do. The functionality of a website is the interactive part of the site – that which allows the visitor to respond in some way, thus turning the visitor into a customer. for instance, online chat, membership, registration, social media integration, online payment integration, email and sms notification, newsletter system, online booking – these are functionalities.

UX/UI – The functionality determines the design which is the visual-graphic display of the website. UX/UI is an abbreviation for user experience (UX) or user interface (UI). It gives your visitors the look and feel, making them understand exactly what your website is all about. When building a website, it is very important that your design should be friendly, easy to access and concise, otherwise your visitors will find it difficult to access information on your website.

Hosting – After you have completed the design of your website, you will now want to make it go live to the world, a hosting server is what you will need. When choosing a hosting server, you will have to consider traffics, functionality and features on your proposed website. These include files, access and security. The country of the hosting server is also to be considered as well. At a point you may require the help of an expert to host, manage or administer your website for you.

Responsive Website Design: When creating websites there is need to create websites that can adapt to various screen sizes i.e phones, tablets, laptops, desktops, TV screens etc.

Soutech Ventures has been proven reliable in Web Development for over the years, and we deliver to our customers’ expectations. Join one of our training sessions today and become an expert in website designing.

What Next:

Get a complete home video/slides/book training kit on how to design a website

 Click Here – Nationwide Delivery within 24hrs.

Attend a hands-on training at SOUTECH website design training program in Abuja. Contact Us Today. Click here to attend a training today.

Click here to start making MONEY TODAY- Become a software reseller

Click here to get a website today

Mobile Application Development Services- Click here

Kindly share this article.

How to become a mobile application development expert- SOUTECH Ventures

A little bite of history: 

With mobile device manufactures each having its own preferred development environment, a growth mobile phone application developments that are World Wide Web capable and a large population of HTML savvy developers, there has arisen web-based application frameworks to help developers write applications that can be deployed on multiple devices.

There are several ways to build mobile applications, and using a framework

 A framework is the base of your future application. Its usage greatly simplifies the whole development process. Instead of writing an application from scratch and dealing with large portions of code to make your application work on different platforms – you use a framework. Here’s a list of framework for mobile app development:

Also what is a hybrid application(Hybrid Mobile Applications. Hybrid development combines the best (or worst) of both the native and HTML5 worlds. We define hybrid as a web app, primarily built using HTML5 and JavaScript, that is then wrapped inside a thin native container that provides access to native platform features.

 Bootstrap is a free, open-source. Front – End framework used for creating websites & web applications. It contains HTML and CSS based templates for forms, buttons, typography, navigation and other interface components, as well as other optional JavaScript extensions.

2. Apache Cordova

Apache Cordova is a popular Mobile Development Framework. Cordova enables software programmers to build applications for mobile devices using HTML5, CSS3, JavaScript, Android, iOS, Windows Phone.

3. Ionic

Ionic is a Free open source. It offers a library of mobile-optimized HTML , CSS and JS components, gestures, and tools for building highly interactive apps. Built with Sass and optimized for AngularJS.

4. Framework 7

It is an HTML framework for building iOS and Android apps . Framework 7 is a opensource framework to develop hybrid mobile apps. It has Full Featured HTML Framework for Building iOS & Android Apps.

5. PhoneGap

PhoneGap is an open source framework for building fast, and easy mobile apps . It built hybrid application with HTML, CSS and Javascript.

6. Appcelerator Titanium

Appcelerator Titanium is an open-source framework. It allows create mobile apps on platforms including iOS, Android and Windows Phone from a single JavaScript codebase.

7. jQuery Mobile

It is an HTML5-based user interface system designed to make responsive web sites and apps. JQueryMobile is a robust mobile development framework. It is used to build cross-mobile platform app. JQuery Mobile supports a wide range of different platforms, from a regular desktop, smart phone, tablet.

8. React Native

React Native built mobile apps only with JavaScript. It uses the same design as React, letting you to compose a rich mobile UI from declarative components. it builds native iOS and Android apps with JavaScript.

9. Kendo UI

The Kendo UI framework builds, interactive and high-performance websites and applications. The framework comes with a library of UI widgets, client-side data source, an abundance of data-visualization gadgets, built-in MVVM library.

10. Onsen UI

Onsen UI is an open-source UI framework. It is based on PhoneGap and Cordova. Onsen UI allows the developers to create mobile apps using CSS, HTML5, and JavaScript.

What Next:

Get a complete home video/slides/book training kit on each of this framework and start developing mobile apps:  Click Here – Nationwide Delivery within 24hrs.

Attend a hands-on training at SOUTECH Mobile Application Development training in Abuja. Contact Us Today. Click here to attend a training today.

Click here to start making MONEY TODAY- Become a software reseller

Click here to get a website today

Mobile Application Development Services- Click here

Kindly share this article.

Professional Training Videos for Microsoft, Comptia , AutoCAD, Graphics and Branding, SPSS, Motivational in Abuja, Nigeria

Soutech Ventures is primarily an Information Technology Firm, which was created to be the numero uno in business promotion development & implementation, eBusiness & IT systems integration and consultancy industry of the Nigerian Economy and to partners worldwide.
We have over 50+ discounted training kits on any industry subject: DVD Packs( Minimum 20hrs training hands-time videos)

Inline image 2Inline image 7Inline image 1Inline image 3Inline image 4Inline image 5Inline image 6

 
Cost: 6,500 Each including next day shipment via courier
 

Payment can be made via Bank deposit/transfer.

Account Details
diamond bank

DIAMOND BANK
SOUTECH VENTURES
0054227379

Debit/Credit Card Payment

*Please remember to notify us after successful payment or sending a payment notification directly to this email address: contact@soutechventures.com, 08034121380

 Some titles

  1. 50+ Motivational Audio Books by John Maxwell and Brain Tracy
  2. Advance Blogging for cash Training -Make Money Online
  3. Advance Website Analytics, Tracking, Audit and Security
  4. Advanced Excel Training course for Statisticians and Accountants
  5. AUTOCAD Full Training Course
  6. Boostrap Website Developer Course
  7. Branding- Building Brands and Increasing Revenue for Business Executives
  8. Building Enterprise eCommerce-Online Store Websites
  9. Building Mobile App with AngularJS and Ionic
  10. Building Online Website Forums
  11. Business Analysis
  12. C# Complete Developer Course
  13. Cloud Computing Training Course
  14. CMS- WordPress and Joomla Theme Developer Course
  15. Complete Email Marketing Course+ Free 1mil Email Database
  16. Complete Voilin Training Course
  17. CompTIA A+ Computer Repair, Maintenance and Upgrade
  18. ComTIA Linux Training
  19. CompTIA N+ Networking Training
  20. CompTIA Security Training
  21. CompTIA Security+ Training
  22. Computer Literacy for Windows
  23. Core Javascript Master Developer Course
  24. Dreamweaver Professional Training Course
  25. Drupal Advanced Training Course
  26. Creating Web Application
  27. Cybersecurity and Ethical Hacking
  28. Digital Marketing Research
  29. Dreamweaver Professional Training Course
  30. Drupal Advanced Training Course
  31. eBusiness Technologies-
  32. eHR- Building a Company Team for World Impact
  33. Entrepreneurship- Smart Business Models for Business Growth and Success
  34. eProcurement and Online Payments- Tools, Tools and Techniques
  35. Game Developer Training Course
  36. How to Make Massive Cash as a Web designer and Developer
  37. How to Start a Company and Become Global Within 3 Months
  38. Internet Marketing Training Course
  39. Java Application Development Course
  40. Joomla Developer Full Training Course
  41. Learning to Use The Macintosh Computer
  42. Microsoft Office 2013 Full Training Program
  43. Microsoft Sharepoint Training
  44. Microsoft Visio Studio Training Course
  45. Mobile Application Developer Course-Andriod, iOs, Windows
  46. Mobile Marketing Advance Course- SMS, Robo Calls, ShortCode
  47. Oracle Training Courses
  48. Sales Secrets for Small Business
  49. SPSS Professional Training
  50. Strategic Negotiation
  51. User Experience Fundamentals for Web Design

SOUTECH Professional Web Design Solutions and Training: in Karu,Nyanya, Asokoro, Wuse, Garki,Abuja

Website Design Solutions and Training in Karu Nyanya Wuse Garki Lugbe Abuja Nigeria

SOUTECH Web Consults – (a smart and budding Information Technology (IT) firm with innovative, intelligent, knowledgeable and experienced consultants, trainers and developers.

To be efficient in IT service delivery and management you need  core practical training from SOUTECH Web Consults to help you in:

  • Critical thinking and problem solving skills
  • Communication skills
  • Collaboration skills
  • Creativity and innovation skills

We look forward to training you in the following courses.

Core courses- 2 Weeks(4 Days Training + 2 Weeks Mentorship)
Cost: N30,000 Each
===========================================================
1. Website Design and Basic Internet Business
2. eBusiness Technologies and Application
3. Digital Marketing and Client Renternship 
4. Mobile App Development
5. IT Project Management 
6. Business Branding and Development
7. eMail and Mobile Marketing Solution 
8. eCommerce Websites Development
Certificate Courses-3 Days Intensive Bootcamp
Cost: N12,000 Each
===========================================================
1. Copywriting
2. Information and Business Marketing
3. Business Start Up Guide
4. SEO,SMO,SMM
Advanced Courses- 1 Month with Optional 2 Months Internship
Cost: N50,000 Each
===========================================================
1. PHP and Portal Development Training
2. ERP and CRM Integration,Application
3. Business Analysis and Intelligence
4. Hybrid Enterprise Mobile Application Development
5. Graphics and Branding
6. Multimedia Solutions
Contact us for training,partnership and solutions.
Venue: SOUTECH VENTURES, Kano Street, Along Shehu Shagari mosque, Area 1, Abuja
  • Real-life application and understanding
  • Conducive learning environment
  • Participants get a Certificate of Training
  • Restricted and interactive classes
  • Service comes with all necessary softwares
  • Soft copy training(Videos and eBooks) materials will be available
  • Qualified and experienced facilitators
  • Get a full Audio recording of the training (No need for refresher class)
  • Full certification course (Good for your CV)
  • Job/Internship placement support (Optional)
  • Customized soft copy of training materials will be provided
  • Organized and efficient training process
  • Tea/Cofee Breaks and Snacks to be provided
  • Conducive air conditioned learning environment and Parking Space

Solar and Inverter Training in Abuja- SOUTECH

Call NOW to book your training.

Highlights

  • Five days solar and inverter training
  • Training holds in weekday and weekend batches
  • Course outline includes:
    • Introduction to renewable energy (global and domestic perspective)
    • Energy mix and energy balance
    • Components/makeup of RES – solar panels, inverters and batteries
    • Stress test analysis
    • Basic installation guidelines in RES installation
    • Safety measures/procedure basic tools
    • Safety wears
    • Basic installation
    • How to install 0.8RV – 7KVA series panel (solar application)
    • Market analysis (business potential)
    • Global and local demand
    • How to identify and make opportunities
  • Participants will get a certificate upon completion of training
  • Training materials will be provided
  • Conducive learning environment
  • Experienced tutors

Details

SOUTECH Solar & Inverter is an engineering company renowned for creating reliable power solutions to apartments through the creation and installation of high-tech inverters and other renewable energy innovations. They are fully armed with personnel that know their onions and have gained reputation in ensuring an excellent service delivery. We are offering customers a professional solar and inverter training. At a time where all aspects of life rely on power, this training is available to a wide spectrum of individuals. Training is focused on renewable energy, their components, mode of utilization and possible business opportunities that can emerge from this field. Training holds in weekday and weekend batches and participants can select the most convenient batch for them.

Cost: N50,000

MON-Friday.

Call 08034121380 to attend this months batch.

All courses comes with 30 days weeks mentorship program to ensure you get the best and become an expert in the field of training.

Highlights

  • Venue: SOUTECH VENTURES, b8, First Floor, 2XL Mall, beside Zenith Bank, 3rd Avenue, Gwarimpa, Abuja
  • Real-life application and understanding
  • Conducive learning environment
  • Participants Abuja, get a Certificate of Training
  • Restricted and interactive classes
  • Service comes with all necessary softwares
  • Soft copy training(Videos and eBooks) materials will be available
  • Qualified and experienced facilitators
  • Get a full Audio recording of the training (No need for refresher class)
  • Full certification course (Good for your CV)
  • Job/Internship placement support (Optional)
  • Customized soft copy of training materials will be provided
  • Organized and efficient training process
  • Tea/Cofee Breaks and Snacks to be provided
  • Conducive air conditioned learning environment and Parking Space

Registration Procedures

  1. Pay Training fee before training start date( to claim discounted fee)
  2. Upon confirmation of your registration,payment, an electronic receipt  will be sent to your mail.
  3. Commence your  training at SOUTECH Training Venue

Payment can be made via our through Bank deposit/transfer.
Account Details
diamond bank

DIAMOND BANK
SOUTECH VENTURES
0054227379

or Pay via debit/credit cards throw below link

Pay Now

*Please remember to notify us after successful payment or sending a payment notification directly to 08034121380

 

Professional IT Courses Training in Abuja: Web Design, Ethical Hacking, Networking, Mobile App Development, Project Management

SOUTECH Web Development Consults – (a smart and budding Information Technology (IT) firm with innovative, intelligent, knowledgeable and experienced consultants, trainers and developers.

To be efficient in IT service delivery and management you need  core practical training from SOUTECH Web Consults to help you in:

  • Critical thinking and problem solving skills
  • Communication skills
  • Collaboration  skills
  • Creativity and innovation skills

We look forward to training you in the following courses.

 

COURSES Duration

(Live Class- Practical)

Follow Up Contact(Project) Mentorship

 

Cost
Professional Website Design(HTML,CSS,WordPress) 3 days( 20hrs) 1 month 30 Days 40,000
Website Development( Javascript, PHP or Python Options)   — web design is a prerequisite 5 days( 20hrs) 2 months 30 Days 60,000
Digital Marketing and SEO 1 days( 6hrs) 1 month 30 Days 50,000
eBusiness and eCommerce 1 days( 6hrs) 1 month 30 Days 20,000
Blogging for Profit 1 days( 6hrs) 1 month 30 Days 15,000
Website Design + Digital Markering Combo 5 days( 25hrs) 1 month 30 Days 60,000
Mobile Application Development( HTML,CSS,iOnic,Phonegap,AngularJS)- Andriod,iOs,Blackberry  Development– web design is a prerequisite

Advanced Mobile App Dev- 100k- 8 Contacts

4 days( 20hrs) 2 month 30 Days 50,000
Web Design + Digital Marketing + Mobile App Development( 3 in 1) 8 days( 40hrs) 2 months 30 Days 100,000
Microsoft Office Training( Word, Excel, PowerPoint) 2013/2016 6 days( 20hrs) 1 day 30 Days 50,000
Certified Ethical Hacking(CEH ver 9) and Cybersecurity 4 days( 20hrs) 1 day 30 Days 70,000
Certified Information Systems Security Professional(CISSP) 4 days( 20hrs) 1 day 30 Days 70,000
ITIL ver 3(Information Technology Infrastructure Library) 4 days( 20hrs) 1 day 30 Days 40,000
Corporate & Product Graphics and Branding( Corel/Photoshop) 4 days( 20hrs) 2 day 30 Days 40,000
MS Project and Primavera 4 days( 20hrs) 1 day 30 Days 50,000
Advanced Excel 2013/2016 3 days( 15hrs) 1 day 30 Days 40,000

 

All courses comes with 30 days weeks mentorship program to ensure you get the best and become an expert in the field of training.

Highlights

  • Venue: SOUTECH VENTURES, Kano Street, After Shehu Shagari Mosque, Area 1, Abuja
  • Real-life application and understanding
  • Conducive learning environment
  • Participants Abuja, get a Certificate of Training
  • Restricted and interactive classes
  • Service comes with all necessary softwares
  • Soft copy training(Videos and eBooks) materials will be available
  • Qualified and experienced facilitators
  • Get a full Audio recording of the training (No need for refresher class)
  • Full certification course (Good for your CV)
  • Job/Internship placement support (Optional)
  • Customized soft copy of training materials will be provided
  • Organized and efficient training process
  • Tea/Cofee Breaks and Snacks to be provided
  • Conducive air conditioned learning environment and Parking Space

Registration Procedures

  1. Pay Training fee before training start date( to claim discounted fee)
  2. Upon confirmation of your registration,payment, an electronic receipt  will be sent to your mail.
  3. Commence your  training at SOUTECH Training Venue

Payment can be made via our through Bank deposit/transfer.
Account Details
diamond bank

DIAMOND BANK
SOUTECH VENTURES
0054227379

or Pay via debit/credit cards throw below link

www.soutechventures.com/payments/

*Please remember to notify us after successful payment or sending a payment notification directly to 08034121380