Penetration Test Service

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution. The intent of a penetration test is to determine the feasibility of an attack and the amount of business impact of a successful exploit, if discovered. It is a component of a full security audit.

Our Approach

Saitech IT Solutions follows a structured approach based on best practices and well-developed methodologies to ensure objectives are met. Saitech's approach to its ethical hacking service (PT) is based on a combination of in-depth methodologies and continual innovation to ensure a thorough check of the customer's network for vulnerabilities.

Saitech IT Solutions proposes the following service to meet the objective of the customer.

Ethical Hacking (Penetration Testing)

Black Box PT, Finding Vulnerabilities, Finding ports open to the outside, Exploiting the found Vulnerabilities if time permits, Reports & Recommendation

Penetration Testing by Saitech is a systematic and structured high-end analysis, testing and reporting exercise conducted in order to:

Highlight the vulnerabilities associated with the customer's network infrastructure, Map the found vulnerabilities to the OWASP Top 10 vulnerabilities, Provide recommendations for mitigating the identified vulnerabilities, Provide a workaround where a patch is not available from the vendor, to minimize the potential impact in case of vulnerability assessment

Penetration Testing Methodology

The Black Box Penetration Test (Ethical Hacking Service) cycle passes through a series of tasks specially designed to identify the security vulnerabilities in assets exposed to the public domain. Every stage of the methodology generates an output that may serve as a piece of information for individual reporting or as input for a subsequent task.

The Black Box Penetration Test (Ethical Hacking Service) comprises five phases

Enumeration, Network Surveying, Port Scanning, System Fingerprinting, Router ACL, Firewall Testing

Vulnerability Discovery

In this phase, the Saitech PT team identifies, understands and verifies the weaknesses, misconfigurations and vulnerabilities of target hosts and maps the profile of the environment with the information gathered. This task involves:

Running vulnerability assessment tools against target hosts, Discovery and enumeration of the vulnerabilities of target hosts, Matching of discovered vulnerabilities to services, Collection and categorization of all vulnerabilities according to applications and operating systems, Mapping the found vulnerabilities to the OWASP Top 10 vulnerabilities

The Saitech team will use various commercial, non-commercial and proprietary tools to discover and enumerate vulnerabilities at different levels such as OS, Services & Applications.

Gaining Access and Privilege Escalation (Subject to the customer's Approval)

Attempting Brute Force: The Saitech team will run various brute-force attacks to attempt the acquisition of passwords and discover weak passwords of Applications, Services and OS accounts.

IP Attacks: In this step, the Saitech team will run various DoS, DDoS and other attacks on discovered and enumerated services.

The following points are valid if fully exploited

Leaving Traces & Privilege Escalation

Reporting and Documentation

Mapping of the found vulnerabilities to the latest OWASP Top 10 vulnerabilities, Summary of OS / Service / Application vulnerabilities discovered using automated tools, Summary of manually identified vulnerabilities, Traces left behind on compromised hosts, Recommendations for vulnerability (and impact) mitigation