Step 1 – (Intelligence Gathering)
The information-gathering phase consists of service enumeration, network mapping, banner reconnaissance and more. Host and service discovery efforts result in a compiled list of all accessible systems and their respective services, with the goal of obtaining as much information about the systems as possible. Host and service discovery includes initial domain footprinting, live host detection, service enumeration, and operating system and application fingerprinting. The purpose of this step is to collectively map the in-scope environment and prepare for threat identification.
Step 2 – (Threat Modeling)
With the information collected in the previous step, security testing transitions to identifying vulnerabilities within systems. This begins with automated scans but quickly develops into deep-dive manual testing techniques. During the threat-modeling step, assets are identified and categorized into threat categories. These may involve sensitive documents, trade secrets and financial information, but more commonly consist of technical information found during the previous phase.
Step 3 – (Vulnerability Analysis)
The vulnerability analysis phase involves documenting and analyzing the vulnerabilities discovered as a result of the previous steps. This includes analysis of the output from the various security tools and manual testing techniques. At this point, a list of attractive vulnerabilities, suspicious services and items worth researching further has been created and weighted for further analysis. In essence, the plan of attack is developed here.
The reporting step is intended to deliver, rank and prioritize findings and generate a clear and actionable report, complete with evidence, for the project stakeholders. The presentation of findings can occur via Google Hangouts/Skype or in person – whichever format is most conducive to communicating results. At Khanna Security, we consider this phase to be the most important and we take great care to ensure we've communicated the value of our service and findings thoroughly.
Step 5 – (Reporting)
We consider the reporting phase to mark the beginning of our relationship. Khanna Security strives to provide the best possible customer experience and service. As a result, our report makes up only a small part of our deliverable. We provide clients with remediation knowledge resources, dedicated remediation staff and a ticketing system to close the ever-important gap in the remediation process following the reporting phase.
Step 6 – (Re-Testing)
After the vulnerabilities have been patched and fixed by the client's web administrator or the person responsible for this, we re-scan for vulnerabilities. If we find any further vulnerability, we follow the same process from step 1 to step 6. If no vulnerabilities are found, we issue the VAPT certificate to the client.
BLACK BOX testing
- In black-box testing, penetration testers are not given any specific scope by the organization and are not accompanied by any internal member from the organization.
- In this type of testing, NIC-Security penetration testers act as real-time black hat hackers and try to penetrate the organization's network infrastructure using all possible means of hacking.
Pricing for black-box testing normally depends on the scope and features of the project. It is normally priced higher because more time is spent penetrating the application than in white-box testing.
WHITE BOX testing
- In white-box testing, the organization defines the entire scope of work, including the number of IP-based devices and their IPs. NIC-Security penetration testers will focus only on the IPs defined in the scope.
- A penetration tester or any representative from the organization will accompany the penetration tester within the organization. In white-box testing, the entire VAPT process will be monitored by the representative from the organization.
Pricing for white-box testing is normally INR 7000/- per IP-based device.