Question
Your assignment is to write a penetration testing plan.
Be sure to adhere to the following requirements when completing your penetration testing plan:
The plan should contain an Executive Summary, Overview, Scope, Assumptions, Rule of Engagement and Signature.
The plan should be 8 - 10 pages
Be sure to focus on the structure, format and overall presentation of the testing plan.
When completing each section of the plan, be sure to address the following:
Does the summary address what this pen test is all about?
Does the plan represent the desires of the organization/leadership and address what they are hoping to achieve?
Overview (just like the template)
What are the purpose and goal?
Which laws are in play?
Which guidelines are the tester(s) going to use?
The Scope: where is the focus going to take place? (What systems, what network, what business functions?)
The Assumptions: basically, what is the viewpoint of the tester(s)? From which perspective are they going to approach the plan?
Rules of engagement, the most important section: What are the limits? What is the communication structure? Is there a communications blackout?
Explanation / Answer
Answer: Overview of What Penetration Testing Is
We can figure out the vulnerabilities of a computer system, a web application or a network through penetration testing.
A penetration test tells whether the existing defensive measures employed on the system are strong enough to prevent any security breaches.
Causes of vulnerabilities:
What are the purpose and goal?
Why Penetration testing?
You must have heard of the WannaCry ransomware attack that started in May 2017. It locked more than 2 lakh (200,000) computers around the world and demanded ransom payments in the Bitcoin cryptocurrency. This attack affected many big organizations around the globe.
With such massive and dangerous cyber-attacks happening these days, it has become unavoidable to do penetration testing at regular intervals to protect information systems against security breaches.
So, penetration testing is mainly required because:
– Financial or critical data must be secured while transferring it between different systems or over the network.
– Many clients are asking for pen testing as part of the software release cycle.
– To secure user data.
– To find security vulnerabilities in an application.
– To discover loopholes in the system.
– To assess the business impact of successful attacks.
– To meet information security compliance requirements in the organization.
– To implement an effective security strategy in the organization.
Example: E-commerce Penetration Test Case Study
Case Introduction
The Client is a level-one merchant and retailer of women’s clothing. The Client has three unique brands running on multiple e-commerce web sites. Brand A runs on a third-party e-commerce platform written using a Java platform with Apache Tomcat and IBM’s DB2 database and utilizes a content-delivery network for image distribution. Brand B and Brand C utilize an in-house coded e-commerce shopping cart written in ColdFusion with Microsoft SQL and share the same underlying code. All brands submit cardholder data for processing over HTTPS. All sites are hosted at a third-party hosting provider on dedicated systems. The Client’s firewalls have integrated intrusion prevention features. The Client has exclusive control of the code and the content. Product Managers update product information using staging servers in the corporate environment, and the updates are promoted to production by IT support staff. The Client has full control of DNS.
Description of Environment
The environment for Brands A, B, and C is comprised of five networks. The web DMZ contains the firewalls, DNS servers, load balancers, and web servers for all brands. Only the load balancers are NAT’d and have publicly routable IP addresses.
The application tier contains the Apache Tomcat and ColdFusion middleware servers. It is segmented from the DMZ and database tiers using firewall access controls. The database tier contains the Microsoft SQL and IBM DB2 servers. It is segmented from the application tier using firewall access controls. The management network is used for backups, patch-management servers, NTP servers, network-traffic analysis devices, and syslog collectors. The management network is accessible using jump boxes with two-factor authentication from the corporate network over a point-to-point VPN.
Pre-Engagement Activities (Planning)
Once the engagement was confirmed, the Pen Test Company scheduled a kick-off call and provided the Client with a testing questionnaire and a test-authorization form to be completed before the next meeting.
The kick-off call is generally used to review the rules of engagement, define the success criteria, and review the methodology to be used.
The web applications for Brand A and Brand B will be completely in scope. The web application for Brand C is presumed to be an exact copy, exclusive of product information and look and feel. The tester will sample the web application for Brand C to verify that the applications are the same as Brand B. If it is determined that there are material differences between Brand B and Brand C web applications, Brand C will be brought fully into scope.
The Pen Test Company has agreed that testing will be conducted against the production systems, as no suitable staging or review system is publicly available. Because of this limitation, testing must be performed with the intrusion prevention system enabled. However, because the timeline for testing cannot accommodate the time required to use techniques that might bypass the IPS, the Client has agreed to remove any blocks enabled by the system during testing.
For this engagement the Client has requested that additional rules of engagement include that testing be limited to non-peak hours, and any attempts to run exploit code on the remote systems be performed only after notifying the Client. Also, any accounts created by the tester or successful orders placed in the system must be identified at the end of each day’s testing.
All parties have agreed that no further testing is required if the penetration tester is able to extract data from either of the databases or obtain shell access on any server in the web farm.
Engagement Phase (Discovery and Attack/Execution)
The penetration tester began by comparing the scope provided by the Client. Any differences in scope were noted and investigated.
The penetration tester then gathered information on the target organization through web sites and mail servers, public records, and databases. This open-source intelligence (OSINT) gathering is an important next step in confirming scope and determining that all the appropriate assets have been included in the test. Newly discovered assets were vetted by the Client to determine whether they should be included in the penetration test. During this phase of the assessment, an additional disaster recovery site was identified in DNS, and the Client confirmed this to be a warm backup in the event of failure of the primary sites. All relevant assets were added to the scope.
Once the assets were confirmed, the penetration tester enumerated the publicly available services provided by the targets. The tester actively tried to obtain usernames, network-share information, and application-version information of all running services and applications. In this phase, the penetration tester began to spider and map the applications, with and without credentials, in preparation for the exploitation phase.
The main vulnerabilities identified were:
High:
Apache Tomcat Manager Application Deployer Authenticated Code Execution
Cross-site scripting (reflective)
Directory traversal
Medium:
Deprecated protocols: SSLv2, SSLv3
SSL weak ciphers
Internal IP address disclosure
Low:
IPS not enabled for disaster-recovery site
Slow HTTP denial-of-service attack
Post-Engagement (Post-Execution Phase)
At the completion of this examination, the penetration tester met with the Client to describe the preliminary results of the test and address any immediate concerns in advance of the report. The post-execution phase focused on analyzing the identified vulnerabilities to determine root causes, establish recommendations and/or remediation activities, and develop a final report where all vulnerabilities noted during the test were documented even though the vulnerabilities did not have an impact on the cardholder data environment.
The penetration test report was presented to the Client, and the parties discussed how the Client could remediate the vulnerabilities noted during the penetration test.
The Client corrected all High and Medium-severity vulnerabilities within a 90-day window and the Pen Test Company provided documentation of successful remediation to the Client.