As a penetration tester, you
are hired as a consultant by a small- to mid-sized business that is interested
in calculating its overall security risk today, January 1, 2012. The business
specializes in providing private loans to college students. This business uses
both an e-Commerce site and point-of-sales devices (credit card swipes) to
collect payment. Also, there exist a number of file transfer operations where
sensitive and confidential data is transferred to and from several external
partnering companies. The typical volume of payment transactions totals is
approximately $100 million. You decide that the risk assessments are to take
into account the entire network of workstations, VoIP phone sets, servers,
routers, switches and other networking gear. During your interview with one of
the business’s IT staff members, you are told that many external vendors want
to sell security networking products and software solutions. The staff member
also claimed that their network was too “flat.” During the initial onsite
visit, you captured the following pertinent data to use in creation of the
Penetration Test Plan.
·
Non-stateful packet firewall
separates the business’s internal network from its DMZ.
·
All departments–including
Finance, Marketing, Development, and IT–connect into the same enterprise
switch and are therefore on the same LAN. Senior management (CEO, CIO,
President, etc.) and the Help Desk are not on that LAN; they are connected via
a common Ethernet hub and then to the switched LAN.
·
All of the workstations used
by employees are either Windows 98 or Windows XP. None of the workstations have
service packs or updates beyond service pack one.
·
Two (2) Web servers containing
customer portals for logging in and ordering products exist on the DMZ running
Windows 2000 Server SP1, and IIS v5.
·
One (1) internal server
containing Active Directory (AD) services to authenticate users, a DB where all
data for the company is stored (i.e. HR, financial, product design, customer,
transactions). The AD server is using LM instead of NTLM.
Write a six to eight (6-8)
page paper in which you:
1.
Explain the tests you would
run and the reason(s) for running them (e.g. to support the risk assessment
plan).
2.
Determine the expected results
from tests and research based on the specific informational details provided.
(i.e., IIS v5, Windows Server 2000, AD server not using NTLM)
3.
Analyze the software tools you
would use for your investigation and reasons for choosing them.
4.
Describe the legal
requirements and ethical issues involved.
5.
Using Visio or its open source
alternative, provide a diagram of how you would redesign this business’
network. Include a description of your drawing.Note: The graphically depicted solution is not included
in the required page length.
6.
Propose your final recommendations
and reporting. Explain what risks exist and ways to either eliminate or
reduce the risk.
7.
Use at least three (3) quality
resources in this assignment.Note: Wikipedia and similar Websites do not qualify as quality resources.
Your assignment must follow
these formatting requirements:
·
Be typed, double spaced, using
Times New Roman font (size 12), with one-inch margins on all sides; citations
and references must follow APA or school-specific format. Check with your
professor for any additional instructions.
·
Include a cover page
containing the title of the assignment, the student’s name, the professor’s
name, the course title, and the date. The cover page and the reference page are
not included in the required assignment page length.
The specific course learning
outcomes associated with this assignment are:
·
Perform vulnerability analysis
as well as external and internal penetration testing.
·
Demonstrate the ability to
describe and perform penetration tests on communication media to include wireless
networks, VoIPs, VPNs, Bluetooth and handheld devices.
·
Use technology and information
resources to research issues in penetration testing tools and techniques.
·
Write clearly and concisely
about Network Penetration Testing topics using proper writing mechanics and
technical style conventions.
