PPN Financial is a brokerage firm operating within rented space on the first and second floors of a commercial building. A small IT staff manages the local networking infrastructure, comprising internal and externally facing web servers, databases, VoIP, client PCs, and backup servers. The access layer also provides wireless connectivity on a separate VLAN for employees and for a small publicly accessible lobby. The infrastructure is connected to the Internet over leased lines from the demarcation point (sample topology below). The company is concerned about becoming the victim of a cyber-attack but to date has been hesitant to invest heavily in its security infrastructure. Given a recent uptick in the level of cyber-attacks nationally and the legal requirements for protecting customer data, PPN Financial has contracted your company to perform a penetration test of its network to justify additional expenditures.
PART 1 – Penetration Test Documentation
Use the Penetration Testing Template below to document the penetration test to be completed at PPN Financial. Use the knowledge gained over the semester and include sample screenshots from the information contained in your JB Labs to guide the design of your penetration test.
PART 2 – Penetration Test Report (A section in the Template below)
After you have “conducted” the test, several vulnerabilities were identified and are listed below. Use this information to generate your response to the company in the Report Section of the template.
Main vulnerabilities identified were:
1. As the pen-tester, you were able to obtain sensitive information through social-engineering telephone calls to the receptionist and the help desk.
2. Due to weak password settings on local servers on the extranet, it was possible to compromise accounts on this network. However, you were unable to use these accounts to gain access to the central intranet.
3. It was possible to perform a man-in-the-middle attack using ARP poisoning, but the attack was not able to extract any sensitive information.
4. It was possible to compromise old user accounts that were created but had never been in use on the network. The compromised accounts did allow access to one internal file server.
5. Other vulnerabilities were outdated software and unencrypted protocols active on the network.
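Finding 3 (ARP poisoning) is one the IT staff can detect on the wire, and the report's countermeasures section can say so concretely. The following is an added example, not part of the assignment text or of any tool the course uses: a small Python detector that reads ARP replies from a capture and flags two poisoning indicators, an IP address whose claimed MAC changes mid-capture (the gateway being rebound to the attacker's host) and a single MAC sending a burst of replies. The log line format, the 10.1.1.0/24 addresses, the MAC addresses and the thresholds are all assumptions; the capture is constructed, not taken from a real network.

```python
"""Flag ARP-poisoning indicators in a text dump of observed ARP replies.

Assumed (hypothetical) line format, one reply per line:
    t=<seconds> reply <ip> is-at <mac>
"""
import re
from collections import defaultdict
from dataclasses import dataclass

ARP_RE = re.compile(
    r"^t=(?P<ts>\d+(?:\.\d+)?)\s+reply\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ArpReply:
    ts: float   # seconds since capture start
    ip: str     # sender protocol address (the IP being claimed)
    mac: str    # sender hardware address (the MAC claiming it), lower-cased


# Constructed sample capture (assumption, not real traffic). 10.1.1.1 is
# the gateway. At t=12.0 a host with MAC de:ad:be:ef:00:50 starts answering
# for both the gateway and the client 10.1.1.20, the classic two-sided poison.
SAMPLE_CAPTURE = """\
t=0.0 reply 10.1.1.1 is-at 00:11:22:33:44:01
t=0.5 reply 10.1.1.20 is-at 00:11:22:33:44:20
t=4.0 reply 10.1.1.1 is-at 00:11:22:33:44:01
t=12.0 reply 10.1.1.1 is-at DE:AD:BE:EF:00:50
t=12.1 reply 10.1.1.20 is-at de:ad:be:ef:00:50
t=12.2 reply 10.1.1.1 is-at de:ad:be:ef:00:50
t=12.3 reply 10.1.1.20 is-at de:ad:be:ef:00:50
t=12.4 reply 10.1.1.1 is-at de:ad:be:ef:00:50
t=12.5 reply 10.1.1.20 is-at de:ad:be:ef:00:50
junk line that should be ignored
"""


def parse_line(line):
    """Return an ArpReply for a well-formed line, or None for anything else."""
    m = ARP_RE.match(line.strip())
    if not m:
        return None
    return ArpReply(float(m["ts"]), m["ip"], m["mac"].lower())


def parse_capture(text):
    """Parse every line of a capture dump, silently skipping malformed lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def find_mac_changes(replies):
    """Return (ts, ip, old_mac, new_mac) each time an IP is claimed by a
    different MAC than the one it was last seen with. In time order."""
    last_seen = {}
    changes = []
    for r in sorted(replies, key=lambda r: r.ts):
        prev = last_seen.get(r.ip)
        if prev is not None and prev != r.mac:
            changes.append((r.ts, r.ip, prev, r.mac))
        last_seen[r.ip] = r.mac
    return changes


def find_noisy_senders(replies, window=1.0, threshold=5):
    """Return {mac: first_ts} for every MAC that sent at least `threshold`
    replies inside any `window`-second span (sliding window per MAC)."""
    times_by_mac = defaultdict(list)
    for r in replies:
        times_by_mac[r.mac].append(r.ts)
    noisy = {}
    for mac, times in times_by_mac.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                noisy[mac] = times[start]
                break
    return noisy


def gateway_rebound(changes, gateway_ip):
    """True if any observed MAC change was for the gateway's IP."""
    return any(ip == gateway_ip for _, ip, _, _ in changes)


if __name__ == "__main__":
    replies = parse_capture(SAMPLE_CAPTURE)
    changes = find_mac_changes(replies)
    for ts, ip, old, new in changes:
        print(f"t={ts}: {ip} moved from {old} to {new}")
    for mac, ts in find_noisy_senders(replies).items():
        print(f"burst of ARP replies from {mac} starting t={ts}")
    print("gateway rebound:", gateway_rebound(changes, "10.1.1.1"))
```

The MAC-change check is the one that matters for a one-off attack like finding 3; the burst check catches tools that re-poison every few hundred milliseconds to keep the victims' caches overwritten. On a managed switch the equivalent control is Dynamic ARP Inspection with DHCP snooping, which the remediation section can recommend alongside host-side monitoring of this kind.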
The Penetration Testing Documentation is used for multiple purposes:
a. Provides a clear explanation of the need for the test to upper management, identifying the legal, financial, public image, and social impact of a security breach and how your intended solution addresses their security concerns.
b. Outlines the steps/phases that will be conducted in the execution of the test.
c. Identifies the level of testing that will be conducted – White, Grey, or Black.
d. Definitively outlines the scope of the test, identifying which Application and Network Layer components will be tested and the impact the test will impose on the organization.
e. Identifies which internal and external resources will be utilized in the execution of the test and the composition of the testing team.
f. Gives the projected cost of the tools that will be used during the test.
g. Provides descriptions of sample reports used to inform administrators of the risks and vulnerabilities identified during the test and recommends a remediation strategy.
General explanation of Components
Executive Summary: This overview of the Penetration Test Proposal is created for senior managers, the CEO, directors, and other stakeholders. It is written in non-technical language and explains the regulatory need for the penetration test, its benefits, and its results.
Scope and Methodology of Testing: Which areas of the company, internal and/or external, will be tested (Application and/or Network layer) to complete the penetration test. Items within this section could include vulnerability assessment of the internal or external network, web applications, wireless network infrastructure, firewalls, routers, physical security, social engineering, security policies, virtualization, etc. The tests should be listed as phases, in the order in which they will be conducted.
Results/Deliverables: This section outlines what the deliverable report generated from the test entails. It is directed towards the IT staff within the institution and should contain a description of the common vulnerabilities, the security risks, and the countermeasures that should be implemented to mitigate the observed risks.
Expected Expenditures: A detailed listing of any associated costs generated from the execution of the penetration test. ONLY HARDWARE AND SOFTWARE COSTS ARE REQUIRED FOR THIS PROPOSAL.
References: A comprehensive list of current references that support the information presented.
Additional resources to be used as a guideline:
a. Table of Contents (ToC) – Create the ToC listing the main topic headings and sub-headings used in your proposal.
b. Abstract – Create an Abstract describing the company’s threat exposure explaining the need for the implementation of the Penetration Testing resources outlined in the proposal you have drafted. In simple terms, describe/state how the company will benefit from the implementation.
c. Formatting – Since this is a formal document, it must be formatted appropriately. Number the pages, create a header/footer, insert your company logo (create your own) at an appropriate page location, and spell-check the entire document. You may use APA style for this project. Abstract and ToC pages should be numbered in Roman numerals (not counted towards the total page count). Apply regular page numbering to the remaining document (page 1 and up).
d. Terminology – Use this section to help non-technical readers understand the technical jargon used in the document.
e. References – Make sure to cite all used documents, graphics, etc., that were not your creation.
f. Cover page – Create an appropriate title for the cover page, stating phrases like “PPN Financial Penetration Testing Proposal”, “Prepared by Your Name”, “Your Company’s Name”, and the “Date/Semester”.
Submit a hard copy to your professor and upload a digital copy to Blackboard Dropbox as instructed by your professor.