Assignment Task

Introduction

Regular penetration testing is essential to help identify and eliminate gaps in security defences. This assignment is the simulation of a company that is new to penetration testing. The company (NewBizz Ltd) we are simulating does not have a great deal of experience in cyber security. The manager and senior manager are keen to understand how secure their system is.  The management team intend to share this report with software developers, SOC analysts and the IT manager. Only the senior management team is aware that the penetration testing is ongoing. As a penetration tester, you are authorised to perform a full exploitation of the network.  

Test details 

This section should clearly provide a comprehensive demonstration on how all tests were performed. The tests should be grouped by similarities, when possible, to avoid unnecessary repetitions. After a clear demonstration of the test performed for each vulnerability (please note that this is not a tutorial exercise), the report should present the risk of the given vulnerability, it’s impact on the overall security of the estate under penetration testing, remediation recommendation with appropriate references. The references can be given as links, as endnotes. The objective of this section is twofold. Firstly, to provide technical details that will allow the technical team to fully understand the specific commands used to exploit any weakness. The technical team should be able to reproduce the attack providing that they have the system build for it, as described in the ‘scope and methodology’ section. Secondly, to provide easy to understand remediation instructions to allow the technical team to improve the security posture of the estate. These changes will, of course, a consequence of the strategic direction set by the senior management. 

Tasks to perform during the technical testing  

1. Appraise the security posture of a network by analysing the network configuration and application security using appropriate tools where necessary. 
2. Critically evaluate the configuration of network security devices to achieve a desired security posture recommending adjustments where appropriate. 
3. Critically evaluate the security posture of web applications to achieve a desired security posture recommending adjustments where appropriate. 
4. Demonstrate a comprehensive understanding of vulnerability exploitation techniques. 
5. Assess the results of system security tests and recommend appropriate mitigation strategies – which may include possible design and configuration changes