Penetration Plan

Topics: Computer security, Security, Risk Pages: 8 (2140 words) Published: April 26, 2013
Running Head: E-commerce Sales

Unit 1
E-commerce Sales
Penetration Test Plan

Tom Moccia
IT542 Dr. Matthew North
Kaplan University
March 19, 2013

Table of Contents
Goals and Objectives
Unanswered Questions
Authorization Letter


This Vulnerability and Penetration Test Plan is written specifically for E-commerce Sales and is intended to determine what steps need to be taken to secure and protect the network against malicious attacks. The Vulnerability and Penetration Test will cover numerous aspects of the E-commerce Sales information technology infrastructure, including the production e-commerce web application server and the Cisco network. The e-commerce web application server will act as the external point of entry into the WAN and LAN, where the following occurs:

• Ubuntu Linux 10.04 LTS Server (TargetUbuntu01)
• Apache Web Server running the e-commerce web application server
• Credit card processing

The E-commerce Sales network covers five sites (Norfolk, Tampa, Indianapolis, Seattle, and West Covina), which all connect with the corporate headquarters. This test will be an intrusive test, but will not compromise any data that falls outside of the authorization letter without additional written permission from E-commerce Sales. No customer payment information will be compromised, and if vulnerabilities are found that would endanger customer financial information, the client will be notified immediately. All testing will take place outside of normal business hours, as documented in the schedule and milestone breakdown section of this plan.

Goals and Objectives

The ultimate goal of the Vulnerability and Penetration Test is to determine what risks are present in the E-commerce network. As per the network diagram provided, the objective is to evaluate the e-commerce web application server and the Cisco network, including the five remote locations. This will be accomplished by testing not only the web servers, but also firewalls, access points and, if applicable, wireless networks (Searle, n.d.).

The objective is to provide E-commerce Sales with a comprehensive report of what vulnerabilities exist, classified by degree of risk potential to the organization as a whole. After the testing and report are complete, E-commerce Sales will have reports to help them:

▪ Improve the security of all the technical systems.
▪ Identify and classify vulnerabilities that exist.
▪ Obtain an independent analysis without bias.
▪ Amend their security plan and acceptable use policy accordingly.


The Vulnerability and Penetration Test will give E-commerce Sales direction to improve the security of their system and improve business practices. To accomplish the goals and objectives set forth, Moccia Security Consulting will use a comprehensive methodology to generate proper reports. The penetration test will include three phases, as illustrated in Figure 1: test preparation, testing, and test analysis.

[Figure 1: the three phases of the penetration test (Bacudio, Yuan, Chu & Jones, 2011)]

Because this Penetration Test Plan as a whole details most of the Test Prep Phase, this area of the plan covers information gathering (footprinting), vulnerability analysis, and vulnerability exploits; test analysis is detailed in the reporting section of this plan.

Information gathering, also known as footprinting, is the passive, non-invasive gathering of the target organization's network and application details. These techniques include but are not limited to:

• DNS Query: With knowledge of a domain name, testers can obtain associated IP addresses.
• Reverse DNS Query: With an IP address range, testers can obtain...

References

Bacudio, A., Yuan, X., Chu, B., & Jones, M. (2011). An overview of penetration testing. International Journal of Network Security & Its Applications, 3(6), 19. Retrieved from

Dobison, M. (2011, September 9). Retrieved from

Federal Office of Information Security. (n.d.). Study: A penetration testing model. Retrieved from

Infond Securite Informatique. (2010, May 20). Tutorial footprinting - passive information gathering before a pentest. Retrieved from

Northcutt, S., Shenk, J., Shackleford, D., Rosenberg, T., Siles, R., & Mancini, S. (2006, June). Penetration testing: Assessing your overall security before attackers do. Retrieved from

Penetration Testing Execution Standard. (2012, October 13). Pre engagement. Retrieved from

Penetration Testing Execution Standard. (2012, October 13). Reporting. Retrieved from

Searle, J. (n.d.). Ami penetration test plan. Retrieved from

(2010). Penetration testing tools listing. Retrieved from