Running Head: E-commerce Sales
Penetration Test Plan
IT542 Dr. Matthew North
March 19, 2013
Table of Contents
Goals and Objectives
This Vulnerability and Penetration Test Plan is designed specifically for E-commerce Sales and is designed to determine what steps need to be taken to secure and protect the network against malicious attacks. This Vulnerability and Penetration Test will cover numerous aspects of the E-commerce Sales information technology infrastructure including the production e-commerce web application server and the Cisco network. The e-commerce web application server will act as the external point of entry into the WAN and LAN where the following occurs:
• Ubuntu Linux 10.04 LTS Server (TargetUbuntu01)
• Apache Web Server running the e-commerce web application server • Credit card processing
The E-commerce Sales network covers five sites, Norfolk, Tampa, Indianapolis, Seattle, and West Covina which all connect with the corporate headquarters. This test will be an intrusive test, but will not compromise any data that falls outside of the authorization letter without additional written permission from E-commerce Sales. No customer payment information will be compromised and if vulnerabilities are found that would endanger customer financial information the client will be notified immediately. All testing will take place outside of normal business hours, which is documented in the schedule and milestone breakdown section of this plan.
Goals and Objectives
The ultimate goal of the Vulnerability and Penetration test will be to determine what risks are present in the E-commerce network. As per the network diagram provided the objective will be to evaluate the e-commerce web application server and the Cisco Network including the five remote locations. This will be accomplished by testing not only the web servers, but firewalls, access points and if applicable wireless networks (Searle, n.d.).
The objective is to provide E-commerce Sales a comprehensive report of what vulnerabilities exist and classify them by degree of risk potential to the organization as a whole. After the testing and report is complete E-commerce Sales will have reports to help them: ▪ Improve their security of all the technical systems. ▪ Identify and classify vulnerabilities that exist. ▪ Independent analysis without bias.
▪ Amend their security plan and acceptable use policy accordingly.
The Vulnerability and Penetration test will provide direction to E-commerce Sales to improve security of their system and improve business practices. To accomplish the goals and objectives set forth Moccia Security Consulting will use a comprehensive methodology to generate proper reports. The Penetration test will include three phases as illustrated in Figure 1, test preparation, testing, and test analysis. [pic]
(Bacudio, Yuan, Chu & Jones, 2011)
Considering this Penetration Test Plan details most of the Test Prep Phase, this area of the plan will detail information gathering (footprinting), vulnerability analysis, and vulnerability exploits with test analysis being detailed in the reporting section of this plan.
Information gathering, also known as footprinting is the passive, non-invasive gathering of the target organizations network and application details. These techniques include but are not limited to: • DNS Query: With knowledge of a domain name testers can obtain associated IP addresses. • Reverse DNS Query: With an IP address range testers can obtain...
References: Bacudio, A., Yuan, X., Chu, B., & Jones, M. (2011). An overview of penetration testing. International Journal of Network Security & Its Applications, 3(6), 19. Retrieved from http://airccse.org/journal/nsa/1111nsa02.pdf
Dobison, M. (2011, September 9). http://www.fireworkswebsites.com.au/images/example-penetration-security-testing.pdf. Retrieved from http://www.fireworkswebsites.com.au/images/example-penetration-security-testing.pdf
Federal Office of Information Security. (n.d.). Study: A penetration testing model. Retrieved from http://www.slideshare.net/kushwahaa/a-penetration-testing-model
Infond Securite Informatique. (2010, May 20). tutorial footprinting - passive information gathering before a pentest. Retrieved from http://www.infond.fr/2010/05/toturial-footprinting.html
Northcutt, S., Shenk, J., Shackleford, D., Rosenberg, T., Siles, R., & Mancini, S. (2006, June). Penetration testing: Assessing your overall security before attackers do. Retrieved from http://www.sans.org/reading_room/analysts_program/PenetrationTesting_June06.pdf
Penetration Testing Execution Standard. (2012, October 13). Pre engagement. Retrieved from http://www.pentest-standard.org/index.php/Pre-engagement
Penetration Testing Execution Standard. (2012, October 13). Reporting. Retrieved from http://www.pentest-standard.org/index.php/Reporting
Searle, J. (n.d.). Ami penetration test plan. Retrieved from http://www.smartgrid.epri.com/doc/AMI-Penetration-Test-Plan-1-0-RC3.pdf
Wirelessdefence.org. (2010). Penetration testing tools listing. Retrieved from http://www.wirelessdefence.org/Contents/PenTest_ToolsList.htm[pic]
Please join StudyMode to read the full document