Unit 1
E-commerce Sales
Penetration Test Plan
Tom Moccia
IT542 Dr. Matthew North
Kaplan University
March 19, 2013
Table of Contents
• Scope
• Goals and Objectives
• Tasks
• Reporting
• Schedule
• Unanswered Questions
• Authorization Letter
• References
Scope
This Vulnerability and Penetration Test Plan is written specifically for E-commerce Sales and is intended to determine what steps must be taken to secure and protect the network against malicious attacks. The Vulnerability and Penetration Test will cover numerous aspects of the E-commerce Sales information technology infrastructure, including the production e-commerce web application server and the Cisco network. The e-commerce web application server will act as the external point of entry into the WAN and LAN, and it hosts the following:
• Ubuntu Linux 10.04 LTS Server (TargetUbuntu01)
• Apache Web Server running the e-commerce web application
• Credit card processing
The E-commerce Sales network covers five sites (Norfolk, Tampa, Indianapolis, Seattle, and West Covina), all of which connect to the corporate headquarters. This test will be an intrusive test, but it will not compromise any data that falls outside the authorization letter without additional written permission from E-commerce Sales. No customer payment information will be compromised, and if vulnerabilities are found that would endanger customer financial information, the client will be notified immediately. All testing will take place outside of normal business hours, as documented in the schedule and milestone breakdown section of this plan.
Goals and Objectives
The ultimate goal of the Vulnerability and Penetration test will be to determine what risks are present in the E-commerce network. As