Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Page 1 of 9
CSCI 632
2. Penetration Testing....................................................................................................................4
2.1 Purpose ..............................................................................................................................4
2.2 Scope .................................................................................................................................4
2.3 Methodology .....................................................................................................................5
2.4 Restrictions........................................................................................................................5
Page 2 of 9
CSCI 632
1. EXECUTIVE SUMMARY
[Your Company Name] was engaged by [Client Name]to conduct a penetration test and
presents the business and technical findings in this report. The assessment was conducted
from [date]to [date], [year].
Page 3 of 9
CSCI 632
2. PENETRATION TESTING
2.1 PURPOSE
The purpose of performing a penetration test is to ensure that an individual or
organization is able to identify vulnerabilities or weaknesses in networked
environments, web applications and physical premises so that they may be
addressed (Tang, 2014). Moreover, penetration test provides evidential proof of any
weaknesses that cyber-criminals could exploit, and furthermore the potential impact
that a successful breach could cause a company. It helps businesses focus on the
key security issues that they have in their systems and security policies and to iron
out any insecure working practices.
Even with robust security policies and procedures in place there is often very little
assurance that all of the controls businesses believe have put in place are actually
implemented, never mind implemented correctly. That's even before the company
actually employs a penetration testing firm to conduct attacks that are
representative of how a malicious person would set about attacking the
organisation.
2.2 SCOPE
IP addresses included in penetration testing:
[Input IP address range that was included]
Page 4 of 9
CSCI 632
2.3 METHODOLOGY
[Your Company Name]’s assessment methodology [Input a paragraph describing
your methodology and the benefits to the client]
2.4 RESTRICTIONS
During this assessment, the following types of tests were not performed:
Denial of service attacks
Brute force attacks
Attacks that would lower the security posture of systems
Details
[Input detailed description of penetration test finding]
Impact
[Input the impact of penetration test finding]
Page 5 of 9
CSCI 632
Recommendation
[Input recommendation to remediate penetration test finding]
Details
[Input detailed description of penetration test finding]
Impact
[Input the impact of penetration test finding]
Recommendation
[Input recommendation to remediate penetration test finding]
Details
[Input detailed description of penetration test finding]
Page 6 of 9
CSCI 632
Impact
[Input the impact of penetration test finding]
Recommendation
[Input recommendation to remediate penetration test finding]
Page 7 of 9
CSCI 632
Once the connection was established to the consultants listening server the
consultant demonstrates accessing internal websites through this user’s browser and
logs into the user’s webmail without needing to provide any authentication.
[Paste screenshot of browser pivoting, Lab 7, Part 3, Step 51]
4.2 RESULTS
Out of 10 users 5 users opened the phishing email(50 percent) and 3 users clicked
the link (30 percent). Only one user (10 percent), Alice had a vulnerable web
browser. This vulnerability opened a remote connection into the internal network
through Alice’s workstation. It should be noted that while most users did not open
the attachment all that is needed is one user in order for an attacker to gain a
foothold inside the internal network.
[Your Company Name]recommends that [Client Name] do the following to
increase the overall security posture.
1. Guide users in effectively identifying suspicious emails.
2. Educate users on what to do and who to notify if they encounter a suspected
phishing email.
3. Educate users on what NOT to do if they receive a suspicious email.
4. [Input recommendation to remediate phishing test findings]
Page 8 of 9
CSCI 632
APPENDIX A – REFERENCES
Page 9 of 9