Penetration Testing Portfolio: Task 1 and Task 2 Instructions

The Assignment Task:

This is an individual assessment comprised of three parts. Task 1 and Task 2 will carry respectively 30% and 50% of the overall module mark. Task 1 will assess your understanding of the process of penetration testing and in particular of information gathering, target profiling and vulnerability identification and assessment. Task 2 will assess your ability to conduct a full-scale penetration test. 

All parts are small academic reports and as such the following report structure is expected for each milestone report:

1.Introduction, where you will discuss your plan for solving the problem introduced by the module team

2.Main Body, where you will develop your arguments

3.Conclusions, where you will critically discuss your findings

4.References, aim for an average of 20 references (yes, 20 for each task! Not just task 2)

You are expected to demonstrate an insight into the implications of the problem introduced in each task by using clear and concise arguments. The reports should be well written (and word-processed), showing good skills in creativity and design. Sentences should be of an appropriate length and the writing style should be brief but informative. 

During the teaching weeks you will have the opportunity to submit draft copies of your portfolio activities. The module team will provide general (not individualised) feedback based on your draft copies and advice regarding your progress (if it is deemed necessary). The deadline for the complete Portfolio is the 02.01.2020.

Task 1 – Standard Operating Procedure for PenTesting

Task 1 is weighted at 30% of the overall module mark. Again, you will be awarded a preliminary mark out of 100%, and the weighting will be done as part of the portfolio. It should take you approximately 15 hours to complete to complete this task. It is expected that the report for this task of the portfolio will be in the region of 1000 – 1250 words. You are expected to critique the published penetration testing methodologies and derive to a benchmark you will use for designing and developing your Standard Operating Procedure (SOP), including a decision-making tree (please put this in an appendix), to describe the phases of: intelligence gathering, target profiling, vulnerability identification, target exploitation and post exploitation. An SOP is defined as a set of step-by-step instructions compiled by an organisation to help workers carry out routine operations. The SOP should be appropriate for task 3, which is the penetration test of a single Linux target, offering several network services.

The deadline for DRAFT Task 1 is on the 16.11.2018 by electronic submission via StudyNet. You will then receive general formative feedback, allowing you the opportunity to reflect on your activities and improve your work where necessary. The final copy of Task 1 should be included in the final Portfolio. Although there are no allocated marks for references and bibliography you are expected to use appropriate peer reviewed sources for developing your arguments, and the Harvard referencing style as per the University regulations. If you fail to do so you will receive an overall fail grade for this task regardless of how well you have performed in the other assessment criteria.

Task 2, Assessment Criteria Mark Available Mark out of 100%

PenTest Methodology Discussion 6 20

SOP for PenTesting 12 40

Decision Making Tree 12 40

Total 30 100

Please note that if you fail to design an appropriately structured SOP, you will be penalised. Please note that if you fail to design an appropriately structured decision-making tree, you will be penalised. Both are very well defined notions/structures. Examples will be provided through StudyNet.

Task 2 – Penetration Test

Task 2 is weighted at 50% of the overall portfolio mark. It should take you approximately 25 hours to complete. It is expected that the report for this task of the portfolio will be in the region of 1500 words, plus the appendices. You are expected to conduct a penetration test against a target system that will be provided to you. You are required to present your findings in a factual manner to convince decision makers of a large corporation on business strategies. The target system will be accessible via the infrastructure in LB154. The PenTest rig you will have to use for this activity will also be setup in LB154. During the module, you will also receive instructions on how to setup the same PenTest rig in your home computer or laptop. Everyone will get a dedicated target which will be a clone of the same VM.

Overall Portfolio Conclusion and Reflection

The overall portfolio conclusion, offering your reflection on the undertaken activities and the encountered problems carry 5% of the overall portfolio mark.

There is no DRAFT for this Task. The FINAL deadline for Task 2 and for the WHOLE portfolio is on the 02.01.2020 by electronic submission via StudyNet. 

Task 2, Assessment Criteria Mark Available Mark out of 100%

Please note you are not required to provide an activity narrative (a narrative on your intelligence gathering activities). You are required to provide an attack narrative for each attack you will perform. During the narrative, you will have to explain your reasoning behind the attack (supported by your intelligence gathering findings), the exploit(s) that you have chosen to use and the vulnerability(s) you will be attempting to exploit. This will lead you to the vulnerability detail and mitigation discussion for each vulnerability in each attack narrative.

Module Learning Outcomes ASSESSED BY THIS ASSIGNMENT:

Knowledge and understanding of:

1.a range of current computer security techniques and of how the principles of systems security methods are embodied therein,

2.essential facts, concepts and principles of systems requirements for secure operations and practices, Ability to:

3.apply computer systems risks, vulnerabilities, threats analysis, and software security,

4.apply particular computer security techniques to analysis and testing

5.analyse and solve problems in secure systems design and implementation

6.achieve familiarity with methods of secure systems development and to exercise critical evaluation of information accessed from a wide variety of sources