This Assignment assesses the following module Learning Outcomes (from Definitive Module Document):
1. The ethical issues relating to penetration testing and how to incorporate them operationally.
2. A deep and systematic application of the tools, methods and procedures (theoretical and methodological) used within the cyber security arena in the context of a penetration test
3. Work in teams (as leader or member) adapting to changing requirements for effectively communicating the results of a penetration test. Assume that you are working as a consultant for an SME which is building its capability in penetration testing. You are part of a small team of three (3) consultants who are preparing to deliver a white-box penetration testing project. Your client has asked your employer to conduct the penetration test against a web server and its relevant web application (online shop), which is hosted on Amazon AWS.
In this context, this assignment has two tasks:
Task 1 is an individual task that will assess your understanding of the statutory and ethical issues surrounding penetration testing on the aforementioned scenario.
Task 2 is a group task that will assess your understanding of the pentest process itself.
Please ensure that in completing these tasks you deploy the techniques you have been taught in your course and, especially, in this module. If you produce work that is not concise and to the point, then marks may be reduced.
Task 1 (Individual work)
Task 1 is an individual exercise. It is expected that this task will be in the region of 1500 words. You are expected to: Comment on the statutory and ethical considerations of a penetration tester working in the UK. Undertake research and critically compare the published penetration testing methodologies (such as OWASP, PTES, OSSTMM…) in order to deduce their applicability for this scenario. Please note that your task is to critically compare existing methodologies against the scope of this scenario. As a result, we are not expecting you to provide an overview of them, not to provide a critique on types of PenTests and certainly not to tell us what is your favorite “pentesting color” (white, black, grey). In order to undertake the comparison, you will have to justify your comparison criteria.
Your comparison criteria should be extracted from the scope of the scenario that has been described above.
If you fail to provide references using the Harvard referencing style as per the University regulations, your work will be marked as superficial and it is unlikely to obtain a pass grade.
Task 2 (Group work)
Task 2 is mainly a group exercise and you will form teams of three students, by using the self-sign capability of studynet. As a group, you will have to decide on how you will manage this task, what roles you will each have and how you will manage change during the lifecycle of this assignment. The Group Management section of the report is an individual activity and should be treated as confidential information. Each student is expected to report on group management activities.
Discrepancies between group members will affect the grades. Note that on the field, a customer does not care about problems and issues. The customer will expect a report for his money. In reporting for the Group Management Section, it is important to focus on the solutions your group will implement in order to deliver on time, and not on the problems.
You are expected to work together and develop: a Standard Operating Procedure (SOP), an attack tree, These will describe how you plan to undertake the penetration test of the web server which is described in the scenario of this assignment. In particular, the SOP should address: intelligence gathering (target profiling), vulnerability identification and analysis, and target exploitation (including post exploitation).
An SOP is defined as a set of step-by-step instructions compiled by an organisation to help workers carry out routine operations. The SOP must explain what activities you would undertake if you were asked to deliver the web app penetration testing project of this assignment. The SOP is expected to have the following example structure.