Pen Testing | Questions and Answers

This is an individual assessment comprised of two tasks. Task 1 assesses understanding of statutory and ethical issues surrounding penetration testing and the process itself. Task 2 assesses ability to conduct a full-scale penetration test.

Added on  2022-07-28
Running head: PEN TESTING
Pen Testing
Name of the Student
Name of the University
Author’s Note
Task 2
Part 1 – Group Exercise
Answer to Question 1:
The old web server and website were not decommissioned, through negligence of the IT staff, and the same server was reused to host the company's new website.
Answer to Question 2:
No. Privileges were not assigned to employees according to their job requirements. Assigning privileges by job role (least privilege) would have limited which employees could reach the web server at all and restricted their ability to exploit the vulnerability.
Answer to Question 3:
No vulnerability assessment or penetration test was performed on the hosted web server, which left the system vulnerable. A penetration test would have helped the IT staff identify the weaknesses and eliminate them by applying updates and patches and by removing the old, vulnerable web pages.
Answer to Question 4:
No. The accounts of ex-employees had not been deleted from the old (later defaced) website, so those accounts still had privileged access to organisational information. The attacker intruded into the system using the account of a former employee and compromised the web server.
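The failure described in this answer is an account-deprovisioning gap: logins that belong to people who have left, or that nobody has used for months, remain valid. The script below is an added example and is not part of the original assignment or of any named product. It compares the interactive accounts in a constructed /etc/passwd excerpt against a constructed HR roster and constructed last-login data, and emits the usermod commands that would lock the accounts that should no longer exist. The roster format and the 90-day dormancy threshold are assumptions.

```python
"""Audit a Linux web server for ex-employee and dormant accounts.

Added example (not the assignment's own code). All input below is
constructed sample data; on a real host /etc/passwd would be read from
disk and last-login dates taken from `lastlog` or the auth log.
"""
from datetime import date

# Constructed /etc/passwd excerpt. Only accounts with an interactive
# shell can log in; system accounts use nologin/false shells.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1001:1001:Alice (webmaster):/home/alice:/bin/bash
bob:x:1002:1002:Bob (left 2019):/home/bob:/bin/bash
carol:x:1003:1003:Carol (devops):/home/carol:/bin/zsh
deploy:x:1004:1004:CI deploy user:/home/deploy:/bin/sh
"""

# Constructed HR roster: the only people who should hold a login today.
CURRENT_STAFF = {"alice", "carol"}
# Non-personal accounts that are expected to exist (assumption).
ALLOWED_SERVICE_ACCOUNTS = {"root", "deploy"}

# Constructed lastlog-style data: username -> last login (None = never).
LAST_LOGIN = {
    "root": date(2022, 7, 1),
    "alice": date(2022, 7, 20),
    "bob": date(2022, 6, 30),     # still logging in after leaving
    "carol": date(2021, 12, 1),   # current staff, but dormant
    "deploy": None,
}

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
STALE_DAYS = 90  # assumption: flag interactive accounts idle longer than this
AUDIT_DATE = date(2022, 7, 28)


def interactive_accounts(passwd_text):
    """Return {username: shell} for accounts that can log in interactively."""
    accounts = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _uid, _gid, _gecos, _home, shell = line.split(":", 6)
        if shell not in NOLOGIN_SHELLS:
            accounts[name] = shell
    return accounts


def audit_accounts(passwd_text, staff, service, last_login, today):
    """Return {username: reason} for interactive accounts that should be locked."""
    findings = {}
    for name in interactive_accounts(passwd_text):
        if name in service:
            continue
        if name not in staff:
            findings[name] = "not in HR roster (ex-employee or unknown account)"
            continue
        last = last_login.get(name)
        if last is not None and (today - last).days > STALE_DAYS:
            findings[name] = f"dormant: last login {last.isoformat()}"
    return findings


def lock_commands(findings):
    """Commands an admin would run: lock the password, expire the account
    and set a nologin shell so SSH-key logins are blocked as well."""
    return [
        f"usermod --lock --expiredate 1970-01-02 --shell /usr/sbin/nologin {name}"
        for name in sorted(findings)
    ]


def run_audit():
    """Run the audit over the constructed data and return the findings."""
    return audit_accounts(PASSWD, CURRENT_STAFF, ALLOWED_SERVICE_ACCOUNTS,
                          LAST_LOGIN, AUDIT_DATE)


if __name__ == "__main__":
    found = run_audit()
    for user, why in found.items():
        print(f"{user}: {why}")
    print("\n".join(lock_commands(found)))
```

The roster comparison catches the case in the answer above (bob has left but still logs in); the dormancy rule catches valid accounts nobody uses, which an attacker can take over without anyone noticing. Locking rather than deleting keeps the account's files and UID for the investigation.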
Answer to Question 5:
The IT staff and the server administrator were not notified automatically when critical changes were made on the server, because no intrusion detection system was in use and the server was installed outside the DMZ. The attacker also modified the system log files to cover their tracks and avoid being traced.
Answer to Question 6:
No IPS, IDS or web application firewall was installed to restrict outside users' access to the server, so the server was exposed to a range of attacks from both internal and external threats.
Answer to Question 7:
There was no backup plan for regularly backing up the file system and the information residing on the web server. The attacker had sufficient time to take a copy of the website, and the organisation was left relying on the assumption that the attacker already held such a copy.
Answer to Question 8:
Because no intrusion prevention system or monitoring application/device was installed, no automatic alerting was configured. When the attacker deleted the log files no notification was generated, and the exploit went undetected. The rc.d scripts in Linux control which services are started on the server at boot, so unauthorised changes to them are security-relevant.
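Answers 5 and 8 both come down to the same missing control: nobody was watching the integrity of the log files or of the rc.d startup scripts, so the attacker could truncate logs and change what runs at boot without raising an alert. The code below is an added example, not part of the original assignment or of any named tool. It is a minimal Tripwire/AIDE-style check: a baseline records the SHA-256 and size of each watched file, and a later scan reports files that were deleted, truncated or rewritten (a log should only ever grow by appending, so its original bytes must still be its prefix), and rc.d scripts that were modified or newly added. The "filesystem" is a constructed in-memory dict of path to bytes so the example runs offline; the /etc/rc.d layout and the sample contents are assumptions.

```python
"""Integrity check for log files and rc.d startup scripts.

Added example (not the assignment's own code). The before/after file
contents below are constructed; on a real host they would be read with
open(path, "rb") and the baseline stored off-box.
"""
import hashlib

LOG_DIR = "/var/log"
RC_DIR = "/etc/rc.d"   # assumption: System V style startup directory

# Constructed state of the server when the baseline was taken.
BEFORE = {
    "/var/log/auth.log": b"Jul 27 01:02:03 web sshd[411]: Accepted password for alice\n"
                          b"Jul 27 02:15:44 web sshd[498]: Accepted password for bob\n",
    "/var/log/wtmp": b"\x00\x00binary-login-records\x00",
    "/var/log/apache2/access.log": b"203.0.113.5 - - GET /index.html 200\n",
    "/var/log/apache2/error.log": b"[error] client 203.0.113.5 denied\n",
    "/etc/rc.d/rc.local": b"#!/bin/sh\nexit 0\n",
    "/etc/rc.d/init.d/httpd": b"#!/bin/sh\n# start/stop httpd\n",
}

# Constructed state after the intrusion.
AFTER = {
    # bob's login line removed: the log shrank (track covering).
    "/var/log/auth.log": b"Jul 27 01:02:03 web sshd[411]: Accepted password for alice\n",
    # wtmp deleted outright.
    # Normal append: new request logged, old bytes untouched.
    "/var/log/apache2/access.log": b"203.0.113.5 - - GET /index.html 200\n"
                                   b"198.51.100.9 - - GET /admin 403\n",
    # Edited in place: the file did not shrink, but its prefix changed.
    "/var/log/apache2/error.log": b"[error] client 198.51.100.9 denied\n",
    # rc.local gained a line; an unknown init script appeared.
    "/etc/rc.d/rc.local": b"#!/bin/sh\n/usr/local/bin/update-check &\nexit 0\n",
    "/etc/rc.d/init.d/httpd": b"#!/bin/sh\n# start/stop httpd\n",
    "/etc/rc.d/init.d/cron2": b"#!/bin/sh\n/usr/local/bin/update-check &\n",
}


def fingerprint(data):
    """Hash and size of one file's contents."""
    return {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}


def take_baseline(fs):
    """Snapshot every watched file. 'fs' maps path -> contents (bytes)."""
    return {path: fingerprint(data) for path, data in fs.items()}


def check_integrity(baseline, fs):
    """Compare the current files against the baseline; return sorted (kind, path) alerts."""
    alerts = []
    for path, old in baseline.items():
        if path not in fs:
            alerts.append(("DELETED", path))
            continue
        data = fs[path]
        if path.startswith(LOG_DIR):
            # Append-only rule: a log may grow, but its original bytes must
            # remain as an unchanged prefix. Hash just that prefix.
            if len(data) < old["size"]:
                alerts.append(("TRUNCATED", path))
            elif hashlib.sha256(data[: old["size"]]).hexdigest() != old["sha256"]:
                alerts.append(("REWRITTEN", path))
            # else: legitimate appends only, no alert
        elif fingerprint(data) != old:
            alerts.append(("MODIFIED", path))
    # Anything new under rc.d is a new boot-time service and must be reviewed.
    for path in fs:
        if path not in baseline and path.startswith(RC_DIR):
            alerts.append(("NEW_STARTUP_SCRIPT", path))
    return sorted(alerts)


def run_demo():
    """Baseline the constructed BEFORE state and scan the AFTER state."""
    return check_integrity(take_baseline(BEFORE), AFTER)


if __name__ == "__main__":
    for kind, path in run_demo():
        print(f"{kind:20s} {path}")
```

Two points matter in practice. The baseline must live somewhere the web server cannot overwrite (a separate log host or read-only media), otherwise the attacker who truncates the logs simply re-baselines. And the prefix-hash rule is what separates a normal, growing log from one edited in place: error.log above is the same length or longer than before, so a size check alone would miss it, while the prefix hash catches it.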
Answer to Question 9: