
ASSIGNMENT BRIEF

This is an individual assessment, which carries 20% of the overall module mark. The task will assess your understanding of the process of penetration testing as a method of systems security evaluation. In particular, you will focus on the preparation phase, where the pen testing scope is discussed and evaluated, a standard operating procedure (SOP) is devised and agreed with the client, and an Attack Tree is prepared and shared with the pen testing team for them to follow when decisions need to be made during the test.

All academic reports that you write as part of your coursework assessments are in fact technical reports, and as such the following report structure is expected:

  1. A professional title page
  2. A Contents page with page numbers, and also numbers for each section or subsection
  3. A professional layout of the whole report, with numbered sections and subsections headings, and indentation for subsections as well
  4. An Introduction (which obviously will be numbered as 1.0), where you will introduce the topics of penetration testing types and the methodologies involved, and then introduce the report itself
  5. Main Body, where you will develop your arguments, by critically discussing and analysing the topics you introduced in the introduction. You will draw conclusions as you analyse.
    1. Pen Testing Methodologies
    2. Standard Operating Procedure
    3. Decision Making Tree (or Attack Tree)
  6. Conclusions section, where you summarise the conclusions previously drawn, evaluate those conclusions, and make recommendations, or draw lessons for the future
  7. References, aim for an average of 12-15 references for the report
  8. Appendixes

 

You are expected to demonstrate an insight into the implications of the problem introduced in the task by using clear and concise arguments. The reports should be well written (and word-processed), showing good skills in creativity and design. Sentences should be of an appropriate length and the writing style should be academic and informative.

 

The Assignment Task – Developing a Standard Operating Procedure and Decision Tree for a System Security Test (Penetration Testing)

 

It is expected that the report for this task will be in the region of 1250 words. You are expected to critically analyze the published penetration testing methodologies and derive a benchmark that you will use for designing and developing your Standard Operating Procedure (SOP), including a decision-making tree (please put this in an appendix), to describe the phases of: intelligence gathering, target profiling, vulnerability identification, target exploitation and post exploitation. An SOP is defined as a set of step-by-step instructions compiled by an organization to help workers carry out routine operations. The SOP should be appropriate for task 2, which is the penetration test of a single Linux target, offering several network services.

 

Submission Requirements:

You will submit a report of your practical work that you have done to prepare for your test, including the specific Standard Operating Procedure (SOP) and the Attack Tree that you have developed as part of this preparation.

This assignment is NOT an essay on pen testing methodologies, SOPs, and Decision Trees. It is a report on your practical work to scope and plan a system security test (penetration test).

 

 

 

| Grade band | Criteria (Assignment 2) |
|---|---|
| Fail (< 40) | Little or no analysis of system testing methodologies, with no explanation of what type of pen test would be conducted. Little or no plan, with either very limited or no evidence of SOP or Attack Tree plan. Lack of originality. |
| Pass (40 – 49) | Reasonably clear definitions of the different phases of a Pen Test but underdeveloped arguments. Basic SOP and basic decision-making tree. |
| Reasonable (50 – 59) | Clear understanding of the different phases. SOP offers advice on appropriate usage of tools. Complete decision-making tree but may contain some errors. |
| Good (60 – 69) | The SOP demonstrates a good understanding of the processes, covering all key issues, offering a very good understanding of the implications. The decision-making tree contains no errors. |
| Excellent (> 70) | Excellent understanding and exposition of the penetration test issues that shows insight and draws together various techniques and tools. No errors. SOP and decision-making tree can pass professional scrutiny. |

 

| Assignment 1, Assessment Criteria | Mark out of 100 |
|---|---|
| A critical evaluation of Pen Testing methodologies, based on your test type | 20 |
| Critical discussion of existing SOPs, and develop an SOP for your own Pen Test | 40 |
| Critical discussion of Decision-Making Trees and develop an Attack Tree for your own Pen Test | 40 |
| Total | 100 |

 

Marks awarded for:

 

 

Report Guidelines

 

1. Introduction (about 200 words)

Write two paragraphs

 

In the first and bigger paragraph, you will introduce the concept of the pen testing methodologies and why they are developed. Here, you will set the scene for the topic that the whole Assignment 2 will be about. So, you explain what penetration testing is, and what the planning phase entails (SOP and Attack Tree as the outcomes of the phase). However, in order to do that, you need to establish what type of penetration testing you are going to conduct. You can do this here, or you can do it at the beginning of the next section. The point is that you have to establish this first, before you can analyze methodologies.

 

Then, in the second paragraph, you explain what the report contains, using the writing model in brackets - (“This report describes and analyses the penetration testing methodologies…... with the purpose of establishing the …... and then developing a ……”). This paragraph is shorter, because it is just to tell the reader what comes next and to add flow to the report, by making the connection with the next section. (Two or three references in this introduction section can be a very good start).

 

 

2. Main Body Section 1 (choose a good heading for this section, about Pen Testing Methodologies. Please don’t call it Main Section 1. Write a meaningful heading) (about 350 words)

In this section, you will describe and analyze penetration testing methodologies. Explain the pen testing methodologies with purpose. There are a few pen testing methodologies to choose from. The methodologies range from OWASP, to OSSTMM, and to PTES.

 

You need to establish what you think is the most appropriate Standard Operating Procedure for penetration testing described by those methodologies (obviously, do not write “I think”). The actual penetration test in the assignment will target a Linux server, for which you know the IP address. That is how much you know. So, based on how much you know, you need to establish if this is black-box or white-box testing, or even grey-box testing. You will use your logic to decide, but whatever you decide should help you to choose, with reasons, the methodology to use. This is how you give purpose to your writing – reaching conclusions based on the analysis. (In this section, you can easily have at least 4-5 references).

 

For Example

 

PTES has some very distinct phases for the penetration test and it is very simple to follow as a result.

 

The advantage of this methodology is that it links very well with the type of the black box test that will be conducted in the Assignment.

 

As a result, (conclusion here).

 

3. Main Body Section 2 (write a good heading here, about choosing your best SOP) (about 350 words)

In this section, you will address the criterion ‘SOP for Pen Testing’, explanation, analysis, and selection.

 

You will explain here what a standard operating procedure is from the pen testing point of view (as a concept), what it involves, and then the main steps based on different methodologies. You will see that PTES can be the clearest and simplest framework for running a pen test, and yours is simple as well, so maybe that is the right one? That is for you to argue. Include a definition of an SOP for Pen Testing, written in a professional way and in your own words.

 

You will also look at other sources of SOPs for Pen Testing, analyze them, and in the end come up with the most suitable SOP that you will consider for testing the security of a Linux server.

 

4. Decision Tree Analysis for Penetration Testing (250 words)

You will not have to write a lot in this section. You can do it with half a page, about 250 words. You will describe what a decision tree for Pen Testing is (one or two references). Then describe some attack trees with examples, and develop one with reasons. As your example of an attack tree, choose one for a penetration test, and not one for how to pick a lock. Then you create your own, based on the example. Another three references can be easily squeezed in here. An attack tree is like a flow chart of actions that will happen during the attack.

 

You will put the developed attack tree in the appendix. Of course, you do not have the experience to produce one from scratch. So, you are going to read from one, use it as an example to do your own, and explain it, based on the interpretation of the scenario. Marks will be deducted if not produced with very good logic in the actions that you have explained.

 

5. Conclusions (100 words)

 

In this section, you will lay down your conclusions, most of which you have already drawn in the previous two sections. Keep it to 100 words, because it will be just a summary of lessons drawn from this report. You will reinforce what you have already discussed, and you will present it in a concise form.

However, the conclusions section is not a closing statement, but a summary of conclusions. Write them separately, and not in one paragraph that is difficult to read.

 

6. References

 

Please list, in Harvard format, the sources of reference that you have used in the report.

 

7. Appendices

 

7.1 Appendix A Detailed SOP for Penetration Testing

 

7.2 Attack Tree (or Decision Tree) for pen testing a Linux Server
