• Scope of Work for Penetration Test
Assignment Requirements:
You work for EGS Testing Solutions; your company is involved in testing related to access control systems. A large, private fitness club contacted your company because their Web server was hacked. The fitness club has a corporate office with 50 workstations, 4 application servers, 2 e-mail servers, 2 Web servers, and 129 franchisees with 10 workstations and about 3,500 members at each location. Except for the equipment at the franchisees' locations, all other equipment resides at the central headquarters.
The fitness club was unsure whether the Web server was compromised by the former administrator, who quit under less than amicable circumstances, or whether an external party had found its "Achilles heel." The perpetrator accessed the corporate Web server using the remote login of the Microsoft (MS) Windows network administrator account.
Once the hack was discovered, the administrator was forced to shut down the connections from all 129 franchisees, which need access to the corporate Web server. The franchisees require this access to review their customers' personal information, fitness progress, and goals, and to exchange information securely with corporate headquarters. Members and club staff also make periodic payments for dues and services through this system, including credit card payments.
Your company has been engaged to provide a cost-effective solution that would allow the new administrator to do the following:
• Control access to resources by preventing unauthorized users from logging in to privileged areas.
• Audit and review user activities to prevent future hacks that could compromise network integrity.
• Change the existing system to strengthen it as necessary.
• Add technology, as necessary, to detect security breaches.
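The incident described above (a remote login with the Windows network administrator's credentials, possibly by a former administrator) maps directly onto the audit and detection requirements in the list. As an added example that is not part of the assignment text, the following Python script shows the kind of detection logic a test plan could specify: it runs two rules over Windows Security logon events (Event ID 4624) and flags any successful logon by a deactivated administrator account, and any remote logon (logon type 3 or 10) by a privileged account from a host other than the approved jump host. The account names, host names, IP addresses, allow-list and the flattened log format are constructed placeholders.

```python
"""Detect remote logons by privileged or deactivated accounts from Windows
Security event records (Event ID 4624, "An account was successfully logged on").

Added example for this scope of work; not part of the assignment text. The
account names, host names, IP addresses and the jump-host allow-list below are
constructed placeholders, and the flattened one-line event format is assumed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Windows logon types that indicate a remote session rather than a console logon:
# 3 = Network (SMB, WinRM, IIS), 10 = RemoteInteractive (RDP).
REMOTE_LOGON_TYPES = {3, 10}

# Hypothetical policy data: privileged accounts, accounts that must never log on
# again (the former administrator), and the only host allowed to open admin sessions.
PRIVILEGED_ACCOUNTS = {"CORP\\netadmin"}
DISABLED_ACCOUNTS = {"CORP\\jdoe.admin"}
ADMIN_JUMP_HOSTS = {"10.0.5.20"}


@dataclass
class LogonEvent:
    event_id: int
    account: str
    logon_type: int
    source_ip: str
    target_host: str


def parse_event(line: str) -> LogonEvent:
    """Parse one flattened event line of the assumed form
    'EventID=4624 Account=DOMAIN\\user LogonType=10 SourceIP=1.2.3.4 Host=web01'."""
    fields = dict(part.split("=", 1) for part in line.split())
    return LogonEvent(
        event_id=int(fields["EventID"]),
        account=fields["Account"],
        logon_type=int(fields["LogonType"]),
        source_ip=fields["SourceIP"],
        target_host=fields["Host"],
    )


def classify(ev: LogonEvent) -> Optional[str]:
    """Return an alert name for a suspicious successful logon, else None."""
    if ev.event_id != 4624:
        return None
    if ev.account in DISABLED_ACCOUNTS:
        # A former administrator's credentials should never succeed again.
        return "DISABLED_ACCOUNT_LOGON"
    if ev.logon_type in REMOTE_LOGON_TYPES and ev.account in PRIVILEGED_ACCOUNTS:
        if ev.source_ip not in ADMIN_JUMP_HOSTS:
            # Privileged remote session opened from outside the approved jump host.
            return "PRIVILEGED_REMOTE_LOGON_FROM_UNAPPROVED_SOURCE"
    return None


def detect(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Run both rules over event lines; return (account, host, alert) tuples."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        alert = classify(ev)
        if alert:
            alerts.append((ev.account, ev.target_host, alert))
    return alerts


# Constructed sample events (not real logs): an approved admin RDP session, the
# same account from an external address, the former admin's account over the
# network, a normal console logon, and a logoff (4634) that the rules ignore.
SAMPLE_LOG = """
EventID=4624 Account=CORP\\netadmin LogonType=10 SourceIP=10.0.5.20 Host=web01
EventID=4624 Account=CORP\\netadmin LogonType=10 SourceIP=203.0.113.7 Host=web01
EventID=4624 Account=CORP\\jdoe.admin LogonType=3 SourceIP=10.0.7.15 Host=web02
EventID=4624 Account=CORP\\frontdesk LogonType=2 SourceIP=- Host=ws17
EventID=4634 Account=CORP\\netadmin LogonType=10 SourceIP=203.0.113.7 Host=web01
"""

if __name__ == "__main__":
    for account, host, alert in detect(SAMPLE_LOG.splitlines()):
        print(f"{alert}: {account} on {host}")
```

In a real deployment the same two rules would be fed from the Security log (for example via Windows Event Forwarding into a SIEM) rather than from flattened text, and the disabled-account rule is only meaningful if the former administrator's account has actually been disabled and its credentials rotated, which the test plan should verify first.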
To develop a cost-effective solution, your company must first produce a reasonable and cost-effective testing plan that identifies the weaknesses in the network.
Develop a comprehensive and ongoing vulnerability and penetration test plan. Include in the test plan tests for, and remediation of, unauthorized access to the corporate workstations, application servers, mail and Web servers, and wireless routers.