--%>
Assignment Help - homework help

Evaluate the security of an it infrastructure


Assignment:

Penetration tests are attempts to evaluate the security of an IT infrastructure by safely trying to exploit operating system vulnerabilities, service and application flaws, improper configurations, or risky end-user behaviors. These assessments have become common across various industries, as they are useful in validating the efficacy of defensive mechanisms and end-user adherence to security policies.

Instead of approaching cybersecurity from the perspective of a defensive tactical team, this assessment will require you to assume the role as a member of an offensive cybersecurity team.

In this task, you will be given a penetration testing engagement plan that you will evaluate based on the business goals and industry best practices and guidance. You will also propose solutions to the gaps in the plan.

Scenario:

Western View Hospital is a 100-bed facility that has been serving the residents of a rural community for over 80 years. The administration recently completed an expansive modernization of the medical and patient records system in an attempt to provide better care for members of the community.

Before the new system can go live, the hospital administration has authorized your firm, Pruhart Tech, to test it for potential vulnerabilities and to ensure the IT infrastructure can secure sensitive patient medical and financial data according to HIPAA compliance requirements. A senior manager at Pruhart Tech has asked a member of your team to develop a penetration testing engagement plan for Western View Hospital that is in alignment with their goals and follows industry best practices. To ensure the penetration testing plan is appropriate for the hospital before it is put into action, your manager has asked you to evaluate the testing plan, provide recommendations for improvements, and propose solutions to any problems you identify.

Write an evaluation of the attached "Penetration Testing Engagement Plan" by doing the following: Need Assignment Help?

A. Evaluate the alignment between Western View Hospital's goals, objectives, functions, processes, and practices and the penetration testing plan by doing the following:

1. Describe each of the following:

  • the client's goals,
  • the client's objectives,
  • the client's functions,
  • the client's processes, and
  • the client's practices.

2. Describe the structure of the penetration testing engagement plan (e.g., scope, test type, approach, and technique).

3. Identify potential misalignments between the penetration testing engagement plan and each of the following:

  • the company's goals,
  • the company's objectives,
  • the company's functions,
  • the company's processes, and
  • the company's practices.

B. Evaluate the penetration testing engagement plan by doing the following:

1. Identify best practices and frameworks for a penetration testing engagement plan designed to meet Western View Hospital's requirements.

Note: You must identify two best practices and two compliance frameworks.

2. Compare the penetration testing engagement plan to the best practices and frameworks identified in part B1.

C. Propose potential improvements and solutions to problems identified in the penetration testing engagement plan by doing the following:

1. Give two specific recommendations for improvements to the penetration testing engagement plan.

2. Give two specific examples of solutions to problems you identified in the penetration testing engagement plan.

Note: Problems can include misalignments between the plan and the client's goals, inappropriately applied frameworks, or failure to use industry best practices.

D. Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.

E. Demonstrate professional communication in the content and presentation of your submission.

The submission provides a description of the client's goals, objectives, functions, processes, and practices that is accurate with sufficient detail.

The submission provides a description of the penetration testing engagement plan structure that is accurate with sufficient detail.

The submission identifies misalignments between the client's goals, objectives, functions, processes, and practices and the penetration testing engagement plan that are factually accurate with sufficient detail.

The submission identifies industry best practices and frameworks for a penetration testing engagement plan that are appropriate for the client's requirements.

The submission provides a comparison of the penetration testing engagement plan to the industry best practices and frameworks identified in part B1 and are supported with specific examples and essential details.

The submission provides 2 improvements to the penetration testing engagement plan that are logical and are supported with specific examples and essential details.

The submission provides 2 solutions to problems in the penetration testing engagement plan that are logical and are supported with specific examples and essential details.

The submission includes in-text citations for sources that are properly quoted, paraphrased, or summarized and a reference list that accurately identifies the author, date, title, and source location as available.

This submission includes satisfactory use of grammar, sentence fluency, contextual spelling, and punctuation, which promote accurate interpretation and understanding.

Overview:

Western View Hospital (CLIENT) engaged Pruhart Tech to conduct penetration testing against the security controls within its information environment to provide a practical demonstration of those controls' effectiveness, as well as to provide an estimate of their susceptibility to exploitation and data breaches. The test will be performed in accordance with Pruhart Tech's information security penetration testing methods. Pruhart Tech's information security analyst (ISA) will conduct all testing in coordination with CLIENT's information technology (IT) staff members to ensure safe, orderly, and complete testing within the approved scope. CLIENT's information environment is protected by endpoint antivirus and administrative controls managed by an active directory. The environment contains numerous potential vulnerabilities, which makes CLIENT susceptible to data breaches and system takeovers. Highly important files that contain HIPAA and payment information may be easily accessible and very visible, putting CLIENT at great risk of compliance violation and potentially subject to large fines or loss of business reputation.

Extent of Testing

CLIENT engaged Pruhart Tech to provide the following penetration testing services:

  • network-level technical penetration testing against hosts in the internal networks
  • network-level technical penetration testing against internet-facing hosts
  • social engineering phone phishing against CLIENT employees

Testing Internal Assets

Pruhart Tech's ISA will conduct various reconnaissance and enumeration activities. This will include port and vulnerability scanning, as well as other reconnaissance activities, to try to reveal any security holes, particularly vulnerabilities, that allow complete system takeover on important servers, most critically the McAfee security server for which a compromise could allow a potential attacker to render the endpoint security for the entire internalnetwork inoperable or ineffective. If server compromise can be achieved, directory traversal will be conducted to search for important data such as private patient data. The ISA will use a secure sensor deployed inside CLIENT's facilities to conduct port, service, and vulnerability scanning, as well as other reconnaissance techniques within CLIENT's internal networks. Social Engineering Toolkit (SET) will be used to gain root-level access to multiple critical systems, including the McAfee security server. Testing External Assets

The external phase of the penetration test will focus on the assets that are publicly accessible. Reconnaissance and scanning will be conducted to identify opportunities for intrusion or malicious modification of the systems. Attacks will be launched from Pruhart Tech's network via internet to the externally accessible assets at Western View Hospital using Burp Suite and network scanner Nmap 4.2.

To determine and practically demonstrate the feasibility of gaining physical access to facilities' non-public and high-security zones or gaining unauthorized, authenticated access to CLIENT's workstations, the ISA will conduct phone-based social engineering. Pruhart Tech's social engineer will perform phone-based social engineering with the goal of getting credentials or having CLIENT staff perform tasks on their workstation. This is intended to simulate a malicious actor attempting to gain credentials and a foothold in the environment by a phone call. Pruhart Tech's social engineer will call CLIENT staff members claiming to be a technical support worker authorized to contact CLIENT's personnel to provide critical support. If challenged, the social engineer will then drop information security staff member names in a statement that they are working on their behalf. The social engineer's program will include the following activities:

  • requesting that the user provide their domain username
  • feigning an attempt to perform a technical operation on the user's behalf, and then requesting that the user provide their domain password when the operation "fails"

Request for Solution File

Ask an Expert for Answer!!
Computer Engineering: Evaluate the security of an it infrastructure
Reference No:- TGS03488295

Expected delivery within 24 Hours