Term Paper: Penetration Testing
As a penetration tester, you are hired as a consultant by a small- to mid-sized business that is interested in
calculating its overall security risk today, January 1, 2012. The business specializes in providing private loans to
college students. This business uses both an e-Commerce site and point-of-sale devices (credit card swipes) to
collect payment. Also, there exist a number of file transfer operations where sensitive and confidential data is
transferred to and from several external partnering companies. The typical volume of payment transactions totals
approximately $100 million. You decide that the risk assessments are to take into account the entire network
of workstations, VoIP phone sets, servers, routers, switches and other networking gear. During your interview
with one of the business's IT staff members, you are told that many external vendors want to sell security
networking products and software solutions. The staff member also claimed that their network was too flat.
During the initial onsite visit, you captured the following pertinent data to use in creation of the Penetration Test
Non-stateful packet firewall separates the business's internal network from its DMZ.
All departments including Finance, Marketing, Development, and IT connect into the same enterprise switch
and are therefore on the same LAN. Senior management (CEO, CIO, President, etc.) and the Help Desk are not
on that LAN; they are connected via a common Ethernet hub and then to the switched LAN.
All of the workstations used by employees are either Windows 98 or Windows XP. None of the workstations
have service packs or updates beyond service pack one.
Two (2) Web servers containing customer portals for logging in and ordering products exist on the DMZ
running Windows 2000 Server SP1, and IIS v5.
One (1) internal server containing Active Directory (AD) services to authenticate users, a DB where all data
for the company is stored (i.e. HR, financial, product design, customer, transactions). The AD server is using
LM instead of NTLM.
Write a seven to eight (7-8) page paper in which you:
1. Explain the tests you would run and the reason(s) for running them (e.g. to support the risk assessment plan).
2. Determine the expected results from tests and research based on the specific informational details provided.
(i.e., IIS v5, Windows Server 2000, AD server not using NTLM)
3. Analyze the software tools you would use for your investigation and reasons for choosing them.
4. Describe the legal requirements and ethical issues involved.
5. Using Visio or its open-source alternative, provide a diagram of how you would redesign this business
network. Include a description of your drawing. Note: The graphically depicted solution is not included in the
required page length.
6. Propose your final recommendations and reporting. Explain what risks exist and ways to either eliminate or
reduce the risk.
7. Use at least four (4) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify
as quality resources.
Your assignment must follow these formatting requirements:
Be typed, double-spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations
