AY2021 Ethical Hacking and Intrusion Prevention Case Study

AY2021/2022

ETHICAL HACKING & INTRUSION PREVENTION CASE STUDY

ETHICAL HACKING & INTRUSION PREVENTION (CCD2C03) SUBJECT LEVEL: 2

INSTRUCTIONS TO CANDIDATES

1. This case study consists of 6 pages (excluding cover page).
2. This case study contributes 40% of the subject.
3. Breakdown of mark weightage as follows: -
4. 30% Individual effort
5. 10% Group effort
6. This case study is to be done in group of 4 and below. Project group with other number of members (i.e. more than 4, etc.) will only be consider after all groups in your class have fulfilled the earlier condition.

1. Part I – Vulnerability Assessment & Penetration Testing (30% Individual)

Vulnerability Assessment & Penetration Testing Scenario

Vaptlab is a cybersecurity company with its core business in the penetration testing. You have joined this company as a cybersecurity analyst as part of Temasek Polytechnic Student Internship Programme. You have been working there for a while and your supervisor is satisfied with your overall performance. Your supervisor is exploring the option of hiring you as a full-time employee. However, before he can do so, the company director wanted to test your knowledge and competencies in ethical hacking.

Your supervisor would like you to perform a penetration test on one of their virtual machines housed within their Cyber Range.

General Requirements

You are provided with the following information to connect to Vaptlab DR infrastructure:

• IP: 192.168.56.100/24
• GW: Not required
• DNS: 192.168.56.53
• FQDN: vaptlab.xyz

Cyber Range Environment

The environment that are you doing penetration is as shown in the diagram below.

You will be provided with 5 virtual machine samples. These samples contain different types of vulnerabilities. Each team members are to choose 1 unique sample out of the 5. Your task is to perform a vulnerability assessment on it and exploit it’s vulnerabilities. Document your exploitations using the tables provided in Appendix A. Vulnerabilities that are listed but not exploited by you will not be awarded any marks.

You are NOT to perform penetration testing beyond the Case Study scope, such as scanning of other networks and systems. Anyone caught doing so could result in immediate failure of this subject and possible disciplinary action by the school.

2. Part II – Penetration Testing Research (10% Group)

Penetration testing plays an important role in ensuring cybersecurity policies and measures are implemented properly. For this part of the case study, you are to work as a group and research on 1 of the following topics: -

• DevSecOps
• Artificial Intelligence and Machine Learning
• Cloud Security
• Container Security
• Red Teaming
• Pen Testing As A Service (PTaaS)

Do note that you are not limited by the above list. If there is a topic that your team would like to research on that is no in the above, please free feel to consult your tutor. You are to produce a 1-2 pages report detailing your research based on your chosen topic.

3. Report Requirements

Your team is to prepare and submit a report as well as present your key findings to the company director covering your Part I and II activities.

1. Each group must provide a softcopy of the report to the tutor during the lab session

2. Your report shall minimally include the following sections

1. Cover Page
2. Document History
3. Contents
4. Project Scope
5. Executive Summary
6. Part I- Summary of Security Vulnerabilities Assessment by <Student Name>
7. Part I - Vulnerabilities Assessment Detail by <Student Name>
8. Part II – Penetration Testing Research
9. Reflection

3. For the reporting of Vulnerabilities Assessment Detail by <Student Name> section, do note that all fields in the table are needed for the report submission. Refer to the vulnerabilities assessment detail table in Appendix A for the details. During presentation, you will be asked to demonstrate your exploitation method. If you are unable to demonstrate successfully, the affected vulnerability finding may not be awarded any marks.

4. Marks will be awarded for:

• well documented repeatable steps to identify and exploit the type of vulnerability (even if the pen-test is not successful; we will evaluate the process)
• originality and creativity on the conduct of vulnerabilities assessment and exploitation
• usage of different types of tools
• value of exploit e.g. access to privileged account such as root or database admin and their cracked password will be of higher value than a normal user
• recommended steps to prevent the vulnerability
• secure network design recommendations

5. Generally, your report must be formatted with the following requirements:

1. Use A4 page size
2. Use either Arial or Times New Roman font with font size 12 and justify your paragraphs
3. Provide and use colors, section headings, sub-headings, headers, footers, diagrams, etc., where appropriate. Use your own judgment. The report must look professional as you are presenting it to Vaptlab’s senior IT management! Tip: You can refer to this document as a guide in terms of formatting
4. Indicate page number on each page
5. Use single spacing
6. Where information is lacking, students are expected to make and state their assumptions (in their reports and presentation). Exercise your creativity! However, make sure that they are supported with reasonable assumptions and explanations
7. Follow the following naming convention when you submit the softcopy of your report to your tutor

Name the report using the following format: EHIP-P<Practical class number>Group<Group number>, e.g. EHIP-P01-Group01 for Practical class number 01 and Group number 01

6. Be warned that plagiarism is a serious offence!

4. Presentation Requirements

Each group will be given approximately 30 minutes for their presentation. The presentation process is as follows:

• Presentation and demonstration for the findings done by individual student
• Question and answer session after the presentation

Appendix A

Table 1 - Summary of Security Vulnerabilities Assessment by <Student Name>

Table 2 - Vulnerabilities Assessment Details by <Student Name>