I just got off the phone with client this morning who has concerns about possible attacks or may even be currently experiencing an attack. The client is the COO of a small pharmaceutical company that is on the verge of developing a revolutionary new drug to treat pulmonary hypertension. An attack that penetrates far enough to get to the formula would be a disaster for the company. They want a skilled person to carry out some WhiteHat hacking on their systems to find out what vulnerabilities exist or what attacks, if any, are occurring. Our Legal Department will be sending you an e-mail confirming we have all of the proper authorizations and insurance. As you know this is critical in conducting a WhiteHat penetration. The penetration test is being carried out at the request of the COO and is to be kept secret from all employees including the IT department.
1. Design a plan to carry out a white hat penetration test of a company.
(Provides a clear outline of the steps and timeline for the penetration test plan. The steps are logical, provide clarity in how the process will be coordinated so that secrecy is maintained, leaving a minimal traceable footprint. Provides well-documented support for the steps and timeline. The timeline includes plans such as late night attacks. Provides a well-supported discussion of what areas will be included in the penetration testing that may concentrate on attacking software and computer systems including scanning ports, examining known defects and patch installations. Also includes other strategies such as emailing staff to ask for password details, plans to search trash receptacles or other social engineering strategies. Some possible strategies might include leaving USB/flash drives with hidden auto-start software on desks or in the staff cafeteria.)
2. Conduct reconnaissance and footprinting on the companies. Provide as many details about the companies as you can find that will allow me to carry out further footprinting within a iLab.
(Conducts a clear, and thorough reconnaissance and footprinting on at least two companies. Provide at least ten details about each company that would provide inside information for a penetration. Describes how this will assist in hacking into the company. Uses supportive documentation from reliable sites. Provides links to important information.)