7COM1012 – Operating Systems and Networks
You are to answer the following question and submit for evaluation. Some parts of the question will require research beyond the material discussed in the course. This is intended and is part of the assessment. It will also a professional technical report include some practical work in your coursework: One option is to set up a virtual environment to model HertfordFashion network. To set up such an environment you would need to have a computer with 8 GB RAM minimum. Setting up a virtual network can be achieved using one of the visualisation tools such as Virtualbox or VMWare. This would allow you to develop various experiments for penetration testing, ethical hacking etc. Here is a link to download VMWare http://www.vmware.com/uk/ and Virtualbox https://www.virtualbox.org/ To download and setup a virtual network using Virtualbox https://www.virtualbox.org/manual/ch06.html To develop different network attacks and ethical hacking experiments you need to use kali linux . Here is the link to kali linux http://www.kali.org/ Make sure that kali is set up as part of your virtual network as well. You should be able to perform reconnaissance activities using Maltego which can be set up as part of Kali. Nesuss can be used to to carryout vunerability scanning. Metasploit, Meterpreter and Armitage etc. can be used to perform various network and Web exploits. For more information on using Armitage you may check this website http://www.fastandeasyhacking.com/media It is better to perform your experiments in a controlled environment such as a virtual network lab using Virtualbox or VMWare. This is to avoid causing damage or attacking your machine or the network that your computer is connected to.
As one of the biggest names in fashion brands, HertfordFashion is a leading fashion designcompany working on different design products such as clothes, shows and bags. This fashion house is one the most respected brands in the fashion industry and its sharp style is very popular amongst the best dressed celebrities around the globe. HertfordFashion are also involved in designing protective clothing such as motorcycle leathers and space suits. Currently the company has a main office and five branches located at various places in the UK tens or hundreds of miles away from each other. HertfordFashion employs fifteen designers and thirty administration staff. Each of the employees has his/her own computer and/or laptop using either Linux or MS Windows as an operating system. Each office has a local network including various servers, switches and other networking devices. All five offices’ networks are linked together through the Internet and using leased lines as the main communication infrastructure. The projects that the offices work on often involve designing seasonal women clothes, quality leather bags, heavy duty work-boots, diving suits, etc. In each site, various servers were dedicated for certain services and operations such as email, WWW, online sales and e-payments, special graphics design software and processing, data storage, etc. HertfordFashion would like to review its business strategy and current portfolio including asset management and investment. The strategic management office would like to ensure the security of all its assets including fashion designs, data and communication links between the main office’s network resources and the other five branch offices’ local networks. The major concerns amongst the management team are the protection of all their critical designs and preseasonal products, information leakage, harmful malware, and any possible unauthorised access to data and/or design files and network resources. In order to provide the level of security demanded by this solution, HertfordFashion’s security infrastructure should be designed, deployed, and managed with British Standards and International Standards Organization (ISO) guidelines in mind.
The Web server’s API performs storage and all the necessary data processing. The services Web applications and all entities will communicate using the HTTP Protocol, Node.js, MongoDB and a protocol specific to MongoDB. The HertfordFashion’s system architecture is designed to allow the applications to be hosted on up to four distributed entities as follows:
- API (Node.js)
- Web Portal (PHP, Nginx)
- Computer and Mobile Devices
The system was designed to allow easy scaling of each part of the system as required. There is a central server for storage and available for remote access using VPN. The system and added functionalities should be evaluated in terms of their performance with specific client data and security operations. This includes extensive system configuration, performance testing, security assessment and penetration testing for the service applications and servers. This is to ensure that the service applications are not just working but meet the overall objectives of the company and provide an integrated secured suite of useful results that are meaningful and commercially valuable. The management team would like to ensure the security of its designs and data as well as secure communication links between the main office’s network resources and their clients and customers. The major concerns amongst the management team are the protection of all their critical designs and services, information leakage, harmful malware, and any possible unauthorised access to data and/or financial operations and reports. Such unauthorised activities could be achieved through SQL injection and/or cross site scripting XSS attacks.
The management team decided to hire an ethical hacker to test and review the existing network security infrastructure. As an ethical hacker, you have been contacted by HertfordFashion to perform white box automated penetration testing to their operating systems and network infrastructure. This is to perform vulnerability risk threat assessment and to review the security requirements, design and implementation. Your final report should attempt to provide a clear, unambiguous statement of the security architecture quality of HertfordFashion’s service applications and system infrastructure. You will use the penetration testing lifecycle to gather information through several means and sources for footprinting such as Google Earth, Google Hacking, social media networks, public databases, web directories which provide email addresses and phone numbers etc. There are different techniques and tools which can be used e.g. Maltego in Kali, WHOIS Footprinting www.whois.net, DNS Footprinting www.checkdns.net etc. This is to allow an ethical hacker to identify the victim target and to plan its attack and to give him/her a better understanding of the victim’s computer systems and network services. To scan HertfordFashion’s target systems for vulnerabilities identification and analysis you may use Nessus. To exploit the target systems and to launch some attacks you can use Metasploit framework which is available in Kali as well. This process includes a review of the current system and to provide an architectural diagram of HertfordFashion system and network.
You will perform comparisons with relevant standards and be able to identify the major assets, vulnerabilities and risks to attacks. In your report, the company’s online Web-based service through its architecture should be evaluated in terms of its security provisions. The HertfordFashion’s security posture should be presented by identifying its critical information and systems that need to be protected. This is to allow you to propose the necessary security mechanisms and solutions to meet HertfordFashion’s security needs. These efforts will highlight the good practices and findings about this company and consider various technical standards such as ISO information security standards, relevant documents, etc. This is to study and specify the requirement details and evaluation of HertfordFashion’s system architecture and services in terms of meeting the necessary security needs and controls. The final outcomes and results are intended to provide the company with a list of recommendations and any necessary justifications to improve their security. The implementation of any recommendations contained in your report should not guarantee the elimination of all security threats but should allow keeping the risks as minimum as possible. To achieve this, you will need to identify and clarify security issues for the core system, technical review and assessment of system architecture as follows:
- Describe the ethical hacking process and phases and the difference between white box and black box hacking
- Describe the main types of penetration testing and its lifecycle
- Identify HertfordFashion’s major assets and risks to attacks, security assessment to the whole system to support the security requirements
- Identify and assess potential security threats and/or vulnerabilities, with specific attention to malware threats to operating systems, threats to critical designs and financial stored data or during transmission
- Identify technical constraints/requirements of web services and remote access control e.g. authentication and login passwords, authorization and firewalls
- Security concerns of financial operations such as online payments and sensitive data confidentiality and integrity including service availability
- Design and document security controls and mechanisms, data and server replication protection and real-time monitoring of end-user system usage
- Identify technical constraints/requirements of secure content management, data access, rapid recovery and backup e.g. safeguard against disaster
- Procedure for performing security testing of core system and APIs, review of source code and fixing faults that are identified from tests e.g. ‘Field test’ using live customer input, with database(s) located on server(s)
- Finally, you might think of any other security issues that need to be considered.
You will need to produce a security assessment scenario in the form of a professional technical report. Typically, your report might be organized (but not necessarily to be) as follows:
- background information, literature review, scope and limitations
- main body including methods used
- investigations and analysis
- recommendations, unsolved problems
- references (books, conference papers, journal publications, WWW references)
You should clearly state any assumptions that you have made with justification in your report and discuss any alternatives to your proposed solutions.
The write up for this question should
Be your own work – plagiarism will not be tolerated
Use relevant sources, properly referenced throughout
Include a bibliography of references