Management overview, risk assessment, methodology and vulnerability reporting

Management overview, risk assessment, methodology and vulnerability reporting

Question

Management overview, risk assessment, methodology and vulnerability reporting

A good report should typically answer questions and provide the following information:

1. The title includes your student number, module, instructor name, and all other documents required by the university.
2. Table of contents and summary if necessary.
3. The introduction acts as a “map” to the rest of the document, explaining the goal or purpose of the work and explaining how that goal will be achieved. At this point, it is usually helpful to restate the conclusion.
4. Demonstrates background reading of relevant texts at an appropriate level. Evidence of systematic and clear thinking, a sign of good planning and organization.
5. Meaningful writing is presented clearly and carefully (proofreading and grammar checking).
6. Critical writing that compares and contrasts major theories, concepts, and arguments with conclusions based on the evidence presented.
7. High level accurate academic references.
8. Logical and clearly defined structure with headings and subheadings. Graphs and other graphics discussed in the text are clearly labeled and properly displayed.
9. Adhere to normal academic standards, such as length and timely submission.
10. References section listing each source cited in the text.

Management overview and risk assessment (20 points)

Summary

Reports should be targeted at both CEOs who want a high-level overview and technical teams who want to know about specific vulnerabilities found. The summary includes an assessment of the risks facing the organization, clear risk priorities, and other relevant information that we believe the organization should be aware of, as well as how management should address the findings. It should contain clear recommendations. handle. Risk assessment

A recognized risk assessment system should be used to assess vulnerabilities. Regardless of which risk assessment system is used, it is necessary to define impact and abuse criteria, the number of levels and their meaning. For example, if you use CVSSv3 as your scoring matrix, you should clearly explain the differences between low-risk, medium-risk, and high-risk scoring systems.

Methodology (30 points)

We describe the methodology used for each of the two (web/architecture) tests. For each step of the methodology, we explain:

• A test/exploit was performed. Why was the test/exploit performed?
• Expected results
• The tools used to perform tests/exploits include clear descriptions of the commands/steps performed by the tool.

Vulnerability report (50 points)

This section of the report contains a description of the vulnerabilities found.

(a) System vulnerability test (45 points)

You must identify, test, and report vulnerabilities in any of your customer’s systems.

Eventually you will need to gain “root” access to your system. Points are awarded for every valid step taken to reach this point. Penetration Test 05 Machines are rated as moderate or hard and provide a penetration test report.

The report must include a description of any network configuration changes that may help resolve the vulnerability.

(b) Network configuration (5 points)

The report must include a description of any network configuration changes that may help resolve the vulnerability. Firewall rules should be recommended to reduce the risk of exploitation. You must use IPTables to create all recommended rules. Even if you select Windows computers in this section, you still need to create IPTable rules to reduce the risk of exploitation. Windows machines do not use IPTable rules for filtering, so you can use the Linux-based calculator used in the tutorial to create these rules.