|
Programme:
|
BSc Computing with - ALL pathways
|
|
Module Code:
|
LD6047
|
|
Module Title:
|
Ethical Hacking
|
|
Distributed on:
|
Via Blackboard; briefing in lecture.
|
|
Submission Time and Date:
|
To be submitted by 16:00 GMT on [21 Jan 2025]
|
|
Word Limit:
|
Part A: 60% (2000-word report)
Part B: 40% (1500-word report)
|
|
Weighting
|
This coursework accounts for 100% of the total mark for this module
|
Instructions on Assessment:
This assignment consists of two parts
· Part A (60%): 2000 words
· Part B (40%): 1500 words
Assignment Details:
TechSecure Ltd. is a rapidly growing UK-based company that provides secure web-based solutions to clients across various sectors, including finance, healthcare, and e-commerce. As part of their growth strategy, they have deployed a new web application hosted on an Ubuntu server in a cloud-based virtual environment.
The web application handles sensitive client data, including payment information, personal identification, and transaction records. Due to the sensitive nature of the data processed, the company must ensure that the application is secure from cyber threats. Recently, the IT department noticed some unusual activity on the server logs, which raised concerns about potential vulnerabilities within their system.
To address these concerns, TechSecure Ltd. has requested a thorough security assessment of their web application to identify any vulnerabilities before they can be exploited by malicious actors. As part of their internal audit, they have enlisted your help as a penetration tester.
Your Role:
You have been provided access to a simulated environment consisting of:
• A Virtual Machine running Ubuntu, hosting the TechSecure Ltd. web application.
• A Kali Linux system to conduct the penetration test. Your primary objectives are:
Vulnerability Assessment:
1. Use a vulnerability assessment tool of your choice (such as Nessus, Niko, or OpenVAS) to scan the web application hosted on the Ubuntu machine. Identify any weaknesses or misconfigurations that could be exploited.
2. Focus on areas like outdated software, open ports, misconfigured services, or known web application vulnerabilities like SQL injection, Cross-Site Scripting (XSS), and server misconfigurations.
3. Generate a detailed report from the chosen tool that lists the identified vulnerabilities, along with their severity levels and descriptions.
Penetration Testing:
1. After identifying vulnerabilities, attempt to exploit them using Kali Linux to gain access to the target machine
2. Perform. reconnaissance to gather information about the target, such as available services, open ports, and the web server's configuration.
3. Use appropriate penetration testing methods to exploit the identified vulnerabilities and demonstrate how access to the web server could be achieved.
4. Document each step of your process, including screenshots, tools used, and the techniques applied.
Reporting:
1. Compile a comprehensive report outlining your findings, including:
2. A summary of the identified vulnerabilities and their potential impact.
3. The steps taken to exploit the vulnerabilities and gain access.
4. Recommendations for mitigating the identified risks and securing the web application against future threats.
Mapping to Programme Goals and Objectives
This assignment will assess the following learning outcomes:
1. Demonstrate practical skills in conducting vulnerability assessments using industry-standard tools.
2. Apply penetration testing methodologies to gain access to a target system.
3. Analyse and critically evaluate cyber incidents, providing insights into their impact and mitigation
4. strategies.
5. Present a well-researched report, demonstrating the ability to interpret and analyse CVE information.
Module Specific Assessment Criteria and Rubric
The work will be marked out of 100 in line with the University’s marking grades and according to the following assessment criteria:
|
Description
|
Marks
|
|
Part A: 60%
|
|
Task 1: – Vulnerability Assessment (VA)
(suggested word limit for this section is 500 words)
|
|
· Conduct a vulnerability scan on the provided Ubuntu-based web application using a tool of your choice (e.g., Nessus, Niko, OpenVAS).
· Generate a comprehensive report detailing the identified vulnerabilities, including descriptions, severity levels, and potential impacts.
· Include the generated VA tool report as evidence.
|
20
|
|
Task 2: - Penetration Testing (PT)
(Suggested word limit for this section is 500 words)
|
|
· Using the Kali Linux environment, perform. a penetration test targeting the given web application. Your objective is to exploit identified vulnerabilities and gain access to the target machine.
· Document your approach, including reconnaissance, scanning, exploitation, and post-exploitation phases.
· Discuss any challenges faced and how they were overcome. Provide screenshots where necessary to illustrate your process.
|
20
|
|
Task 3: - Ethical Considerations and Security Standards
(Suggested word limit for this section is 600 words)
|
|
· Discuss the ethical implications of performing vulnerability assessments and penetration testing as seen in Tasks 1 and 2. Reflect on the importance of maintaining confidentiality, integrity, and professional conduct throughout the testing process.
· Evaluate how compliance with security standards such as ISO 27001, NIST SP 800- 115, or OWASP can guide the penetration testing process and reporting.
· Explain how ethical hacking practices help in aligning security assessments with industry standards and how this benefits organizations like TechSecure Ltd.
· Connect the insights from Task 3 to your work in Part B, particularly regarding the ethical analysis of the chosen cyber incident.
|
20
|
|
Part B – 40%
|
|
Task 5 – Cyber Incident Analysis (1000 words)
|
|
Scenario:
Choose a significant cyber incident that occurred between 2023-2024. This could be a data breach, ransomware attack, or any other security incident that had a notable impact on an organization, industry, or country.
· Provide a detailed overview of the incident, including when and how it occurred.
· Analyse the statistical impact of the incident, such as data lost, financial loss, or affected users.
· Discuss the countermeasures implemented by the affected organization(s) to mitigate the impact of the incident.
· Include an analysis of the CVE (Common Vulnerabilities and Exposures) that were exploited during the incident, backed by research and evidence.
· Critically assess the effectiveness of the countermeasures and suggest additional steps that could have been taken to prevent or mitigate the incident.
|
40
|
|
Total
|
100
|