This report documents the results from the penetration test of the Ernst and Young Credit Union external website (http://10.55.3.101). Full authorisation has been given to conduct the test, which was carried out in a manner that simulates an attack from a malicious user. The objectives were to:
- establish whether a remote attacker could penetrate the security mechanisms of the Ernst & Young Credit Union;
- evaluate the impact of such a breach on the security of confidential information and on the infrastructure of the website.
This report contains an overview of the testing process and the issues that were found, details of the testing process and its results, the risks associated with the vulnerability, and recommendations for rectifying it. The results of the test can be of assistance to Ernst & Young when making decisions regarding information security.
1. Overview of Testing Process and Most Serious Security Issues:
1.1 While assessing the security of the Ernst & Young website, it was found that the “Branch Locator” page is vulnerable to SQL injection attacks. This is a serious vulnerability in which malicious SQL statements are inserted into an input field for execution. By appending SQL statements to the URL of the Branch Locator page, information about the structure of the underlying database was collected. This information was then used to generate further malicious statements. The list of database objects, tables and columns was returned. The
The likelihood of an attack or breach dealing with the current infrastructure of the company’s
A root-cause analysis of the security breach revealed multi-factorial issues at the technical, individual, group, and organizational levels. At the technical level, the applications and web-tools
Phase 6 - conduct a vulnerability assessment according to NIST SP 800-115: Technical Guide to Information Security Testing;
Additionally, visiting these sites opens our computer systems to hacking, theft, and fraud, which could result in a catastrophic breach of confidential data such as client information and employee profiles.
The purpose of the report is to explore the current vulnerabilities in the information system network and outline potential
The second instalment of the lab exercise for MIS 515, Information Security in the Private and Public Sector, involved general fact finding about a selected target. It was intended to get us familiar with the various tools we could use in the assessment of networks and websites. We were asked to follow some steps given to us in the assignment narrative and see what we could find on our own.
While strong security standards are necessary, they must be tested from time to time to evaluate their effectiveness. This is where vulnerability assessments come into play: by performing penetration testing on current systems and networks, security risks can be identified and addressed before cybercriminals are able to take advantage of them (Database Security,
It is recommended that we conduct a test that would simulate that breach. The test results should be anonymous as the goal of the test is to improve the company's security posture in a way that improves the entire company's security. After the test is complete, the results should be used to assist in designing training for employees on understanding and dealing with potential social engineering attacks. After developing the training, new policies and procedures should be disseminated, then the training can include understanding and reviewing the new policies and procedures. After the training is completed another test should be done to measure engagement and effectiveness of the social engineering training. This information should be used to improve training. The goal of the training would be to empower employees with situational awareness skills that would assist them in identifying potential social engineering attempts and how to respond
My paper focuses on a security assessment of Quality Web Design (QWD), which is a very successful company that is well-known for its magnificent and appealing websites; they work
In this era of globalization and the cut-throat world of competition, it is virtually impossible to do business without using the internet and web applications. The internet is used for processing credit card and debit card sales, and even for saving customer data to the merchant’s database for future reference and for sending promotional offers to previous and patron customers. On the other hand, hackers are trying their best to get the data stored on the merchant’s server by spoofing
The rigorous third-party examinations were administered by the professional IT assurance and compliance staff at 360 Advanced, a respected national Qualified Security Assessor, HITRUST CSF Assessor and Certified Public
In recent years, breaches in data security have become commonplace. When breaches occur, a consumer’s personal and financial information is put at risk. Cyber criminals most frequently target retailers that make a practice of storing a customer’s credit card information beyond the necessary time frame and that, in many cases, do not have appropriate security protocols in place.
This test will simulate an inside attack, behind the firewall, carried out by an authorized user who has standard access
Data systems such as the web application and data servers face a number of threats; some of these threats are discussed below: