Information that is required to conduct the penetration test
The contract is between Maxim Security Solutions (the provider) and Modern Retailers Supermarket (the service buyer or client) for the provision of penetration testing services to the client. The service seeks to identify, and report on, vulnerabilities in the security of the systems at the client’s facility.
The client acknowledges that no test can establish complete security: the systems under test may be modified while the test is being carried out and will continue to change afterwards (Chaney, Cross, and Demars 38). Both parties also acknowledge that a substantial share of security breaches originate with insiders, and the provider has no control over the conduct of the client’s employees (Wilhelm 112). The following terms and information are required to conduct the penetration test on the client’s systems.
Maxim Security Solutions and Modern Retailers Supermarket have agreed to the following terms governing the penetration test:
- Maxim Security Solutions will conduct a security penetration test on all computer systems operated by Modern Retailers Supermarket in order to identify misconfigurations and security vulnerabilities.
- The provider has express authority to conduct the test within the timeframe given in the Procedures and Timeframes section below. Any testing before or after that window requires the mutual agreement of both parties.
- During the test, the parties will communicate by phone for urgent matters and by e-mail for reports.
- The client may call off the test at any stage for any reason it considers justified. If the client terminates unilaterally, the provider remains entitled to all of the initially agreed compensation.
- The provider guarantees that it will conduct the test responsibly and professionally in accordance with the applicable codes of conduct, and will deliver its services to the agreed standards.
- Both parties agree that the threat landscape changes continually. The findings reflect the state of the client’s systems on the test dates and may cease to be accurate as systems, software, and attack techniques change.
- If the client fails to act on the advice the provider gives on the basis of the test results, the provider will not be liable for losses arising from a subsequent breach, including but not limited to loss of data, profits, business operations, and revenue. Acting on the recommendations in the report is the client’s responsibility.
- The results of the test are confidential and must be treated as such by both parties. The provider will not disclose them to third parties, since doing so could jeopardize the client’s security.
- The client is responsible for protecting all information produced by the test from access by third parties. If such information is leaked by the client’s agents or through the client’s negligence, the provider will not be liable for the resulting damages.
- If the client wishes to share information about the test with a third party, it must first inform the provider of its intention.
Tools and Systems
Maxim Security Solutions will conduct the penetration test on all tools and systems used for communication and data management within Modern Retailers Supermarket. These include the workstations, the database system, the networks, the cloud services the client uses, and any other device the firm uses to store data or communicate with its stakeholders.
Procedures and Timeframes
The penetration test is expected to take 30 days, including writing the report and all related communication with the client. The procedure involves assessing the systems and tools used for communication and data management, interviewing the employees who use them, and informing the client of the findings and the necessary recommendations (Henry 97).
Penetration Test Report
Findings
The penetration test revealed a number of weaknesses in the systems used by Modern Retailers Supermarket. The major findings are as follows.
- Weak authentication for user login on most of the firm’s computers. This was most prevalent among the employees who handle online customers.
- Enumeration of administrator usernames at login: the login responses differ for valid and invalid usernames, so an attacker can confirm which administrator accounts exist. User-supplied input is also not properly validated before it is processed.
- Most of the firm’s employees have limited knowledge of how to protect their workstations from internal or external intruders. Beyond the use of passwords, they have no knowledge of how to improve the security of their systems.
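The username enumeration finding above, shown in code as an added example that is not part of the original report: a Python login handler that leaks whether an account exists, beside a hardened version that validates the username against an allowlist, returns one generic failure message, and performs a hash computation on every path so that neither the response nor its timing depends on whether the username exists. The user store, the credentials, the hash parameters and the username rule are assumptions constructed for this example.

```python
# Added example, not part of the original report: a login handler that leaks
# whether a username exists (the enumeration finding above) next to a hardened
# version. The user store, the credentials and the username rule are constructed
# for this example.
import hashlib
import hmac
import os
import re
import secrets

PBKDF2_ROUNDS = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store: username -> (salt, derived key). Not real data.
_ADMIN_SALT = os.urandom(16)
USERS = {"admin": (_ADMIN_SALT, _hash("correct horse battery staple", _ADMIN_SALT))}

# A throwaway credential so the hardened path does the same amount of work
# whether or not the submitted username exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_KEY = _hash(secrets.token_hex(16), _DUMMY_SALT)

# Allowlist for usernames; anything else is rejected before it is processed
# (assumed policy for this example).
_USERNAME_RE = re.compile(r"^[a-z0-9._-]{1,64}$")

GENERIC_FAILURE = "Invalid username or password"


def login_vulnerable(username: str, password: str) -> str:
    """Distinct failure messages tell an attacker which usernames exist,
    and an unknown username returns early without any hashing, so the
    response time leaks the same fact."""
    if username not in USERS:
        return "Unknown user"
    salt, key = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), key):
        return "Wrong password"
    return "OK"


def login_hardened(username: str, password: str) -> str:
    """One generic failure message, input checked against an allowlist,
    and a hash computed on every path, so neither the response nor its
    timing depends on whether the username exists."""
    known = _USERNAME_RE.fullmatch(username) is not None and username in USERS
    salt, key = USERS[username] if known else (_DUMMY_SALT, _DUMMY_KEY)
    matched = hmac.compare_digest(_hash(password, salt), key)
    return "OK" if (known and matched) else GENERIC_FAILURE


def enumerates(login) -> bool:
    """The oracle a tester checks for: do a known and an unknown username,
    both submitted with a wrong password, produce different responses?"""
    return login("admin", "wrong-password") != login("no.such.user", "wrong-password")


if __name__ == "__main__":
    print("vulnerable handler enumerates:", enumerates(login_vulnerable))
    print("hardened handler enumerates:  ", enumerates(login_hardened))
```

Checking for the oracle is how a tester confirms this finding: submit a known and an unknown username with the same wrong password and compare the responses and, for a thorough check, their timing. The hardened handler should additionally be rate-limited and logged; the example leaves that out.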
Analysis
These findings leave Modern Retailers Supermarket highly exposed to attack. The weak login authentication means that anyone with access to a workstation can read, alter, or destroy information in the firm’s database (Engebretson 42), with potentially serious financial loss and damage. The administrator username enumeration gives attackers a list of valid accounts to target, which makes it considerably easier for them to take control of the data system (Mayne 86).
A major problem identified during the test was the employees’ limited knowledge of the security of the systems they use. Most of them used their names and dates of birth as passwords; anyone can guess these facts and gain access to their systems (Ballad, Ballad, and Banks 46).
Most employees also knew nothing about security beyond their weak passwords. They could not detect a breach unless their data was tampered with or lost, and the firm’s process for reporting and addressing security breaches was poor.
Recommendations
Management will need to deploy measures to mitigate the issues above. The firm should consider implementing the following recommendations.
- Management should require strong authentication for user login by all employees and senior managers, including a password policy that rejects personal information and, where the systems support it, a second authentication factor.
- The firm should engage Maxim Security Solutions, or another qualified firm, to fix the administrator username enumeration and the input validation weakness.
- The client’s employees will need comprehensive training in securing the data they handle, with on-the-job training in choosing strong passwords, using firewalls, recognizing intrusions, and reporting them.
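As an added example that is not the report’s own material, the following Python check turns the recommendation on stronger authentication into a rule the firm’s systems can enforce. It rejects the passwords the test found in use, those built from the user’s name or date of birth, and also a short common-password list. The minimum length, the blocklist and the sample user are constructed for this example.

```python
# Added example, not part of the original report: a password-acceptance check
# that rejects the patterns the test found in use (the user's name and date of
# birth) and a short blocklist, as one piece of the stronger authentication
# recommended above. The minimum length, the blocklist and the sample user are
# constructed for this example.
import re
from datetime import date

MIN_LENGTH = 12
# Illustrative blocklist; a real deployment would use a large breached-password list.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123"}


def _name_fragments(full_name: str) -> set:
    """Lower-cased name parts of three or more letters, plus the joined name."""
    parts = [p.lower() for p in re.split(r"[\s'\-]+", full_name) if len(p) >= 3]
    return set(parts) | ({"".join(parts)} if parts else set())


def _dob_fragments(dob: date) -> set:
    """Digit strings a person typically builds from a birthday, e.g. for
    1990-03-15: 1990, 1503, 0315, 15031990, 19900315, 150390."""
    y, m, d = dob.strftime("%Y"), dob.strftime("%m"), dob.strftime("%d")
    return {y, d + m, m + d, d + m + y, y + m + d, d + m + y[2:]}


def password_problems(password: str, full_name: str, dob_iso: str) -> list:
    """Return the reasons a candidate password is rejected for this user;
    an empty list means it is accepted. dob_iso is YYYY-MM-DD."""
    dob = date.fromisoformat(dob_iso)
    lowered = password.lower()
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    hit = next((f for f in sorted(_name_fragments(full_name)) if f in lowered), None)
    if hit:
        problems.append(f"contains part of the user's name ({hit})")
    hit = next((f for f in sorted(_dob_fragments(dob)) if f in password), None)
    if hit:
        problems.append(f"contains the user's date of birth ({hit})")
    return problems


def is_acceptable(password: str, full_name: str, dob_iso: str) -> bool:
    return not password_problems(password, full_name, dob_iso)


if __name__ == "__main__":
    # Constructed sample user; the first candidate is the kind of password the test found.
    for candidate in ("jane1990", "correct horse battery staple"):
        result = password_problems(candidate, "Jane Doe", "1990-03-15")
        print(candidate, "->", result or "accepted")
```

The check runs at password-change time against the HR record for that user; the list of reasons is returned rather than a bare yes/no so that the message shown to the employee can say why the password was refused, which is itself part of the training the report recommends.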
Works Cited
Ballad, Bill, Tricia Ballad, and Erin Banks. Access Control, Authentication, and Public Key Infrastructure. Sudbury: Jones & Bartlett Learning, 2011. Print.
Chaney, Moses, Ronald Cross, and Richard Demars. Strength Testing of Marine Sediments. Philadelphia: ASTM, 2009. Print.
Engebretson, Pat. The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy. New York: 2013. Print.
Henry, Kevin. Penetration Testing: Protecting Networks and Systems. Ely: IT Governance Publishers, 2012. Print.
Mayne, Paul. Cone Penetration Testing. Washington: Transportation Research Board, National Research Council, 2007. Print.
Wilhelm, Thomas. Professional Penetration Testing: Creating and Operating a Formal Hacking Lab. Rockland: Syngress, 2009. Print.