
Purdue University

ACE & ACE-HI


PC Brewing Co. Case Study

Project Overview
The Case Study is presented with details about a fictional company. In this scenario you have
been hired as an ethical hacker to test the security of the company. You will define the scope of
your penetration test; however, there are 3 main goals of this penetration test that you need to
determine.

1. Is the customer data being stored by the company at risk? Can it be compromised?

2. Is the data regarding the supplies of the company safe? Can someone compromise the
Inventory Control Systems?

3. Is the secret recipe of the brew safe?

Your penetration test will not have any limitations other than time. All tests would need to be
conducted within the timespan of 72 hours. The test must be completed over a three-day
weekend, and when the company comes back from the weekend, you will need to make a
presentation to the company. Your presentation will need to outline the tools you would expect
to use during a penetration test along with the output you may find.

Presentation
Each person will present their findings to the Executives and Shareholders of PCBrew. This
can be done in a presentation that is recorded and submitted in the LMS.

Presentations should be 10-20 minutes in length and may be a recorded PowerPoint
presentation. Your presentation should present the weaknesses you discovered in the
company and the exploits you use to compromise devices en route to the three objectives.
Keep in mind that your time limit on the penetration test is 72 hours. It is not realistic to have
every port fully enumerated on every machine, so your scans will need to be targeted and you
will need to have specific objectives. You may use the provided network map to help you target
specific machines and provide specific exploits with details.

You will present your findings in the phases of the penetration test: Preparation, Scanning,
Enumeration, and Persistence. As this is from the perspective of an Ethical Hacker, there will
be no need to exfiltrate data or cover your tracks, but you may want to say a few words
on whether it is possible in the environment.

Again, as this is a fictional company, you will need to envision some aspects of this penetration
test. You may produce the findings as you would expect them to be found in a real penetration
test.

As PC Brew is a mid-sized company with a dedicated IT department, some assumptions can be
made about the environment.
• Patches are within 3 months of being current.
• Active Directory is being used for authentication.
• Network Devices are not guaranteed to be updated, maintained, or properly configured.
• There are existing vulnerabilities to be exploited.
• You will not be able to directly compromise the end server with the recipe. You will need
to pivot and maneuver to get to that server.

Don’t forget about physical security!

Getting Started (A little help)


In this packet you will find some sketches of the layout of the PC Brew offices. These are
available from the fictional local government website where they were stored improperly, and
you would be able to locate them via a Google Dork. The website is http://acmeFileStorage.gov
and the documents were .jpg files. In your presentation, clarify how you could use
Google to search for this information as part of the preparation and reconnaissance phase of
the attack.


The Business
Port Chester Brewing Company
Company Overview:
PC Brewing Company currently has three production facilities that include manufacturing,
warehousing, distribution, storefronts, tasting facilities, rental space, and brewing tours. The
production facilities are located in West Lafayette, IN, Lafayette, IN, and Port Chester, CT.
The company has 45 employees total (including a small IT team). With the success of the
business it has become clear to the executive leadership that cyber and information security
practices must be put in place to protect the company’s assets.

Company Products:
The company currently brews six recipes:
• PC Brew Whooping Crane Craft Beer: All American beer with a perfect blend of barley and hops
• Blotter Brew: A trippy beer with speed and smoothness
• Droz Draft: A wild flavor full of fun and mischief
• Prefrosh Pale Ale: A little wound up tight at the beginning but finishes well
• Sanskrit Stout: Old world flavor chased by some hints of Latin
• Moon Beam Belgium White: A crisp dirty flavor with a lot of concern for your cause


PC Brew Org Chart


Sample Invoice


Floor Plan


Floor Plan

PC Brew Existing Technology
Current systems include server hardware running Windows and Linux Server, MSSQL Server,
Active Directory on Premise, Office 365, etc. The networking infrastructure currently in place is
recent and up to date. It consists of a homogeneous Cisco environment (switches, routers,
wireless, etc.).

Other solutions in place include all technology required for brewery control, an inventory control
system, a custom-developed self-paced tour system using Android tablets, Windows-based
PCs, a cloud-based phone system from RingCentral, etc.

Network Diagram


Systems Diagram


Security Considerations

The Cybersecurity Team should address the following areas specifically and
any others that may be applicable.

o The recipe is stored on a Windows 2016 server that does not interact directly with the internet.
o The Windows 2016 server is able to be accessed by machines on the local network with the correct credentials, but not from outside the local network.
o The Inventory Control System is connected to a database that connects to the internet to order items.
o All customer data, including ordering information (financial records), is stored on the same server with the ICS database.
o How would you do each of the following:
  ▪ Gain an initial foothold in the network
  ▪ Pivot to a machine that can connect to the targets
  ▪ Compromise the targets (list specific vulnerabilities and exploits)
  ▪ Gain persistence on the target (if you feel it is necessary)
  ▪ Exfiltrate the data (put in a report for shareholders to understand)
  ▪ Recommend remediations for specific fixes (simply stating you would update is not sufficient).


App Security Considerations


Considerations
• POS Systems are all Square Registers – info here.
• All tablets are Samsung Galaxy S5e – info here. The tour software is a custom-built,
side-loaded .apk Android app.
• The Inventory Control System is a simple MongoDB 3.0.1 database, hosted on an
Ubuntu 16.04 LTS server running MySQL.
• The website is a WordPress site hosted by bluehost.com.
o Plugins hosted (and possible version number):
▪ Bannerize 2.8.6
▪ Booking Calendar 1.1.23
▪ BuddyPress 1.9.1
▪ Contact Form Manager
▪ Download Manager 2.7.4
▪ Google Drive 2.2
• Customer data, including payment data, is stored in Salesforce Salescloud.

Current Security Posture


• No formal policies or procedures are currently in place


Endpoint Security Considerations


Primary Areas of Concern
• POS Terminals
• Tour Tablets
• Workstations & Servers

Considerations
• POS Systems are all Square Registers – info here.
• All tablets are Samsung Galaxy S5e – info here.
• There is a combination of Windows 10 workstations, Windows 2016 servers, and Ubuntu
Servers.
o Windows 10 Workstations have version 1903 installed currently.
o Windows 2016 server has version 1709.
o Ubuntu Servers are 16.04 LTS.

Current Security Posture


• Microsoft endpoints are using Security Essentials
• Linux Systems are using Sophos Home Premium
