Professional Documents
Culture Documents
Project Overview
The Case Study is presented with details about a fictional company. In this scenario you have
been hired as an ethical hacker to test the security of the company. You will define the scope of
your penetration test, however, there are 3 main goals of this penetration test that you need to
determine.
1. Is the customer data being stored by the company at risk? Can it be compromised?
2. Is the data regarding the supplies of the company safe? Can someone compromise the
Inventory Control Systems?
Your penetration test will not have any limitations other than time. All tests would need to be
conducted within the timespan of 72 hours. The test must be completed over a three day
weekend and when the company comes back from the weekend, you will need to make a
presentation to the company. Your presentation will need to outline the tools you would expect
to use during a penetration test along with the output you may find.
Presentation
Each person will present their findings to the Executives and Shareholders of PCBrew. This
can be done in a presentation that is recorded and submitted in the LMS.
You will present your findings in the phases of the penetration tests. Preparation, Scanning,
Enumeration, and Persistence. As this is from the perspective of an Ethical Hacker, there will
be no need to exfiltrate data or cover your tracks, but perhaps you may want to say a few words
on if it is possible in the environment.
Again, as this is a fictional company, you will need to envision some aspects of this penetration
tests. You may produce the findings as you would expect them to be found in a real penetration
test.
Page 1
Purdue University
ACE & ACE-HI
PC Brewing Co. Case Study
As PC Brew is a mid sized company with a dedicated IT department, some assumptions can be
made about the environment.
• Patches are within 3 months of being current.
• Active Directory is being used for authentication.
• Network Devices are not guaranteed to be updated, maintained, or properly configured.
• There are existing vulnerabilities to be exploited.
• You will not be able to directly compromise the end server with the recipe. You will need
to pivot and maneuver to get to that server.
Page 2
Purdue University
ACE & ACE-HI
PC Brewing Co. Case Study
The Business
Port Chester Brewing Company
Company Overview:
PC Brewing Company currently has three production facilities that include manufacturing,
warehousing, distribution, storefronts, tasting facilities, rental space, and brewing tours. The
production facilities are located in West Lafayette, IN, Lafayette, IN, and Port Chester, CT.
The company has 45 employees total (including a small IT team). With the success of the
business it has become clear to the executive leadership that cyber and information security
practices must be put in place to protect the company’s assets.
Company Products:
The company currently brews six recipes:
PC Brew Whooping Crane Craft All American beer with a perfect
Beer blend of barley and hops
Page 3
Purdue University
ACE & ACE-HI
PC Brewing Co. Case Study
Page 4
Purdue University
ACE & ACE-HI
PC Brewing Co. Case Study
Sample Invoice
Page 5
Purdue University
ACE & ACE-HI
PC Brewing Co. Case Study
Floor Plan
Page 6
Purdue University
ACE & ACE-HI
PC Brewing Co. Case Study
Floor Plan
Page 7
Purdue University
ACE & ACE-HI
PC Brewing Co. Case Study
PC Brew Existing Technology
Current systems include server hardware running Windows and Linux Server, MSSQL Server,
Active Directory on Premise, Office 365, etc. The networking infrastructure currently in place is
recent and up to date. It consists of a homogeneous Cisco environment (switches, routers,
wireless, etc.).
Other solutions in place include all technology required for brewery control, an inventory control
system, a custom developed self-paced tour system using android tablets, Windows-based
PCs, a cloud based phone system from RingCentral, etc.
Network Diagram
Page 8
Purdue University
ACE & ACE-HI
PC Brewing Co. Case Study
Systems Diagram
Page 9
Purdue University
ACE & ACE-HI
PC Brewing Co. Case Study
Security Considerations
The Cybersecurity Team should address the following areas specifically and
any others that may be applicable.
o The recipe is stored on a Windows 2016 server that does not interact directly
with the internet.
o The Windows 2016 server is able to be accessed by machines on the local
network with the correct credentials, but not from outside the local network.
o The Inventory Control System is connected to a database that connects to the
internet to order items.
o All customer data, including ordering information (financial records) are stored on
the same server with the ICS database.
o How would you do each of the following:
▪ Gain an initial foothold in the network
▪ Pivot to a machine that can connect to the targets
▪ Compromise the targets (list specific vulnerabilities and exploits)
▪ Gain persistence on the target (if you feel it is necessary)
▪ Exfiltrate the data (put in a report for shareholders to understand)
▪ Recommend remediations for specific fixes. (simply stating you would
update is not sufficient).
Page 10
Purdue University
ACE & ACE-HI
PC Brewing Co. Case Study
Page 11
Purdue University
ACE & ACE-HI
PC Brewing Co. Case Study
Considerations
• POS Systems are all Square Registers – info here.
• All tablets are Samsung Galaxy S5e – info here.
• There is a combination of Windows 10 workstations, Windows 2016 servers, and Ubuntu
Servers
o Windows 10 Workstations have version 1903 installed currently.
o Windows 2016 server has version 1709
o Ubuntu Servers are 16.04 LTS.
Page 12