
BMIS3123 Vulnerability Assessment and Penetration Testing (Practice Exam)

Test (20%)

[Duration: 40 minutes]

STUDENT'S DECLARATION OF ORIGINALITY

By submitting this report, I declare that this submitted work is free from all forms of plagiarism. I understand that I have to bear the consequences if I fail to do so.

Name: LIM CHI QING
Student ID: 2309233
Programme: RIS2
Tutorial Group: 5
Signature: LIM
Date: 5/3

Learning Outcomes to be assessed:


Q1: CLO1: Explain the differences between vulnerability assessment and penetration
testing, and various methodologies used. (C4, PLO2)

Q2: CLO2: Explain the professional duties and the legal aspects of being a licensed
penetration tester. (A3, PLO11)

Answer Question 1 and Question 2 based on the following scenario.


UOS Bank (UOSB) offers e-banking services to its customers through UOSB-Connect, which is delivered on two platforms: a web application and a mobile app. UOSB manages its own network infrastructure, which provides internal and external connectivity for all employees across all branches, and UOSB-Connect is hosted within that network. The availability of UOSB-Connect is crucial, as it provides 24/7 e-banking services to customers.

In its effort to provide secure banking services, UOSB has committed to protecting its Information Technology (IT) assets from cyberattacks that could lead to a large-scale data breach or a major disruption of its services to customers. One of these efforts is to obtain and retain Payment Card Industry Data Security Standard (PCI DSS) certification. PCI DSS requires regular penetration testing, so UOSB has to commission penetration testing services to retain the certification.

UOSB is in the process of evaluating third-party vendors to conduct penetration testing services. Assume that you are the Cyber Security Consultant from Security Wise Sdn Bhd (Security Wise). UOSB has approached you about engaging Security Wise to conduct penetration testing services for UOSB. Security Wise offers many types of penetration tests: Network Infrastructure Tests, Application-based Tests, Cloud Penetration Tests, Social Engineering Penetration Tests and Physical Security Tests.

Question 1

a) During the meeting with UOSB, compliance to PCI DSS requirements is discussed.
Propose TWO (2) types of penetration tests that are crucial to meet the PCI DSS
requirements. (2 marks)

Network Infrastructure Tests, Application-based Tests

b) Based on your answer in Question 1 a), briefly explain ONE (1) justification for each type
of penetration tests. (4 marks)

Network Infrastructure Tests: PCI DSS Requirement 11 calls for network-layer penetration testing from both inside and outside the network, including validation that any segmentation isolating the cardholder data environment (CDE) actually works. UOSB hosts UOSB-Connect on its own network, which also carries internal and external traffic for every branch, so a network test checks that the CDE cannot be reached from less-trusted segments and that the hosts and network devices supporting UOSB-Connect do not expose exploitable services or weak configurations.

Application-based Tests: PCI DSS Requirement 11 also calls for application-layer penetration testing that covers, at a minimum, the common application vulnerabilities listed in Requirement 6 (such as injection, broken authentication and cross-site scripting). UOSB-Connect, as a web application and a mobile app, is the customer-facing path to account and payment data, so an application test verifies that secure coding practices have been followed and identifies vulnerabilities that could be exploited to compromise cardholder or other sensitive information.


Question 1 (Continued)

c) UOSB would like to know more about the penetration testing methodologies or standards
that Security Wise will use to conduct the two types of penetration tests based on
your answer in Question 1 a) to convince UOSB that Security Wise is adopting
industry accepted methodologies or standards. Briefly explain TWO (2)
penetration testing methodologies or standards that are suitable for this case. (4
marks)
PTES (Penetration Testing Execution Standard):
● PTES is suitable for both Network Infrastructure Tests and Application-based Tests because it defines a structured methodology with seven phases: pre-engagement interactions, intelligence gathering, threat modelling, vulnerability analysis, exploitation, post-exploitation and reporting. Following it lets Security Wise show UOSB that scoping, testing and reporting follow an industry-accepted process and give the complete coverage of UOSB's network and applications that PCI DSS expects.

OWASP testing guides (Web Security Testing Guide and Mobile Application Security Testing Guide):
● UOSB-Connect is delivered as a web application and a mobile app, so the OWASP Web Security Testing Guide (WSTG) is the relevant methodology for the web platform and the OWASP Mobile Application Security Testing Guide (MASTG) for the mobile platform. Both are industry-accepted, publicly documented sets of test cases covering authentication, session management, input validation, cryptography and related areas, which maps well to the application-layer vulnerabilities PCI DSS requires the Application-based Tests to cover.
[Total:10 marks]

Question 2

Assume UOSB has agreed to engage Security Wise after an extensive evaluation process, and assume that you are the Team Lead of this project. UOSB has agreed to a known-environment (white-box) test for the penetration testing. Legal documents or contracts such as Master Services Agreements (MSAs), Statements of Work (SOWs) and Rules of Engagement (RoEs) usually need to be confirmed before any penetration testing can be conducted.

a) Briefly explain ONE (1) example of a legal restriction that may be included in the SOW
which will be signed between UOSB and Security Wise. (4 marks)

Example of a legal restriction in the SOW: export control compliance

The SOW between UOSB and Security Wise could include an export control clause requiring Security Wise to comply with all applicable export laws and regulations during the engagement. Some penetration testing tools, in particular exploitation frameworks and cryptographic software, are subject to export controls in the jurisdictions that produce them, so the clause would restrict which tools may be used and whether they may be carried or transmitted across borders, for example if testers work from, or transfer engagement data to, another country.


Question 2 (Continued)

b) Assume that all the legal documents and contracts have been signed. It is time for you and your team members to make the necessary preparations prior to conducting the penetration tests. During the internal discussion with your team members, one of them requests the source code and Personally Identifiable Information (PII) of UOSB employees as support resources prior to the penetration testing. Provide your advice based on your team member's requests. (6 marks)

Source Code:

Concerns: In a known-environment test, access to source code is legitimate and improves coverage, but the code is UOSB's proprietary asset and reveals details of its applications, systems and credential handling. Copying it ad hoc could lead to leaks of proprietary information, misuse, or access beyond what UOSB agreed to.

Recommendation: Request the source code only through the channel the signed SOW and RoE provide, and only for the in-scope components (the UOSB-Connect web application and mobile app) rather than the whole code base. Hold it under the non-disclosure terms of the MSA, restrict access to the testers assigned to the application tests, keep it on encrypted, access-controlled systems, and return or securely delete it at the end of the engagement. Where UOSB prefers not to release full source, the relevant modules or design documentation for the areas under test are an acceptable alternative.

Personally Identifiable Information (PII) of UOSB Employees:

Concerns: Employee PII, for example names, postal addresses, bank account numbers and e-mail addresses, is not needed to test UOSB-Connect, and sharing it even for support purposes poses a high risk to employee privacy and may breach data protection law such as Malaysia's Personal Data Protection Act 2010. Exposure of such information could lead to identity theft, legal consequences and reputational damage for both UOSB and Security Wise.

Recommendation: Do not request or accept real employee PII. Ask UOSB for anonymised or fictional test data that mirrors the structure of the real records (same fields, formats and lengths) so the team can exercise realistic scenarios, such as login, account enquiry and transaction flows, without handling data about actual individuals.
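One way to produce the anonymised fixture this recommendation describes, as an added example that is not part of the exam paper or the student's answer: the script below takes constructed employee records and replaces every real value while keeping field names, lengths and the digit/separator layout, so the shape of real PII survives but none of the content does. The secret key, the name pool, the address pattern and the sample records are assumptions for illustration; only the Python standard library is used.

```python
"""Added example (not part of the exam paper): build a pen-test fixture from
employee records that keeps the *shape* of real PII (field names, lengths,
digit/separator layout, e-mail syntax) while replacing every real value."""
import hashlib
import hmac
import random
import re

# Hypothetical secret held by UOSB, never handed to the testing team.
# Pseudonyms are derived from keyed HMAC-SHA256, so they are stable (the same
# employee always maps to the same fixture row) but cannot be reversed or
# reproduced without the key.
PSEUDONYM_KEY = b"uosb-fixture-key-replace-per-engagement"

# Fictional name pool (assumption); none of these appear in the sample input.
FIRST_NAMES = ["Aisyah", "Daniel", "Mei Ling", "Rahim", "Priya", "Wei Jie", "Nurul", "Arjun"]
LAST_NAMES = ["Tan", "Abdullah", "Lim", "Kumar", "Wong", "Ismail", "Lee", "Raj"]


def _seed(value: str, context: str) -> int:
    """Keyed, context-separated 64-bit seed for one field value."""
    digest = hmac.new(PSEUDONYM_KEY, f"{context}:{value}".encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def _reshape_digits(value: str, context: str) -> str:
    """Replace each digit with a keyed pseudo-random digit, keeping length and
    separators ("1234-5678" stays NNNN-NNNN). The result is guaranteed to differ
    from the input: on the rare exact collision the last digit is bumped."""
    if not any(ch.isdigit() for ch in value):
        raise ValueError("field has no digits to reshape")
    rng = random.Random(_seed(value, context))
    out = [str(rng.randrange(10)) if ch.isdigit() else ch for ch in value]
    if "".join(out) == value:
        last = max(i for i, ch in enumerate(value) if ch.isdigit())
        out[last] = str((int(out[last]) + 1) % 10)
    return "".join(out)


def pseudonymise(record: dict) -> dict:
    """Return a fixture row with the same fields as `record` and no real values."""
    rng = random.Random(_seed(record["employee_id"], "identity"))
    name = f"{rng.choice(FIRST_NAMES)} {rng.choice(LAST_NAMES)}"
    local_part = re.sub(r"[^a-z]", "", name.lower())
    return {
        "employee_id": _reshape_digits(record["employee_id"], "employee_id"),
        "name": name,
        # example.com is reserved for documentation (RFC 2606), so mail sent to
        # a fixture address never reaches a real person.
        "email": f"{local_part}.{_seed(record['email'], 'email') % 10000:04d}@example.com",
        "postal_address": f"{rng.randrange(1, 200)} Jalan Contoh, 50000 Kuala Lumpur",
        "bank_account": _reshape_digits(record["bank_account"], "bank_account"),
    }


def leaked_fields(original: dict, fixture: dict) -> list:
    """Fields of `original` whose real value still appears anywhere in `fixture`.
    An empty list is the release check before the fixture leaves UOSB."""
    blob = " ".join(str(v) for v in fixture.values()).lower()
    return [k for k, v in original.items() if str(v).lower() in blob]


# Constructed sample input: fictitious employees, not real people.
EMPLOYEES = [
    {"employee_id": "E10234", "name": "Farah Zainal",
     "email": "farah.zainal@uosb.example",
     "postal_address": "12 Jalan Ampang, 50450 Kuala Lumpur",
     "bank_account": "1234-5678-9012"},
    {"employee_id": "E10235", "name": "Gopal Menon",
     "email": "gopal.menon@uosb.example",
     "postal_address": "7 Lorong Kinta, 30000 Ipoh",
     "bank_account": "9876-5432-1098"},
]


def build_fixture(records=EMPLOYEES) -> list:
    """Pseudonymise every record and refuse to return a fixture that leaks."""
    fixture = [pseudonymise(r) for r in records]
    for real, fake in zip(records, fixture):
        leaks = leaked_fields(real, fake)
        assert not leaks, f"real values survived in {leaks}"
    return fixture


if __name__ == "__main__":
    for row in build_fixture():
        print(row)
```

The key stays with UOSB: running the script with the same key yields the same pseudonyms, so fixtures built from several exports still join on employee_id, while the testing team, which never sees the key, cannot map a row back to a person. `leaked_fields` is the check to run on the output before it is handed over.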

[Total:10 marks]