Innovation at PRog
... three distinct sections, with each section assigned to a team of students from the XXXXXX class. The teams were the External Penetration Team (EPT), the Internal Security Team (IST), and the Policies, Procedures, and Training Team (PPT). The findings in the report represent a collective "best effort" of the students to identify security risks and suggest remediation. The assessment was performed as an academic exercise by students with differing levels of expertise and limited resources, so the findings and recommendations should not be considered comprehensive. THE CLIENT is solely responsible for its utilization, interpretation, and/or reliance on the information provided.

The EPT found that the organization's network is effectively protected against Internet-based attacks by a Raptor software firewall. Although the firewall prevented most attempts to reach the organization's assets from the Internet, there were notable exceptions. Penetration team members were able to access a system running the Compaq Information Manager and obtain valuable information about the server's configuration and the services running on it. The EPT also accessed a Lotus Domino mail server and retrieved lists of e-mail accounts, mailing groups, and other information. Information obtained from these systems could be used by an attacker to stage further attacks. Although the risk posed by the exposure of these two systems is relatively minor, THE CLIENT should reposition both systems behind the firewall and modify their configurations to disable unnecessary services. Overall, THE CLIENT's efforts to protect against Internet-based attacks were excellent.

The IST noted several serious security flaws in the areas of wireless network access, password usage, and physical access to the facility.
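The EPT's two recommendations (move the exposed systems behind the firewall, disable services they do not need) are the kind of finding that is easy to re-check periodically against an inventory. The following is an added example, not part of the assessment report and not a tool used by the student teams: a small Python audit that walks a constructed host inventory and flags any host outside the firewall that exposes a management or directory service. The host names, zone labels, service names and allow-lists are all assumptions invented for the example.

```python
"""Audit a host inventory for management services exposed outside the firewall.

Constructed example: the inventory and allow-lists below are made up to mirror
the summary's findings (a system-management console and a mail server reachable
from the Internet). None of this is the assessment team's data.
"""
from dataclasses import dataclass, field

# Services acceptable on an Internet-facing host (assumption for this example).
INTERNET_ALLOWED = {"smtp", "https"}

# Services that should never face the Internet because they reveal configuration
# or directory data (assumption; generic names, not taken from the report).
MANAGEMENT_SERVICES = {"system-mgmt-console", "snmp", "ldap", "http-admin"}


@dataclass
class Host:
    name: str
    zone: str                      # "internet" (outside the firewall) or "internal"
    services: set = field(default_factory=set)


@dataclass
class Finding:
    host: str
    service: str
    severity: str
    recommendation: str


def audit(hosts):
    """Return one Finding per unnecessary or management service on an Internet-facing host."""
    findings = []
    for h in hosts:
        if h.zone != "internet":
            continue  # hosts already behind the firewall are out of scope for this check
        for svc in sorted(h.services):
            if svc in MANAGEMENT_SERVICES:
                findings.append(Finding(h.name, svc, "high",
                                        "move host behind the firewall; disable the service"))
            elif svc not in INTERNET_ALLOWED:
                findings.append(Finding(h.name, svc, "medium",
                                        "disable the service or restrict it to internal hosts"))
    return findings


def hosts_to_relocate(findings):
    """Hosts with at least one high-severity finding, i.e. candidates for moving behind the firewall."""
    return sorted({f.host for f in findings if f.severity == "high"})


# Constructed inventory (sample data, not from the assessment).
SAMPLE_HOSTS = [
    Host("mgmt-01", "internet", {"http-admin", "snmp", "https"}),
    Host("mail-01", "internet", {"smtp", "ldap", "http-admin", "pop3"}),
    Host("file-01", "internal", {"smb", "http-admin"}),
]

if __name__ == "__main__":
    results = audit(SAMPLE_HOSTS)
    for f in results:
        print(f"{f.severity:6} {f.host:8} {f.service:22} {f.recommendation}")
    print("relocate:", ", ".join(hosts_to_relocate(results)))
```

Run against a real inventory export, the allow-lists are the policy decision: anything in `MANAGEMENT_SERVICES` on an Internet-facing host is a relocation finding, while anything merely absent from `INTERNET_ALLOWED` is a "disable or restrict" finding, which matches the two-part recommendation in the summary.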
The organization's use of unsecured wireless access points gives a potential attacker unrestricted access to the network from areas outside the facility. The use of improperly configured wireless access points completely circumvents the or...