• Milestone 1

  • During the first phase of the project, the team successfully logged on to the server. Upon doing so, the team immediately secured the server with non-default credentials. Preliminary scans have been performed to assess the overall status of the server, and the risk assessment of the server has begun. WordPress has been locked down and each individual user has created secure credentials. Two-factor implementation is still in the works, but we are looking to implement this feature for more protection of the system. We have successfully scanned the system using WPScan as well as LinPEAS.


  • The risk assessment has been completed and the technical scans will be posted on the group project website. The Information Security Policy is completed, and more in-depth definitions will be located on the group project website. The technical plan has been completed and further technical documents will be located on the group project website. Finally, the Gantt chart has been updated to correspond to the work that has been accomplished during the first phase of the project.



IT4983_Milestone_One_PP.mp4
  • Milestone 2

  • During the second phase of the project, the team has accomplished a multitude of tasks to help secure the server and the WordPress site. As a team, we have implemented numerous methods to achieve the goal of a secure system, including two-factor authentication for WordPress, removing root user access to the system, implementing complex passwords for each individual user, and scanning the system for vulnerabilities using Wazuh and OpenVAS, and we have updated the Gantt chart to shadow our work more effectively. Furthermore, we have done extensive pen testing on our system to ensure there are no vulnerabilities, except for the one that we will provide for the other team(s). We have used multiple open-source methods to scope the system. These methods include, but are not limited to, Nmap, Legion, and nikto.

  • In general, when conducting a vulnerability assessment, the goal is to use the tools available to gather as much information as possible about the environment. This means enumerating assets, identifying open listening ports, and comparing the configurations to known CVEs (Common Vulnerabilities and Exposures) related to the asset settings in question. This will help identify the known vulnerabilities that could be open to exploit by a threat actor.

  • This process of assessing vulnerabilities differs from a penetration test in the sense that a true penetration test introduces a human element; someone acting as a threat actor to exploit the identified vulnerabilities and gain access to the network or systems. Depending on the established scope of the penetration test and what the threat actor is authorized to perform, the goal would be to obtain information from the compromised systems and/or make changes that would target the integrity of the network or data. In the case of a small business, if resources allow, the organization will benefit from both a vulnerability assessment as well as a penetration test.

  • There are several tools that can be used for vulnerability analysis, and the following sections will discuss a number of those tools that were used to 1) identify vulnerabilities in the Akwaaba web server environment and 2) attempt to use those vulnerabilities to compromise the confidentiality, integrity, or availability of the web server and its data. We have provided a description of these tools. Our goals for milestone 2 were to use these tools to identify and remediate issues with our own instance of the Akwaaba web server, and then create a plan of attack to use against the other teams in the project.

  • When evaluating tools to be used in the project, the main factors we considered were cost and compatibility. We wanted to use free and open-source solutions in our project, and we targeted tools that were relevant to the analysis of WordPress, MariaDB, Linux, and the other packages installed on the Akwaaba system. We also tried to maintain continuity between our tools by leveraging integrations that can help with functionality, documentation, or reporting. This can be seen specifically in our adoption of Faraday. We believe that the tools we have selected would be functional in implementing vulnerability and penetration testing for both small business and enterprise environments, but we do acknowledge that the options available to an enterprise IT team would be enhanced by the ability to leverage additional resources, including financial resources and labor. This would potentially expand the options available from mostly open-source tools to also include COTS (commercial off-the-shelf) software options.
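
The assessment workflow described above (enumerate assets, identify open listening ports, compare what is found against known advisories) can be sketched over Nmap's XML output. This is an added example, not the team's own tooling: the scan data, the expected-port list, and the advisory table with its placeholder ID are all constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sV -oX` output (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.41"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MariaDB" version="10.3.0"/></port>
    </ports>
  </host>
</nmaprun>"""

# Assumption: ports the web server is supposed to expose.
EXPECTED_PORTS = {22, 80, 443}
# Constructed advisory table: product -> (first fixed version, placeholder advisory ID).
FIXED_IN = {"MariaDB": ((10, 3, 5), "PLACEHOLDER-ADVISORY-001")}

def open_services(xml_text):
    """Return (host, port, product, version) for every port reported open."""
    found = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            found.append((addr, int(port.get("portid")), product, version))
    return found

def version_tuple(text):
    # "8.2p1" -> (8, 2, 1); good enough for ordering dotted versions.
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])

def assess(xml_text):
    findings = []
    for addr, port, product, version in open_services(xml_text):
        if port not in EXPECTED_PORTS:
            findings.append((addr, port, "unexpected open port"))
        rule = FIXED_IN.get(product)
        if rule and version and version_tuple(version) < rule[0]:
            findings.append((addr, port, f"{product} {version} below fixed version, see {rule[1]}"))
    return findings
```
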



IT4983_sweave53_Milestone 2_PowerPoint.mp4
  • Akwaaba is a steakhouse chain with multiple locations throughout the United States. Akwaaba owns a web server hosting an e-commerce site for its restaurants. This project will involve our team of security consultants conducting policy creation, risk assessment, technical plan creation, and offensive efforts against an opposing team. The first phase of the project, milestone 1, was the development of the information security plan for Akwaaba. Also included in the first phase was the risk assessment of the server that our team was assigned. Our team was also responsible for the development and deployment of a technical plan for Akwaaba. We kept on schedule with the use of our Gantt chart because “having a clear view of milestones and key dates you can keep an eye on how things are progressing” (Kashyap, 2019).

  • In the second phase of the project, Milestone 2, our team was responsible for the implementation of the security program that included the information security plan, configuration of the server after the risk assessment, and research and implementation of the tools necessary for vulnerability analysis and penetration testing. These tools were used on each team member’s device so that it would not interfere with the testing web server. During phase two, the team implemented two-factor authentication on WordPress, the removal of root user access to the system, and complex passwords for each individual user, and Wazuh and OpenVAS were utilized in scanning the server for vulnerabilities. The initial toolset that the team created was Nmap, Legion, and nikto. However, upon further research we developed a much broader set of tools including Hydra, WPScan, Sqlmap, Commix, Gobuster, CUPP, Metasploit, BurpSuite, XSser, Faraday, Hashcat, and Nessus. We felt as though we would need many tools to test each possible vulnerability on our server, based on the thought that “without the right tools, a penetration tester may overlook vulnerabilities or weaknesses in the target system or be unable to effectively exploit them” (31 et al., 2021).

  • In the third phase of the project, Milestone 3, our team was responsible for the penetration testing and vulnerability testing of an opposing team’s web server. During this phase we were also responsible for the creation of a vulnerability analysis report based on our findings during the scans and pen testing of the opposition’s server. We were also responsible for the forensic report of our server that is protected by our team. During this phase, we had to ensure that our server remained online at all times with little to no downtime because part of the C.I.A. triad states “data and information systems are available when required” (Techopedia, 2013). Throughout this phase, the team worked diligently performing scans using many of the tools that have been listed. Each member used their own choices of tools that were in the toolbox. The Faraday application was also used to help keep the team in line with each other’s scans. During the scanning and penetration testing, the team was able to uncover a profound amount of data related to the opposition’s server that will be discussed in depth following this portion of the documentation. It will be said that we did not officially hack the opposition’s system; however, we did uncover many faults and vulnerabilities in their system. It will be said that there was a phishing attempt against our team asking for the login information for our server. The email that the person spoofed was Professor Privitera. Our team responded with false information that sent the person to a looped video. Also, the VPN that was necessary to access the IP of the system tampered with the systems and application’s abilities to fully test the vulnerabilities of the web server.

IT4983_sweave53_Milestone3_PowerPoint.mp4