College

You are presented with three challenges related to events in a simulated penetration test. Using the Framework for Ethical Decision Making, the EC-Council Code of Ethics, and any other literature on ethical decision-making you find useful, fully describe the following for each challenge:

1. **The factors related to the ethical issue:** Describe any legal factors involved.

2. **The relevant facts:** Include stakeholders, harms, benefits, and available options.

3. **The ethical approach(es) used to evaluate the available options:** Explain why that approach was considered.

4. **How the decision was tested and why the selected option is the best choice.**

5. **What to expect after implementing the decision.**

**Case:**

The following challenges were encountered during penetration testing services for a client. The client was a web developer and hosting company. The client operates their own data center and has a cloud-based expansion capability to support rapid scaling. Although the client is not specified, the Statement of Work (SOW) between the penetration testing team and client [ORGANIZATION] is provided in Attachment B. The SOW is the explicit agreement between the penetration testing team and the client. The SOW authorizes specific activities and sets the boundaries for the penetration testing team. Read and comprehend the SOW before answering the following challenges.

**Challenge 1 - Apache 2.4.23 mod_http2:**

The penetration testing team discovered a client's public-facing custom web application deployed on Apache 2.4.23. The custom web application was built on HTTP/2 and includes the mod_http2 module. Apache 2.4.23 mod_http2 is vulnerable to CVE 2016-8740, and a public exploit exists on Exploit Database EDB-ID 40909. No other public exploits are known. The vulnerability does not restrict request-header length, which allows a remote attacker to force a denial of service through excess memory consumption via crafted CONTINUATION frames in an HTTP/2 request. The discovered server runs a custom production web application which is critical to the client's business operations. The penetration testing team must decide how to proceed.

**Challenge 2 - VPN Access:**

The penetration testing team conducted a phishing attack against the client's employees. The phishing attack requested users to verify their domain login credentials and as a result, collected login credentials from multiple users. The same attack also deployed backdoors on victim workstations. Post-enumeration of an employee's company workstation resulted in the export of their Microsoft Outlook email archive. Examination of that file revealed login credentials to a VPN account that had been created for a vendor. Judging by the recency of the email, it is estimated that the vendor's VPN account is a) active and b) would provide unrestricted access to the client's internal LAN. The penetration testing team must decide how to proceed.

**Challenge 3 - Amazon Web Services (AWS) Server:**

An employee responded to the phishing attack. As a result, their workstation was fully compromised. Penetration testers successfully gained system-level access to the employee's workstation. During post-attack enumeration, the penetration testers discovered documentation for a development network. It was not initially clear where that development network resided, but with additional work, testers discovered the development network resided in an AWS project. The developer's documentation was thorough. It included network topology, IP addresses, operating system version information, and service version information. It also included system and application login credentials, vulnerability testing results, and documentation for installed and failed patches. The penetration testing team must decide how to proceed.

Answer :

Final answer:

Three ethical challenges in a simulated penetration test, namely: Apache server vulnerability, misuse of credentials through phishing, and gaining system-level AWS server access. These can be dealt with by adherence to the EC-Council Code of Ethics and the Framework for Ethical Decision Making, which prioritize areas like legality, confidentiality, and professionalism. The decisions made should prioritize the well-being, interests of the client, and respect boundaries set by Statement of Work (SOW).

Explanation:

This question explores three ethical challenges within a simulated penetration test. These challenges involve: 1) vulnerabilities in an Apache server; 2) misuse of user credentials collected through a phishing campaign; and 3) system-level access to an AWS server through a phishing attack.

Each challenge presents a unique ethical dilemma. For example, with the Apache server vulnerability, the ethical decision lies in how to disclose and address the vulnerability while minimizing impact to the client’s business operations. The misuse of login credentials obtained through a phishing attack calls for an analysis of whether, and to what extent, the testers should utilize these credentials. Finally, in gaining system-level access to an AWS server, penetration testers must decide whether to exploit this access or simply report the findings to the client.

These ethical considerations must be guided by relevant codes of ethics, such as the EC-Council Code of Ethics, which emphasizes areas such as legality, confidentiality, and professionalism. Additionally, the Framework for Ethical Decision Making can be used to evaluate the consequences and implications of various actions, from who will be affected, to the potential harms and benefits of each option.

The penetration testing team should always prioritize the well-being and interests of the client and respect the boundaries set by the Statement of Work (SOW). Testing each decision for potential consequences and evaluating them against ethical principles can guide the team in choosing the best approach. Ultimately, ethical decision making in penetration testing is about balancing the need for security improvements with respect for client boundaries and professional integrity.

Learn more about Ethical Decision Making in Penetration Testing here:

https://brainly.com/question/34137201

#SPJ11