
Create a Penetration Testing plan #40

Closed
2 of 6 tasks
ExperimentsInHonesty opened this issue Aug 11, 2022 · 12 comments

Comments

@ExperimentsInHonesty
Member

ExperimentsInHonesty commented Aug 11, 2022

Overview

We need to create a Penetration Test Methodology for Hack for LA projects so that we can integrate routine security testing into each project.

Action Items

  • review some websites
  • define a process and documentation
    • templates
      • repos
      • hosted applications
      • drives

Resources/Instructions

A site which defines the process https://www.imperva.com/learn/application-security/penetration-testing/

@KHGonzalez
Member

What are the priorities?

Internal information needs to be audited prior to performing an external penetration testing plan.

Small guide Cybersecurity for Nonprofits: Best practices

First Step - Risk Assessment

Will follow Template / Guide on this link

Inventory all the data that we collect. Where is it stored?

Excel template for information identification and classification has been created.

@ExperimentsInHonesty
Member Author

@KHGonzalez Please provide update

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures or links* (if necessary): "Add any pictures or links that will help illustrate what you are working on."
  • remember to add links to the top of the issue if they are going to be needed again.

@ExperimentsInHonesty
Member Author

@KHGonzalez We have not heard from you since you last commented on this issue, so we are assuming you have left Hack for LA. If you want to come back and/or reassign yourself to this issue, feel free. But in the meantime, I am putting it back into the prioritized backlog.

@sgordi
Member

sgordi commented Feb 1, 2023

Taking lead on this project if that is okay. Below I have a testing methodology I wrote up to get the ball rolling.

**Planning and Preparation:**
- Define the scope and objectives of the test
- Identify the stakeholders and their requirements
- Obtain necessary approvals and sign-offs
- Gather information about the target systems and networks

**Reconnaissance:**
- Collect information about the target organization, its employees, network, and systems
- Use tools and techniques like OSINT, WHOIS, and DNS reconnaissance to gather information

**Threat Modeling:**
- Identify potential threats to the organization
- Evaluate the impact and likelihood of each threat

**Vulnerability Assessment:**
- Identify vulnerabilities in the target systems and networks
- Use tools like network and web application scanners to automate the process
- Validate the findings manually

**Exploitation:**
- Attempt to exploit the identified vulnerabilities
- Test the security controls and response mechanisms in place

**Reporting:**
- Document the findings and provide recommendations
- Present the results to the stakeholders
- Provide a roadmap for remediation

**Follow-Up:**
- Monitor the remediation process
- Perform additional tests to verify the effectiveness of the remediation efforts

@sgordi
Member

sgordi commented Feb 1, 2023

Set up a Security Management folder on the shared drive that can be found at DevOps (Communities of Practice).

I also took the liberty of running a web scan on a personal test site with Nikto and posted the log results as a baseline. Although not a complete and thorough scan, it's a good starting point for the Ops Team.

@ExperimentsInHonesty
I added a document with the methodology I had written above. Additionally, I wrote a quick info and process doc for Nikto and how it would be used for scanning. I would like to go ahead and start following standard practice and put in a request to scan a hfla site (preferably a temporary test site; if not, a site with the least traffic + after-hours scan) pending your and the Ops Team's approval.

These are my initial findings of course and if there are additional steps + precautions you need me to take please let me know.

@sgordi
Member

sgordi commented Feb 1, 2023

Blockers: @ExperimentsInHonesty I did a DNS lookup for the hfla primary site. It appears that the website is proxied by its DNS provider Cloudflare. This means that the IP that leads to the website isn't the IP for hfla but the IP for Cloudflare's DNS servers.

A vulnerability scan for hfla would have to be in collaboration with the site admin in order to turn off the Cloudflare proxy temporarily to complete the scan. Will document what this process should look like in the Security Management folder.
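The scoping problem described in the comment above, as an added example (it is not from this thread or from Hack for LA's own tooling): before scheduling a scan of a site you own, resolve its hostname and check whether the returned addresses sit in Cloudflare's published IPv4 ranges. If they do, an external scanner would be exercising Cloudflare's edge rather than the origin server, which is exactly why the comment calls for coordinating with the site admin first. The hostnames and lookup results in `SAMPLE_LOOKUPS` are constructed so the script runs offline; the range list is copied from Cloudflare's published IPv4 list (https://www.cloudflare.com/ips-v4) and should be re-fetched before use, since it changes over time. `resolve_ipv4` is an optional live-lookup helper that needs network access and is not called by the sample run.

```python
"""Scoping check: does a hostname resolve to a Cloudflare edge address or to the origin?

Added example for the scan-planning discussion; not part of the original issue.
"""
import ipaddress
import socket

# Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Re-fetch before relying on this list; it is a snapshot, not an authority.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CLOUDFLARE_NETS = [ipaddress.ip_network(cidr) for cidr in CLOUDFLARE_IPV4]


def is_cloudflare(ip: str) -> bool:
    """True if the address falls inside any published Cloudflare IPv4 range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)


def classify(hostname: str, addresses: list[str]) -> dict:
    """Return a scoping verdict for the addresses a hostname resolved to.

    proxied    - every address is Cloudflare edge: an external scan tests Cloudflare, not you
    direct     - no Cloudflare addresses: the scanner reaches the origin
    mixed      - some records proxied, some not; scope needs clarifying
    unresolved - no addresses at all
    """
    proxied = [a for a in addresses if is_cloudflare(a)]
    origin = [a for a in addresses if not is_cloudflare(a)]
    if proxied and not origin:
        verdict = "proxied"
    elif origin and not proxied:
        verdict = "direct"
    elif proxied and origin:
        verdict = "mixed"
    else:
        verdict = "unresolved"
    return {"hostname": hostname, "verdict": verdict, "cloudflare": proxied, "origin": origin}


def resolve_ipv4(hostname: str) -> list[str]:
    """Live A-record lookup via the system resolver (needs network; not used below)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


# Constructed sample lookups (hypothetical hostnames; 203.0.113.0/24 is the
# TEST-NET-3 documentation range, so it never belongs to Cloudflare).
SAMPLE_LOOKUPS = {
    "proxied.example": ["104.16.10.20", "172.67.5.6"],
    "origin.example": ["203.0.113.10"],
    "mixed.example": ["104.16.10.20", "203.0.113.10"],
}


def scoping_report(lookups: dict = SAMPLE_LOOKUPS) -> dict:
    """Classify every hostname in a lookup table; returns hostname -> verdict dict."""
    return {host: classify(host, addrs) for host, addrs in lookups.items()}


if __name__ == "__main__":
    for host, result in scoping_report().items():
        print(f"{host}: {result['verdict']}  cloudflare={result['cloudflare']}  origin={result['origin']}")
```

A "proxied" verdict is the signal to stop and arrange the temporary proxy bypass (or an alternate scan target) with the site admin before any scan is scheduled; a "mixed" verdict usually means only some DNS records are proxied and the scope needs to be written down record by record.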

@JasonEb
Contributor

JasonEb commented May 31, 2023

@sgordi any update on this ever since? I see your work at https://drive.google.com/drive/folders/1FqEkm1O5fJrr3UHF42CQcFmzTa9bMquY; it's pretty profound. Not sure if there's anything more you want to share, but it looks like we can close this ticket. If there's more to do, we can open another one.


@chelseybeck
Member

I'm moving this back to new issue review for refinement. Great work was done here and I want to make sure that it's reviewed and documented in the right place (likely the wiki).

@freaky4wrld
Member

@chelseybeck please specify your question: what are you asking for here?

@ExperimentsInHonesty
Member Author

This issue is being moved to the new issue approval column so that a CoP lead can summarize all the notes that are necessary in order for a new person to take on this issue, add that summary to the top, and hide all the comments. The goal here is to make the issue clear for a new person, while taking advantage of all the work that went into it so far.

@chelseybeck
Member

Leads met and agreed that we should close this issue, as there is nothing to pen test when we use cloud services.

chelseybeck closed this as not planned on May 9, 2024.

7 participants