COMP3320 Vulnerability Assessment and Penetration Testing



Assignment (Weighting 15%)

This Assignment is due before 4:00 pm, Tuesday 15th April 2025.

Vulnerability Assessment and Penetration Test

This assignment encompasses the client management, ethics, and reporting side of vulnerability assessments and penetration tests, while your practical classes cover the “active” components of vulnerability assessments and penetration testing.

The final report for this assignment is due before 4:00 pm, Tuesday 15th April 2025 (before the Week 8 lecture). Late penalties apply from 4:00 pm onwards. See the ECP for details.

[UPDATED 25/2/2025] This assignment simulates a practical VAPT engagement, including the ethical vagaries that occasionally occur, so there are some marks for your solution to two ethical issues that will arise during your engagement. These will require you to research not only the legal ramifications of the issues in question, but also how you will handle the issues, including how you report the issues and the timing for reporting those issues. The details will come with the penetration test stage of the engagement. Your solution to each issue is to be included as a separate appendix (one per issue) as part of, and submitted with, your final report.

Your client is Davros Industries. Davros Industries mines rare earth elements and is enjoying a healthy return from its lithium mining operations due to the surge in domestic battery production as Australia scrambles to meet its 2030 emissions targets.

Davros Industries has engaged your company (you can think up your own company name) to perform a black-box vulnerability assessment and penetration test of their systems. You have just completed the kick-off meeting at 4:00 pm today and agreed on the Terms of Engagement, including “regular updates” and the final report due no later than 7 weeks’ time (i.e. before 4:00 pm on Tuesday 15th April 2025).

As it is to be a black-box test, you have no technical details at this stage, but in the kick-off meeting you saw one of the participants with a Windows login screen on their laptop. There was a video-conferencing screen in the room clearly showing a Windows 10 desktop, and it remained logged in and idle for the entire 1-hour meeting and never timed out. They clearly use Microsoft systems on their corporate network. Their emails come from Microsoft servers, but not M365 (Azure) servers, so they are using in-house mail servers, and you therefore suspect all corporate systems are based on in-house Microsoft servers.

During the meeting you discussed their corporate objectives and difficulties, and you now know they have a working open-cut mine in western Queensland, which is producing above-expected yields for processing into lithium and has attracted both national and international interest. ASD representatives have met with the Davros Industries CISO to advise them that they have detected attempts at clearly malicious traffic to Davros Industries’ Web servers originating from the country of Kamaria. In addition, you have discovered that they made an (ill-advised) attempt to get a lease to mine part of Kakadu (in the national park, Bininj/Mungguy Country) in the Northern Territory, which, although rejected, has angered numerous environmental groups.

You have dispatched one of your team to do reconnaissance, find their external facing addresses, and perform a vulnerability scan on them, but as with a real VAPT, you won’t get the results for some days (in our case, next week, when we do the next lecture that will give you a better understanding of the process). In the meantime, you should use this first week to start to gather information for your Threat Analysis (it is black-box, so you will have to consider generic threats, plus the little bit of information you have from your first meeting) and also start considering what you will need to lay out your final report to Davros Industries.

This is a level 3 course; you will not be given a fixed format for your VAPT report. You should review available reports on the Internet and decide how best to get your points across. Your report MUST include a Threat Analysis (and thus the Threat Environment as you see it for Davros Industries), a section on the Vulnerability Assessment, and a section on the Penetration Test.

Again, following a real VAPT process, you can’t do a Vulnerability Assessment without targets (reconnaissance) and you can’t do the penetration test until you have the results of the vulnerability scans. Each of these takes time and you never have everything at the start.

Research

You should research cyber-security threats relevant to the scenario above (Australian, mining, national interest, corporate network, operational network, etc.). What are the likely threat actors, what are their capabilities, what is their intent and their commitment? To save you time in this initial research, your reconnaissance is going to come back advising that the OT networks are running mostly Siemens SCADA equipment with IP (Internet Protocol) between most devices although some devices use MODBUS between the cabinets and the end equipment.

Your search should involve a variety of types of sources: OSInt (Open Source Intelligence) sites, Journals, and Internet sources. ALL sources MUST be correctly referenced in your report.

From the ECP, you must “compile a report that demonstrates the ability to locate high quality sources of relevant information, to understand complex concepts, to analyse and organise information and ideas and to convey those ideas clearly, concisely and fluently; and the ability to synthesize a clear and paper of the appropriate level and style.”

This task has been designed to be challenging, authentic and complex. Whilst students may use AI and/or MT technologies, successful completion of assessment in this course will require students to critically engage in specific contexts and tasks for which artificial intelligence will provide only limited support and guidance.

A failure to reference generative AI or MT use may constitute student misconduct under the Student Code of Conduct.

Final Report

Target Audience

The audience for your report is Davros Industries’ Executives, not technical experts! Your report must be relevant to the Executive. It is the executives who allocate budget for security initiatives.

Technical details should be put in appendices.

Report Length (NOT including images, test outputs, appendices, or references)

The recommended length of the report is 2000 – 2500 words, including the text in any tables that you have created. Try to be as concise as possible.
These 3 pages have 1600 words. So, you are looking at 5 pages of your words in an 11-point font.

Report Structure

This is a SHORT (in length) assignment. Please do NOT include a formal abstract or any additional “Executive Summary”. This report is targeted at an executive audience. The structure of the main content, e.g. the number of sections, headings etc. is up to you. It is important that the report has a logical flow and is easy to read. Professional and consistent formatting is expected.

Referencing Style

For this assignment, you are required to use the IEEE referencing style, which is simple and widely used, in particular, in the areas of Electrical Engineering and Computer Science.

Assessment – Marking Scheme (15 marks, 15% of course – 1% per mark)

3 marks: Threat Analysis gave the client an accurate picture of the Threat Environment.
2 marks: Threat Analysis gave the client a good picture of the Threat Environment.
1 mark: Threat Analysis gave the client a workable picture of the Threat Environment.
0 marks: Threat Analysis gave the client a poor picture of the Threat Environment.

3 marks: Vulnerability Assessment was easy to read and included everything for this report.
2 marks: Vulnerability Assessment was not so easy to read or was missing all the detail needed.
1 mark: VA was difficult for non-technical readers or was missing important details.
0 marks: VA was highly technical with poor explanations or was missing a critical detail.

3 marks: Pen Test outcome was easy to read and included everything the Executive needed.
2 marks: Pen Test outcome was not so easy to read or was missing all the detail needed.
1 mark: Pen Test outcome was difficult for non-technical readers or missing important details.
0 marks: Pen Test outcome was highly technical, poor explanations or missing a critical detail.

[UPDATED 25/2/2025]:

2 marks: Your solution to first discovery issue is entirely appropriate.
1 mark: Your solution to first discovery issue is adequate but has unnecessary impacts.
0 marks: Your solution to first discovery issue does not resolve all legal and ethical concerns.

2 marks: Your solution to second discovery issue is entirely appropriate.
1 mark: Your solution to second discovery issue is adequate but has unnecessary impacts.
0 marks: Your solution to second discovery issue does not resolve all legal & ethical concerns.

2 marks: Citations and reference list contains necessary information, IEEE formatting.
1 mark: Minor errors in citations or references, IEEE formatting is used consistently.
0 marks: Many errors or missing citations or references or not in IEEE format.

