You should analyze the given systems focusing on the security aspects and Your work will consist not only in identifying existing vulnerabilities: Security Analyst Assignment, TU, Singapore

Task

You should analyze the given systems focusing on the security aspects. Your work will consist not only in identifying existing vulnerabilities and misconfigurations but also in making an earnest effort to practically demonstrate how such vulnerabilities can be exploited. The report is intended for a technically knowledgeable audience, but it should be introduced by a short executive summary for a broader audience.

Although you are allowed to use automated tools, the company made a specific request to use whenever feasible manual (or scripted) examples in order to demonstrate the attacks, as they provide a clearer explanation of the vulnerability exploited.

Scenario

“EVC” is a manufacturer of components for electric vehicles. They used to run IT services in-house until 3 years ago when in a cost-cutting exercise the activities done by the IT department were outsourced to an external provider called “XPR”.

Therefore, the computers currently used by the company are set up, configured, and managed by the external provider. “EVC” still has a small IT department, which mostly maintains end-user applications. Additionally, the IT department also carries out a range of onsite interventions, sometimes under the guidance of “XPR”.

The IT department does not include any security specialists, but it has raised a concern regarding the security of the systems currently managed by “XPR”. They are worried about potentially vulnerable software installed on the systems despite updates being available for some time.

They raised the issue to the management, which initially ignored the concern. However, after a formal consultation with the worker’s representatives, they agreed that an independent audit should be carried out. They were convinced by the fact that the initial 4-year contract with “XPR” is going to expire in 12 months.

The company has agreed to appoint two security analysts, who will work independently. As one of the two auditors, you are asked to analyze several systems and make an assessment of their security. The systems provided are clones of existing ones and there is no concern of damage you could cause because of your analysis. You are only subject to a standard non-disclosure agreement (NDA).