Penetration Testing Plan

03/30/2019

Google LLC is a technological company from America which specializes in Internet-related products and services. Some of the products and services which are offered by Google include search engines, cloud computing, hardware, software, and online advertising technologies. It is considered among the Big Four companies which also include Apple, Amazon, and Facebook. The organization was founded by Larry Page and Sergey Brin in 1998. The founders were Ph.D. students at Stanford University in California. All facilities are subject to a certain level of risk which can be associated with different threats. The threats may be as a result of natural events, intentional acts by human beings to cause harm or accidents (Maglaras et al., 2018). The owners of companies have the responsibility of limiting or managing the risks arising from the threats to the maximum extent possible.

Tangible Assets

Google is one of the best technology companies in the world with a high number of tangible assets within its premises, especially in the headquarters located in Mountain View, California. The information systems, critical infrastructure, and cyber-related interests to be tested include the software of the company, hardware, system interfaces with consideration of internal and external connectivity, data and information, and people who use and support IT system. The aspects will be assessed because they are crucial to the day to day operations of the facility, and a breach in any aspect may lead to major disruption of services. The aspects which will not be assessed include IT system functional requirements, system users, current network topology system security policies which guide the use of the IT system and the architecture of security of the system. The aspects will not be assessed because of the minimal threat they pose to the system, and low probability of risk to arise from them. Moreover, the disruption of the items does not lead to significant interference in the operation of the organization.

Asset Descriptions

The following is a diagram of the flow of assessment activities:

The assets descriptions are outlined below:

· Hardware- Physical parts of the computers.

· IT personnel- Individuals operating computer systems.

Threat Agents and Possible Attacks

There are several threat agents and possible attacks that may face the organization. the company may be subject to floods which may be as a result of excessive rainfall or overflowing ocean water. Tornadoes are also a possible threat to the organization, and these are violent and destructive rotating winds. Other possible natural threats to the organization headquarters include earthquakes, electrical storms, and avalanches. Electrical storms involve the violent disturbance of the electrical condition of the atmosphere, and such an occurrence can destroy any electrical system. The company also faces the human threat of hacking where people may make attempts to gain unauthorized access to their files. There is also the threat of unintentional acts of inadvertent data entry taking place. Another possible threat is the possibility of malicious software upload by people intending to destroy the reputation of the company (Esteves, Ramalho & De Haro, 2017). There is also the treatment of employees of the organization gaining access to confidential information using their credentials. The other possible threat of environmental nature to the organization is a long term power failure, and this may lead adversely affect them because of the use of technological systems highly dependent on power. Pollution may also affect the environment in which the workers perform their duties. The company also faces the threat of industrial espionage by the competitors. Finally, the spillage of dangerous liquids or chemicals from factories can affect the working environment.

Exploitable Vulnerabilities

The following is the list of exploitable vulnerabilities:

· Failure of removal of identifiers of terminated employees

· Buffer overflows

· The firewall of the company allows for inbound tenet, and the identification of guest is allowed on XYZ server

· The failure of application of new patches to one of the systems with an identified flaw

· The server room uses sprinklers for fire protection but there is no hardware to protect from water damage.

· The possibility of code injection in the system.

· Presence of dangling pointers

Existing Countermeasures

The organization has several existing countermeasures to threats and vulnerabilities. The data and crucial information files are backed up in an offsite location. The backup schedule is also accurate to ensure they do not miss out on any information. There are also arrangements for another location in the event that the primary site is rendered to be inoperable. There are also several procedures which protect against the unauthorized access or use of the computer systems. System monitoring is done on a regular basis for detection of any unusual aspects. The company also has a risk analysis plan and security strategy developed from the risk analysis.

Evaluation of Threats or Impacts on the Business

Prioritized List of Identified Risks

References

Maglaras, L. A., Kim, K. H., Janicke, H., Ferrag, M. A., Rallis, S., Fragkou, P., ... & Cruz, T. J. (2018). Cybersecurity of critical infrastructures. ICT Express, 4(1), 42-45.

Esteves, J., Ramalho, E., & De Haro, G. (2017). To improve cybersecurity, think like a hacker. MIT Sloan Management Review, 58(3), 71.