Dissertation: The Use of Penetration Testing in a Business Environment

The aim of the dissertation is to design and implement a framework for penetration testing and forensic investigation to be used within a business environment. Through forensic investigation, the dissertation will demonstrate the advantages gained when important policies are implemented, including: keeping a log of work for everything that happens in the network, especially activity that involves sensitive data; proper management of devices; and policy enforcement for the employees and the company.

The framework was built using concepts from penetration testing and from its actual execution. This includes all the steps and utilities that are used, along with guidelines for performing the penetration test. An analysis of how penetration testing will affect the company, the benefits it has, and the feasibility of a company undergoing such a test on its network is also carried out. Special attention will be given to how the company benefits when such tests are carried out and to pointing out the vulnerabilities found on the network. After these vulnerabilities are found, the dissertation further analyses how the company would be able to remove them and work towards creating a safer network. The tests carried out point out the effects of having such vulnerabilities in a network environment, whether it is a company network or any other type of network. This is important because penetration testing needs to be carried out with a goal in mind; otherwise it will not improve the situation, leading to a waste of time and resources.

This framework will also point out how the data stored on the company’s network needs to be secured against any type of breach or vulnerability. Failure to do so will place the company’s reputation and clients in jeopardy.

The outcome of this dissertation is a guided penetration testing framework which companies in a complex environment can use, without extensive penetration testing experience or expertise, to reduce their network’s vulnerabilities to an acceptable and controlled level.