For this assignment, you will write rules of engagement (ROE) for a penetration test (pen test) based on the CMI network topology, security issues, and
operational activities. The ROE will include a step-by-step procedure to conduct a pen test for CMI without comprising the operational missions and
activities.
This assignment is based on the Cyber Marketing Inc. Case Study provided in this course. The CMI network diagram (Links to an external site.) (opens in a
new browser window) is shown below for your convenience but is also available in the CMI Case Study.Procedures
You will prepare a penetration test ROE agreement to engage with CMI. The ROE is a contractual paper both you and CMI will sign to engage in execution of
the penetration test. As an external pen tester, you will present the ROE to CMI in order to communicate the scope of the work and knowledge in executing
the pen test procedures in detail, including schedule, activities, and security testing procedures. Details in step by step pen test procedures will educate CMI
with expectations of pen test results. CMI will not expect any surprises based on the ROE because the pen test activities will be clearly communicated and
agreed upon between both parties.
Please write 2 pages ( 2 of content and no cover page 1 reference), be detail oriented, APA 6th edition,
Back Story to CMI: Cyber Marketing, Inc. (CMI) is a marketing company that markets its products and services to thousands of its clients across North
America. As a marketing company, the products and services catalog is an important corporate asset to keep up-to-date for its clients. In order to keep its
products and services updated at all times, its corporate IT infrastructure plays an important role in processing data within and between the company and
the clients. The following organization chart depicts the CMI executive management team.For the assignments related to this case study, you will assume
the role of a Cybersecurity Manager at Cyber Marketing Incorporated. You have been educated, trained, and hired to protect the physical, logical, and
operational security of CMI’s corporate information system. CMI has experienced several cyber-attacks from outsiders over the past a few years. In 2013, the
Oracle database server was attacked and its customer database lost its confidentiality, integrity, and availability for several days. Although the company
restored the Oracle database server back online, its lost confidentiality damaged the company reputations. CMI ended up paying its customers a large sum
of settlement for their loss of customer data confidentiality. Another security attack was carried out by a malicious virus that infected the entire network for
several days. While infected, the Oracle and e-mail servers had to be shut down to quarantine these servers. In the meantime, the company lost $1.2 Million
in revenue and intangible customer confidence.You are responsible for a corporate WAN spanning 10 remote facilities and interconnecting those facilities to
the central data processing environment. Data is transmitted from a remote site through a VPN appliance situated in the border layer of the routing topology;
the remote VPN connects to the internal Oracle database to update the customer data tables. Data transaction from the remote access to the corporate
internal databases is not encrypted.
A bulk of the data processing for your company is handled by Oracle database on a high-end supercomputer. The trusted computing based (TCB) internal
network is situated in a physically separated subnet. This is where all corporate data processing is completed and the internal support team has its own
intranet web server, a SUS server, an internal DNS, an e-mail system, and other support personnel workstations. Each corporate department is segregated
physically on a different subnet and shares the corporate data in the TCB network.