Analysis - Western Governors University
Evaluation of the Penetration Testing Plan
for Western View Hospital
A. Alignment Between Client's Goals and the Penetration Testing Plan
1. Client's Goals, Objectives, Functions, Processes, and Practices
Western View Hospital (WVH) is a rural, 100-bed healthcare facility. Its primary goal
in engaging with a penetration testing provider is to ensure the security of patient
data and financial records, with the added requirement of maintaining compliance
with the Health Insurance Portability and Accountability Act (HIPAA), which
governs the protection of Personally Identifiable Information (PII) and
Protected Health Information (PHI) (Department of Health and Human Services,
2023). WVH's IT infrastructure includes both wired and wireless networks, an
on-premises Active Directory (AD) system, and endpoint security managed by
McAfee. The hospital's modernization of its patient record system aims to support a
secure and compliant healthcare environment (Pruhart Tech, 2024). Its processes
center on data management, regulatory adherence, and efficient healthcare
delivery.
2. Structure of the Penetration Testing Plan
The plan comprises two primary phases:
- Internal Phase: This phase will evaluate potential weaknesses within the
hospital's internal network. Network Mapper (Nmap) will scan for open ports
and vulnerabilities. A specific focus will be placed on critical servers,
particularly the McAfee security server, to assess whether a system
compromise could lead to the exposure of sensitive information (Pruhart Tech,
2024).
- External Phase: This will involve scanning the hospital's externally facing
assets to identify vulnerabilities that could be exploited from outside the
network. Tools like Burp Suite will simulate attacks against the hospital's
public-facing systems (Pruhart Tech, 2024).
- Social Engineering: A simulated phone-based social engineering attack will
be performed in this phase. The objective is to test whether employees can be
manipulated into providing sensitive information, such as login credentials,
under the guise of IT support (Pruhart Tech, 2024).
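The Internal Phase above relies on Nmap to find open ports on critical servers such as the McAfee security server. The script below, an added example rather than part of the assignment or the Pruhart Tech plan, shows how a tester would turn an Nmap `-sV -oX` scan into a prioritized list of cleartext services, critical hosts first. The XML it parses is a constructed sample in Nmap's real output schema with made-up addresses; the set of hosts treated as critical and the list of cleartext services are assumptions for illustration.

```python
"""Triage Nmap -sV XML output for cleartext services on critical hosts.

Added example, not part of the assignment or the Pruhart Tech plan. Assumes
the scan was saved with -oX; SAMPLE_NMAP_XML below is constructed sample
output in the real Nmap schema, with made-up hosts.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Services that carry credentials or data in the clear unless Nmap reports
# tunnel="ssl" on the <service> element (assumed list for illustration).
CLEARTEXT_SERVICES = {"http", "ftp", "telnet", "ldap", "smtp", "pop3", "imap"}

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.10.1.0/24" version="7.94">
<host><status state="up"/>
<address addr="10.10.1.5" addrtype="ipv4"/>
<hostnames><hostname name="epo.wvh.example" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
</ports></host>
<host><status state="up"/>
<address addr="10.10.1.20" addrtype="ipv4"/>
<hostnames><hostname name="dc01.wvh.example" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="389"><state state="open"/><service name="ldap"/></port>
<port protocol="tcp" portid="636"><state state="open"/><service name="ldap" tunnel="ssl"/></port>
<port protocol="tcp" portid="23"><state state="filtered"/><service name="telnet"/></port>
</ports></host>
<host><status state="down"/><address addr="10.10.1.99" addrtype="ipv4"/></host>
</nmaprun>
"""


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    critical: bool


def parse_open_ports(xml_text):
    """Yield (host, port, service_name, tls) for every open port on an up host."""
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts have no port data worth reporting
        address = host.find("address")
        if address is None:
            continue
        addr = address.get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not exposure
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            tls = svc is not None and svc.get("tunnel") == "ssl"
            yield addr, int(port.get("portid")), name, tls


def triage(xml_text, critical_hosts):
    """Return cleartext-service findings, critical hosts first."""
    findings = []
    for addr, port, name, tls in parse_open_ports(xml_text):
        if name in CLEARTEXT_SERVICES and not tls:
            findings.append(Finding(addr, port, name, addr in critical_hosts))
    return sorted(findings, key=lambda f: (not f.critical, f.host, f.port))


if __name__ == "__main__":
    # 10.10.1.5 stands in for the McAfee security server (assumed address).
    for f in triage(SAMPLE_NMAP_XML, {"10.10.1.5"}):
        tag = "CRITICAL" if f.critical else "info"
        print(f"[{tag}] {f.host}:{f.port} {f.service} served in cleartext")
```

The `tunnel="ssl"` attribute is how Nmap's version detection marks a service it reached through TLS, which is why port 443 on the first host is not reported while port 80 is; filtered ports and down hosts are skipped because they represent no reachable exposure.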
3. Misalignments Between the Plan and the Client's Goals
- Regulatory Testing Gaps: One critical gap in the plan is the absence of
specific compliance-related testing for HIPAA and other relevant regulations,
such as the Health Information Technology for Economic and Clinical
Health (HITECH) Act. Since WVH is focused on protecting patient data,
regulatory compliance is a key priority, and the plan does not adequately
address this (Centers for Medicare and Medicaid Services, 2023).
- Limited Social Engineering Scope: While the plan incorporates a social
engineering component, it is confined to vishing. This narrow approach limits
the test's ability to assess the hospital's overall susceptibility to other common
attack vectors, such as phishing emails or USB drops, which are also widely used
in cyberattacks.
B. Evaluation of the Penetration Testing Plan
1. Best Practices and Frameworks
Best Practices:
- The National Institute of Standards and Technology (NIST) Special
Publication 800-115 outlines a comprehensive approach to penetration
testing, focusing on evaluating physical and logical security measures
(Scarfone et al., 2021).
- Another industry standard, the Penetration Testing Execution Standard
(PTES), provides structured guidelines for conducting thorough penetration
tests, including phases for scoping, vulnerability analysis, and post-test
reporting (Penetration Testing Execution Standard, 2023).
Frameworks:
- HIPAA emphasizes the need for secure handling of e-PHI, particularly ensuring
that data is protected during transmission and at rest (Department of Health
and Human Services, 2023).
- HITECH complements HIPAA by mandating regular audits and other security
measures to protect electronic health records and ensure that organizations
meet privacy and security requirements (Centers for Medicare and Medicaid
Services, 2023).
2. Comparison of the Plan to Best Practices and Frameworks
The current plan aligns with some best practices, such as using vulnerability
scanning tools like Nmap for internal assessments, but falls short in other areas. For
instance, the plan lacks a focus on data encryption testing for information in transit
and at rest, which is a critical part of HIPAA compliance (Scarfone et al., 2021). The
social engineering component, while included, could be expanded to incorporate
additional attack vectors, as recommended by PTES and other best practices
(Penetration Testing Execution Standard, 2023). Moreover, physical security testing,
emphasized in both NIST and the Open Source Security Testing Methodology
Manual (OSSTMM), is absent from the current plan, though it is crucial for a
healthcare setting (Open Source Security Testing Methodology Manual, 2024).
C. Proposed Improvements and Solutions
1. Recommendations for Improvements
- Broaden the Social Engineering Scope: To thoroughly assess employee
awareness and the hospital's vulnerability to manipulation, the social
engineering phase should include phone-based attacks, simulated email
phishing campaigns, and physical access attempts (Scarfone et al., 2021).
- Add HIPAA-Specific Compliance Testing: The plan should include tests
designed to precisely evaluate the hospital's compliance with HIPAA, such as
checking for proper data encryption at rest and in transit. This addition would
ensure that the hospital's information systems meet regulatory requirements
(Department of Health and Human Services, 2023).
2. Solutions to Identified Problems
- Solution for Limited Social Engineering Scope: Implement phishing tests
through email in addition to phone-based tests. A well-crafted phishing email
campaign, with spoofed hospital communications, can simulate real-world
threats and better assess staff training and awareness. Incorporating tactics
like USB drops can also test physical access security.
- Solution for Regulatory Gaps: By implementing tools such as Wireshark,
the penetration test can include assessments of data encryption during
transmission, ensuring that WVH complies with HIPAA requirements regarding
protecting sensitive information. Additionally, the test should evaluate how well
the hospital safeguards data at rest (Scarfone et al., 2021).
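Both the recommendation to check encryption in transit (C.1) and the Wireshark-based solution above (C.2) come down to one question per captured conversation: is this stream actually protected by TLS, whatever port it runs on? The script below, an added example that is not part of the assignment or the Pruhart Tech plan, classifies the first payload bytes of each TCP stream (as exported from a capture with Wireshark's "Follow TCP Stream") by looking for a TLS ClientHello record header versus cleartext protocol signatures, and reports anything that is not positively TLS as evidence for the HIPAA transmission-security finding. The stream records, addresses and payloads are constructed samples, and the list of ports where TLS is expected is an assumption.

```python
"""Classify captured TCP streams as TLS or cleartext from their first payload
bytes, independent of the port they ran on.

Added example, not part of the assignment or the Pruhart Tech plan. Assumes
the tester exported the first bytes of each stream from a capture; the streams
in SAMPLE_STREAMS are constructed, with made-up addresses and payloads.
"""
import re
from dataclasses import dataclass

# Cleartext signatures: an HTTP request line, or a greeting banner from
# SMTP/FTP ("220 "), POP3 ("+OK ") or IMAP ("* OK ").
HTTP_REQUEST = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
SERVICE_BANNER = re.compile(rb"^(220|\+OK|\* OK) ")
TELNET_OPTIONS = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT following IAC 0xFF
# Ports where TLS is expected; cleartext here points at a misconfiguration (assumed list).
TLS_EXPECTED_PORTS = {443, 636, 993, 995, 8443}


@dataclass(frozen=True)
class Stream:
    client: str
    server: str
    port: int
    first_bytes: bytes  # first payload bytes, from whichever side spoke first


def looks_like_tls(payload):
    """True if the payload opens with a TLS record header (content type 0x16 =
    handshake, version 0x03 0x00-0x04, a plausible record length) followed by
    a ClientHello handshake message (type 0x01)."""
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    record_len = int.from_bytes(payload[3:5], "big")
    return (content_type == 0x16 and major == 0x03 and minor <= 0x04
            and record_len >= 4 and payload[5] == 0x01)


def classify(stream):
    """Return 'tls', 'cleartext' or 'unknown' from the payload alone."""
    p = stream.first_bytes
    if looks_like_tls(p):
        return "tls"
    if HTTP_REQUEST.match(p) or SERVICE_BANNER.match(p):
        return "cleartext"
    if len(p) >= 2 and p[0] == 0xFF and p[1] in TELNET_OPTIONS:
        return "cleartext"
    return "unknown"  # binary protocol without a TLS header; needs manual review


def audit(streams):
    """Return (server, port, classification, note) for every stream that is
    not positively TLS, so the tester can record evidence or inspect further."""
    report = []
    for s in streams:
        kind = classify(s)
        if kind == "tls":
            continue
        if kind == "cleartext" and s.port in TLS_EXPECTED_PORTS:
            note = "cleartext on a port expected to carry TLS; check the server configuration"
        elif kind == "cleartext":
            note = "cleartext protocol; confirm no PHI or credentials traverse it, or move it to TLS"
        else:
            note = "not classifiable from the first bytes; inspect the stream manually"
        report.append((s.server, s.port, kind, note))
    return report


# Constructed sample streams (addresses and payloads are made up).
SAMPLE_STREAMS = [
    # TLS record header (version 3.1) carrying a ClientHello, as a browser sends it
    Stream("10.10.2.15", "10.10.1.5", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
    Stream("10.10.2.15", "10.10.1.5", 80, b"GET /login HTTP/1.1\r\nHost: epo.wvh.example\r\n\r\n"),
    # LDAP simple bind: a BER SEQUENCE, no TLS record header
    Stream("10.10.2.15", "10.10.1.20", 389, b"\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00"),
    Stream("10.10.2.31", "10.10.1.30", 8443, b"POST /api/patient HTTP/1.1\r\nHost: app\r\n\r\n"),
    Stream("10.10.2.31", "10.10.1.40", 23, b"\xff\xfd\x18\xff\xfd\x20"),  # telnet DO options
    Stream("10.10.2.31", "10.10.1.50", 25, b"220 mail.wvh.example ESMTP\r\n"),
]

if __name__ == "__main__":
    for server, port, kind, note in audit(SAMPLE_STREAMS):
        print(f"{server}:{port} {kind}: {note}")
```

Classifying by payload rather than port is what catches the fourth sample, an HTTP request sent in the clear to a port usually reserved for TLS. Two caveats for the report: a cleartext SMTP or LDAP greeting may still be followed by STARTTLS, so a "cleartext" verdict on those ports is a prompt to verify the upgrade happens, and an "unknown" verdict (the LDAP bind here) means the first bytes alone did not settle the question.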
Conclusion
The existing penetration testing plan for Western View Hospital has the potential to
address some critical vulnerabilities in its IT infrastructure but requires significant
improvements to align fully with the hospital's goals. Expanding the scope of the
social engineering testing and adding compliance checks for HIPAA and HITECH
would help ensure that the hospital's infrastructure is secure and compliant with
critical healthcare regulations. WVH will be better positioned to protect sensitive
patient information and mitigate security risks by addressing these areas.
References:
Centers for Medicare and Medicaid Services. (2023). HIPAA Security Standards.
Retrieved from https://www.cms.gov/Regulations-and-Guidance
Department of Health and Human Services. (2023). HIPAA for professionals.
Retrieved from https://www.hhs.gov/hipaa/for-professionals/index.html
Open Source Security Testing Methodology Manual. (2024). ISECOM. Retrieved from
https://www.isecom.org/OSSTMM.3.pdf
Penetration Testing Execution Standard. (2023). PTES. Retrieved from
http://www.pentest-standard.org/index.php/Main_Page
Pruhart Tech. (2024). Penetration Testing Plan.
Scarfone, K., Souppaya, M., Cody, A., & Orebaugh, A. (2021). NIST SP 800-115:
Technical Guide to Information Security Testing and Assessment. National Institute
of Standards and Technology.
A penetration tester has joined a consulting company that performs tests for a variety of
clients. The company has stressed staying within the scope of the project. What is the
worst thing the tester could face if they go outside their scope?
A. Contract negation
B. Fees
C. Fines
D. Criminal charges
D. Criminal charges
Even though a PenTest is performed with the mutual consent of the customer, the team may
inadvertently violate a local, state, or regional law. The consequences could extend to
criminal charges.
Contract negation could be part of the results from going outside of scope. In addition to
agreeing on the terms of the test, the team will carefully consider the scope and methods to
be used while testing.
Fees could be part of the ramifications as well. Before doing any active testing, the team
will gather with the stakeholders and outline the terms of the PenTesting process.
Fines could occur and could even be combined with criminal charges. Scope is a massive part
of penetration tests.
A marketing coordinator meets with many high-profile companies to discuss penetration
testing engagements. Which of the following is NOT something they might want to show to