1. Project Details
Name of Organization:             Insurance Commission
Target of Evaluation:             ELS Web Application and SPARC Server
Project Duration:
Start Date:
IP Address and Login Credentials:
Constraints:                      - Limited to ELS IP only
                                  - No denial of service
Test tools:                       - Nmap
                                  - Burpsuite
                                  - Nessus
                                  - Nikto
                                  - SQLmap
                                  - Wfuzz
                                  - Feroxbuster
                                  (Please declare other tools here)
Methodology:                      Phase 1: Information gathering
                                  Phase 2: Vulnerability Assessment
                                  Phase 3: Vulnerability Identification and Analysis
                                  Phase 4: Exploitation
                                  Phase 5: Remediation (fixing)
                                  Phase 6: Reporting using OWASP Guidelines
2. Scope of Work
The assessment consists of black-box and white-box testing of the Enhanced
Licensing System (ELS) environment of the Insurance Commission, conducted according
to industry standards and guidelines.
3. Limitation
The scope of this security assessment and penetration test is limited to:
- ELS Web Application
- Host server
- Host operating system
4. Purpose of Test
The purpose of the test is to provide security assurance, compliance and best-practice
coverage based on industry standards and guidance from bodies such as:
- Offensive Security
- SANS Institute
- Institute for Security and Open Methodologies
- Open Information Systems Security Group
- National Institute of Standards and Technology
- Payment Card Industry Data Security Standard
5. Approach
The following explains the steps that will be taken during the tests:
- Perform live systems detection on targets
- Gather information about the targets
- Perform discovery and mapping of systems, services, or vulnerabilities as an
unauthorized party would
- Identify and assess vulnerabilities detected
- Perform enumeration on targets
- Exploit vulnerabilities found for proof-of-concept (PoC) only, within the stated
constraints (ELS IP only, no denial of service)
- Perform detailed analysis on findings
- Calculate and rank risks based on severity and risk factor
- Prepare technical and non-technical reports
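The steps above are typed into a shell with the tools listed in the Project Details, so the example below, added here and not part of the Insurance Commission's plan or any of those tools, shows how a tester can encode the two constraints (ELS IP only, no denial of service) as checks that run before any Phase 1-2 command is sent. It builds the Nmap, Nikto, Feroxbuster and Wfuzz command lines for the target, refuses any target other than the single in-scope IP, and refuses Nmap timing options chosen here as too aggressive. The ELS address 192.0.2.10 is a documentation-range placeholder, the web service is assumed to be served at https://<ELS_IP>/, and the wordlist path is illustrative; Burpsuite and Nessus are interactive platforms and are not scripted.

```shell
#!/bin/sh
# Added example (not from the test plan): rules-of-engagement guard and
# command builder for Phases 1-2. Placeholders: ELS_IP (documentation range),
# the https://<ELS_IP>/ URL, and the wordlist path.
set -u

ELS_IP="${ELS_IP:-192.0.2.10}"                                # the only in-scope host (placeholder)
OUTDIR="${OUTDIR:-els-assessment}"                            # where tool output is collected
WORDLIST="${WORDLIST:-/usr/share/wordlists/dirb/common.txt}"  # assumed path

# in_scope TARGET: succeed only for the exact ELS IP. CIDR ranges, other
# hosts and hostnames are rejected so a typo cannot widen the scope.
in_scope() {
  [ "$1" = "$ELS_IP" ]
}

# no_dos_flags "OPTS": reject Nmap options that turn a scan into a flood.
# Blocking -T5 and --min-rate is this example's own policy for the plan's
# "no denial of service" constraint, not a rule of Nmap itself.
no_dos_flags() {
  case " $1 " in
    *" -T5 "*|*" --min-rate"*) return 1 ;;
    *) return 0 ;;
  esac
}

# phase1_cmds TARGET [NMAP_OPTS]: print the Phase 1 commands (live host
# detection, then service/version discovery) without running them.
# The default options cap the packet rate; -sS needs root (use -sT otherwise).
phase1_cmds() {
  target="$1"
  opts="${2:--sS -sV -sC -p- -T3 --max-rate 200}"
  in_scope "$target" || { echo "refusing out-of-scope target: $target" >&2; return 1; }
  no_dos_flags "$opts" || { echo "refusing aggressive nmap options: $opts" >&2; return 1; }
  printf '%s\n' \
    "nmap -sn -oA $OUTDIR/ping $target" \
    "nmap $opts -oA $OUTDIR/tcp $target"
}

# phase2_cmds TARGET: print the Phase 2 web vulnerability-assessment commands,
# throttled (feroxbuster --rate-limit, wfuzz -t) to stay within the no-DoS
# constraint. The URL is derived from the in-scope IP only.
phase2_cmds() {
  target="$1"
  in_scope "$target" || { echo "refusing out-of-scope target: $target" >&2; return 1; }
  url="https://$target/"
  printf '%s\n' \
    "nikto -h $url -o $OUTDIR/nikto.txt" \
    "feroxbuster -u $url -w $WORDLIST --rate-limit 50 -o $OUTDIR/ferox.txt" \
    "wfuzz -c -t 10 -w $WORDLIST --hc 404 ${url}FUZZ > $OUTDIR/wfuzz.txt"
}

# run_phase N TARGET: echo each command; execute it only when DRY_RUN=0 and
# the tool is installed, so the command list can be reviewed before anything
# is sent to the target.
run_phase() {
  cmds="$("phase${1}_cmds" "$2")" || return 1
  printf '%s\n' "$cmds" | while IFS= read -r c; do
    echo "[phase $1] $c"
    if [ "${DRY_RUN:-1}" = "0" ] && command -v "${c%% *}" >/dev/null 2>&1; then
      mkdir -p "$OUTDIR"
      sh -c "$c"
    fi
  done
}

# Stand-alone use: ELS_MAIN=1 sh els_phase12.sh   (add DRY_RUN=0 to execute)
if [ "${ELS_MAIN:-0}" = "1" ]; then
  run_phase 1 "$ELS_IP" && run_phase 2 "$ELS_IP"
fi
```

By default the script only prints the commands it would run; setting DRY_RUN=0 executes them, and only for tools that are actually installed. Keeping the scope check in one function means every later phase (sqlmap PoCs in Phase 4, for instance) can reuse the same guard rather than re-typing the target by hand.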
6. Timeline
Penetration Test                  Start Date and Time       End Date and Time
Initial Testing (Phase 1-2)       Jan 2, 2022 9:00 am       Jan 10, 2022 9:00 am
Final Testing (Phase 3-4)         Jan 10, 2022 9:00 am      Jan 24, 2022 9:00 am
Risk Mitigation & Remediation     Jan 25, 2022 9:00 am      Feb 6, 2022 9:00 am
Reporting                         Feb 7, 2022 9:00 am       Feb 11, 2022 9:00 am
Notes:
The above dates are tentative; they are the expected completion dates, assuming that:
- the Security Consultant / Tester works full-time on the engagement
- the tester is experienced and credible enough to conduct the assessment and
penetration testing
- the tester has the technical writing and reporting skills required for the
deliverables