Analyzing Risks and Vulnerabilities of Various Computer Systems and Undergoing Exploitation using Embedded Devices.

摘要

Security is one of the most if not the most important areas today. After the several attacks on the United States, security everywhere has heightened from airports to communication among the military branches legionnaires. With advanced persistent threats (APTs) on the rise following Stuxnet, government branches and agencies are required, more than ever, to follow several standards, policies and procedures to reduce the likelihood of a breach. Attack vectors today are very advanced and are going to continue to get more and more advanced as security controls advance. This creates a need for networks and systems to be in an updated, patched and secured state in a launch control system environment. Attacks on critical systems are becoming more and more relevant and frequent. Nation states are hacking into critical networks that might control electrical power grids or water dams as well as carrying out advanced persistent threat (APTs) attacks on government entities. NASA, as an organization, must protect its self from attacks from all different types of attackers with different motives. Although the International Space Station was created, there is still competition between the different space programs. With that in mind, NASA might get attacked and breached for various reasons such as espionage or sabotage. My project will provide a way for NASA to complete an in house penetration test which includes: asset discovery, vulnerability scans, exploit vulnerabilities and also provide forensic information to harden systems. Completing penetration testing is a part of the compliance requirements of the Federal Information Security Act (FISMA) and NASA NPR 2810.1 and related NASA Handbooks. This project is to demonstrate how in house penetration testing can be conducted that will satisfy all of the compliance requirements of the National Institute of Standards and Technology (NIST), as outlined in FISMA. By the end of this project, I hope to have carried out the tasks stated above as well as gain an immense knowledge about compliance, security tools, networks and network devices, as well as policies and procedures.