TEESSIDE UNIVERSITY

IN-COURSE ASSESSMENT (ICA) SPECIFICATION

Module Title: Ethical Hacking Techniques Module Leader: Paolo Modesti

Module Code: CIS04078-N

Deadline Date: 07th Jan 2025

Assignment Title: ICA (100%)
Deadline Time: 4:00pm

Submission Method:
Online (Blackboard) 
Middlesbrough Tower 

Online Submission Notes:

• Please follow carefully the instructions given on the Assignment Specification

• When Extenuating Circumstances (e.g., extension) has been granted, a fully completed and
signed Extenuating Circumstances form must be submitted to the School Reception or
emailed to scedt-assessments@tees.ac.uk.

Central Assignments Office (Middlesbrough Tower M2.08) Notes:

• All work (including DVDs etc) needs to be secured in a plastic envelope or a folder and clearly
marked with the student’s name, number and module title.

• An Assignment Front Sheet should be fully completed before the work is submitted.

• When Extenuating Circumstances (e.g. extension) has been granted, a fully completed and
signed Extenuating Circumstances form must be submitted to the School Reception or
emailed to scedt-assessments@tees.ac.uk.

FULL DETAILS OF THE ASSIGNMENT ARE ATTACHED

INCLUDING MARKING & GRADING CRITERIA
Teesside University

Introduction

This ICA requires to conduct an ethical hack of a given system and submit a report.

Scenario

You have been approached by a non-profit environmental organisation that needs a thorough
security assessment of its IT infrastructure. This organisation frequently handles sensitive
information from whistleblowers and leads significant environmental campaigns, has recently
expanded its network and added several new systems. Among these is a new AI system that helps
with data analysis, data visualisation and decision-making.

The organisation has noticed some unusual suspicious activities in their network and systems and is
concerned about potential security vulnerabilities. They are unsure where the weaknesses might be,
but they suspect that their systems may be at risk.

Your role is to conduct a comprehensive security test, identify any vulnerabilities, and provide
detailed recommendations to enhance their security.

Network and Systems

For your security analysis, they provide details:

The organisation’s network is structured into different segments, each serving a specific function.
However, there might be so some unexplained issues and potential vulnerabilities that require
thorough investigation.

1. External Network (Internet): This is the segment of the network that faces the outside world,
including systems like the organisation’s public website. Recently, the IT team has observed
some unusual traffic patterns, such as unexpected spikes in activity during non-working
hours. They are unsure whether this is normal behaviour or indicative of a potential threat.
2. Central Firewall/Router: A central firewall/router manages traffic between the different
segments of the network. The configuration of this firewall is complex, with a mix of
outdated and newer rules that have not been thoroughly reviewed in some time. Employees
have reported intermittent network issues, such as slow connections and occasional drops,
but the IT team has been unable to pinpoint the cause.
3. Perimeter Network (DMZ): This section of the network includes the organisation’s web
server and email server:
• Web Server: Running on a Linux system, the web server hosts the organisation’s
public-facing website. Recently, the server logs have shown some unusual entries,
which might be related to recent updates, but no definitive cause has been
identified.
• Email Server: Operating on a Windows Server platform, this server handles all
internal and external communications. The IT team has noticed several failed login
attempts, but they have not been able to trace the source of these attempts.

-2-
Teesside University

4. Core Network (Secure Zone): The most sensitive information within the organisation is
stored here. This zone includes:
• Data Server: A Windows Server that manages user accounts, stores confidential
documents, and operates a custom database. There have been some unexplained
entries in the security logs, but their significance remains unclear.
• File Sharing System: An internal system used by staff for file sharing. Some users
have reported difficulties accessing files, with permissions seemingly changing
without explanation. The IT team is unsure whether this is a technical glitch or
something more serious.
• AI & Analytics Server: A Linux-based server running an AI model for data analysis.
The AI system has recently produced some unexpected results. Initially, the team
thought these anomalies were part of the AI’s learning process, but concerns are
growing that something more serious may be at play.
5. Internal Wireless Network: This network segment is where employees and volunteers
connect their personal devices to access the internet and sometimes the organisation’s
email. Although this network was intended to be isolated from the Core Network, there
have been reports of strange connectivity issues and unexplained slowdowns, occurring
randomly.

Client requirements

The client specifically requests that:

- No data should be lost from any system during the pen testing. If any change is done, for a
proof-of-concept, you should also identify a procedure to restore the system to the previous
state, provided the pen-tester has double checked with client that a backup exists, and it is
safely stored.
- The risk of disrupting the services should be minimised during office hours.
- You have a limited number of hours for this task, so your planning should prioritise the key
services and components.
- The pen testing activities should be carried out with FOSS or free software unless such option
does not exist for a specific task. In this case, you should make clear the licence terms and
costs.

Task

You should write a report detailing your plan, with a justification for tools and techniques used, the
results and a complete chronological audit trail of hacking actions taken in line with expected
professional and ethical standards. The report is intended for a technically knowledgeable audience,
but it should be introduced by a short executive summary for a broader audience.

For the practical part, you must carry out a pen testing limited to a given virtual machine (information
about location of the virtual machine is available on Blackboard, under “Assessment”). For the rest
of the work, use the information provided in the scenario, and make the appropriate and reasonable
assumptions if necessary (provide a rationale for it). You can assume that the given component is
deployed in the DMZ.

-3-
Teesside University

The report (approximately 4000 words, submitted in PDF format), should include at least the
following elements (xx% indicates the weight in the mark allocation, total 100%):

1. An executive summary (maximum 300 words) (5%)

2. Demonstration of understanding of the scenario and discussion of how to plan and carry
out the security analysis, with consideration of ethical and legal aspects (15%)
3. Identification of security vulnerabilities (15%)
4. Exploitation of the vulnerabilities (15%)
5. Post-exploitation activities (15%)
6. Reporting of the findings and potential suggestions for countermeasures (10%)
7. Critical reflection on self-performance and the development of skills for employment as a
computer security professional (10%)

The remaining 15% of the final grade is allocated based on the overall quality of the report:
documentation of audit trail, formatting, completeness, readability, and appropriate referencing.

Elements 3, 4, 5, 6 are relevant for the practical part (as you must report the analysis of the given
component) and the results of such activities should be documented and explained, also using
appropriate screenshots.

For the element 6 you should also include countermeasures and recommendations deduced from
the scenario, but they should be clearly separated from ones deduced from the practical
elements.

Learning Outcomes
Students will be assessed on the following learning outcomes:

Personal and Transferable Skills

PTS1. Communicate effectively and professionally to report on system security, attack
models and threats.
PTS2. Create and maintain an audit trail of all processes undertaken during an ethical hack.
Research, Knowledge and Cognitive Skills
RKC1. Apply tools and techniques in a structured, legal, ethical and professional manner to
evaluate system security using ethical hacking methodologies.
RKC2. Demonstrate knowledge of appropriate security analysis techniques, common
vulnerabilities and countermeasures.
Professional Skills
PS1. Identify the professional, ethical and legal issues associated with ethical hacking.
PS2. Operate ethically and within professional guidelines whilst conducting security testing.

-4-
Teesside University

Marking Criteria

Marks are provided as a guidance.

75%/85%/95% Excellent

An excellent answer demonstrating informed judgements about the

task/scenario. Appropriate measures are selected and justified clearly.
Autonomy of investigation is shown.

Demonstrated excellent consideration of relevant professional, legal and

ethical issues with very good linkage to the scenario/task.

A very clear and readable report, with excellent structuring, good use of
grammar and referencing. Document submitted as PDF.

An excellent completion of the practical elements.

65% Substantially correct/appropriate (based on taught material & module

requirements)

A good answer demonstrating informed judgements about the

task/scenario. Appropriate measures are selected and justified.
Autonomy of investigation is shown.

Demonstrated appropriate consideration of relevant professional, legal

and ethical issues in relation to the scenario/task.

A clear and readable report, with appropriate structuring and

referencing. Document submitted as PDF.

A good completion of the practical elements.

-5-
Teesside University

55% Minor errors/omissions/issues

A mostly good answer with only minor errors/omissions/issues. The

answer demonstrates informed judgements about the task/scenario.
Appropriate measures are selected and justified. Some autonomy of
investigation is shown.

Demonstrated sufficient consideration of relevant professional, legal

and ethical issues in relation to the scenario/task with only minor
errors/omissions/issues.

A clear and readable report, with minor errors in writing, structure or

referencing. Document submitted as PDF.

A fairly good completion of the practical elements.

31%-49% Unsatisfactory

A very limited answer. The answer demonstrates some few judgements

about the task/scenario. Few measures are selected and justified. Little
autonomy of investigation is shown.

Little consideration of relevant professional, legal and ethical issues in

relation to the scenario/task.

A report that is difficult to read or comprehend but includes some

attempt at structure and referencing OR document is not submitted as a
PDF.

An insufficient attempt to complete the practical part.

0%-30% Inadequate

The answer barely addresses the task/scenario, if at all.

Little to no consideration of professional, legal, and ethical issues.

A report that is very difficult to read and comprehend and makes no

attempt at referencing.

No or very limited attempt to complete the practical elements.

-6-