Information Security System: 1418361


Penetration testing refers to the practice of analysing a computer system, web application or network to find security vulnerabilities that a hacker could exploit. Penetration testing can be automated with software applications or performed manually [1]. The main aim of pen testing is to identify security weaknesses. Penetration testing can also be used to test an organization's security policy, its adherence to compliance requirements, its employees' security awareness and the organization's ability to identify and respond to security incidents. The report writer has been appointed at Google to work as a Cyber Specialist. The writer investigates the effect of the legal, confidentiality and ethical aspects of Google's information system security choices and presents the outcome in the form of a report.


Section 2:-

Question 1:-

Analyse the legal and ethical impact on the company and you as the pen tester if there should be a mistake or vulnerability made during the testing phase.      

Answer 1:-

 The Pen-Test of the company’s infrastructure:-

Legal impact:-

A pen test can also highlight weaknesses in Google's security policies. For instance, a security policy may focus on preventing and detecting an attack on an enterprise's systems but may not identify a particular procedure for ejecting an online criminal [2]. There are multiple categories of penetration tests. A review of software code for vulnerabilities can be part of a pen test. A ping sweep can be part of a pen test. As one may guess from its name, a pen test is a specialized type of information security assessment that examines how a system can be penetrated by simulating a cyber-attack. Expert security specialists use purpose-built tools and procedures to identify vulnerabilities that can lie dormant and unseen simply because software developers and vendors have other objectives and work with a different mindset from a motivated, trained hacker. As security is a non-functional requirement, the software or service may work as intended on its own but still contain a considerable number of vulnerabilities that make its use quite hazardous for any service provider or user. These vulnerabilities can originate in the software artefact itself or result from misconfiguration of the underlying infrastructure.

Google uses internet users as a means of targeting ads at them more accurately by tracking their behaviour without explicit consent. Google representatives claim that by eliminating bits from the IP address, they are permitting users to switch, because “operators can switch their cookies”. Google has been delivering applications that appeal to large audiences and customers and are simplified on a regular basis. However, the way Google is currently used has landed it in the middle of a vast debate [3]. The debate concerns the information privacy accessed and handled by particular Google applications over the internet and the massive amount of personal information Google keeps on network-based storage units.

Ethical Impact:-

Informational confidentiality can be defined as the ability to control customers' personal and private information, while accessibility privacy concerns the ability to intrude on or retrieve that information, which can be termed an intrusion. The public view of Google is that “Google is presently the most disreputable search engine, as well as a quickly expanding business with a growing number of goods.” Google's increasing importance in the cyber domain has led many individuals to ask questions and to look at what information Google has access to and whether it is useful or not.

The majority of pen testing tools on the market are tied to the exploitation of known vulnerabilities and thus focus mainly on identified flaws [4]. Nevertheless, new, previously unidentified vulnerabilities in Google's information system may result in an emergency shutdown or loss of data until remediation is finished. A pen test conducted by Google will also uncover previously unknown, undocumented vulnerabilities, known as zero-day vulnerabilities. A security review is already highly useful throughout the decisive phases of development and progress. Sometimes a technical patch is needed; where the flaw is a sign of an organizational shortcoming, it is addressed by investing in regular security assessments and continuous training for the workforce. Google aims to reduce the number of serious risks and critical issues that might arise at the start of, or during the progress of, a particular project.


Exploiting vulnerabilities within the code is widely recognized and understood as one of the most effective ways for attackers to target web applications [5]. By far the most common attack vector targeting applications is SQL injection, which involves the execution of malicious commands designed to instruct or query backend databases for information. To improve user-friendliness, applications implement session management controls such as identification cookies to avoid the need to log in and out repeatedly, to store the user's preferences and to record their activity.

However, these controls can be exploited by hackers looking to hijack sessions and gain higher privileges. Authentication and authorization flaws such as weak or default passwords, broken access control, privilege abuse and misuse of session management are most commonly used by attackers to gain access to sensitive user data. Man-in-the-middle attacks take place because of these vulnerabilities. Pen testing allows Google to gauge the level of security in communication and data storage. It is vital to note that Google has unique requirements and security postures, and that one-size-fits-all penetration testing is not prudent.

The report writers understand the unique needs of Google, so that Google can focus on its core business while they take care of its security needs. Penetration testing can be extremely valuable in testing for all of these issues, but it is also important to remember that every business will have different needs. There is no one-size-fits-all penetration test, so it is sensible to discuss Google's business requirements with cyber security specialists so that they can provide the kind of testing that will help the most. In some cases, cyber attackers will attempt to intercept communications to bypass authentication systems designed to confirm the digital identity of senders. This can allow them to mount so-called MiTM attacks. The importance of updating applications and software on a regular basis cannot be stressed enough, as updates contain critical patches to protect Google's web applications and systems [6]. Attackers frequently use obsolete applications, procedures, systems and software to compromise websites and the related applications.

Question 2:-

2a. Analyse the ethical differences between the three hacking hats.

2b. Recommend on whether the CISO should pay for the data to be returned

Answer 2:-

Answer 2a:-

Differences between the three hacking hats:-

Black Hat:-

These hackers are criminals who use their hacking skills to gain access to user data, business secrets, confidential government information, and anything else they can use for malicious purposes. Black hat hackers come in many varieties, according to the kinds of crime involved. Some are skilled coders who use their knowledge to obtain passwords and break into user data. Others are con artists who use social engineering to persuade victims to give away sensitive data. The challenges for law enforcement are that hackers frequently leave little evidence, use the computers of unsuspecting victims, and cross multiple jurisdictions. Although authorities occasionally succeed in shutting down a particular hacking site in one country, the same operation may have several nodes in several countries, allowing the group to operate on a daily basis.

White hat:-

These hackers choose to use their powers for good rather than evil. Also known as “ethical hackers,” white hat hackers can sometimes be paid employees or freelancers working for businesses as security specialists, who find security holes through hacking. White hat hackers use the same methods of hacking as black hats, with one exception: they do it with permission from the owner of the system first, which makes the process completely legal. White hat hackers perform penetration testing, test in-place security systems and carry out vulnerability assessments for businesses. The Specialized Ethical Hacker is a standard form of professional certification, whereas Black Hat is a well-known security industry conference. In a different context, the word hacker may also cover developers who quickly build hardware or software at hackathons.

Grey hat:-

These hackers are not inherently malicious in their intentions; they are just looking to get something out of their discoveries while keeping themselves undetected. Generally, grey hat hackers will not exploit the vulnerabilities they find [7]. However, this type of hacking is still considered illegal because the hacker did not receive permission from the owner before attempting to attack the system. While the word hacker tends to evoke negative connotations when mentioned, it is important to remember that not all hackers are created equal if the business did not have white hat hackers diligently seeking out threats and vulnerabilities before the black hats can discover them.

Answer 2b:-


The recommendation is to build a more comprehensive picture of the business and security risks by systematizing the risk process and allowing more flexibility in assessing risks during high-stakes business events. Many CISOs seek to consolidate information security solutions to reduce their security clutter, cut costs, and streamline the management of information security overall. However, there are several considerations CISOs must weigh to inform these decisions, such as redundancies, budgets, integration, and difficulties within the IT departments. Using data analytics in the best possible way is another recommendation from the report. This data has become vital in investigating past incidents in order to prevent future attacks [8]. Use cases are the ideal way to apply the analytics the business security team accumulates; answering a question connected to protecting those critical business events is an ideal way of parsing a vast amount of data. In automating the process, the report recommends that a new risk assessment be performed for every new project, with a dedicated budget for follow-up assessments. Automating the process allows a faster turnaround for the assessments and a better picture of the risks involved in each project. In certain situations, if a project carries a high level of risk, the security team would be able to identify it and investigate the assessment in more depth.


Penetration tests offer unparalleled insight into an organization's security effectiveness as well as a road map for improving the existing security. By hiring specialists to prevent a cyber-attack, vulnerabilities can be identified and corrected before they are exploited by a hacker or malicious insider. This discussion addresses the ability of a hacker to gain access to the internal network from outside the firewall by exploiting internet-facing systems. As an employee of Google, the report writer's first responsibility is to eliminate security issues and to complete the pen test, both of which are vital for the well-being of the organization.


[1] D. Stiawan, M.Y.B. Idris, A.H. Abdullah, M. AlQurashi, and R. Budiarto, Penetration Testing and Mitigation of Vulnerabilities Windows Server, IJ Network Security, 18(3), 2016, pp.501-513.

[2] G.P. Kouretzis, D. Sheng, and D. Wang, Numerical simulation of cone penetration testing using a new critical state constitutive model for sand, Computers and Geotechnics, 56, 2014, pp.50-60.

[3] J.M. Hatfield, Virtuous human hacking: The ethics of social engineering in penetration-testing, Computers & Security, 83, 2019, pp.354-366.

[4] O. Falagush, G.R. McDowell, H.S. Yu, and J.P. de Bono, Discrete element modelling and cavity expansion analysis of cone penetration testing, Granular Matter, 17(4), 2015, pp.483-495.

[5] T. Guarda, W. Orozco, M.F. Augusto, G. Morillo, S.A. Navarrete, and F.M. Pinto, Penetration testing on virtual environments, In Proceedings of the 4th International Conference on Information and Network Security, 2016, pp.9-12.

[6] S. Bojjagani and V.N. Sastry, VAPTAi: A threat model for vulnerability assessment and penetration testing of Android and iOS mobile banking apps, In 2017 IEEE 3rd International Conference on Collaboration and Internet Computing (CIC), 2017, pp.77-86.

[7] Z. ÐURIĆ, WAPTT-Web application penetration testing tool, Advances in Electrical and Computer Engineering, 14(1), 2014, pp.93-102.

[8] K.B. Chowdappa, S.S. Lakshmi, and P.P. Kumar, Ethical hacking techniques with penetration testing, International Journal of Computer Science and Information Technologies, 5(3), 2014, pp.3389-3393.