each case is required to answer each question it is asking. so for case 1 we have 5 questions, case 2 the same 5 questions and case 3 samething.

The document below is the SOW attachment needed.

Requirements You are presented three challenges related to events in a simulated penetration test. Using the Framework for Ethical Decision Making, EC-Council Code of Ethics, and any other literature on ethical decision making you find useful, fully describe the following for each challenge: 1. The factors related to the ethical issue. Describe any legal factors involved. 2. The relevant facts, including stakeholders, harms, benefits and available options. 3. The ethical approach(es) used to evaluate the available options and why that approach was considered. 4. How the decision was tested and why the selected option is the best choice. 5. What to expect after implementing the decision. Case The following challenges were encountered during penetration testing services for a client. The client was a web developer and hosting company. The client operates their own data center and have a cloud-based expansion capability to support rapid scaling. Although the client is not specified, the Statement of Work (SOW) between the penetration testing team and client [ORGANIZATION] is provided in Attachment B. The SOW is the explicit agreement between the penetration testing team and the client. The SOW authorizes specific activities and sets the boundaries for the penetration testing team. Read and comprehend the SOW before answering the following challenges. Challenge 1 - Apache 2.4.23 mod_http2 The penetration testing team discovered a client's public facing custom web application deployed on Apache 2.4.23. The custom web application was built on HTTP/2 and includes the mod_http2 module. Apache 2.4.23 mod_http2 is vulnerable to and a public exploit exists on Exploit Database EDB-ID 40909. No other public exploits are known. The vulnerability does not restrict request-header length which allows a remote attacker to force a denial of service through excess memory consumption via crafted CONTINUATION frames in an HTTP/2 request. The discovered server runs a custom production web application which is critical to the client's business operations. The penetration testing team must decide how to proceed. Challenge 2 - VPN Access The penetration testing team conducted a phishing attack against the client's employees. The phishing attack requested users to verify their domain login credentials and as a result collected login credentials from multiple users. The same attack also deployed backdoors on victim workstations. Post enumeration of an employee's company workstation resulted in the export of their Microsoft Outlook email archive. Examination of that file revealed login credentials to a VPN account that had been created for a vendor. Judging by the recency of the email, it is estimated that the vendor's VPN account is a) active and b) would provide unrestricted access to the client's internal LAN. The penetration testing team must decide how to proceed. Challenge 3 - Amazon Web Services (AWS) Server An employee responded to the phishing attack. As a result, their workstation was fully compromised. Penetration testers successfully gained system-level access to the employee's workstation. During post attack enumeration the penetration testers discovered documentation for a development network. It was not initially clear where that development network resided, but with additional work testers discovered the development network resided in an AWS project. The developer's documentation was thorough. It included network topology, IP addresses, operating system version information, and service version information. It also included system and application login credentials, vulnerability testing results and documentation for installed and failed patches. The penetration testing team must decide how to proceed. ATTACHMENT B Statement of Work to for [ORGANIZATION] Information Technology (IT) Security Reviews \& Assessments The successful proposer will demonstrate an understanding of the objectives for [ORGANIZATION] IT Security Reviews and Assessments and will provide an approach that demonstrates understanding of industry best practices and experience in similar projects. Vendor must propose to provide services and deliverables in the following categories: - Project Management. - Penetration Testing - Internal and External. - Vulnerability Risk Assessment and Analysis. - Social Engineering Mechanism. These services and related tasks are described in more detail in the following sections. ATTACHMENT A must be used as a reference to properly prepare a response to the procurement. This SOW incorporates by reference the terms and conditions of Contract Number RDP[XXXXX] in effect between [ORGANIZATION] and Vendor. In case of any conflict between this SOW and the Contract, the Contract shall prevail. [ORGANIZATION] and Vendor agree as follows: 1. Introduction The primary deliverables under this SOW are related to Information Technology Security Reviews and Assessments for [ORGANIZATION]. The services provided under this SOW are required as [ORGANIZATION] must meet the demands of customer changes and modifications, which may introduce vulnerabilities that were previously non-existent. Consequently, periodic audit of information systems must be carried out by an independent, competent party. Keeping [ORGANIZATION]'s existing systems running as securely as possible is a top priority. 2. Project or Task Objectives Vendor must provide services and deliverables, and otherwise do all thing necessary for or incidental to the performance of work as set forth under this SOW for all services as provided below: - Project Management. - Penetration Testing - Internal and External. - Vulnerability Risk Assessment and Analysis. - Social Engineering Mechanism. 3. Scope of Work and Deliverables Vendor shall provide Services and staff, and otherwise do all things necessary for or incidental to the performance of work, as set forth below. Vendor shall produce the Deliverables as provided in the Tasks as described below. Task 1: Vendor Project Management The scope of Task 1 shall include the following required activities: 1. Be the primary point of contact on all IT Security-related guidance, issues, and concerns. 2. Conduct an initial planning meeting prior to the start of the project. 3. Manage expectations and satisfaction throughout the project. 4. Create and maintain a project plan and measure weekly progress against mutually agreedupon milestones. 5. Participate, along with Vendor team staff, in regularly scheduled Team update/status meetings (as determined needed by the Team). 6. Prepare written status reports at mutually agreed-upon intervals. Deliverables - Task 1 Deliverables related to Task 1 shall be completed no later than [Month Date Year]. 1. Provide bi-weekly project status report for review and consideration. 2. Participate in project team status meetings. 3. Present Final Risk Assessment and Analysis Report to Management and other stakeholders, as required. Task 2: Penetration Testing A vital component in the assessment of the efficiency of perimeter defenses for a network environment is an external vulnerability and network penetration test. In order to conduct daily work functions, any business must maintain a connection to the Internet which requires protections such as firewalls and other security precautions. Additional, as the primary provider of systems to our stakeholders it is critical to look at all information available about [ORGANIZATION] from the Internet to ensure private data remains confidential. Penetration testing be conducted for the [ORGANIZATION]. Task 2: External /Internet Penetration Testing Assessment Vendor shall complete the External/Internet Penetration Testing with very little information provided by [ORGANIZATION] itself. Vendor shall complete assessment by imitating a "hacker" with no inside information regarding[ORGANIZATION] systems present or technologies currently in use. Vendor shall complete the External/Internet Penetration Testing Assessment using the following test types: 1. Search for publicly available information using Internet, newsgroup postings, etc. 2. Search domain registration for useful information. 3. Retrieve public Domain Name Service (DNS) records. 4. Identify systems accessible over the Internet (i.e., web, email, etc.). 5. Conduct port scans. 6. Identify running services. 7. Identify operating systems if possible. 8. Identify web and email service versions. 9. Enumerate systems if possible. 10. Attempt to utilize remote access protocols if available. 11. Email server analysis (i.e., open relay, anonymous email, etc.). 12. Web server analysis (i.e., default configuration, sample scripts, etc.). 13. Website and web application analysis. 14. Conduct vulnerability scans of systems and network devices. 15. Exploit systems when possible. 16. Evaluate test results and identify false positives. Deliverables - Task 2 Deliverables related to Task 3 shall be developed comprehensively for [ORGANIZATION] and completed no later than [Month Date Year]. 1. Submit draft External Penetration Testing Assessment Report for review and consideration. 2. Submit final External Penetration Testing Assessment Report for review and final acceptance. Task 3: Social Engineering Mechanisms Vendor shall conduct an assessment of the security awareness of employees to determine additional network vulnerabilities and potential risks. Vendor through random sampling will conduct this assessment using the following tests: 1. Vendor staff will pose as [ORGANIZATION] staff or other authorized individuals and attempt to gain access to sensitive areas of the organization's infrastructure. 2. Vendor staff will perform an email-based attack attempting to entice [ORGANIZATION] employees into opening or downloading an attachment from an external email address or providing sensitive data such as their authentication credentials. 3. Vendor staff will perform a telephone-based testing of [ORGANIZATION] awareness by requesting passwords or other sensitive information of employees over the phone. Deliverables - Task 3 Deliverables related to Task 4 shall be developed comprehensively for [ORGANIZATION] and completed no later than [Month Date Year]. 1. Submit draft Social Engineering Mechanism Report which includes findings and recommendations for remedy for review and consideration. 2. Submit final Social Engineering Mechanism Report for review and final acceptance. 4. Additional Terms and Conditions Specific to this SOW Vendor will work collaboratively with all necessary project leadership, project staff and project partners assigned to this project. Work products produced by the Vendor for [ORGANIZATION] will become the property of [ORGANIZATION]. Vendor must be able to work collaboratively with [ORGANIZATION] and project partners to gain understanding of their business needs