RHIE Security Assessment

Objectives

Identify security vulnerabilities on target systems that are part of the RHIE project.
Analyze results and compare with known common vulnerabilities.
Consult with members of the RHIE project about remedying any vulnerabilities or unwanted exposures.

Project Scope

The targets are defined as the HIM, SHR, TS, FR, PR, CR that are hosted in the National Data Centre in Kigali.
The specific IP addresses of the targets will be given pending the approval of the RHIE team.
All other potential targets are off limits and will not be included in the security assessment.
To prevent disruption of production machines, the penetration test will not include potentially harmful exploits.
Network penetration testing will take place after business hours or on weekends (CAT).
The main point of contact for the RHIE team will be Elie Gatete, who will be shadowing the work done.
The estimated time to complete the assessment will be 5 weeks from the approval of the RHIE team.

Proposed Process

Intelligence Gathering
  o Search for all devices and entry points on the network.
  o Document all devices found and compare with existing network diagrams.
  o Document all exposures (e.g. open ports and versions of software).
  o Check for security best practices.

Vulnerability Assessment
  o Run vulnerability scanners based on the findings above.
  o Research publicly known exploits/advisories.
  o Identify potential pathways for attackers.

Deliverable

The Security Assessment report will include findings from the assessment, starting with the issues that pose the greatest risk. The report will also list the tools used during the assessment and the related commands. Terminal logs will also be included so that all outputs of the given commands will be viewable. All of these items will be compressed, encrypted and sent to the RHIE team via email. If GPG email is not an option, the passphrase will need to be communicated over a secondary medium, such as Skype or other encrypted messaging protocols.