Manualshelf

Operating instructions

ManualsBrandsRicoh ManualsComputer equipmentLD533CG
31323334353637383940
CRP-C0266-01
35
b. Evaluator Penetration testing Outline
The evaluators executed the following evaluator penetration testing to identify possibly
exploitable vulnerabilities.
<Evaluator Penetration Testing Environment>
The testing environment is the same as the environment of the evaluator independent testing.
The configuration figure is also the same as the one in Figure 7-2. This environment is
assumed that the TOE is securely installed and operated according to "Security Objectives for
the TOE" and "Security Objectives for Operational Environment" in this ST. For instance, the
attack via networks from the external network such as the Internet is the exception because
the unnecessary ports are closed in the boundaries of the external network and the internal
network. Under the above conditions, it is assumed that attacks occur using public interfaces
and usual available tools by general users and attackers except for administrators.
Table 7-6 shows the difference between the developer testing and evaluator independent
testing for evaluator penetration testing. It also shows the tools used.
Table 7-6 Configuration Items for the Evaluator Penetration Testing
Component Item Details
Hardware: Toshiba dynabook SS RX1
OS: Windows XP Pro SP3
Browser: Internet Explorer 8.0 (IE8)
Software for Port Scan: Zenmap 4.76
Software for line trace: Wireshark V1.0.6
Unix Access Tool: Cygwin V2.573.23
Computer for
Penetration Testing
Vulnerability Detection Tool: Paros V3.2.13
<Execution of Penetration testing>
For anticipated vulnerabilities identified in Table 7-5 to search for potential vulnerabilities,
Table 7-7 shows the penetration testing that corresponds to this. The evaluator executed the
following penetration testing to identify possibly exploitable vulnerabilities.
Table 7-7 Overview of Evaluator Penetration Testing
No. Overview of Penetration Testing
Anticipated
Vulnerability
T1
Checked opened ports.
V8
T2
Executed a scan of the LAN ports and ensured unnecessary
ports were not open or opened.
V8
T3
Penetration testing on open ports.
V1
T4
Ensured that unauthorised users cannot access to the OS of
the TOE directly via LAN ports from the remote client
computer.
V1
T5
Unauthorised access to document files through the Internet.
V3
T6
Ensured that unauthorised users cannot access to document
files, even if they specify a URL directly using delivered URL
link information.
V3
T7
Obtained information using direct URLs.
V9