This is probably the most dreaded and least techie phase of a penetration test, however, it is the MOST important. It is certainly more fun to hack systems and use cool tools, but at the end the of day the purpose of the penetration test is to provide the client useful information to better protect their assets. Generically, there are two major sections that the report should include; Executive Summary and Technical Report. Sometimes, these are two distinct documents and presented to different audiences. I have provided a link to a sample report from Offensive Security, Appendix A is typically what an executive summary looks like in addition to the example executive summary section. It identifies in a simple format what vulnerabilities exist, their level of risk/impact, recommendations for remediation. There is no real standard, but presenting the data in a manner the target audience can understand and take action is the most important. Executives like data presented in a manner that allows them to quickly see areas requiring immediate attention and others to develop a strategy to address. The technical report or sections of a report will have meticulous detail about each vulnerability with explicit detail on remediating methods.
- This portion of the report or if created as a separate report must have key components that only executives would want to focus. The penetration tester must remember, this individual or team is responsible to a board that ultimately runs the overall business. They may not be thinking about how the tester used Metasploit or SET to compromise a system. The verbiage must be of utmost professional standards, and use graphics that support the written technical report. Most times the CTO will have to explain the report to other non-technical business folks that will determine if the security team gets the funding to fix the identified vulnerabilities based on “risk” to the business. This portion of the report is very important, spend time to get it right.
Items that should be included:
- Overall Posture
- General Findings
- Strategic Roadmap
- The technical report will have much of the information the penetration tester logged during the test. It will be important that the penetration tester took good enough notes that they can be followed to exploit the systems proving repeatable exploitation thus validating the penetration tester findings. By providing repeatable steps to exploitation hopefully will provide the motivation to the technical folks to address the identified vulnerabilities. Geeky talk will work fine in this section, however, the report should have a glossary of terms to make sure everyone is understanding all jargon, etc. the same. Screenshots, and command logs are valuable, along with banner grabs and data snippets will provide the evidence that what the penetration presents as possible is possible. This portion of presenting may prove to be more difficult than the business meeting because the penetration tester is now challenging technical folks aptitude to properly protect their assets. Some teams welcome the help, others struggle to see the power of collaboration and having a third-party help them build a stronger security program. The penetration tester must not take negative reactions personally, present the facts, and strive to have the findings and recommendations understood so the path to remediation is clear and actionable.
Items that should be included:
- Information Gathering Intelligence
- Vulnerability Assessment
- Exploitation/Vulnerability Validation