12 - Report Writing Flashcards

1
Q

What are the pen testing deliverables?

A
  • Detailed analysis of methodology used
  • Pen Testing reports
  • Evidence of successful penetration
  • Supplementary material to corroborate the findings
  • Documentation on remediation of any security flaws found
2
Q

What are the goals of a pen testing report?

A
  • Helps executive management make decisions about implementing security controls
  • Helps responsible parties know what security controls and patches to implement
  • Show client organization that your team wants to improve company’s security posture
  • Provides info from the test execution phase
3
Q

What are the different types of Pen Test Reports?

A
  • Executive: Provides summary of complete pen testing process, outcomes, and recommendations
  • Host: Provides details of various hosts that were tested
  • Client-Side Test: Provides details of the client-side test, including email template sent, exploit launched, test result, etc.
  • User: Provides details of all the users who were identified and targeted during the testing process
  • Vulnerability: Provides details of various Vulnerabilities
  • Activity: Provides detailed info about tasks performed during pen testing
4
Q

What are the characteristics of a good pen testing report?

A
  • Concise and easy to understand
  • Written in a professional manner
  • Must show screenshots of Proof of Concepts (PoC) to show existence of identified vulnerabilities
  • Justify recommendations and analysis made by pen tester
  • Standard techniques and methodologies should be followed while preparing a report
5
Q

Steps to writing final report:

A
  • Plan the report
  • Collect and Document Information
  • Write a Draft Report
  • Review and Finalize the Report
6
Q

What are some guidelines to Collect and Document the Information?

A
  • Compile and sort all the information collected during each step of pen testing
  • Prepare notes after each and every step
  • Make a note of information on activity logs and network traffic
  • Maintain a list of scanned reports and screenshots for clarity and reference
7
Q

What are some guidelines for Reviewing and Finalizing the Report?

A
  • Rough draft should first be reviewed by peers for a second opinion
  • If the team has participated in the documentation process, then the whole team should review and edit it
  • Document and finalize changes properly
  • Prepare final report with all changes in a specific format that is widely accepted
  • Final report should be presented in a professional manner matching the company standards
  • Report should mention importance of pen testing to the client
  • Recommendations should be made
8
Q

Report Format:

A
  • Cover Letter: Report title and details about author, client, disclaimer etc.
  • Document Properties: Title, author, version, date, and time, people involved
  • Version History: Record of all tracked changes
  • Table of contents: Lists of important dates, page numbers.
  • Final Report: Key information on the report timeline
  • Summary of Execution: Short, high-level overview. Includes organizations involved, date of test, systems targeted, test results, discovered vulnerabilities.
  • Scope of Project: IP ranges, social engineering employed, types of networks tested, types of malware permitted
  • Evaluation Purpose: Main purpose of test, lists loopholes and security flaws, how testing is done
  • System Description:
    • Lists all the devices that were used for pen testing.
    • Explains network flow, architecture, and information status of organization
  • Assumptions/Timeline: Assumptions made by pen testers in hypothetical situations that helped make decisions in critical areas. Section includes a record of duration and time frames maintained by pen tester.
  • Summary of Evaluation: How evaluation process was done
  • Summary of Findings: Report on findings, listing the discovered risks and threats
  • Summary of Recommendations: Complete description of recommendations and suggestions after thorough research and investigation
  • Methodologies: Mentions what methodologies were used during pen testing
  • Planning: How the pen testers planned the whole pen testing process, briefs every step in sequential manner, types of research and investigation, lists tools and utilities.
  • Exploitation: Lists all vulnerabilities found, how exploitations were carried out
  • Reporting: Details about findings and assessment of vulnerabilities found, explains classification of threats and risks, mitigations of risks, final conclusion about the organization’s info system, risk/severity levels based on CVSS ratings
  • Comprehensive Technical Report: Detailed technical description of sequential process of pen testing
  • Result Analysis: Includes domain name, ports, tests performed, IP addresses, description of service, vulnerability analysis
  • Recommendations: Includes pen tester’s suggestions or recommendations, mitigations, prioritizes potential threats and risks
  • Appendices: Includes additional information on pen testing, tools and exploits, snapshots, log output, risk assessment methodologies, and vulnerability classification.
    • Common Appendices: Required Work Efforts, Research, References, Glossary
  • Pen Testing Report Analysis:
    • Review: Review all info gathered
    • Determine Security Flaws
    • Analyze the Output
  • Prioritize Recommendations: High priority security concerns first
9
Q

How should pen testing team meetings be structured?

A
  • Set up agenda
  • Bring up questions about findings
  • Assign work sections of the findings to individual members
  • Create an action plan and set deadlines
  • Consult additional expertise that might be needed
10
Q

How should vulnerabilities be reported in Pen Test findings?

A
  • Detailed description of vulnerability
  • An evaluation in terms of “must change” or “should change”
  • References to certain resources
  • Suggestions for resolving issues
11
Q

What are the different ratings of vulnerabilities?

A
  • High Criticality: Significant Impact
  • Medium Criticality: Impact and harming an individual
  • Low Criticality: Some degree of impact
12
Q

Guidelines on delivering Pen Testing Report

A
  • Must be in PDF format unless said otherwise
  • Printed report is best
  • Do not send to unapproved staff
  • Always deliver to approved stakeholders in person (when possible)
  • Avoid sending by email (if possible)
  • Ask for signed acknowledgement after submittal
  • You must be available 30-60 days after submitting to answer questions
13
Q

What is Cleanup and Restoration?

A

Clean up any disruptions made to the network while carrying out the pen test

14
Q

How long should the report be stored?

A

Store for 30-45 days to answer any questions, and afterwards destroy it so that sensitive info is gone. Destroy all printed and electronic info: any reports, email correspondence, test results, and analysis documents.

15
Q

Post-Testing Actions for Organizations:

A
  • Develop Action Plan: Address security concerns, reduce misuse or threat of attacks, conduct security checks
  • Develop and Implement Data Backup Plan
  • Create Process for Minimizing Misconfiguration Chances: Create a config management process
  • Updates and Patches: Create patch policy
  • Capture Lessons Learned and Best Practices
  • Create Security Policies
  • Conduct Training