Reporting and Communication Flashcards
Refers to the process of communicating between the client and the tester to determine whether an attack detected during a penetration test is coming from an authorized penetration tester or whether it is a real attack instigated by some third-party hacker.
De-confliction
Refers to the process of communicating between the client and the tester to dial back the intensity of exploits, or even stop them altogether, because of unsafe situations they may be causing.
De-escalation
Refers to a state of shared understanding between the client and the tester regarding the security posture of the client’s network.
Situational awareness
A response header that lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP.
HTTP Strict Transport Security (HSTS)
Command that can be used on Linux systems to configure password aging for user accounts.
chage
- A high-level synopsis of the test and the results
- Typically, this is the first section of the report and is intended for less-technical audiences
Executive Summary
Section of your written report that will usually be constrained by the client’s risk appetite.
Findings and remediation
Section of your written report used to identify the standard or guidelines you followed to conduct the test.
Methodology
- Section of your written report that contains risk ratings
- These ratings allow the reader to prioritize risks as well as make comparisons between penetration tests conducted over time.
Metrics and Measures
Section of your written report that includes recommendations.
Conclusion
Occurs when either the client or the tester decides to change the focus of the penetration test from the agreed-upon scope after the test has already started.
Goal reprioritization
- Involves running the value to be hashed through the hash function multiple times
- Increases the computation time required to hash each password
Key stretching