Playing with networked computers beyond their original purpose is fun. But in order to add any value to the administrator’s experience, we need to get to the difficult part: the penetration testing report. We get that this may be boring, but it’s a must for any security professional. Without the report, the actual penetration test is useless. Keep in mind that the report itself is the only tangible product of a penetration test.
Each individual may have their own style of presenting the facts. But there are some general guidelines that you should follow in order to provide a useful report. It must be well written and targeted at the right people. For example, few CEOs understand the meaning of a meterpreter shell attached to a service running on their machines.
Basically the report needs to have a couple of sections: an executive overview and a technical summary. The executive overview must be a summary of the attacks, indicating the possible business impact and possible remedies. Normally this should be a small paragraph; remember that executives are busy people. The technical summary is targeted at the IT staff, so this is where the technical details belong. It should include the adopted methodology, the services provided, as well as results and recommendations for mitigating the risks.
It is up to you to pick your favorite tool for data collection. You need to document your findings as you conduct the pen testing. Usually, the pen testers collect data by capturing screenshots, taking notes, and logging their activity.
When constructing the pen test report, you need to present the facts. This means avoiding statements that are inflammatory, unsupported by the evidence, speculative, or overly frightening. We know that an insignificant issue may have huge potential under certain circumstances. But unless there’s actual proof, don’t get carried away.
Detail each of your findings, and present them as simply as possible. For each finding, describe the threat level, the analysis of the issue, the impact if a threat agent were able to exploit the vulnerability, and the recommendations.
For each vulnerability, a clear description should be included. You need to add information about the source of the vulnerability, its impact, and the likelihood of it being exploited. Describe the cause of the vulnerability, not its symptoms.
The recommendations are also of paramount importance. Without them, the report contains only half of the equation. People come to you for solutions. Therefore, based on the risk rating and the target asset, the pen tester should provide an acceptable recommendation, with alternatives if applicable.
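A pre-delivery check for the finding structure described above, as an added example that is not part of the original article. The field names, the rating scale and the list of speculative phrases are assumptions made here; the sample findings are constructed.

```python
import re

# Fields the article asks for in each finding (field names are this example's own).
REQUIRED = ("title", "threat_level", "cause", "analysis", "impact",
            "likelihood", "recommendation")
LEVELS = ("low", "medium", "high", "critical")  # assumed rating scale
# Assumed markers of speculative or alarmist wording; adapt to your house style.
SPECULATIVE = re.compile(
    r"\b(could potentially|might|possibly|catastrophic|devastating)\b", re.I)

def lint_finding(finding):
    """Return the problems to fix before this finding goes into the report."""
    problems = [f"missing {k}" for k in REQUIRED
                if not str(finding.get(k, "")).strip()]
    level = str(finding.get("threat_level", "")).lower()
    if level and level not in LEVELS:
        problems.append(f"unknown threat_level: {level}")
    if not finding.get("evidence"):
        problems.append("no evidence (screenshot, note or log reference)")
    for k in ("analysis", "impact"):
        hit = SPECULATIVE.search(str(finding.get(k, "")))
        if hit:
            problems.append(f"speculative wording in {k}: '{hit.group(0)}'")
    return problems

def lint_report(findings):
    """Map finding title -> problems, listing only findings that have any."""
    report = {}
    for i, f in enumerate(findings, 1):
        problems = lint_finding(f)
        if problems:
            report[f.get("title") or f"finding #{i}"] = problems
    return report

# Constructed sample findings, not taken from a real engagement.
SAMPLE = [
    {"title": "Default credentials on admin console", "threat_level": "High",
     "cause": "Vendor default password was never changed after deployment",
     "analysis": "Login succeeded with the documented default account.",
     "impact": "Full administrative control of the console.",
     "likelihood": "High", "evidence": ["screenshots/admin-login.png"],
     "recommendation": "Change the password, or restrict console access."},
    {"title": "Verbose error pages", "threat_level": "Low", "evidence": [],
     "analysis": "Stack traces are returned to the client.",
     "impact": "This might lead to a devastating breach.",
     "likelihood": "Low", "recommendation": "Disable debug output."},
]

if __name__ == "__main__":
    print(lint_report(SAMPLE))
```

The second sample finding is flagged three times: it names a symptom but no cause, it has no supporting evidence, and its impact statement speculates beyond what was shown.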
To make things easier for you, we’ve created a penetration test report example.