As you conduct your penetration testing, you will be gathering a great deal of highly sensitive information. You need to ensure that the data is properly handled so that this sensitive information does not fall into the wrong hands. The addresses, network maps, security details, and vulnerabilities you have recorded would give a hacker easy access to the network.
Another set of data you should have gathered is a record of all of the activities you performed on the network, systems, and environment. This will help you and the client to distinguish the activities performed as part of your testing from those of an actual attacker. These might include items such as:
- Access to secure areas.
- Web app compromise.
- Social engineering attacks.
- Compromise of the network with various attacks.
- Pivoting deeper into the network.
- Stealing files.
- Defacing internal sites.
- Evading detection.
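One way to put the activity record to work is to check the client's alerts against it, as in the following added example (not part of the original text). The field names, addresses, times, and the five-minute clock tolerance are all assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data: the tester's activity record and the client's alerts.
TESTER_LOG = [
    {"start": "2024-03-04T09:00", "end": "2024-03-04T09:45", "src": "192.0.2.10",
     "dst": "10.0.5.20", "activity": "Web app compromise"},
    {"start": "2024-03-04T13:10", "end": "2024-03-04T14:00", "src": "10.0.5.20",
     "dst": "10.0.7.8", "activity": "Pivoting deeper into the network"},
    {"start": "2024-03-04T14:05", "end": "2024-03-04T14:30", "src": "10.0.7.8",
     "dst": "10.0.9.3", "activity": "Stealing files"},
]
CLIENT_ALERTS = [
    {"time": "2024-03-04T09:12", "src": "192.0.2.10", "dst": "10.0.5.20", "rule": "SQLi pattern"},
    {"time": "2024-03-04T13:58", "src": "10.0.5.20", "dst": "10.0.7.8", "rule": "SMB lateral movement"},
    {"time": "2024-03-04T22:30", "src": "10.0.5.20", "dst": "10.0.7.8", "rule": "SMB lateral movement"},
    {"time": "2024-03-04T09:20", "src": "198.51.100.77", "dst": "10.0.5.20", "rule": "SQLi pattern"},
]

def _ts(value):
    return datetime.fromisoformat(value)

def deconflict(alerts, tester_log, slack_minutes=5):
    """Label each alert 'pen test' only if source, target and time all match a logged activity."""
    slack = timedelta(minutes=slack_minutes)  # tolerance for clock drift between systems
    results = []
    for alert in alerts:
        when = _ts(alert["time"])
        match = next((entry for entry in tester_log
                      if entry["src"] == alert["src"] and entry["dst"] == alert["dst"]
                      and _ts(entry["start"]) - slack <= when <= _ts(entry["end"]) + slack),
                     None)
        results.append({**alert,
                        "verdict": "pen test" if match else "investigate",
                        "activity": match["activity"] if match else None})
    return results

def undetected(tester_log, results):
    """Logged activities that raised no alert (activity names are assumed unique)."""
    seen = {r["activity"] for r in results if r["verdict"] == "pen test"}
    return [entry["activity"] for entry in tester_log if entry["activity"] not in seen]

if __name__ == "__main__":
    outcome = deconflict(CLIENT_ALERTS, TESTER_LOG)
    for row in outcome:
        print(row["time"], row["src"], "->", row["dst"], row["rule"], "=>", row["verdict"])
    print("No alert raised for:", undetected(TESTER_LOG, outcome))
```

An alert from a tester-used address outside the logged window is deliberately left as "investigate", because an incomplete record cannot vouch for it.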
Pen Test Data Categorization
Recall that, during the pen test, you categorized your client's assets in order to determine how best to approach exploitation. You should perform a similar task after compiling the results of the test. You can categorize your data in whatever way makes sense to both you and the client. It might be beneficial to categorize your findings in terms of the types of assets they relate to. For example, a successful SQL injection can be categorized as a software issue. You can also create subcategories, like web app issues as a subcategory of software issues.
You'll also want to create categories based on the severity level of the vulnerabilities and weaknesses that were discovered during your testing. The items that impact the most people, systems, and data are likely to be high-priority items, while those that affect few people, systems, or data are categorized at a lower level.
Prioritization of Results
Depending on the client's needs, their industry, and other factors, you and the client need to work together to prioritize the results of your testing. The most common approach is to categorize items with terms like critical, high, medium, and low severity levels. You may also choose to apply a number scale to items, like 1 for items of low severity and 10 for the most critical items. Be aware that, in some cases, what seems to be the most urgent item might not be quite as urgent once you account for the organization's need to comply with standards organizations, the existence of older or specialized hardware, or other factors. For example, PCI DSS compliance might be the highest priority for the organization even if there are other vulnerabilities that are marked as a higher severity.
Depending on the client's industry, you might need to consider items such as PII and PHI in addition to other factors such as network accessibility, building accessibility, and the like. These can all influence how you prioritize the results of the pen test. Ultimately, it's important to understand that there is more nuance to results prioritization than just labeling something as "medium" severity because the CVSS says so.
Guidelines for Analyzing Pen Test Data
When analyzing pen test data:
- Gather all of the data you have collected.
- Identify all of the activities you performed to help determine which attacks were carried out by you and which are from attackers.
- Ensure proper handling of all data so it doesn't fall into the wrong hands.
- Categorize data based on the needs of the client.
  - This is most often based on the severity level, but could be based on other factors if the client needs it to be.
- Prioritize the results.
  - Work with the client to identify which items need to be dealt with first.