- Vulnerabilities should be checked to ensure the content (including risk scores) are relevant for the assessment. The blocks/issues are foundations to work from and should be improved upon where possible to add value.
- Dont copy stock issues from tools like Nessus.
- The executive summary should be written for a non-technical audience - this takes a bit of practice but try to avoid technical lingo as much as possible. You want to ensure that you include a good overview of the assessment results; What the issues are, what an attacker can do with them, what the business risks are and what you recommend the client should do to remediate the issue (root cause etc).
- Ensure you're confirming issues raised by any VA solutions and evidencing the results.
- Try to read the report and make sure that sentences are complete (not missing words), grammar is correct and formatting is consistent. Double check there aren't any rogue placeholders.
Report Data Normalization
Data normalization is a term often associated with databases. In this sense, the database designer is looking to create a cohesive set of data that reduces data redundancy and increases data integrity. Sometimes your data might be presented to the client in a database, so this makes perfect sense. If you are instead creating a document in a text format or other non-database format, you still want to apply those same principles of reducing redundancy and increasing integrity. For example, data from disparate sources that describes the same event can be consolidated to reduce confusion.
Also, the report is likely to be read by a variety of audiences. This might include board members, end users, and technical administrators. They all need to be able to read through and understand your findings and recommendations. So, you need to target your reports to account for these differences. There might be sections for executive summaries for those who only need a high-level understanding. There might be links to more technical information that end users might find too confusing. Essentially, you want to normalize data in the report to make it as clear to the target audience as possible, all while minimizing extraneous information that just contributes to the noise.
You can create a report that includes all of the information from your testing. A typical pen test report includes the sections identified in the following table. These sections can then be pulled together in various combinations depending on the audience. Within the sections you can also have subheadings containing more detailed content that would be better suited for one audience or another. If this is stored in a repository of some sort, the pieces needed for each audience can be pulled into a report designed specifically for that audience.
The amount of risk an organization is willing to accept, or its risk appetite, must be determined by each organization. Risk appetite refers to the amount and type of potential vulnerabilities and threats the organization is willing to tolerate and endure. This is another balancing act as the organization determines how much risk they are willing to endure versus how much it would cost to mitigate the risk and the difficulty of implementing mitigation strategies.
The client's key stakeholders need to determine their risk appetite by answering questions such as:
- What losses would be catastrophic to the organization?
- What processes, technology, or other assets can be unavailable and still enable the organization to function, and for how long?
- What assets, processes, information, or technology must be available at all times, and cannot be made public or be accessed by unapproved persons?
- Are there any circumstances that could result in personal harm to anyone dealing with the organization, be it employees, customers, business partners, or visitors?
Your pen test report should account for the client's risk appetite. For example, you can determine the level of risk a vulnerability poses by using the standard "Probability x Impact" formula. Then, you can compare the result of this assessment to the organization's risk appetite and determine whether or not the risk falls within the accepted tolerance level. You can do this in a number of ways, including visually through charts and graphs. This will help the client organization better understand the impact of a risk than if you had simply quantified the risk without regard to the client's appetite.
Because pen test reports contain highly detailed information about the areas that are vulnerable to attack, you and the client will both need to take precautions to prevent the reports from falling into the wrong hands. If possible, store the reports on a secure server and don't pass the report via external drives. Within the client organization, the file system should be secured so that only the appropriate personnel are able to view the details of the full report. There are likely some parts of the report that need to be made available to additional personnel. For this reason, consider storing reports in repositories where pieces and parts of the report can be secured with varying levels of access.
In addition to access control, encrypting the reports in storage will go a long way toward making sure unauthorized parties cannot read them and glean sensitive data. You also need to determine how long to store the report for in order to minimize the risk it poses. Discuss with the client the expected storage time for the report.
To help maintain document control of stored reports, you should consider implementing the following components in the reports.
The cover page typically includes the name of the report, the version and date, the author (either the name of the person or the organization that is conducting the testing), and target organization name.
This might be just in the electronic version of the document, or it might be printed as a table in the document. In either case, it typically includes the document title, version number, author of the report, and date of the last revision. It might also include other fields such as the names of the pen test team members, names of those who have accessed and viewed the report, approver name if stored in a system that allows documents to be approved or rejected (such as SharePoint), and document classification information (as determined by the testers or target organization as defined in the SOW).
This is typically implemented as a table to track changes made to the report. The tracked information includes a description of any changes that are made, who made the changes, the date of the change, and the updated version number (it might be a full version increment or a "point" version, again based on the terms defined in the SOW).
The following are some best practices for the secure handling of reports:
- Maintain the confidentiality of reports and their contents.
- Maintain the integrity of reports and their contents.
- Ensure reports are always available to the relevant audience.
- Ensure reports are secure in transit across a network.
- Minimize the transmission of reports across a public network like the Internet.
- Ensure reports are secure in storage.
- Protect reports and their contents from accidental disclosure.
- Maintain audit logs for users accessing reports.
- Maintain a chain of custody when transferring ownership of reports.
- Maintain version control for changes to reports.
Report disposition is the formal process of transferring the report to the care or possession of the primary authorized recipient. You are giving the report over to the client, at which point they become responsible for the report and its contents.
The report disposition should include all documentation, multiple copies (possibly printed and electronic), and acknowledgments and sign-off by the recipient. It should be up to the client's authorized recipient to distribute copies. If others request copies from the pen test team, the team should refer them to the authorized recipient.
At this point, after you have given over the report, you should move (not copy, but move) your copy to a backup storage location and remove it from your active work area. This will help protect the data if someone were able to attack your systems and gain access to the data.
Note: "Disposition" can also refer to the general tone of the report or the approach that it takes.