Module 7

Reporting and Discussing the Results

For the entire time you are performing a pentest, an open line of communication with the client should be maintained. This helps to make sure you are staying within scope and meeting the needs of the client. A clearly defined communication path should be agreed before testing starts, so that you know exactly who you should be communicating with throughout the test, and how to reach them if something urgent comes up. Make sure you have:

What could cause you to communicate with the company?

There are three things that could cause you to communicate with your contacts.

The Report

There is no single standard template for the final report, although the organization you are working for may have one that you are expected to use. Whatever format you use, make sure that your report includes the following items:


It is extremely important that this final report be handled with care. It contains a great deal of information that could put the organization at risk if it fell into the wrong hands: vulnerability details, affected hosts, and often credentials or proof-of-concept material. The report should only be transmitted over an encrypted channel, and the report file itself should be encrypted at rest, with the decryption key or passphrase shared separately from the file. If the report is printed, make sure the copies are destroyed properly once they are no longer needed!

Executive Summary

This is probably the most important section of the report, and the one that the majority of readers will actually read. It is usually written for the C-suite executives, so remember that they are not technical: write it in plain language they can easily understand, state the overall risk to the business, and make clear what needs to be done. Even though this is the first section to appear in the report, it is best practice to write it last. Writing the rest of the report first helps you finalize your findings and settle on your recommendations before you summarize them.

Scope Details

This section simply documents the scope that was outlined and agreed upon. Think of it as a way of recording the agreed scope for historical purposes. Make sure any scope changes made during the engagement are included, along with who approved them.

Methodology

This section is where you get down to the technical details and clearly outline what you did. Make sure you include every type of test you performed, the tools used, and any observations you made. You can be technical here, as the audience for this section will be technical staff and developers. Even so, do not paste code snippets, tool reports or other raw results inline; these belong in the appendix and should be referenced from here. Keep in mind that you want the report to stay readable, and embedding scan output and results in the body will reduce its readability.

Make sure this section is extremely detailed. Another tester should be able to take your methodology and repeat the steps to reach the same results.

Findings and Remediation

This section is the fun part! It describes any and all security issues you found. Not only do you state the issues you found, but you also need to provide a solution to fix each of them. This section should contain a detailed write-up of each vulnerability, a rating using a known reference framework (CVSS, for example), a prioritization of the risk, and the impact the issue could have on daily business operations.

Your findings might include some or all of the following:

Conclusion

In this section you wrap everything up. Summarize your findings and make sure to provide recommendations for future work. Remember, you got paid to do this, so you want to keep that revenue stream open. The conclusion should also compare the risk ratings identified in the report against the organization's risk tolerance. Recall that not everything that is found can be fixed. The company has a finite amount of resources, and this comparison helps them prioritize what to fix first.

Appendix

Any raw findings, scan results or tool reports that were generated during the test can be included in this section and referenced from the methodology and findings sections.

Wrapping it up!

The report has been delivered and discussed, but your job is not done yet. You need to make sure to remove any tools, backdoors, accounts or anything else you created during your testing, and to revert any configuration changes you made. You do not want to leave behind something that could become an issue for the organization in the future, so keep a list of what you changed as you go and confirm with the client that each item has been cleaned up.

Also, if you worked with a team in performing this test, the team should meet and discuss what they learned, what can be improved, and anything else worth raising while the client is not in the room. This is a safe space for the team to discuss anything that can be helpful during the next test.