Ethical Hacking and Penetration Testing Guide
◾ Ethical Hacking and Penetration Testing Guide Remediation Report
Yüklə 22,44 Mb. Pdf görüntüsü
|
- Bu səhifədəki naviqasiya:
- Vulnerability Assessment Summary
- Tabular Summary
|
12
◾ Ethical Hacking and Penetration Testing Guide Remediation Report Next up we have the remediation report, which contains the overall recommendations that once implemented would increase the security of the organization. This is specifically an area of interest for the management class, as they are the ones that are going to enforce the security policies of an organization. As mentioned earlier, these guys may or may not be technical; therefore our remediation report should be very precise and easy to understand. Things that could improve overall security such as implementing SDLC, a firewall, and an intrusion detection system should be recommended. The following is an example of how a remediation report should look like: Vulnerability Assessment Summary Next, we have the vulnerability assessment summary, sometimes referred to as “findings sum- mary.” This is where we present the findings from our engagement. Things such as the overall strengths and weaknesses and risk assessment summary can also be included under this section. “A picture speaks a thousand words” is a brilliant quotation that all of us remember from our childhood, don’t we? Behold, for now it’s time to see the actual use of it. It always helps to include charts in your report, which would give the audience a better understanding of the vulnerabilities that were found. Security executives might be interested in this portion of the report as they would need to enforce the countermeasures. Introduction to Hacking ◾ 13 There are different ways for representing vulnerability assessment outputs in the form of graph- ical charts. Personally, I include two graphs; the first one classifies the vulnerability assessment on the basis of the severity and the second one on percentage. Vulnerabilities by severity Percent of vulnerabilities by severity 8 7 6 5 4 3 2 1 0 Critical Critical High High Medium Medium 29% 21% 0% 50% Low/info Low/info 0 3 4 7 Next, I include a “vulnerabilities breakdown” chart, where I talk about the findings for a par- ticular host followed by the number of vulnerabilities that were found. Vulnerabilities breakdown S # IP Address Hostname Critical High Medium Low/Info 0 0 7 4 14 6 3 2 Services.rafayhackingarticles.net Tools.rafayhackingarticles.net 1 2 192.254.236.66 192.254.236.67 Tabular Summary A tabular summary is also a great way to present the findings of a vulnerability assessment to a customer. The following screenshot comes directly from the “NII Report” and summarizes the vulnerability assessment based upon the number of live hosts and also talks about the number of findings with high, moderate, or low risk. Category Systems vulnerability assessment summary Description Number of live hosts 50 14 6 9 High, medium, and info severity vulnerabilities Number of vulnerabilities 29 |