10 ◾ Ethical Hacking and Penetration Testing Guide
Writing Reports
Now we are going to get into the essentials of the reporting phase, which will teach you about the
structure of a report. We have already discussed what a good report should look like, and I pointed
out that knowing your audience is essential. One of the key qualities of a good report is that it
meets the needs of each audience and is presented in a clear and understandable manner.
The next major part of writing a report is the analysis, where we perform a risk assessment and
calculate the overall risk to the organization based upon our findings; along with this, your report
should also provide remediation guidance on how the risk can be averted.
Structure of a Penetration Testing Report
Let’s look step by step at how a good report should be laid out. At the end of this chapter, I have
provided links to some of the best reports that have been made publicly available.
Cover Page
We start with the cover page; this is where you include details such as your company logo, the
title, and a short description of the penetration test. I would suggest you hire a good designer
and work on a professional and appealing cover page, because a cover page that looks great
makes a good first impression on the customer reading it.
Table of Contents
On the very next page, you should have an index so that readers interested in a particular
portion of the report can easily skip to it.
Executive Summary
As the name suggests, the executive summary is the portion specifically addressed to executives
such as the CEO or the CIO of the company. The executive summary is the most essential part of
a penetration testing report; a good executive summary can make all the difference between a
good report and a bad one.
Since the executive summary is written specifically for a nontechnical audience, you should make
sure that it is presented in a way that is easily comprehensible. The following are some of the
essential points you should take into consideration while writing an executive summary.
◾ Since executives are very busy, they have minimal time to invest in reading your reports.
Therefore, you should make sure that your executive summary is precise and to the point.
◾ Your executive summary should start by defining the purpose of the engagement and how
it was carried out. Things such as the scope should be defined, but very concisely.
◾ Next, you should explain the results of the penetration test and the findings.
◾ Following this, you should discuss the overall weaknesses in general and the countermeasures
that were not implemented, which allowed the vulnerabilities to exist in the first place.
◾ Next comes the analysis part; this is where you should write about the overall risk that was
determined based upon your findings.
◾ And, finally, you should write about the extent to which the risk would decrease after addressing
the issues and implementing the appropriate countermeasures.
The following is an example of an executive summary that we wrote for a customer. I would
suggest you spend some time reviewing the essential points discussed above and comparing them
with the executive summary that follows.