At the completion of a pentest, the pentest report is a valuable asset for a business. Not only will the report contain a list of vulnerabilities that need to be fixed and remediation steps to follow to reduce the vulnerabilities, but it will also discuss the methodology that was followed for the current engagement and can act as a guide for future penetration tests.
Before jumping into the structure of the report, let’s discuss two important concepts of pentest reports: normalization of data and risk appetite.
Normalization of data
It is important that you document your steps during the penetration test so that you can include them in your penetration report. You should also take screenshots during the penetration test so that you can include the screenshots within the pentest report as well.You also should normalize results so that they are all based on the same scale. For example, some testing tools may use a scale from 1 to 10, while others may use a scale of 1 to 8. You will need to convert the results based on a scale of 1 to 8 to be out of 10 so that all results are normalized and based on the same scale. Also, some tools may report the value of 1 being bad, while 10 is good, while another tool may report 1 as being a good value and 10 is a bad value. In this example, you will need to normalize the data by reversing the scale so that all the data can be plotted on the same chart in the pentest report.
Risk appetite
Risk appetite refers to the level of risk an organization is willing to accept. It is important to understand the organization’s risk appetite because you will need to prioritize the pentest results and provide remediation steps to the customer based on the organization’s tolerance of risk. The recommendations on remediation steps will stem from the results of the vulnerability scan and exploitation, but should also align with the company’s risk appetite. The risk appetite will depend on the function of the organization, for example, if it is an organization that affects public safety then the risk appetite (tolerance) will be low.Report structure
It is important to remember that the purpose of the penetration test is to report on the findings of the pentest and give remediation steps on how to better secure the environment and reduce the risk to attack. The pentest report is a written report of findings and remediation steps that should include the following sections as outlined here.Title page and table of contents
The title page for the report should contain a title for the report, such as “White Box Penetration Testing for Company ABC,” and the name of the company or person who performed the pentest and authored the report. The title page should also show a version number and date for the report.After the title page, the report should include a table of contents that specifies the page references for each of the other parts of the report.
Executive summary
The executive summary is a summary of the pentest for upper-level management or the executive team. It is typically written after the rest of the report has been written. The executive summary contains key information regarding the pentest that you would like to communicate to the executive team, such as the methodology used, the key tasks performed, and a high-level overview of your findings and recommendations.Methodology
The methodology section of the report outlines the types of testing performed during the penetration test, the steps taken during each phase, and how the attacks were carried out. The methodology section also discusses the process used to identify and rate the risks for each vulnerability found and what tools were used by the pentesters.Within the methodology section you should also discuss the metrics and measures used to identify the risk rating for each of the vulnerabilities found during the assessment. For example, you could explain in the risk rating methodology that you are calculating risk by assigning a probability of low, medium, or high to each vulnerability and then assigning an impact of low, medium, or high to each vulnerability. Low has a value of 1, medium has a value of 2, and high has a value of 3.
You can then calculate risk with the following formula:
Risk = probability * impactYou can then display a graphic outlining the scores for low risk (in my example it will be scores from 1 to 3), medium risk (scores 4 to 6), and high or critical risk (scores 7 to 9) as shown.
Graphic designed and created by Brendon ClarkeRisk rating scores for vulnerabilities
Again, this is just an example. You can go with a 4- or 5-number scale for each category of probability and impact, which will give you a bit more variance in the risk rating scores. It is important to show how the risk scores are calculated, and use graphics in your report to help the reader relate to the results. Having a legend showing that low is green, medium is orange, and high or critical is red is also important, as you can use those colors in your findings to draw out critical vulnerabilities.
Findings and remediation
The findings and remediation section of the report is used to discuss the security issues found and the remediation steps to take to fix each security issue. Each security issue should have a paragraph or two describing the security issue and a paragraph describing the remediation steps.For example:
Vulnerability Finding 1: Weak passwords used by user accounts
Impact: High
Likelihood: Medium
Risk Rating: 6
Description: While assessing passwords on the network, it was found that many user accounts are using weak passwords made up of words found in the dictionary. These passwords were easily cracked by the John the Ripper tool.
Remediation: It is recommended that password policies are configured to enforce complex passwords, lock out an account after three failed log-on attempts, keep a password history of 12 passwords, and require passwords to change every 60 days.
Conclusion
The conclusion is the last section in the report and should summarize the results as well as identify any parts of a typical penetration test that were not included in the assessment that the company may want to do in the future. For example, if social engineering was not part of the scope of the penetration test, you could recommend the organization perform social engineering during the next penetration test.In the conclusion of the report, you should also give the organization an overall risk score so that it can compare this result to the overall risk score of future penetration tests. The goal would be to see this risk score get lower with each penetration test.
Secure handling and disposition of reports
The penetration testing report contains a lot of sensitive information about an organization, such as Internet Protocol (IP) addresses of different systems, vulnerabilities that exist for the different systems, and the steps taken to exploit those vulnerabilities. This information is worth gold for a hacker, so you want to be sure to protect and control access to the report.Format
The first point to make about keeping the report secure is that you must store penetration testing reports in an encrypted format to ensure that the information is kept confidential, and there should be a limited number of people who have access to the report. Any hard copies of the report should be kept in a secure location for an agreed-upon time.For the PenTest+ certification exam, remember that the pentest report should always be encrypted, both in storage and in transit.
Storage time
The second point to remember about keeping the report secure is how long the report is stored. The original pentest agreement should specify how long the pentesting organization has a copy of the report in its possession — and it must be stored in a secure location.The purpose for the pentesting organization to hold on to a copy of the report is to be able to answer questions from the customer related to the penetration test. Once the report is no longer needed, the pentest company should securely delete the digital copies and shred the hard copies.