[Instructor] A penetration testing report is very important because it is the final deliverable of your engagement. It is what you're actually paid to produce as a result of your penetration testing efforts. You should always create a report, even if you're only conducting an internal-only evaluation for your own company. The results of your testing should be fully documented for several reasons. You should also include evidence of what you actually found in the penetration testing report. Now, another thing is that the penetration testing report must be clear and detail the outcome of the test, and in most cases, include recommendations on how to mitigate the vulnerabilities that you actually found.

Now, the audience will vary. You're gonna have people that are executives, that are probably not that technical, and you probably also have as part of your audience a very technical crew, like part of the IT crew for your company or whoever you're doing the pen testing for. So, that's why you should always include an executive summary that will be read by senior management, and then the technical details you can leave for the second portion of the report, and that will be read by the IT or the information security stakeholders.

Now, these are the high-level pen testing report development stages. You start with the report planning, information collection, your first draft, then you review and finalize, and of course, deliver that pen testing report.

So, starting with report planning, you have to consider the audience, as I mentioned to you before. Their need for the report, whether it's operational planning, resource allocation, approval, et cetera. Also, the knowledge of the report and the topic. Right? And you also have to know potentially the personal demographics. And also, who are the people that will have some authority to implement the recommendations that you are suggesting in the pen testing report.

You also have to think about report classification. You have to be aware that the pen testing report will include sensitive information. And as a best practice, you should always ask the people that actually hire you, right, or it can be your boss, how the report should be classified based on the underlying organization's information security or information classification policies.

One of the best practices is also to clearly document how the report will be distributed and the type of report delivery. Like, for example, if you're sending the report over an encrypted email via PGP or S/MIME, or you're actually printing hard copies of the report, and how many copies you actually printed, who do you actually give that report to? And you should perform due diligence to ensure the confidentiality of the test results.

Make sure that you collected all the information in all stages. The systems used, the tools, the evidence of exploitation, how you potentially did post-exploitation techniques to move laterally within the organization, or exfiltrate information, and so on. You should take notes. You should capture screenshots. You should log all activities. And the information collection should start from the beginning, from the moment that you actually start doing the pen testing, all the way to the end.

When you're done with your testing, write a rough draft report using the relevant information that you gathered in the information collection stage.

Now, in the review and finalization phase, peer review is very important. If you are actually just doing this by yourself and doing pen testing as a self-employed person, make sure that you actually either hire somebody to proofread your report, and that somebody is trusted and you actually have a proper non-disclosure agreement or NDA, because the report is actually a sensitive matter. In many cases, you actually will not be able to hire somebody. It all depends on the scenario. It depends on the environment.

Also, make sure that you include risk ratings and at least use things like CVSS, the Common Vulnerability Scoring System, to provide some level of urgency, or to at least rank how important or severe the vulnerabilities that you actually have found are. If you're not familiar with CVSS, I'm sharing a link in here from FIRST.org, which is actually the Common Vulnerability Scoring System standard and the specification document.