Penetration Test Report


Penetration Test Report

by fx0ne

Hi all,

I have been an information security consultant/pen tester for about 6 years working with a company that has been an OSSTMM gold team member for about two years and been using the methodology for close to five years now even though we are mainly operating out of Africa where PT is still being regarded as some sort of "black art". Most of our clients are big financial institutions and conglomerates.

Let me cut to the chase. I would like to share with you a VA/PT report framework that I came up with from my experience consulting in this field. It has a bias towards the OSSTMM methodology (in fact a few points were extracted from its report). I do not know how reports are structured in other parts of the world, but I do know that other than the engagement itself, the report serves to justify the derived value around these parts.

I have googled for sample reports but to say I came up short is a masterpiece of understatement. What I found was either too verbose and grandiose or downright shallow in content, missing salient but pertinent details in mostly audacious attempts at describing all the technical input and results. Detailed layout, logical flow and visual analysis are conspicuous only by their absence.

I have always believed that in order to get inside the mentality, first we have to jettison the PT myth. Furthermore I am also of the opinion that a VA/PT report should be as simple and clear as it is concise and should cut across all strata of audience not just the technically minded.

All these put together led me to put up what is the first draft of the Open Source Security Assessment Report (OSSAR v0.5), which I hope will complement the OSSTMM. This is something that will be updated as often as I can with new information. I kindly request members of this group to download it and give an objective opinion on the material. I am very much interested in what this community thinks. Comments (+ve or -ve), suggestions and modifications are welcome. A review by Pete will also be highly appreciated.

This is a VA/PT report for a fictitious bank called eClipse Bank PLC carried out by another fictitious company, Cynergi Solutions Inc. All names, URLs, IPs, etc. are fictitious. Some of the vulnerabilities discussed have actually occurred for real but I have replaced all the pesky details.

The report is attached or it can be downloaded at http://digitalencode.net/ossar/ossar_v0.5.pdf

Looking forward to your feedback.

Thank you

RE: Penetration Test Report

by Frye, Dan

I agree with your points on a report being simple and direct without the
"fluff" that seems to be regarded as necessary by some (most?) PT
vendors (I've already bought the service, I don't need the sales pitch
on what your other offerings are or 4 pages of company history).

Something I would add is that PT vendors habitually provide a "report"
but a "report" isn't what I really need (you are correct that in most
orgs "the report serves to justify the derived value around these
parts"). In every PT/VA they *always* come back with something, even if
it's a couple pages of informational "you shouldn't do this" which for
some business reason or another you've been forced to accept on your
LAN/WAN. However, it's always necessary as a security manager/CSO/CISO to
take that information and go evaluate it - is the business case still
valid? But a report doesn't help me do that - it gives me a 70 page
document to give to management, who doesn't read it because it's 70
pages and then I have to make heads or tails from it. Assuming you have
some critical, highs, etc in there too makes it even more important to
go evaluate the report contents.

What I really need (speaking as a generic security manager) is
"actionable documentation". Taking my target audience into
consideration, here's what I can find useful.

- An executive report no more than 2 pages in length which I can use as
a talking agenda during a 15 minute briefing. Graphs like "attack
complexity vs mean time to patch" help identify the quick wins with the
most risk, "% breakdown of criticality levels (critical, high, low,
etc)" to speak to the criticality of our specific attacks, etc. There
are a lot of neat ways to cut up the metrics to help get your point
across to Exec mgmt but a 70 page report is not it.

- A working list of vulnerabilities, their priority, with extra columns
of team ownership (unix, dba, windows, etc). If I got the report you
submitted as part of a real engagement the tables in section 6.4 would
immediately be copied into a spreadsheet, I'd tack on a few columns
specific for my environment like owner, due date, status update, handler
notes, etc, then send to my department heads. So why make that extra
step? Provide that report in an XLS already, easily modifiable, and you
just saved me half a day of copy and paste work. Maybe a DB extract as
well, although it's pretty trivial to export from xls to a csv and
import in your vuln tracking system.

- Break down the vulns in multiple ways. Most PT/VA vendors do it by
criticality, but that doesn't help show me the real picture of my
environment. Are all the high vulns in my web application, and all the
lows in my Unix servers? At least make a stab at trending the data. Even
applying 30 minutes to looking for patterns will pay its weight in gold
with a client. Help them find their process flaws - better server
patching, a particular application that has the majority of the holes,
etc. is where you can really derive good business intelligence, past the
specific action items of remediating the vulns found. And that adds
value to you as an organization which differentiates you from your
competitors.

- Send me something I can modify - doc, csv, xls. PDF is great... but a
bear to transform into what I can disseminate internally to my teams,
management, etc. I wouldn't even suggest sending a 70 page report out to
a non-security guy/gal.

- Examples, screenshots, how-to. That's in the doc towards the back and
is good info - nothing proves your point better than a real example.
Most times mgmt or the business unit will look at you and say "prove it"
or "show me" and those go a long way towards getting them to take
action.

That's my 2 cents, hope it helps,

Daniel


-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On Behalf Of fx0ne
Sent: Wednesday, July 08, 2009 12:13 PM
To: pen-test@...
Subject: Penetration Test Report



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
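As an added illustration of the "actionable documentation" Dan asks for (example code written for this page, not part of the thread or of OSSAR): a small Python script that takes a findings table like the one in the report's section 6.4, adds the owner/due-date/status columns he tacks on, exports it as CSV, and cuts the same data by criticality and by owning team so that patterns such as "all the highs in the web app, all the lows on Unix" stand out. The findings list is constructed sample data.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample findings standing in for the report's section 6.4 tables.
FINDINGS = [
    {"id": "F-01", "title": "SQL injection in login form", "severity": "Critical", "host": "web01", "team": "webapp"},
    {"id": "F-02", "title": "Session cookie without Secure flag", "severity": "High", "host": "web01", "team": "webapp"},
    {"id": "F-03", "title": "Reflected XSS in search page", "severity": "High", "host": "web02", "team": "webapp"},
    {"id": "F-04", "title": "Outdated OpenSSH banner", "severity": "Low", "host": "db01", "team": "unix"},
    {"id": "F-05", "title": "NTP server responds to monlist", "severity": "Low", "host": "app01", "team": "unix"},
    {"id": "F-06", "title": "SMB signing not required", "severity": "Medium", "host": "dc01", "team": "windows"},
    {"id": "F-07", "title": "Database listener reachable from user LAN", "severity": "High", "host": "db01", "team": "dba"},
    {"id": "F-08", "title": "ICMP timestamp disclosure", "severity": "Low", "host": "app02", "team": "unix"},
]

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}
TRACKING_FIELDS = ["id", "title", "severity", "host", "team", "owner", "due_date", "status", "notes"]

def tracking_rows(findings):
    """Order by criticality and add the columns a client tacks on before sending to department heads."""
    ordered = sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["id"]))
    return [dict(f, owner="", due_date="", status="open", notes="") for f in ordered]

def to_csv(findings):
    """The 'send me something I can modify' deliverable: CSV that imports straight into a spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=TRACKING_FIELDS)
    writer.writeheader()
    writer.writerows(tracking_rows(findings))
    return buf.getvalue()

def breakdown(findings, key):
    """Count findings per value of `key` (severity, team, host ...)."""
    return dict(Counter(f[key] for f in findings))

def shares(findings, key="severity"):
    """Percentage breakdown, e.g. for the executive summary's criticality chart."""
    counts = breakdown(findings, key)
    total = sum(counts.values())
    return {k: round(100 * n / total, 1) for k, n in counts.items()}

def crosstab(findings, row_key="team", col_key="severity"):
    """Team x severity table: are all the highs in the web app and all the lows on Unix?"""
    table = defaultdict(Counter)
    for f in findings:
        table[f[row_key]][f[col_key]] += 1
    return {row: dict(cols) for row, cols in table.items()}

def hotspots(findings, key="team", min_share=0.5):
    """Groups holding at least `min_share` of all Critical/High findings: candidate process flaws."""
    serious = [f for f in findings if SEVERITY_ORDER[f["severity"]] <= 1]
    if not serious:
        return []
    counts = Counter(f[key] for f in serious)
    return [group for group, n in counts.items() if n / len(serious) >= min_share]
```

Call to_csv(FINDINGS) for the tracking sheet and crosstab(FINDINGS) or hotspots(FINDINGS) for the team-by-severity view; on the sample data the web application team holds three of the four Critical/High findings.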




Re: Penetration Test Report

by Randy Pacheco

Aloha,

I agree with the comments that too long a report makes no one want to read it. Even myself. It took us numerous attempts to change our report style until we were able to come up with a style that works with the Credit Union executives, board members and their third-party vendor that takes care of their infrastructure. We did not want to tell them what to do but rather showed the flaw, gave feedback and talked about best practice. We learned that Credit Unions will take your recommendations at face value and try to do what you recommend. The issue here is that when you recommend something and the Credit Union uses it, they can come back to you and hold you responsible for the recommendation if they were to get compromised. We did not want to be in that situation, so we stepped back and used the words "best practice", which does cover us.

At the end of our report we use the appendix to show the vulnerabilities in different formats for ease of reading. In the actual body of the report we only highlight the most important. But we also take it further. We look for security policies, backup policies, business continuity plan, user policies, vendor policies, firewall policies, website policies, infrastructure documentation, inventory documents, user access policy and PCI compliance training for employees. We feel that if we are going to do an assessment, it should be done as if we were the owners of the business and cover what we would want to show the NCUA to demonstrate that we are complying.





On 7/8/09 6:12 AM, "fx0ne" <seyi.akin@...> wrote:

>
> Hi all,
>
> I have been an information security consultant/pen tester for about 6 years
> working with a company that has been an OSSTMM gold team member for about
> two years and been using the methodology for close to five years now even
> though we are mainly operating out of Africa where PT is still being
> regarded as some sort of "black art". Most of our clients are big financial
> institutions and conglomerates.
>
> Let me cut to the chase. I would like to share with you a VA/PT report
> framework that i came up with from my experience consulting in this field.
> It has a bias towards the OSSTM methodology (infact a few points were
> extracted from it's report). I do not know how reports are structured in
> other parts of the world, but i do know that other than the engagement
> itself, the report serves to justify the derived value around these parts.
>
> I have googled for sample reports but to say i came up short is a
> masterpiece of understatement. What i found were either too verbose and
> grandiose or downright shallow in content missing out salient but pertinent
> details in mostly audacious attempts at describing all the technical input
> and results - Detailed layout, logical flow and visual analysis are
> conspicuous only by their absence.
>
> I have always believed that in order to get inside the mentality, first we
> have to jettison the PT myth. Furthermore I am also of the opinion that a
> VA/PT report should be as simple and clear as it is concise and should cut
> across all strata of audience not just the technically minded.
>
> All these put together led me to put up what is the first draft of the Open
> Source Security Assessment Report (OSSAR v0.5) which i hope will complement
> the OSSTMM. This is something that will be updated as often as i can with
> new information. I will kindly request members of this group to download it
> and give an objective opinion on the material. I am very much interested in
> what this community thinks. Comments (+ve or -ve), suggestions and
> modifications are welcomed. A review by Pete will also be highly
> appreciated.
>
> This is a VA/PT report for a fictitious bank called eClipse Bank PLC carried
> out by another fictitious company Cynergi Solutions Inc. All names, URLs,
> IPs, etc are fictitious. Some of the vulnerabilities discussed have actually
> occurred for real but i have replaced all the pesky details.
>
> The report is attached or it can be downloaded at
> http://digitalencode.net/ossar/ossar_v0.5.pdf
>
> Looking forward to your feedback.
>
> Thank you

--
Randal Pacheco






Re: Penetration Test Report

by Brad Barkett

Verbosity is one of the top problems in security today. Everyone is
online, and everyone seems to think everyone else wants to read their
novellas, even though everyone else is sending along their own
novellas as well. Who has the time for all of it? It's narcissistic.

Terseness is a top value in business and on the net, now more than
ever. Commercial and even custom vulnerability reports are filled with
ridiculous amounts of fluff. All the average person wants to know is,
"How do I get rid of this?"

Say that as concisely as possible, and you're good.

--
Bradley A. Barkett



Re: Penetration Test Report

by fx0ne

Hi guys,

I have been a bit busy of late but recently made some amendments to OSSAR (v1.0) based on the feedback received from forum members. I'm pretty sure I have omitted some suggestions because of my pressing schedule. Therefore, in addition to the pdf copy, an editable version in Open Office odt format is also provided. The documents can be downloaded here:

http://inverse.com.ng/ossar/ossar_v1.0.pdf
http://inverse.com.ng/ossar/ossar_v1.0.odt

Any feedback will be highly appreciated. Thanks

Re: Penetration Test Report

by Adriel T. Desautels

My first recommendation is to get rid of some of the images. Images like padlocks, network devices, etc. have nothing to do with the report and are nothing more than filler. They make it look cheap.


On Oct 15, 2009, at 2:01 PM, fx0ne wrote:

>
> Hi guys,
>
> I have been a bit busy of late but recently made some amendments to  
> OSSAR
> (v1.0) based on the feedback received from forum members. I'm pretty  
> sure I
> have omitted some suggestions because of my pressing schedule.  
> Therefore, in
> addition to posting both the pdf copy, an editable version in Open  
> Office
> odt format is also provided. The documents can be downloaded here:
>
> http://inverse.com.ng/ossar/ossar_v1.0.pdf
> http://inverse.com.ng/ossar/ossar_v1.0.odt
>
> Any feedback will be highly appreciated. Thanks
> --
> View this message in context: http://www.nabble.com/Penetration-Test-Report-tp24393503p25913294.html
> Sent from the Penetration Testing mailing list archive at Nabble.com.
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification  
> Review Board
>
> Prove to peers and potential employers without a doubt that you can  
> actually do a proper penetration test. IACRB CPT and CEPT certs  
> require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------
>



--
Adriel T. Desautels
ad_lists@...

Subscribe to our blog
http://snosoft.blogspot.com

