Preparing the Final Test Report

The major deliverable from any penetration test is the analysis and report delivered to the organization. This report, together with the written authorization obtained before testing began, is what separates a penetration test from an attack. The first section of the final test report must describe the test team's activities in detail: which methods were used, what areas of the infrastructure were targeted, and enough evidence that the organization can reproduce each finding and later verify its fix. The next section should contain details of the vulnerabilities found, and of the areas that were adequately hardened and resisted the attacks. The final section should contain the team's overall analysis, a prioritization of the risks, and recommendations for hardening.

The organization uses this report to guide security activities so that the vulnerabilities that represent the most significant risks are addressed. The report is also used to determine budgets for future infrastructure upgrades.

Identify Gaps and Risk Exposures and Assess Impact

In the first section, the penetration testers describe each of their activities and elaborate on any gaps and vulnerabilities they were able to exploit. They combine this information with knowledge of the organization’s security goals to assess the impact of the gaps and vulnerabilities found during testing.

Once those gaps have been identified, they must be prioritized by risk exposure. It is important to keep in mind that the organization has limited resources—time, money, and personnel—available to close security holes, so the testing team’s findings must be presented in a way that makes it easy to decide where to spend those resources.

Develop Remediation Plans for Closing Identified Security Gaps Prioritized by Risk Exposure

Once the gaps in an organization’s infrastructure are identified, the next step is to develop remediation plans for closing the most important gaps. These plans will vary depending on the gaps identified and should always involve retesting to ensure that the gaps have been adequately closed. Remediation plans should be listed in order of risk exposure.

Prepare Cost Magnitude Estimate and Prioritize Security Solutions Based on Risk Exposure

Remediation of security gaps can be costly in time, effort, and money. The final section of a penetration test report should include a breakdown of the remediation costs, in order of risk exposure. Costs at this stage are order-of-magnitude estimates, not quotes; their purpose is to let the organization weigh each fix against the exposure it removes. Once the costs have been broken down, an executive summary, conventionally placed at the front of the report, gives a quick overview of the bottom line: what it will cost the organization in time, effort, and money to close the most important security gaps in its infrastructure.
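The three steps above (rank gaps by risk exposure, order the remediation plans the same way, then attach a cost-magnitude estimate and a bottom line) can be carried out mechanically once each finding has a score. The following is an added example, not code from the original text, and the scoring model it uses is an assumption: risk exposure is taken as likelihood multiplied by impact, each scored 1 to 5, and remediation cost is an order-of-magnitude figure in hypothetical currency units. The findings are constructed for illustration, not taken from a real engagement.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One gap from the test report. Scores and costs are assumptions for this example."""
    ident: str
    title: str
    likelihood: int          # 1 (unlikely) .. 5 (almost certain) given the controls observed
    impact: int              # 1 (negligible) .. 5 (severe), judged against the org's security goals
    remediation_cost: int    # order-of-magnitude estimate in hypothetical currency units

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{self.ident}: {name} must be 1..5, got {value}")
        if self.remediation_cost < 0:
            raise ValueError(f"{self.ident}: remediation_cost must be non-negative")

    def risk_exposure(self) -> int:
        # Assumed model: exposure = likelihood x impact (range 1..25).
        return self.likelihood * self.impact


def prioritize(findings):
    """Highest exposure first; among equals, the cheaper fix first (more risk removed per unit spent)."""
    return sorted(findings, key=lambda f: (-f.risk_exposure(), f.remediation_cost, f.ident))


def remediation_plan(findings, budget):
    """Walk findings in exposure order and mark which fixes the budget covers.

    A fix that does not fit is deferred rather than stopping the walk, so cheaper
    lower-exposure items can still be funded. Every item carries a retest step,
    since closure must be verified, not assumed.
    """
    plan, spent = [], 0
    for f in prioritize(findings):
        funded = spent + f.remediation_cost <= budget
        if funded:
            spent += f.remediation_cost
        plan.append({
            "id": f.ident,
            "title": f.title,
            "exposure": f.risk_exposure(),
            "cost": f.remediation_cost,
            "funded": funded,
            "cumulative_cost": spent,
            "retest": True,
        })
    return plan


def cost_summary(findings, budget):
    """Bottom line for the executive summary: total, funded and deferred cost."""
    plan = remediation_plan(findings, budget)
    return {
        "budget": budget,
        "total_cost": sum(p["cost"] for p in plan),
        "funded_cost": sum(p["cost"] for p in plan if p["funded"]),
        "deferred_cost": sum(p["cost"] for p in plan if not p["funded"]),
        "deferred": [p["id"] for p in plan if not p["funded"]],
        # A deferred item with high exposure is exactly what the executive summary must flag.
        "highest_exposure_deferred": max((p["exposure"] for p in plan if not p["funded"]), default=0),
    }


# Constructed sample findings (not from a real engagement).
SAMPLE_FINDINGS = [
    Finding("F-01", "Unauthenticated admin interface reachable from the DMZ", 5, 5, 2000),
    Finding("F-02", "Weak TLS configuration on the public web tier", 3, 2, 500),
    Finding("F-03", "SQL injection in the customer portal search form", 4, 5, 8000),
    Finding("F-04", "Verbose error pages leak framework versions", 2, 1, 200),
    Finding("F-05", "Missing patches on an internal file server", 4, 3, 1500),
]

if __name__ == "__main__":
    for p in remediation_plan(SAMPLE_FINDINGS, budget=5000):
        status = "FUND" if p["funded"] else "DEFER"
        print(f'{p["id"]} exposure={p["exposure"]:2d} cost={p["cost"]:5d} {status} '
              f'(cumulative {p["cumulative_cost"]})')
    print(cost_summary(SAMPLE_FINDINGS, budget=5000))
```

With the sample budget of 5000 the highest-exposure item is funded, the SQL injection fix (exposure 20, cost 8000) is deferred, and three cheaper fixes are still funded from what remains; the summary reports the deferred exposure so the reader sees that the budget, not the prioritization, is what leaves that gap open.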
