What does AVORD Penetration Test Risk Reporting consist of?
AVORD uses globally recognised standards such as the Penetration Testing Execution Standard (PTES). AVORD penetration test risk reporting simplifies the task of identifying and treating your key cyber risks: all reports are entered directly into the platform in set fields, and a report cannot be sent until it has been completed correctly to our standards. We strive to increase quality and consistency across the reporting process.
Example of the headings that can be found in the AVORD reporting page

The Executive Summary
This section communicates to the reader the specific goals of the penetration test and the high-level findings of the testing exercise. The intended audience is therefore those in charge of company oversight and the strategic vision of the security program, as well as any members of the organization who may be impacted by the identified threats.
The executive summary should contain most if not all of the following sections:

1. Background
The background section should explain to the reader the overall purpose of the test.

2. Overall Posture
This area is a narrative of the overall effectiveness of the test, including the pentesters' ability to achieve the goals set forth within the pre-engagement sessions.

3. Risk Ranking/Profile
The overall risk ranking/profile/score will be identified and explained in this area.
Figure: Risk Appetite/Tolerance
Figure: Penetration Test Risk Reporting – Quality and Consistency

4. General Findings
The general findings provide a synopsis of the issues found during the penetration test in a basic and statistical format.
Figure: Risk Chart

5. Strategic Roadmap
Roadmaps include a prioritized plan for remediation of the insecure items found. This plan should be weighed against the business objectives and the level of potential impact.
Technical Report
This section communicates to the reader the technical details of the test, covering all of the aspects/components agreed upon as key success indicators within the pre-engagement exercise.
The technical summary contains most if not all of the following sections:

6. Introduction
Intended to be an initial inventory of: the personnel involved in the testing from both the Client and the Penetration Testing Team; contact information; the assets involved in testing; the objectives and scope of the test; and the strength of the test approach and the threat grading structure.

7. Information Gathering
Intelligence gathering and information assessment are the foundations of a good penetration test. For example, a tester locates publicly available information related to the client and seeks ways in which it could be exploited to get into the systems.

8. Passive Intelligence
Intelligence gathered from indirect analysis, such as DNS and Google dorking for IP and infrastructure related information. For example, testers can use specific tools to collect email addresses associated with the targeted domains, then use these addresses to initiate social engineering or launch other attacks.

9. Active Intelligence
This section will show the methods and results of tasks such as infrastructure mapping, port scanning, architecture assessment and other footprinting activities.

10. Corporate Intelligence
Information about the structure of the organization, business units, market share, vertical, and other corporate functions. These should be mapped to both the business processes and the previously identified physical assets being tested.

11. Personnel Intelligence
Any and all information found during the intelligence collection phase which maps users to the CLIENT organization.

12. Vulnerability Assessment
Vulnerability assessment is the act of identifying the POTENTIAL vulnerabilities which exist in a TEST and the threat classification of each threat.

13. Exploit/Vulnerability
Exploitation or vulnerability confirmation is the act of triggering the vulnerabilities identified in the previous sections to gain a specified level of access to the target asset.

14. Post Exploitation
One of the most critical items in all testing is the connection to the ACTUAL impact on the CLIENT being tested.

15. Risk/Exposure
Once the direct impact to the business is qualified through the evidence gathered in the vulnerability, exploitation and post-exploitation sections, the risk quantification can be conducted.

16. Conclusion
A final overview of the test. It is suggested that this section echo portions of the overall test as well as support the growth of the CLIENT's security posture.