What does AVORD Penetration Test Risk Reporting consist of?

AVORD uses globally recognised standards such as the Penetration Testing Execution Standard (PTES). AVORD penetration test risk reporting simplifies the task of identifying and treating your key cyber risks. All reports are entered directly into the platform in set fields, and a report cannot be sent until it has been completed correctly to our standards. We strive to increase quality and consistency across the reporting process.

Examples of the headings found on the AVORD reporting page

The Executive Summary

This section communicates to the reader the specific goals of the penetration test and the high-level findings of the testing exercise. Therefore the intended audience will be those in charge of company oversight and the strategic vision of the security program, as well as any members of the organization who may be impacted by the identified threats.

The executive summary should contain most if not all of the following sections:

1. Background

The background section should explain to the reader the overall purpose of the test.

2. Overall posture

This area is a narrative of the overall effectiveness of the test, for example the pentester's ability to achieve the goals set forth within the pre-engagement sessions.

3. Risk Ranking/Profile

The overall risk ranking/profile/score will be identified and explained in this area.

Risk Appetite/Tolerance


4. General Findings

The general findings provide a synopsis of the issues found during the penetration test in a basic and statistical format.

Risk Chart

5. Strategic Roadmap

Roadmaps include a prioritized plan for remediation of the insecure items found. This plan should be weighed against the business objectives and the level of potential impact.

Technical Report

This section communicates to the reader the technical details of the test, covering all of the aspects/components agreed upon as key success indicators within the pre-engagement exercise.

The technical summary contains most if not all of the following sections:

6. Introduction

Intended to be an initial inventory of the personnel involved in the testing from both the client and the penetration testing team, their contact information, the assets involved in testing, the objectives and scope of the test, the strength of the test approach and the threat grading structure.

7. Information Gathering

Intelligence gathering and information assessment are the foundations of a good penetration test. For example, a tester locates publicly available information related to the client and looks for ways it could be exploited to get into the systems.

8. Passive Intelligence

Intelligence gathered from indirect analysis such as DNS and Google dorking for IP and infrastructure related information. For example, specific tools can be used to collect email addresses associated with the targeted domains, which could then be used to initiate social engineering or launch other attacks.

9. Active Intelligence

This section will show the methods and results of tasks such as infrastructure mapping, port scanning, architecture assessment and other footprinting activities.

10. Corporate Intelligence

Information about the structure of the organization, business units, market share, vertical, and other corporate functions. These should be mapped to both business process and the previously identified physical assets being tested.

11. Personnel Intelligence

Any and all information found during the intelligence collection phase which maps users to the CLIENT organization.

12. Vulnerability Assessment

Vulnerability assessment is the act of identifying the POTENTIAL vulnerabilities which exist in the tested environment and the threat classification of each.

13. Exploit/Vulnerability

Exploitation, or vulnerability confirmation, is the act of triggering the vulnerabilities identified in the previous sections to gain a specified level of access to the target asset.

14. Post Exploitation

One of the most critical items in all testing is the connection to the ACTUAL impact on the CLIENT being tested.

15. Risk/Exposure

Once the direct impact to the business has been qualified through the evidence recorded in the vulnerability, exploitation and post exploitation sections, the risk quantification can be conducted.

16. Conclusion

A final overview of the test. It is suggested that this section echo portions of the overall test as well as support the growth of the CLIENT security posture.
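As an added illustration (example code, not AVORD's platform code) of the set-field gate and risk roll-up described above: the report cannot be sent until every section is filled in, the General Findings risk chart is computed from the findings, and a finding only contributes to the Risk Ranking once its impact is qualified by evidence from the exploitation and post exploitation sections. The section names follow the page; the likelihood/impact scale, severity thresholds and sample findings are assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Required headings, taken from the report layout described above.
REQUIRED_SECTIONS = (
    "Background", "Overall Posture", "Risk Ranking/Profile", "General Findings",
    "Strategic Roadmap",  # executive summary
    "Introduction", "Information Gathering", "Vulnerability Assessment",
    "Exploit/Vulnerability", "Post Exploitation", "Risk/Exposure", "Conclusion")

@dataclass
class Finding:
    title: str
    likelihood: int   # 1 (rare) to 5 (almost certain); assumed scale
    impact: int       # 1 (negligible) to 5 (severe); assumed scale
    evidence: str = ""  # exploitation / post-exploitation evidence
    def score(self) -> int:
        return self.likelihood * self.impact  # 1..25

def severity(score: int) -> str:
    """Map a likelihood x impact score to a band; thresholds are assumed."""
    if score >= 20: return "Critical"
    if score >= 12: return "High"
    if score >= 6: return "Medium"
    return "Low"

def missing_sections(report: dict) -> list:
    """Set fields that are absent or blank, which block sending the report."""
    return [s for s in REQUIRED_SECTIONS if not str(report.get(s, "")).strip()]

def risk_chart(findings) -> dict:
    """General Findings statistics: number of findings per severity band."""
    return dict(Counter(severity(f.score()) for f in findings))

def overall_risk(findings) -> str:
    """Risk Ranking/Profile: band of the worst finding that has evidence."""
    scored = [f.score() for f in findings if f.evidence.strip()]
    return severity(max(scored)) if scored else "Low"

def can_submit(report: dict, findings) -> tuple:
    """Gate: every section filled and every finding's impact qualified by evidence."""
    problems = [f"missing section: {s}" for s in missing_sections(report)]
    problems += [f"no evidence: {f.title}" for f in findings if not f.evidence.strip()]
    return (not problems, problems)

# Constructed sample input (not real engagement data).
SAMPLE_FINDINGS = [Finding("Default admin credentials", 4, 5, "logged in as admin"),
                   Finding("Verbose error page", 3, 2, "stack trace captured"),
                   Finding("Outdated TLS configuration", 2, 2)]
SAMPLE_REPORT = {s: f"{s}: filled in" for s in REQUIRED_SECTIONS}
```

With the sample data, `can_submit` refuses the report because the third finding has no evidence, and `overall_risk` reports the Critical band from the one qualified high-scoring finding.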

Find out more about the AVORD platform

Quality and consistency is at the heart of everything we do