EC-Council
Module XXXXIII
Penetration Testing Report and Documentation Writing
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Documentation Writing
The documentation report should contain the final results and recommendations to rectify any problem that occurred during the penetration testing process.
The document report includes:
After documentation, submit the document to the client, get their signature on it, and keep a copy of the report.
Summary of Execution
The summary should provide a short, high-level overview of the test.
It should contain the client's name, the testing firm, the date of the test, and so on.
Information about the targeted systems and applications.
End-user test results.
Examine all exploits performed.
The summary should include details of the discovered vulnerabilities.
Result Analysis
The analyzed results should include:
Recommendations
If you simply run a handful of tools and provide a report, then the company will never want to see you again.
Recommendations on their security are very important for the report to be accepted by the customer.
Appendices
Appendices should include:
Contact information.
Screenshots.
Log output.
Executive report
Active report
Host report
Vulnerability report
Payment Card Industry (PCI) report
Executive Report
Generate reports for various hosts, users, and vulnerabilities that were identified, targeted, and exploited during the test process.
Activity Report
Generates a detailed report for various executed exploits.
Source: http://www.coresecurity.com
Host Report
Generate a detailed report on various hosts that were tested.
Source: http://www.coresecurity.com
Vulnerability Report
Generate a report on the various vulnerabilities that were exploited effectively during the penetration testing process.
Source: http://www.coresecurity.com
User Report
Provide information about which links were clicked, when the links were clicked, and who clicked the link.
Display a summarized report on all the users who were identified and targeted during the testing process.
Source: http://www.coresecurity.com
Organization synopsis
Purpose for the evaluation
System description
Summary of evaluation
Major findings and recommendations
Conclusion
Report Format
Your final report must always be in PDF format, unless otherwise requested by your customer.
Delivery
Deliver the report personally and avoid sending the report by email or CD-ROM.
A printed report is the best format.
Report Retention
The pen-test information is very sensitive.
You should only store it for a certain period of time (30-45 days is typical).
You should be able to answer questions during this period.
After the 30-45 days, you should destroy the information from your storage.
This clause is usually mentioned in the contract with the customer before the engagement begins.
Summary
A pentest report covers discovered vulnerabilities, available options, recommendations, and suggestions.
Recommendations are the most important part of the report, since the user implements them to improve the network security.
A pen tester should hand over the sensitive information within 45 days or destroy it from storage.
Create a final report documenting the test findings.
Deliver the report to the concerned officer.