D
OCUMENTATION
F
ORMS FOR
P
ENETRATION
T
ESTS
T
he reports in this appendix will give you a good idea of what security testers do and how they should present findings to managers and IT personnel. The sample reports show how methodical a security tester must be and emphasize that nothing should be overlooked or assumed to be unimportant. Security testers must consider all factors that might affect the security of a business.The two reports in this appendix are sample documents shared by ISECOM. Few organizations give examples of documentation for a security test, so these reports will be extremely helpful. Some material in the reports might be beyond the scope of information covered in this book, but remember that you can delve into any areas in which you aren’t well versed.
The first sample report is an executive summary usually given to management staff, who typically aren’t interested in all the details of a security test. Instead, they want a summary of important areas that they can read over quickly to get the bottom line. For these people, you need to emphasize what problems were found and how they can be fixed. The second sample is the technical report that would most likely be given to IT personnel. This type of report includes details of vulnerabilities and exploits as well as possible solutions for the identified problems. Clients who hire security professionals to assess their organizations want a report that details what was found and offers recommendations to help protect their resources. Documentation—the task most IT professionals hate—is probably the most important part of a security professional’s job. When a team is used to conduct a security test, the person most skilled in report writing should handle creating these reports to management and IT staff.
C5515_C 8/24/2005 16:41:21 Page 369
C5515_C 8/24/2005 16:41:26 Page 370
C5515_C 8/24/2005 16:41:31 Page 371
Documentation Forms for Penetration Tests 3
C5515_C 8/24/2005 16:41:35 Page 372
C5515_C 8/24/2005 16:41:40 Page 373
Documentation Forms for Penetration Tests 5
C5515_C 8/24/2005 16:41:44 Page 374
C5515_C 8/24/2005 16:41:49 Page 375
Documentation Forms for Penetration Tests 7
C5515_C 8/24/2005 16:41:53 Page 376
C5515_C 8/24/2005 16:41:58 Page 377
Documentation Forms for Penetration Tests 9
C5515_C 8/24/2005 16:42:2 Page 378
C5515_C 8/24/2005 16:42:6 Page 379
Documentation Forms for Penetration Tests 11
C5515_C 8/24/2005 16:42:10 Page 380
C5515_C 8/24/2005 16:42:14 Page 381
Documentation Forms for Penetration Tests
C
C5515_C 8/24/2005 16:42:18 Page 382
C5515_C 8/24/2005 16:42:21 Page 383
Documentation Forms for Penetration Tests 15
C5515_C 8/24/2005 16:42:25 Page 384
C5515_C 8/24/2005 16:42:29 Page 385
Documentation Forms for Penetration Tests 17
C5515_C 8/24/2005 16:42:32 Page 386
C5515_C 8/24/2005 16:42:36 Page 387
Documentation Forms for Penetration Tests 19
C5515_C 8/24/2005 16:42:39 Page 388
C5515_C 8/24/2005 16:42:42 Page 389
Documentation Forms for Penetration Tests 21
C5515_C 8/24/2005 16:42:46 Page 390
C5515_C 8/24/2005 16:42:49 Page 391
Documentation Forms for Penetration Tests 23
C5515_C 8/24/2005 16:42:52 Page 392
C5515_C 8/24/2005 16:42:55 Page 393
Documentation Forms for Penetration Tests 25
C5515_C 8/24/2005 16:42:58 Page 394
C5515_C 8/24/2005 16:43:1 Page 395
Documentation Forms for Penetration Tests 27
C5515_C 8/24/2005 16:43:3 Page 396
C5515_C 8/24/2005 16:43:6 Page 397
Documentation Forms for Penetration Tests
C
C5515_C 8/24/2005 16:43:8 Page 398
C5515_C 8/24/2005 16:43:11 Page 399
Documentation Forms for Penetration Tests 31
C5515_C 8/24/2005 16:43:13 Page 400
C5515_C 8/24/2005 16:43:16 Page 401
Documentation Forms for Penetration Tests 33
C5515_C 8/24/2005 16:43:18 Page 402
C5515_C 8/24/2005 16:43:20 Page 403
Documentation Forms for Penetration Tests 35
C5515_C 8/24/2005 16:43:22 Page 404
C5515_C 8/24/2005 16:43:24 Page 405
Documentation Forms for Penetration Tests 37
C5515_C 8/24/2005 16:43:26 Page 406
C5515_C 8/24/2005 16:43:28 Page 407
Documentation Forms for Penetration Tests 39
C5515_C 8/24/2005 16:43:29 Page 408
C5515_C 8/24/2005 16:43:31 Page 409
Documentation Forms for Penetration Tests 41
C5515_C 8/24/2005 16:43:33 Page 410
C5515_C 8/24/2005 16:43:34 Page 411
Documentation Forms for Penetration Tests 43
C5515_C 8/24/2005 16:43:35 Page 412
C5515_C 8/24/2005 16:43:37 Page 413
Documentation Forms for Penetration Tests 45
C5515_C 8/24/2005 16:43:38 Page 414
C5515_C 8/24/2005 16:43:39 Page 415
Documentation Forms for Penetration Tests 47
C5515_C 8/24/2005 16:43:40 Page 416
C5515_C 8/24/2005 16:43:41 Page 417
Documentation Forms for Penetration Tests 49
C5515_C 8/24/2005 16:43:42 Page 418
C5515_C 8/24/2005 16:43:43 Page 419
Documentation Forms for Penetration Tests 51
C5515_C 8/24/2005 16:43:44 Page 420
C5515_C 8/24/2005 16:43:44 Page 421
Documentation Forms for Penetration Tests 53
C5515_C 8/24/2005 16:43:45 Page 422
C5515_C 8/24/2005 16:43:45 Page 423
Documentation Forms for Penetration Tests 55
C5515_C 8/24/2005 16:43:46 Page 424
C5515_C 8/24/2005 16:43:46 Page 425
Documentation Forms for Penetration Tests 57
C5515_C 8/24/2005 16:43:46 Page 426
C5515_C 8/24/2005 16:43:47 Page 427
Documentation Forms for Penetration Tests 59
C5515_C 8/24/2005 16:43:47 Page 428
Documentation Forms for Penetration Tests 60