Penetration testing (or pen testing) should form a crucial part of every cyber security strategy, but to get the most value from assessments, organisations need to ensure that they receive the best quality reports from providers.
Some organisations make the mistake of treating pen testing as a tick-box exercise, merely to satisfy one compliance requirement before moving onto the next. This approach will fail to deliver the security improvements organisations need to keep pace with the latest threats – remedial action is vital.
To help facilitate the remediation process, all externally sourced pen testing should deliver actionable guidance to drive tangible security improvements. This blog outlines five things you should expect from a penetration test report.
1. A detailed outline of identified security risks
Naturally, the first thing to ensure is that all vulnerabilities uncovered during the period of testing are covered in sufficient detail.
To help all key stakeholders understand testing results, a good pen test report will typically include an executive summary highlighting key findings. A more detailed description of the technical details and practical implications of each vulnerability should be outlined later in the report.
A human-led penetration test will uncover complex exposures that sit beneath the surface and are routinely missed by automated scanning tools. In a pen test report, you should expect to see an explanation of where these deeper vulnerabilities lie, which assets are affected, how they were discovered and what an attacker could do if the vulnerabilities are left unaddressed.
2. A business impact assessment
In order to help stakeholders understand the priority level of vulnerabilities identified, pen testing reports should also include analysis of the potential business impact of each issue.
By default, many automated testing tools assign a numerical vulnerability score, often mapped to the Common Vulnerability Scoring System (CVSS). However, in isolation, these scores are of limited value – they fail to take into account which vulnerabilities are being actively exploited in the wild and how they relate to an organisation’s specific risk profile.
To enhance value, a pen test report should be compiled by a security expert who can employ a more sophisticated scoring system that assigns both a comparable score (critical/high/medium/low) and an accompanying explanation of what this means for the business in question.
A critical vulnerability, for example, would refer to an issue that could lead to a complete compromise of an asset or network, with potential for significant financial and reputational damage, such as an ecommerce application with an unauthenticated SQL injection flaw. High, medium and low impact vulnerabilities cover all other issues that have potential to impact confidentiality, integrity or availability.
Organisations should also expect to be informed of ‘informational’ issues – any slight deviations from security best practice which, while causing minimal immediate risk, may pose a greater threat in future.
3. Insight into exploitation difficulty
A closely related factor, with implications for risk scoring, is exploitation difficulty. Severity cannot be effectively analysed without looking at whether a vulnerability could be realistically exploited by an attacker.
A key benefit of penetration testing is that it goes beyond the scope of more basic security assessments by not just identifying vulnerabilities, but also attempting to exploit them.
A typical exploitation difficulty scale in a report will range from easy (where exploitation is trivial and requires only basic tools and expertise) to difficult (requiring expert hacking and development skills, as well as significant time and effort). The most advanced vulnerabilities may be assigned a state-level difficulty, whereby attacks may be only theoretical and would require vast resources to execute.
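To make the scoring described in sections 2 and 3 concrete, here is an added Python sketch (an illustrative scheme, not Redscan's methodology or code from any product) that takes a scanner's CVSS base score, the tester's exploitation-difficulty rating and the business criticality of the affected asset, and produces the comparable rating and headline counts a report would carry. The weighting tables, the asset classes and the sample findings are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed weights: how far exploitation difficulty and asset criticality
# move a finding away from its raw CVSS band. Purely illustrative values.
DIFFICULTY = {"easy": 1.0, "moderate": 0.75, "difficult": 0.5, "state-level": 0.25}
ASSET_WEIGHT = {"crown-jewel": 1.25, "standard": 1.0, "isolated": 0.75}
ORDER = ["critical", "high", "medium", "low", "informational"]

@dataclass
class Finding:
    title: str
    asset: str
    cvss: float                        # scanner's CVSS base score, 0.0-10.0
    difficulty: str                    # easy | moderate | difficult | state-level
    asset_class: str                   # crown-jewel | standard | isolated
    best_practice_only: bool = False   # deviation from best practice, no direct exploit path

def cvss_band(score: float) -> str:
    """Plain CVSS v3 qualitative bands, as an automated tool would report them."""
    if score >= 9.0: return "critical"
    if score >= 7.0: return "high"
    if score >= 4.0: return "medium"
    if score >= 0.1: return "low"
    return "informational"

def report_rating(f: Finding) -> str:
    """Comparable report rating: CVSS adjusted for exploitability and business context."""
    if f.best_practice_only:
        return "informational"          # reported, but separated from exploitable issues
    adjusted = min(10.0, f.cvss * DIFFICULTY[f.difficulty] * ASSET_WEIGHT[f.asset_class])
    return cvss_band(adjusted)

def prioritise(findings):
    """Findings paired with their rating, most urgent first (the detailed-findings order)."""
    return sorted(((report_rating(f), f) for f in findings), key=lambda r: ORDER.index(r[0]))

def executive_summary(findings) -> dict:
    """Counts per rating, the headline figures an executive summary opens with."""
    counts = {}
    for rating, _ in prioritise(findings):
        counts[rating] = counts.get(rating, 0) + 1
    return counts

SAMPLE = [  # constructed findings for a fictional engagement
    Finding("Unauthenticated SQL injection in checkout", "shop.example", 9.8, "easy", "crown-jewel"),
    Finding("Speculative-execution side channel on hypervisor", "vmhost01", 9.0, "state-level", "standard"),
    Finding("Reflected XSS in internal wiki", "wiki-int", 6.1, "moderate", "isolated"),
    Finding("TLS 1.1 still enabled", "shop.example", 0.0, "easy", "crown-jewel", best_practice_only=True),
]
```

Note how the two CVSS 9+ findings end up in different report bands once exploitation difficulty and asset context are applied, which is exactly the distinction a raw scanner score cannot make.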
4. Remediation advice
Identifying vulnerabilities is only half the battle – fixing them in a timely fashion is also essential, and buyers should look for a pen testing partner that provides detailed guidance to resolve each issue as part of the reporting process.
Remediation typically varies significantly in difficulty. Some issues will require simple patches or updates and can be actioned immediately. Others may require reconfigurations or code rewrites from a development team, sometimes necessitating assistance from a partner or vendor. Some issues may simply have no available fix, requiring temporary infrastructure and process changes to mitigate risks.
A good pen test provider will guide clients through this process and provide recommendations on what information needs to be provided to vendors and regulators and which organisations to engage for assistance.
The majority of this information will be provided in the testing report, but to minimise potential risk, critical vulnerabilities should be outlined as and when they are uncovered.
5. Strategic recommendations
Beyond remediation guidance, the importance of strategic recommendations in pen testing reports is often overlooked.
Security should be viewed as a journey, not a destination. Even the most in-depth testing programme will only assess the state of security at a single point in time; with threats constantly evolving and attackers devising new ways to exploit vulnerabilities on a daily basis, organisations can’t afford to only think in the short term.
Starting with an expert opinion on the contracting organisation’s overall security posture, a good pen testing report will go on to provide advice about which areas to consider improving over the longer term. This could include an appraisal of existing security controls, feedback about operational procedures, as well as guidance on which future security investments should be prioritised.
Why choose Redscan for your testing needs?
As a multi-award-winning, CREST-approved provider of penetration testing services, Redscan is ideally placed to meet your organisation’s security assessment requirements.
Our team of ethical hacking experts has a deep understanding of how attackers operate, and we leverage this knowledge to help organisations mitigate cyber risk. Following each penetration test, we provide clear and detailed reports containing in-depth threat analysis, actionable advice and complete post-test care to help you make tangible, lasting improvements to your cyber security posture.