Cybersecurity for Beginners 6 - Reporting
Part six in Andy from Italy's Cybersecurity For Beginners series, in this episode we focus on reporting.
In the first article of this series and the subsequent articles I have since published, I gave an overview on the different phases of attack and what they involve. This article focuses on action!
Reporting
There is nothing specific about this stage, not the tools to use, the access you have (hopefully with administrative permissions) to the entire machine and consequently to all the available resources. It all depends on your initial intention, the reason that prompted you to penetrate security systems of the machine, either to make changes to the system, cause disruptions, turn off the machine or ensure if the safety systems were adequate (among other reasons). In this last case, it was probably some sort of commissioned work, so you have to report the results of your penetration testing activities through prepared reports.
There are several templates that you can use if you search online will find plenty of them; Here is a good and comprehensive example from Offensive Security: https://www.offensive-security.com/reports/sample-penetration-testing-report.pdf
Let me list the important points of a good report.
- Synopsis
Consisting of a high-level view of the risk from the business point of view. Your contact is a person who doesn't know about technology, or attacks, but who probably is strongly interested in understanding the risks of its business and securing his property. Normally, a good visual communication (images, graphics, etc ...) can help and can be attractive and explanatory. Consider that most readers will have no interest in wasting too much time reading a document that for most he will not understand, they will be focused on the portion of the report addressed to them; non-technical images that can easily understand, attract their attention and encouraging them to read additional information that can enrich the concepts displayed in the images pictures. Try to "exploit" this aspect. - Technical Risk
Normally it is good practice to use a ranking system of some kind, I am quite sure that doesn't already exist a standard system of evaluation though. It's important to expose an idea of the severity of the vulnerability; for example, you could use the same severity level used in the vulnerability details exposed in the CVE cards, NVD or EDB. This chapter is intended for the IT department; Try to describe the problem technically, but not go deeper into details and report the resolution, which will be introduced on the next section of your report. - Probability and Impact
When it comes to probabilities the point becomes quite complex. In my opinion, the probability that a vulnerability becomes a "real" risk depends on many aspects including the type of vulnerability. Another factor that identifies the likelihood of exploitation, is the relevance or the reputation or the success of the system itself; the meaning of this concept is that, probably, the website of your hardware store under your house will not be the target of a hypothetical hacker. On the contrary, he will be more interested in the portal of your favorite television network. The impact appears to be a borderline matter, probably you might publish legal notices on the consequences of unwanted access, on the duties towards a customer in case of data theft or disservice in the event of a system malfunction (caused by illegal activities after the intrusion). - Vulnerability Remediation Options
Where possible, propose solutions to remove the vulnerability. However, this is a tricky point, because there's two sides of the coin, the solution depends on the vulnerability and the needs of the machine's owner. For example, remove the permission to use a specific feature of the system to a user or disable specific service could not be an acceptable solution for the company that manages the system. These resolutions, then, must be evaluated by the owner of the system and its IT department, because, probably, services, permissions, etc. are configured in that specific way for their specific needs.
Conclusion
Not much else to say here, the topic is too big and this is just a baseline, start from here to expand upon your reporting based on your own requirements. I hope I have touched your curiosity and gave you a guideline to approach the fantastic world of cyber security. Good luck!