Penetration Testing mailing list archives
Re: [PEN-TEST] Sample penetration report
From: "Teicher, Mark" <mark.teicher () NETWORKICE COM>
Date: Tue, 22 Aug 2000 18:02:00 -0700
The problem with the suggested recommendation is that there is no value add in producing just a Low, Medium, High Risk report, because in some cases savvy customers may just think one is just re-packaging an ISS, CyberCop or ESM report. It is more than just Problem, Effect, Recommendations. The outline takes into account the business model and then one bases their report after it. In some cases, not all sections will be incorporated into the report, and it also depends on what the customer really wants to have at the top of the report.

Each section of the outline can be broken out by the following:

Executive (High level - BIG BULLETS, THE FOLLOWING IS BROKEN, AND ONE MUST SPEND X TO FIX BEFORE WALL STREET FINDS OUT)
IT - (Medium Level - OK, we know about, and this is how we will prioritize based on critical systems)
Techie (Low Level, How do I fix all this stuff)

Is this more what you are looking for??

/mark

At 04:03 PM 8/22/00 -0900, Knowledgebase i-Net Security wrote:
Mark of NetworkIce has a cool Recommendation... But for ME It's Not really GOOD coz` if ur going to produce some reports it should Be Detailed and a Non very Technical One coZ` for Technical People it's Not but if ur talking about some I.T. managers who's that very familiar... w/ that terminologies u have to re defined... it Should be Literally Understandable... just a Simple Report Like this ONE:

Low risk:
Medium Risk:
High Risk:

Problem:
Effect:
Recommendation:

Remember.... We're Considering ALL Educated and Non security Educated Person that's why they will Avail some Security services....

thanks,,

-----------------
On Tue, 22 Aug 2000 17:23:53 Teicher, Mark wrote:
>Here is an outline that has been used by several different organizations
>over the years and in some cases still being used by some of the larger
>type security consulting practices:
>
>Executive Summary
>Findings
>Recommendations
>
>Introduction
>Purpose and Scope
>Network Map
>Remote Dial-in Map
>Findings and Recommendations
>
>Organizational and Procedural Issues
>Network Security Responsibility
>Internal Restrictions
>Network-Wide Vulnerabilities
>Firewall
>Intrusion Detection and Security Monitoring
>Host Vulnerabilities
>Dial-in Vulnerabilities
>Password Issues
>Network Vulnerabilities
>
>Recommendations
>
>Industry Best Practices
>Network Considerations
>Network Addressing
>Firewalls
>Automated Systems
>Intrusion Detection and Security Monitoring
>Vulnerability Scanning
>Host Considerations
>System Banners
>Dial-in Access
>Remote Management of Network Infrastructure Devices
>Centralized Security Authority
>
>Informational Services
>
>User Authentication
>Passwords
>Password Administration
>Password Structure and Policy
>
>Appendix
>
>Assessment Process Overview
>Background
>Security as an Operational Process
>Security Posture Defined
>Assessment Process
>Network Discovery
>Target System and Vulnerability Identification
>Data Analysis and Security Design Review
>
>At 03:46 PM 8/21/00 -0400, Christopher M. Bergeron wrote:
>>Can anyone point me to a sample penetration test / vulnerability analysis
>>report somewhere? What types of things does one usually put in such a
>>report?
>