Re: [PEN-TEST] Sample penetration report

["Teicher, Mark" <mark.teicher () NETWORKICE COM>]

The problem with the suggested recommendation is that there is no value add
at producing just a Low, Medium, High Risk report, because in some cases
saavy customers may just think one is just re-packaging an ISS, CyberCop or
ESM report. It is more than just Problem, Effect, Recommendations.  The
outline takes into account the business model and then one bases their
report after it.  In some cases, not all sections will be incorporated into
the report, and it also depends on what the customer really wants to have
at the top of the report.

Each section of the outline can be broken out by the following :

Executive (High level - BIG BULLETS, THE FOLLOWING IS BROKEN, AND ONE MUST
SPEND X TO FIX BEFORE WALL STREET FINDS OUT)
IT - (Medium Level - OK, we know about, and this how we will prioritize
based on critical systems)
Techie (Low Level, How do I fix all this stuff)

Is this more what you are looking for??

/mark
At 04:03 PM 8/22/00 -0900, Knowledgebase i-Net Security wrote:
>  Mark of NetworkIce has a cool Recommendation... But for ME It's Not
> really GOOD coz` if ur going to produce s0me reports it should Be
> Detailed and a Non very Technical One coZ` for TEchnical People it's Not
> but if ur talking about some I.T. managers who's that very familiar... w/
> that terminologies u have to re defined... it Should be Literaly
> Understandable... just a Simple Report Like this ONE:
>
> LOw risk:
> Medium Risk:
> High Risk:
> Problem:
> Effect:
> Recommendation:
>
>   Remember.... We're Considering ALL Educated and Non security Educated
> Person that's why they will Avail some Security services.... thanks,,
> -----------------
>
> On Tue, 22 Aug 2000 17:23:53
>  Teicher, Mark wrote:
> >Here is an outline that has been used by several different organizations
> >over the years and in some cases still being used by some of the larger
> >type security consulting practices:
> >
> >
> >Executive Summary
> >Findings
> >Recommendations
> >
> >Introduction
> >Purpose and Scope
> >Network Map .
> >Remote Dial-in Map
> >Findings and Recommendations
> >
> >Organizational and Procedural Issues
> >Network Security Responsibility
> >Internal Restrictions
> >Network-Wide Vulnerabilities
> >Firewall
> >Intrusion Detection and Security Monitoring
> >Host Vulnerabilities
> >Dial-in Vulnerabilities
> >Password Issues
> >Network Vulnerabilities
> >
> >Recommendations
> >
> >Industry Best Practices
> >Network Considerations
> >Network Addressing
> >Firewalls
> >Automated Systems
> >Intrusion Detection and Security Monitoring
> >Vulnerability Scanning
> >Host Considerations
> >System Banners
> >Dial-in Access
> >Remote Management of Network Infrastructure Devices
> >Centralized Security Authority
> >
> >Informational Services
> >
> >User Authentication .
> >Passwords
> >Password Administration
> >Password Structure and Policy
> >
> >Appendix
> >
> >Assessment Process Overview
> >Background
> >Security as an Operational Process
> >Security Posture Defined
> >Assessment Process
> >Network Discovery
> >Target System and Vulnerability Identification
> >Data Analysis and Security Design Review
> >
> >
> >At 03:46 PM 8/21/00 -0400, Christopher M. Bergeron wrote:
> >>Can anyone point me to a sample penetration test / vulnerability analysis
> >>report somewhere?  What types of things does one usually put in such a
> >>report?
> >
>
>
> Send your favorite photo with any online greeting!
> http://www.whowhere.lycos.com/redirects/americangreetings.rdct