18.1 Reporting

Video Transcription
Hi, welcome back to the course. In the last video, we wrapped up our cryptography lab.
In this module, we're just gonna go over reporting. So I just got this one example document for you of the reporting that you might do for a penetration test. And we're just gonna literally go through this document. You can download it. You should be able to download it from the video here.
So we start off with our introduction. So this is basically just who we are. Like, who are you as a penetration tester? What do we do? And, you know, essentially, it is a very truncated version. You know, I've got the certs and maybe these degrees. It's very, very quick, like your background type of thing.
So what is the scope of the project? Like what we tested? Whatever. He invited a test. And then also, you know what you know. Why were we the ones chosen? Why was our company chosen over other companies? Maybe we specialize in mobile hacking. Or maybe we specialize in, you know, IoT devices like refrigerators or something like that. Like, you know, what we specialize in that differentiates us from the competition, and that's why we were chosen.
And then we move into the executive summary.
So we want to hit this with some kind of major headlines, like, okay, you know, this might affect future revenue this way, you know, or this might save X amount of dollars for the company this way. And so that way they can quickly see, the executives could quickly see, what information is pertinent to them. And they could start planning ahead. Okay, we need to get these things fixed.
Executive recommendations. Hey, these are high priority items. These actually, before we even finished our testing, we need to fix these things. Medium priority are things like, okay, you know, we've tested and they were only test in a couple days worth. And then, you know, we just need to fix these medium term things in the next couple of weeks or next few days or so.
And any other type of, ah, further information here, we just kind of list out, like, extra information the executives may want to know. And scrolling down here, now we're gonna go into the main body of the report,
so we got the introduction, We're gonna have basically outlined all the testing that we did. So you know, we tested the firewalls. We tested the servers, we tested applications, etcetera, etcetera. We're also gonna put a time frame on it, you know, and actually, times and dates that we did all this testing. And if it was different physical off site locations where we test from,
We also put our methodologies. We talked earlier in module one about black box, white box, excuse me, and gray box testing. So here you see some examples of that.
Also, any definitions. So any type of words that we think they might need to know. So, you know, we're basically just gonna grab them from any credible website. Here we've got OSSTMM in this particular document here, this template,
and that system description. So we're gonna describe their infrastructure as we've been able to see it. So whatever we found, we're gonna basically try to outline their infrastructure
key or critical points. So anything that we thought were basically high value assets. So maybe we found a database of account numbers, you know, like bank account numbers or something like that, or things that were, you know, uh, pretty vulnerable. Right? So here's the critical vulnerability in this system that could be exploited by just, you know, Joey in the parking lot with a laptop. So we need to let them know about it.
We're gonna put the network ranges, so the IP address ranges that we've used for our testing, any type of configuration and architecture. So we're gonna, we're gonna document that as well. Excuse me.
Then we're gonna jump into our technical analysis. This is where we're gonna talk about our CVEs and stuff like that. Or if we notice misconfigurations. We see, for example, on a router they're using, you know, like a Cisco router using, you know, admin and Cisco, Cisco, Cisco, something like that for the default. And they haven't changed it yet. We're gonna let them know about that.
The assessed impact of the current risk. So the risk that we've seen, what kind of impact on the system, how easy it is to actually exploit. And then can we mitigate it or correct it? You know, is there a patch out there or something like that for a significant threat? Attack vectors. So what are kind of the things that we think that, you know, the bad guys, quote unquote, can get in with.
And then basically, we're in a real box by box, right? So the stages of testing. So, okay, we started with recon, reconnaissance. And here's, you know, the information. And then here is the footprinting we did. And then we selected these targets based upon potential vulnerabilities, the time we were allowed for the testing, you know, how easy we could exploit those. What's the value of the target? You know, so are we gonna spend all day, you know, trying to hack a printer when we could, you know, hack something more valuable?
And then get down to security box policy documentation. So what kind of policy do they have in place? What kind of compliance do they actually have to follow? So let's say it's a health care organization, and they have to follow HIPAA or HITECH or something like that.
You know, what kind of policies are they mandated by for the company, and were any of those missing?
All right, then just basically any security mechanism, you know, do we see any accounting or auditing in place, that stuff. And then finally annexes. So we're gonna basically link to all the stuff we've already put in there. We're gonna, you know, just in case somebody accidentally deletes out, like, our executive summary, for example, or some kind of finding that we had as far as, like, a critical vulnerability because they don't want to show it to the C suite. We can go ahead, just list out those annexes so somebody can catch up on that and then ask. It's like, hey, wait a minute. You know, this says you had a critical vulnerability, but I don't see anything about them. Like, oh, yeah, here's the original copy of the report. I don't know what happened.
So just annexes, sort of kind of listing out all the general information. Also a glossary, because you do want to define the terminology for everyone to understand.
So I know that was kind of a quick video. I didn't really, you know, reporting kind of varies based on the organization you're pen testing with. So I didn't want to hit like a, hey, this is exactly how you do it out there. This is kind of a generic standard template, and this is a good way to make sure you're crossing all your t's and dotting all your i's as far as information that you want to contain in a pen test report.
But again, this is just kind of a quicker video, and I just wanted to hit on reporting a little bit in this course just to get you familiar with that. Again, it is an important part of a penetration test, 'cause you have to get that information back to the customer so they can rehire you at a later date.
So that actually wraps up the course. This module wraps up the course. So I did want to thank you for watching, and I know it was a pretty long course, and it took some time to go through and everything like that. But I hope you learned some good information that should put you in a great position to pass the Certified Ethical Hacker examination through EC-Council.