Penetration Testing for the Executive

Whether you are a veteran security executive who has received hundreds of penetration testing reports, or a part-time security manager whose primary roles lie in traditional business management, it can be difficult to decipher the encrypted text held within some penetration testing reports. The problem exists because there is no industry standard for penetration test reporting. I’ve seen literary works that range anywhere from Dr. Seuss to William Shakespeare. I have peer-reviewed reports for associates whose bad grammar could make a first grader wince. The goal here is to identify what makes a penetration test report good, how to interpret the results, and finally how to put them to use in your strategic planning to improve organizational security.

There are many frameworks for the penetration testing report, and this is not a discussion of which ones are best. However, an important conversation to have is what elements make a report valuable to the people reading it. As penetration testers, we have to remember that every level of an organization could be reading our reports, from the tactical level, where technicians will fix our findings, to the leadership level, where they need to take responsibility for the security of their organization. First and foremost, the report you receive should tell you the impact a breach of your network would cause. We, as penetration testers, MUST speak to the business impact a breach would have on an organization. A well-conducted penetration test that simulates an attacker’s attempt to breach your network should tell you the data and information that was successfully compromised. This information should be directly relevant to your business. For example, if your organization stores payment card information, then the report should indicate what, if any, payment card data was compromised. It should also include how many systems were compromised as part of the penetration test.

A second, critical section of any penetration test report should be the very detailed “kill chain”: how your organization was compromised, how the data was accessed, and how that information was used to perpetuate additional compromises. This section can be more tactical and should speak to the organization’s technicians who would be tasked with remediating the compromise. This section should be riddled with screenshots used as validation of the compromise. We oftentimes joke that pictures are all executives can understand. However, a far more practical reason for showing pictures in this section is to illustrate the compromise so that technicians at the tactical level cannot “snowball” leadership with confusing jargon.

The two elements outlined above represent what I feel are the “must-haves” of a good penetration testing report. It is important to point out that other elements may be included, and you should weigh them equally for how they will directly help your organization. It is also important to remember that a penetration test is a “demonstration of exploitability”. This means that if you receive a penetration test report that lists your vulnerabilities but doesn’t have any demonstrative examples or validation, you should challenge those who conducted your penetration test.

Now that you have your penetration testing report, you need to be able to execute on your organization’s strategic goals for security, using those results as direction. Remember, a penetration test is a “demonstration of exploitability”, and you should use the results that come out of a test to show the immediate need for security changes. Well-rounded organizations that are conducting regular vulnerability management and patching should consider those security measures the “good hygiene” efforts of security. The successful results of a penetration test should immediately highlight security issues that fall outside the identification capabilities of your vulnerability scanner, or assist with identifying issues in your current vulnerability management process. This helps you to prioritize the penetration test results ahead of your normally identified vulnerabilities.

Penetration testing can be an integral part of your organization’s security strategy when the results are presented in a way that helps your organization visualize and prioritize. Never be afraid to challenge the results of your penetration testing vendor if you do not understand the information or feel it is not presented in a way that helps your organization strategically. You paid for this information, and should be able to use it.
