Essential Considerations for Penetration test result presentation

Transcription

1 Essential Considerations for Penetration test result presentation Carlos Ramos 1), Tai-hoon Kim 2) Abstract A penetration test is usually performed to uncover technical weaknesses in a computer installation. Consequently, the test results contain technical implications that may not be easily understood unless they are put into context and explained in business terms. When presenting penetration test results to management, the identified information technology risks must be translated into business risks [1]. This research provides a suggestion on how to effectively present penetration test results. Keywords : Result, Result Presentation, Penetration Testing 1. Introduction Penetration testing is security testing in which evaluators attempt to circumvent the security features of a system based on their understanding of the system design and implementation. The purpose of penetration testing is to identify methods of gaining access to a system by using common tools and techniques used by attackers. Penetration testing should be performed after careful consideration, notification, and planning. While there are many studies about penetration testing methodology and types of tests that can be performed, not many mention the importance of the penetration testing result. Without clear directions and guidelines, a security report on the result of a penetration test may not get the attention it deserves. When presenting penetration test results, either orally or in writing, it is important that these guidelines be considered. One of the most common presentation problems is the lack of connection between technical findings and business risks. Hence, the key to a successful presentation is to connect the technical findings and IT risks with the business risks. If management doesn't understand the business impact of the test results, they cannot allocate the resources necessary to correct the security weaknesses identified in the test results. In essence, management must understand that a test result showing a compromised system may directly impact stock values and the highest level of management will be held accountable by shareholders [2]. Received(March 12, 2008), Review request(march 13, 2008, Review Result(1st:April 02, 2008, 2nd:April 22, 2008) Accepted(June 30, 2008) 1 Coordinator Professor, Department of Informatics at the Institute of Engineering, Polytechnic of Porto. csr@dei.isep.ipp.pt 2 (Corresponding Author) Professor, Department of Multimedia Engineering, Hannam University, taihoonn@hannam.ac.kr 257

2 Essential Considerations for Penetration test result presentation 2. Related Work After conducting a penetration test, the next task ahead is to generate a report for the organization. The report should start with an overview of the penetration testing process done. This should be followed by an analysis and commentary on critical vulnerabilities that exist in the network or systems. Vital vulnerabilities are addressed first to highlight it to the organization. Less vital vulnerabilities should then be highlighted. The reason for separating the vital vulnerabilities from the less vital ones helps the organization in decision making. For example, organizations might accept the risk incurred from the less vital vulnerabilities and only address to fix the more vital ones. The other contents of the report should be as follows: - Summary of any successful penetration scenarios Detailed listing of all information gathered during penetration testing Detailed listing of all vulnerabilities found Description of all vulnerabilities found Suggestions and techniques to resolve vulnerabilities found The results of the test should be clearly stated and understood for the client. The result documentation should not only include the process of the test, but all of the explanations, comments, and reasons. And professional recommendation should be clearly and completely stated with the results. Records should be in sufficient detail to support the findings and conclusions reached as a result of the testing to: - Provide the organization with a detailed description of the weaknesses and how they were identified and exploited; - Provide an audit log for future testing to provide reasonable assurance that identified vulnerabilities have been addressed; - Demonstrate the possibility and risk of unauthorized access from any determined/willing attacker possessing the skills [2]; The results must be kept strictly proprietary, and not be made public by the testers (this must me contracted before the test begins, in the scope planning), because it s not safe for a company if everyone knows their flaws and vulnerabilities Result presentation

3 The result report of the penetration test is very crucial to penetration testing. Beside of completing the test, the report must be equally complete and fully understood to the client of the test. The whole report should be dated and timed for complete accuracy. There is no actual format for the penetration testing result, but it must include all of the data made during the test (graphs, screenshots, tables, etc.) [Fig. 1] penetration testing result output The resulting should include: 1. Vulnerabilities. The report must include a complete list of all the vulnerabilities found listed from most critical to less critical. The report should not be listed in a random manner, in order for the client to see which vulnerabilities need immediate action, and which are less critical for their organization. Another reason that only professional testers should perform the test is that they must also provide an analysis to the discovered vulnerabilities (e.g. how such vulnerabilities can affect the client s security, and what action should be taken in order to counter them) 2. Tests. The tests part of the report must include the following: - Log files; all log files from tools, software/hardware (e.g. firewalls, IDS, IPS), all of the client s monitoring log files, should be compiled, commented (for clear understanding of the client s management), and presented in the report. - Data files; during the test, a lot of confident data (e.g. passwords, accounts, data bases), might be copied/extracted/edited, so all of that should be stated in the final report, and commented (explaining the reason for such actions). 3. Comparison. Penetration testing, for best results, should be done on a regular basis. If that is done, the penetration tester must compare their result with the past report, and should state their comments, and suggestion in the present report. The suggestions must be detailed and understandable for the client. At the end of testing, the testers should compile and submit a report of their findings. 4. Conclusion 259

4 Essential Considerations for Penetration test result presentation A penetration test is only half-way finished, if the tester were not able to present the result properly. The results of the tests are needed to be presented to the management of the company that they are testing, so the result should be complete and understandable for the management, not only for the testers. The result documentation should not only include the process of the test, but all of the explanations, comments, and reasons. And professional recommendation should be clearly and completely stated with the results. Reference [1] "Penetration Testing Exposed," Information Security, September 2000, p. 88 [2] "Translating Security for Managers," Information Security, May 2001, p. 44 [3] Template=/ContentManagement/ContentDisplay.cfm&ContentID=18815 Carlos Ramos Authors He got his graduation from the University of Porto, Portugal, in 1986 and the PhD degree from the same university in He is Coordinator Professor of the Department of Informatics at the Institute of Engineering Polytechnic of Porto (ISEP-IPP). His main interests are Artificial Intelligence and Decision Support Systems, recently with more emphasis on Ambient Intelligence. He is Director of GECAD (Knowledge Engineering and Decision Support Research Centre), the largest R&D centre of the Polytechnic system in Portugal, and dedicated to AI topics. He coordinates the Ambient Intelligence and Decision Support group of GECAD. Carlos Ramos has about 50 publications in scientific journals and magazines and more than 200 publications in Scientific Conferences. Tai-hoon Kim He received B.E., M.E., and Ph.D. degrees from Sungkyunkwan University. Now he is a professor, School of Information & Multimedia, Hannam University, Korea. His main research areas are security engineering for IT products, IT systems, development processes, and operational environments. 260

5 261