Your CREST Accredited Penetration Test Report

Gavin Wood, CEO at CyberLab, uncovers what a Penetration Test report should provide.

• • What is Penetration Testing?

• • What is a Penetration Testing Report and What Should it Contain?

• • Prevention v Cure

What is Penetration Testing?

Penetration Testing or Pen Testing is a crucial tool in your IT security toolbox. It provides a method for gaining assurance that an IT system or infrastructure is secure through the use of simulated tools and attacks that are used in the real world, to attempt to breach or gain access.

The purpose of the test is to discover any risks and allow you or your security team to act on them before anyone else does.

Typically pen tests are used to identify the level of risk from any hardware or software vulnerabilities and or any configuration issues within your environment.

The output of a Pen Test is usually in the form of a report that will grade any issues or vulnerabilities found so that these can be addressed, and any gaps closed.

What is a Penetration Testing Report and What Should it Contain?

A Penetration Test report, details any threats or vulnerabilities found and the recommended remedial actions.

Threats and vulnerabilities will be ranked in order of criticality. The report will also contain an executive summary and attack narrative which will explain the risks in business terms.

A penetration test report should involve the following areas:

• • Risk and Executive Summary

• • Approach, Scope and Caveats

• • Findings Summary and Remedial Advice

Risk Summary

A risk summary details management and high level issues. These issues will be highlighted into 6 categories: Critical, high, medium, low, very low and informative.

Executive Summary

A executive summary details management and high level issues, breaking down the report details to illustrate the level of risk that is exposed across the systems tested. This will highlight the total number of vulnerabilities identified during the assessment, along with their severity. 

Example:

Approach, Scope and Caveats

This section introduces the in-depth reporting gathered from the Penetration Testing undertaken. It details the approach taken, the scope of engagement, and any limitations identified, such as, anything not attempted which could have risk of impact to service availability or system performance.

Findings Summary and Remedial Actions

The findings summary is where you can find the technical information regarding the assessment conducted. This section is broken down into: summary, technical details, recommendations and systems affected.

Example Penetration Testing Report

Example Penetration Testing Report

 

Prevention v Cure

With the risk of being controversial I am going to make an analogy between Pen Testing and vaccination.

We all know how vaccines work; they are a pre-emptive action against an illness to stop you getting the full affects and or be able counter the actual illness should you come in to contact with it.

A Pen Test is a pre-emptive action that allows you to discover and remediate any issues before someone else does.

Having a Pen Test should be part of your prevention strategy for IT security. Simply put you can’t manage what you can’t see, if you don’t know you have vulnerabilities, you cannot close them down. Pen Testing is an ideal way to give you the visibility of these issues and allows you to take remediation action to correct.

Given that cyber incidents are the 3rd biggest business risk for 2021* (that year’s top risk) and the average cost of remediating a ransomware attack now at $1.85 Million** prevention must be better than the cure!

However, Pen Testing is not a magic bullet, and it does have limitations; it’s a point in time test of the infrastructure. If a vulnerability is introduced after the pen test has been conducted it can still impact on your security. So regular testing is essential, especially after deploying new systems and technologies and as a part of your security continual improvement lifecycle.