What to Expect From a Penetration Test Report
Let’s face it. There are a lot of bad actors out there, and every day they are working to breach yet another organization’s infrastructure. That is why routine penetration testing of your systems is no longer optional.
Just last month, in fact, the media reported that hackers used phishing emails to break into a Virginia bank in two separate intrusions over an eight-month period. The thieves stole more than $2.4 million.
Once you have identified a penetration test provider, give some thought to what you expect from the penetration test report. Here is a brief look at the kind of information you should receive once the test is complete. Providers who perform penetration testing typically deliver a detailed technical report on the vulnerabilities found in your systems. A good report also includes an executive summary, which serves as a management tool for understanding the vulnerabilities, the risks they pose and the recommended actions to be taken.
Outcomes that you should expect from a penetration testing provider:
• Vulnerabilities should be explained in layman’s terms, so that they are easily understood by senior management.
• The outcome of the test should be explained in terms of business risk, not only the associated technical risks and how to address them.
• Short-term (tactical) recommendations should be identified.
• The findings should identify the root cause of each vulnerability, not just its symptom, and give long-term (strategic) recommendations for addressing it.
• A security improvement action plan should be recommended.
• The provider should be able to offer help with remediation.
• Each finding should be written both in technical terms that the people fixing it can act upon and in non-technical terms that place it in its business context. Corrective actions and their justifications must be understood by a range of people, not just the IT team.
• The report should not only describe the vulnerabilities found but also include the test narrative, which details the process the tester used to achieve specific results, and the test evidence, which includes the results of automated testing tools and screenshots of successful exploits. For each finding, expect enough detail to reproduce it: the affected hosts or URLs, the steps taken and the severity rating with its rationale. Raw scanner output on its own is not evidence of exploitability. The report should also state the scope, the dates of testing and anything that was excluded or could not be tested, so you know exactly what the results do and do not cover.
Penetration testing offers a way of testing the effectiveness of information security controls. It also offers some level of assurance to customers, clients and management about the efficacy of those controls, with the caveat that this assurance is point-in-time: it reflects the systems as they stood during the test window, which is why testing should be repeated after significant changes and on a regular schedule. The information provided by a properly conducted penetration test can be used to better prepare your business against the threat of cyber attack.
Security and compliance has been our core business for decades. Let us help you with your next penetration test. Contact us for a free estimate.
Laurie Head is a co-owner of AIS Network.