Writing reports¶
links: WS TOC - Testing - Index
Before we can write a report we need to value the risks.
Value the real risk¶
First some definitions that are needed for the calculation.
Definitions¶
Each indicator has a score between 1 and 9. 1 means low/small/easy and 9 means high/big/hard.
- Threat agent factors
- Skill level
- Motive
- Opportunity
- Size
- Vulnerability factors
- Ease of discovery
- Ease of exploit
- Awareness
- Intrusion detection
- Technical impact
- Loss of confidentiality
- Loss of integrity
- Loss of availability
- Loss of accountability
- Business impact
- Financial damage
- Reputation damage
- Non-compliance
- Privacy violation
Calculations¶
\(\(\text{Risk} = \text{likelihood} \times \text{impact}\)\)
To find both of those variables several steps are defined:
- First identify a risk
- Assess likelihood factors (threat agent and vulnerability)
- Assess impact factors (technical and business)
- Calculate the risk
- Decide what should be fixed
- Adapt your risk rating model
Then you arrive at this final formula:
\[\text{Risk} = \frac{\text{thread agent factors} + \text{vulnerability factors}}{2} \times \frac{\text{technical impacts} + \text{business impacts}}{2}\]
Write the report¶
The report is structured as follows:
- Executive Summary:
- Provide an overview that is easily understandable, summarizing key findings and recommendations.
- Technical Management Overview:
- Contains more details than the executive summary.
- Describe the scope of the assessment.
- List the targets included and any caveats, such as system availability.
- Provide an introduction to the risk rating methodology used.
- Offer a technical summary of the findings.
- Assessment Findings:
- Target the technical level and include all necessary information.
- For each control tested:
- Write a technical description of the issue found.
- Include a section on resolving the issue.
- Provide the risk rating and the impact value of the finding.
- Document whether a control has been tested and its results.
- Toolbox:
- Describe the methodology used in the assessment.
- Detail the technological tools used for testing.
- Indicate the thoroughness of the assessment and the areas that were included in the test.
Conclusion¶
- Formalism: Make sure to not forget anything
- Multiple techniques : Combine findings where necessary
- Biggest issue: Social engineering
links: WS TOC - Testing - Index