Case Study: Reviewing An Assessment Reporting Template

This week students were required to review a PurpleSec sample template on vulnerability assessment reporting. The template consisted of…

  1. Executive Summary
  2. Scan Results
  3. Methodology
  4. Findings
  5. Risk Assessment - Critical, High, Medium or Low Severity Vulnerability
  6. Recommendations on remediation and security and policy configuration

The requirements were to:

  1. Analyse the template and describe whether or not it meets the NCSC stated requirement of preparing a baseline to use as a reference point for pen tests. If not, what changes/amendments could be made?
  2. Identify the two best lessons/examples presented in the report.
  3. Identify two things that are unnecessary or could be done more effectively.

Having reviewed the template, I found it very well put together and clearly written, with the processes that would be taken clearly explained. The only requirement the template lacks is authorization and legal considerations. This entails obtaining proper authorization from the relevant parties before conducting penetration testing, to avoid legal issues, and ensuring compliance with relevant laws and regulations by obtaining the necessary approvals. It is unclear from the instructions given whether this was excluded for the purpose of the exercise or done prior to the engagement in a separate document. Regardless, my view is that it should have been covered, in order to tick all the boxes in one document.

The two best examples from the website are:

  1. A detailed risk assessment presented in the form of a table, clearly naming each vulnerability, describing it in a non-technical manner so that anyone reading it can understand, and of course providing a solution for it. I also like that they were sorted in order, highlighting the highest risk first.
  2. A detailed list of remediations and what action to take. Details included the exact versions and types of software updates and their names, rather than just stating "update to latest version".

The only thing that could have been done more effectively is more elaboration on security policy. The last section of the report mentions "Security Policy & Configuration", however the only thing mentioned was the industry best practice password recommendations.

Reflection: This template was very helpful with regard to structuring the vulnerability assessment. It could also have greatly contributed towards the final assignment structure. Unfortunately, I did not see this reporting template until I had already completed my assignment. This is mainly because my main focus was on the final assignment, as it was graded, at the expense of not properly reviewing all the material uploaded online. This is definitely a lesson learned.