560SampleReportV3.0

Description: sample report for SANS GPEN, "How to present your pentest findings"
Sensitive: The information in this document is not to be disclosed outside of Target Widgets, Inc. or PenTest, Inc. without prior written consent of both organizations.

Example Pen Test Report ©2008 SANS and Ed Skoudis

Internet Infrastructure Network Penetration Test
Final Report

Prepared for Target Widgets, Inc.
By PenTest, Inc.
September 15, 2009

Table of Contents

1. Executive Summary ........ 3
2. Introduction ........ 5
3. Test Methodology ........ 7
4. Findings ........ 12
   4.1 High-Risk Findings ........ 13
      4.1.1 VNC Offers Remote Control of Mail Server Across Internet ........ 13
      4.1.2 Guessable Password Allows for Remote Compromise of Mail Server ........ 13
      4.1.3 Unpatched Windows Machine on DMZ Allows Exfiltration of PII ........ 14
      4.1.4 Unencrypted PII on DMZ Server ........ 15
   4.2 Medium-Risk Findings ........ 16
      4.2.1 OpenSSH Flaw Could Allow Unauthorized Access on Linux Server ........ 16
      4.2.2 Excessive Open Ports Indicate Lax Firewall Rules and Hardening ........ 16
5. Conclusions ........ 18

1. Executive Summary

This report presents the results of a penetration test of Target Widgets' Internet infrastructure performed by PenTest, Inc. from March 8, 2009 to March 22, 2009. The test's scope focused on Internet-accessible systems on the 192.168.14.0/24 and 192.168.18.0/24 subnets, which make up the primary DMZ for Target Widgets. The project focused on finding and exploiting server-side vulnerabilities in a network penetration test to determine Target Widgets' business risk profile associated with Internet-based attacks. Client-side testing, web application manipulation, denial of service, and social engineering were not included in the scope of the project.

As described in more detail in the technical findings in the rest of this report, PenTest, Inc. discovered significant security vulnerabilities in the target infrastructure that pose a high risk to Target Widgets' business. In particular, PenTest's personnel were able to gain access to Personally Identifiable Information (PII) of over 4 million Target Widgets customers. If a malicious attacker were to exploit these flaws to steal this sensitive information, Target Widgets could face brand tarnishment, government investigations, and possibly fines, with significant impact to its business. Compared to other companies in the widget industry, the security of Target Widgets' Internet DMZ was found to be relatively weak.

To address these issues, PenTest, Inc. recommends that Target Widgets employ a series of short-term tactics and long-term strategies to improve security. From a short-term perspective, PenTest, Inc. recommends that Target Widgets conduct the following actions within one week or less to prevent malicious attackers from compromising the PII:

• Block inbound Virtual Network Computing (VNC) access to DMZ systems from the Internet, managing them from the local console or internal network until Target Widgets selects and deploys a suitably secure remote management tool.
• Change the easy-to-guess passwords for all accounts, especially any accounts used for system administration, on machine 192.168.14.21, the mail server on the DMZ. Investigate this machine to determine whether malicious attackers compromised the system prior to the PenTest, Inc. project.
• Update patches for all software on the database server at 192.168.14.57 to lower the chance that it can be compromised. Target Widgets personnel should likewise analyze this machine to determine whether it has been compromised by attackers.
• Apply an encryption solution to protect all PII stored on sensitive machines, especially on the database server at 192.168.14.57.

While these recommendations will deal with the immediate issues discovered during the test, PenTest, Inc. recommends that Target Widgets' management institute significant changes in the overall security practices of the DMZ environment to ensure that these or related issues do not recur. From a longer-term perspective, PenTest, Inc. recommends that Target Widgets apply the following recommendations over the next thirty to sixty days:

• Select and deploy a secure solution for remote management of servers across the Internet that relies on strong encryption, such as Secure Shell (SSH), IPsec Virtual Private Networks (VPNs), or Secure Sockets Layer (SSL). The solution should also utilize strong authentication, such as one-time passwords, time-based authentication tokens, or challenge/response tokens.
• Deploy and configure password-complexity enforcement tools on all DMZ systems to prevent users from choosing easy-to-guess passwords. Once such tools are deployed, require users to change their passwords.
• Update the patching policy and process for all servers on the DMZ to ensure that critical patches are tested and deployed within 24 hours of release by the vendor.
• Devise and apply updated hardening documentation for secure configuration of each machine on the DMZ, focusing specifically on disabling unneeded services.
• Review the filtering rules on border firewalls and routers, reconfiguring the devices to close all unneeded ports and services on both an inbound and outbound basis. Allow only those ports with a clear, well-documented business need.
• Determine whether there is a business need to store PII on the DMZ at all. If such access is not required, redesign the associated applications and network so that PII can be stored on an internal protected network.
• Verify the use of encryption for sensitive data throughout the enterprise, ensuring specifically that PII is properly encrypted both in transit across the network and at rest in databases and file systems.

Any questions regarding this report or the penetration test it describes should be directed to John Smith, the technical lead of the project from PenTest, Inc., at jsmith@pentestincorporated.tgt or 555-555-5555.
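A re-test check for the short-term "block inbound VNC" recommendation and the longer-term "allow only ports with a documented business need" recommendation, added here as an example; it is not part of the SANS sample report or the Target Widgets engagement. It parses nmap grepable (-oG) output for the two DMZ hosts named above and reports every open port that is either VNC or absent from a per-host allow-list. The allow-list contents, the sample scan lines, and the High/Medium mapping are assumptions for illustration; the only fact relied on is that VNC listens on TCP 5900 plus the display number.

```python
"""Re-test check for the DMZ port-filtering recommendations.

Parses nmap "grepable" (-oG) output for the DMZ hosts and compares every open
port against a per-host allow-list of ports that have a documented business
need. Anything else is reported, with VNC flagged as high-risk, mirroring the
shape of findings 4.1.1 and 4.2.2 in the report.
"""
import re
from dataclasses import dataclass

# Per-host allow-list. The entries are ASSUMED for illustration; in practice
# they come from the hardening documentation the report recommends writing.
ALLOWED_PORTS = {
    "192.168.14.21": {25, 443},  # mail server: SMTP and HTTPS webmail (assumed)
    "192.168.14.57": set(),      # database server: nothing from the Internet (assumed)
}

# VNC listens on 5900 + display number; 5900-5909 covers displays :0 to :9.
VNC_PORTS = set(range(5900, 5910))

# CONSTRUCTED sample of nmap -oG output, not data from the original report.
SAMPLE_SCAN = """\
# Nmap scan initiated as: nmap -sS -p- -oG dmz.gnmap 192.168.14.0/24
Host: 192.168.14.21 ()\tStatus: Up
Host: 192.168.14.21 ()\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///, 5900/open/tcp//vnc///\tIgnored State: closed (65532)
Host: 192.168.14.57 ()\tStatus: Up
Host: 192.168.14.57 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 1433/open/tcp//ms-sql-s///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65530)
# Nmap done -- 256 IP addresses (2 hosts up) scanned
"""

# One -oG port entry is port/state/proto/owner/service/rpc/version/; only
# "open" entries are matched, so filtered and closed ports are ignored.
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)/")


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    service: str
    severity: str
    reason: str


def parse_gnmap(text):
    """Return {host: {(port, proto, service), ...}} of open ports from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        found = hosts.setdefault(host, set())
        for port, proto, service in PORT_RE.findall(ports_field):
            found.add((int(port), proto, service))
    return hosts


def check_exposure(open_ports, allowed=ALLOWED_PORTS, vnc_ports=VNC_PORTS):
    """Flag VNC as High and any other port outside the allow-list as Medium."""
    findings = []
    for host, entries in sorted(open_ports.items()):
        permitted = allowed.get(host, set())  # unknown host: nothing is permitted
        for port, proto, service in sorted(entries):
            if port in vnc_ports:
                findings.append(Finding(host, port, proto, service, "High",
                                        "VNC reachable from the Internet; block at the border"))
            elif port not in permitted:
                findings.append(Finding(host, port, proto, service, "Medium",
                                        "no documented business need; close at the firewall or disable the service"))
    return findings


def summarize(findings):
    """Return (high_count, medium_count) for a quick pass/fail on the re-test."""
    high = sum(1 for f in findings if f.severity == "High")
    return high, len(findings) - high


if __name__ == "__main__":
    results = check_exposure(parse_gnmap(SAMPLE_SCAN))
    for f in results:
        print(f"[{f.severity}] {f.host} {f.port}/{f.proto} ({f.service or '?'}): {f.reason}")
    print("high=%d medium=%d" % summarize(results))
```

Run it against a fresh scan taken from outside the border firewall; the remediation is complete when it returns no findings. Hosts missing from the allow-list are treated as having no permitted ports, so a newly exposed DMZ machine shows up rather than slipping through.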

Jul 23, 2017