This repository has been archived by the owner on Sep 8, 2021. It is now read-only.
Folders and files Name Name Last commit message
Last commit date
parent directory 聽
聽
聽
聽
聽
聽
聽
聽
聽
聽
View all files
4.0 Reporting and Communication
4.1 Compare and contrast important components of written reports.
Report audience
C-suite
Third-party stakeholders
Technical staff
Developers
Report contents ( not in a particular order)
Executive summary
Scope details
Methodology
Findings
Risk rating (reference framework)
Risk prioritization
Business impact analysis
Metrics and measures
Remediation
Conclusion
Appendix
Storage time for report
Secure distribution
Note taking
Ongoing documentation during test
Screenshots
Common themes/root causes
Vulnerabilities
Observations
Lack of best practices
4.2 Given a scenario, analyze the findings and recommend the appropriate remediation within a report.
Technical controls
System hardening
Sanitize user input/parameterize queries
Implemented multifactor authentication
Encrypt passwords
Process-level remediation
Patch management
Key rotation
Certificate management
Secrets management solution
Network segmentation
Administrative controls
Role-based access control
Secure software
development life cycle
Minimum password requirements
Policies and procedures
Operational controls
Job rotation
Time-of-day restrictions
Mandatory vacations
User training
Physical controls
Access control vestibule
Biometric controls
Video surveillance
4.3 Explain the importance of communication during the penetration testing process.
Communication path
Primary contact
Technical contact
Emergency contact
Communication triggers
Critical findings
Status reports
Indicators of prior compromise
Reasons for communication
Situational awareness
De-escalation
Deconfliction
Identifying false positives
Criminal activity
Goal reprioritization
Presentation of findings
4.4 Explain post-report delivery activities.
Post-engagement cleanup
Removing shells
Removing tester-created credentials
Removing tools
Client acceptance
Lessons learned
Follow-up actions/retest
Attestation of findings
Data destruction process
You can鈥檛 perform that action at this time.