Analysis and Reporting



            After conduction all the tasks above, the next task ahead is to generate a report for the organization. The report should start with an overview of the penetration testing process done. This should be followed by an analysis and commentary on critical vulnerabilities that exist in the network or systems. Vital vulnerabilities are addressed first to highlight it to the organization. Less vital vulnerabilities should then be highlighted. The reason for separating the vital vulnerabilities from the less vital ones helps the organization in decision making. For example, organizations might accept the risk incurred from the less vital vulnerabilities and only address to fix the more vital ones. The other contents of the report should be as follows: -         .          

        •   Summary of any successful penetration scenarios

        •   Detailed listing of all information gathered during penetration testing

        •   Detailed listing of all vulnerabilities found rights

        •  Description of all vulnerabilities found                        

        •  Suggestions and techniques to resolve vulnerabilities found.


Cleaning Process


The cleaning up process is done to clear any mess that has been made as a result of the penetration test. A detailed and exact list of all actions performed during the

Cleaning Up should be verified by the organization’s staff to ensure that it has been done successfully. Bad practices and improperly documented actions during penetration test will result in the penetration test must be kept. This is vital so that any cleaning up of the system can be done. The cleaning up of compromised hosts must be done securely as well as not affecting the organization’s normal operations. The cleaning up process should be cleaning up process being left ,as a backup and restore job for the organization thus affecting normal operations and taking up its IT resources.

A good example of a clean up process is the removal of user accounts on a system

previously created externally as a result of the penetration test. It is always the penetration tester’s responsibility to inform the organization about the changes that

exists in the system as a result of the penetration test and also to clean up this mess.