1. Cover page Pentest Report Outline 2. Report properties 3. Report index 4. Executive summary a....
Question:
Pentest Report Outline

1. Cover page
   a. Project title
   b. Client name
   c. Report version
   d. Author information
   e. Date
2. Report properties
   a. Client information
   b. Pentesting company's information
   c. Pentester information
   d. Information about any other people involved in the project
3. Report index
   a. Table of contents: main topics and page numbers (subheadings don't need page numbers)
   b. Table of figures
4. Executive summary
   a. Objectives
   b. Scope
   c. Authorizations
   d. Assumptions
   e. Timeline
   f. Summary of test: brief narrative of how the attack was conducted end to end, most critical findings, overview of methodology used, high-level recommendations
5. List of findings
   a. Summary list of findings in a table, including vulnerability, affected hosts/devices, impact, risk
6. Findings in detail (for each vulnerability)
   a. Definition of vulnerability
   b. Root cause of vulnerability
   c. Proof of concept: description of method used, screenshot, data gathered
   d. Impact of successful exploit of vulnerability
   e. Likelihood: how easy the vulnerability is to exploit, whether an exploit is publicly available, whether it requires physical/WAN/LAN access, whether it is repeatable
   f. Resultant risk
   g. Recommendation for mitigation
7. Supporting documentation
   a. Methodology
   b. Tools used
   c. Appendix: other information you feel would be valuable to the reader. This is extra information, not essential information
   d. References
   e. Glossary: define technical terms

Happy Accident Labs
"Smarticle Particles for Better Living"

Hi, welcome to Happy Accident Labs. My name is Bill Winnicott and I'm the CIO here. We are a new start-up in Omaha, Nebraska focused on developing miniature (I mean really small) Internet of Things (IoT) devices which will serve as personal assistants; they will do everything from searching for information on the web, to managing your schedule, to ordering groceries or take-out when your fridge is empty. We call them smarticle particles.

We are really excited and are just about to get our second round of venture capital funding, so we can't afford any missteps right now. And that's why we hired you. Our team is 100% focused on getting to our next prototype, so our IT system has been pretty much flung together. It works, and up to this point we have seen little need to change what we are doing. One of our potential investors is very concerned that our intellectual property (IP) may be stolen and a competitor could beat us to market. We don't think that is a possibility, but the investor has required that we have a penetration test done prior to him putting his money on the line. We've been told we need a black-box test; hope you know what that means, because none of us do. Our chief scientist, who is a physicist, thought it may have something to do with a cat, but we doubt that is the case.

So, what we need is a black-box penetration test of our network. We want to know if there are any vulnerabilities we must address to keep our IP safe and secure. We would also like your recommendations on what we should do to address the vulnerabilities you find. When you are complete we need a penetration test report with your recommendations.

The scope of the test is our entire organization network. You have permission to conduct the test on all company-owned assets but not on the networks of any of our clients or suppliers. This means any services we outsource, such as our public website, can be viewed, but you may not attempt to hack them. Our teams can't stop work while you do the test, so although you can use any access you gain, you are not allowed to impact the operation of any system. If you have any questions let me know. Good hunting.