Tag: Reporting

  • Reporting Tools for Large Penetration Tests

    “Give a pentester a table, they submit one report. Automate making tables, they can submit reports for life.”

    k0pak4

    Displaying findings clearly and concisely is key to making a penetration testing report actionable. The proof of concept allows a client to replicate the finding, and a list of affected targets allows them to properly remediate all assets. On large engagements, there are often findings that affect many hosts; when presented concisely, this can be acted on much more easily. There are already amazing tools out there to scan many hosts and report their findings. (Nessus, Nexpose, and Nmap are examples.) The problem is that none were doing what I was looking for — reporting the affected hosts for one finding, concisely.

    The first two tools described here quickly create tables showcasing the details behind two common findings on large external pentest reports. Clients can also use these tools to verify remediations without having to manually inspect each host. The last tool can be used to turn any list into a sorted table, which works well when you simply need a large table to display many hosts.

    mass-sslscan (https://github.com/k0pak4/mass-sslscan)

    There are several tools that will break down the weak SSL/TLS protocol versions, ciphers, and signature algorithms used in TLS connections. Some of these are web-based, such as SSL Labs, and others are command-line based, such as the SSLScan tool. My mass-sslscan tool runs SSLScan against an entire list of hosts, parses the output of the tool, and creates a table with each host that displays which weak configuration(s) they have. This can also be used in remediation to ensure those servers have had their configurations strengthened. An example of running the tool is shown below:

    mass-sslscan command line
    server-header-scan (https://github.com/k0pak4/server-header-scan)

    On penetration tests, it’s common to find the HTTP server header, which can disclose the web server’s software and sometimes its exact version. This information leakage is typically of low severity, but helps an attacker fingerprint the server, which may disclose a vulnerable version. In more targeted attacks, it might tell them what software to build an exploit for. My tool, server-header-scan, retrieves the server header from each target, and inserts the results into a table with each retrieved value, as shown in the following example:

    server-header-scan command line
    table-maker (https://github.com/k0pak4/table-maker)

    The table-maker is a bit more straightforward. It takes a list, either as a comma-separated list or as a file with one item per line, and turns it into a table with the desired number of columns. This can be useful for extremely large scopes or when discovering many hosts are vulnerable to a specific finding. This results in a csv ready to be opened and pasted as a table, as shown in the illustration below:

    table-maker command line

    If you compile reports for large penetration tests, odds are that you’re going to be pressed for time at some point. My hope is that these tools will make it easier for you to provide more and better information to your customers in a way that helps them understand and act on your findings.

  • What Companies Should be Telling Investors about Cybersecurity

    As a customer, how much do you know about how major corporations handle your personal data? If you’re a shareholder in a company (or several), do you have any idea how well it is prepared for a cyberattack? What is the company protocol for publicizing a security breach?

    For the vast majority of Americans, the likely answer is no on all counts. And here’s the worst part: You won’t find out by reading their official filings with the Securities and Exchange Commission (SEC) or hear the topic come up on a quarterly earnings call.

    A recent study confirmed what a lot of us have known for a while – a lot of publicly traded companies still refuse to reveal the true nature of the threats they face and what they’re doing to mitigate them. Despite increasing pressure from the SEC, the report suggests that most would greatly prefer to stay silent, even after a breach has occurred.

    The report was assembled by the National Association of Corporate Directors (NACD), Security Scorecard, Cyber Threat Alliance, Diligent, and IHSMarkit. These organizations and companies are arguing for more cybersecurity transparency. In my view, this action is long overdue as ransomware and other serious threats grow in both frequency and severity, according to the authors.

    To be clear, as a CEO, I understand why some corporations worry they’ll face a competitive disadvantage if they are too forthcoming about risk. As a professional penetration tester (ethical hacker), I also appreciate their concerns about giving the bad guys in my line of work information that might be exploited or even help cybercriminals better understand the value of data they’ve stolen.

    On the other hand, I am also an investor and a customer. Wearing all these hats makes me frustrated that the government and Corporate America haven’t come up with a solution that puts everyone on a level playing field – including the people who are shouldering much of that risk in the form of their investments.

    In my view, that solution could be as simple as providing answers to three simple questions that would help me, as an investor or potential investor, decide whether to put my money on the table.

    • First, what assets do you have that are most at risk from a cyberattack? This might be intellectual property that can be stolen, customers’ personal information, the money in your corporate bank account, or all of the above and more. And it should address the potential impacts on upstream and downstream vendors and customers. The most important issue here is knowing that the company understands what it has to lose.
    • The next question follows logically: What are you doing to protect those assets? This doesn’t have to be a laundry list that describes each security layer in detail, but it should give readers a sense that the security is appropriate to stop the types of threats it anticipates. Again, what I really want to know is that the company is doing what’s necessary, not just providing a generic response that restates the question.
    • The third and perhaps most important question is whether the security has been evaluated and validated by experts outside the company. Former President Ronald Reagan famously described his policy toward the Soviet Union as “trust but verify” and that’s appropriate in the world of cybersecurity as well. Though we have to trust companies to be candid and truthful, there is a lot of value in having professional third parties provide independent analyses.

    Simply answering these questions is no guarantee that the company won’t be breached, but there is great value in the asking. For one, it keeps cybersecurity top-of-mind in the c-suites, ensuring that it factors into all major company decisions. It also gives policy makers a clear idea about our nation’s cyber resilience and exposes major shortcomings that can be addressed with legislation or regulation. And it provides peace of mind for people who are considering placing their hard-earned money in the company’s hands.

    In the wake of the far-reaching SolarWinds and Colonial Pipeline breaches, now is an excellent time to ask Congress and the SEC to work with publicly traded companies to find a workable disclosure template that better protects all of us.

  • Client Success is Raxis’ Success

    At Raxis, we find communication with our clients is one of the most critical and key components of our service. 

    Throughout the penetration testing process we are communicating with our clients through daily updates, at the end we provide not only a debriefing call but also a full report describing what we found, what it means for them, and steps they can take to resolve any issues uncovered throughout the process. 

    In the video above, Raxis Senior Manager of Operations and Customer Delivery Tim Semchenko explains how critical the after-action reporting is for our clients.

    It is undeniable that finding network security vulnerabilities and helping our clients shore up those weak spots is a huge component of what we do. However, the key to a successful engagement between us and the client is all about the communication. Our penetration testers must be able to not only find security flaws but also to accurately communicate these issues with the client as well as detail how to remedy them. 

    We could simply drop a report on your desk showing what we found and what to do to fix it, but that just isn’t who we are. We want our clients to feel that Raxis is a trusted partner who respects them and is there to help them understand every aspect of their report.

    By treating customers like partners, we ensure our success is based on your success. 

    Here are some other posts you might enjoy:

    Want to learn more? Take a look at the next part of our Working at Raxis discussion.