Reports such as the one you are about to prepare put information in an order that enables the reader to reach logical conclusions. The vulnerability assessment should include the following sections:
Notice
Include a short statement about the confidentiality of the report, similar to the following: "This report contains confidential and proprietary information. Reproduction of this document or unauthorized use is prohibited."
You will want to include this statement on the cover of the report as well as a privacy statement in the footer of each page. After all, you are holding a report that clearly details the organization's vulnerabilities. Although not required, you may also consider including a table of contents. This helps the readers navigate the document. Anything you can do to make the report easier to read will help with its acceptance.
Executive Summary
This section is designed to give the reader a high-level overview of the vulnerability assessment in one to two pages. Executive summaries usually include the following:
The executive summary previews the main points of your report, enabling readers to build a mental framework for organizing and understanding the detailed information in your document. Like it or not, some individuals will not read the entire report, so this section will likely be the most-read part of it.
Introduction
The introduction portion of the report is the section that should list all the background information. It should state the purpose of the assessment: was it performed because of regulatory requirements, due diligence, in response to a negative event, and so forth? It should also discuss the organization's mission and what information and systems are deemed critical to meeting that mission. Finally, it should introduce the team and discuss the skills and expertise that qualified them to perform this assessment.
Statement of Work
This section of the report should contain an overall description of the organization's IT infrastructure and of the systems that were assessed. It is, in essence, the methodology. It defines the scope of work, tasks, and deliverables that you agreed to produce in the original scoping document. This section should also include network diagrams, system descriptions, physical and logical layouts, and details about users, locations, and third-party connections.
Note
A picture is worth a thousand words. By adding network diagrams, system descriptions, physical and logical layouts, and other diagrams, your readers will have a much better understanding of the network infrastructure.
This is the location where you'll want to include the OICM and SCM. These are the matrices you developed to establish critical information types and critical systems. For example, suppose the organization being examined is a state agency. This state agency maintains 10 branch offices and has approximately 2,000 employees. Each of the 10 branch offices connects back to the main office for connectivity to services and for access to the Internet.
Modernization has become a big driving concern for the state. The agency has made great strides in automating project bidding. The agency has installed systems that manage the bid process and inform the winning company of its selection as the primary contractor. Most projects are performed by contractors, so one of the agency's primary roles is to prepare and maintain project schedules. A discussion with senior state agency officials helped determine the following critical systems and information. The agency's OICM is shown in Table 9.4, and its SCM is shown in Table 9.5.
Table 9.4: OICM

| Information type | Confidentiality | Integrity | Availability |
|---|---|---|---|
| Internal documents | Medium | Medium | Low |
| Customer data | High | Medium | Medium |
| Contracts | High | Medium | Low |
| Employee | Medium | Medium | Low |
| High watermark | High | Medium | Medium |

Table 9.5: SCM

| System type | Confidentiality | Integrity | Availability |
|---|---|---|---|
| Engineering | Low | Medium | Medium |
| Human Resources | Medium | Medium | Low |
| Projects | Medium | Medium | Medium |
| DMZ/Internet | Low | Medium | High |
| High watermark | Medium | Medium | High |
These findings demonstrate that contracts and customer data rank highest for the agency; the high watermark is driven by the confidentiality of this information.
A review of the state agency's SCM shows that availability is the most important system trait. Ideally, these findings point the team to the systems and information that should receive the most in-depth review.
Analysis
This section of the report lists what you found and how you found it. This is the current state of the network. You will want to discuss items of concern that were discovered during the assessment. Because this section follows the statement of work, it should build on what you did during testing, and the results of your tests and examinations should be discussed. Overall, this section should stay focused on the importance of security to the organization. It is important to keep your findings balanced. Organizations are neither all good nor all bad, and the findings shouldn't be either. Comment on what the company is doing right. Even if something hasn't been implemented as a policy but you find one person or department that has developed a method for doing something right, point out this process. Give that person or department praise and even suggest that the company adopt it as a standard. Emphasizing the organization's existing good security practices gives it something to build on when extending its security focus.
If you are not 100% sure about certain findings but believe they are correct or require further analysis, you may still include your ideas, but you should use phrases such as "these findings suggest that" or "we are fairly confident that" to indicate the lack of full evidence.
The organization of this material is really your choice. Our preference is to organize it by the 18 classes and categories shown earlier in Table 9.2 or by impact to the organization. Continuing with the example described in the statement of work, the state agency's documentation was analyzed and ranked as shown in Table 9.6.
Table 9.6: Analysis of the state agency by category

| Category | Raw Risk Rating | Total Risk Score |
|---|---|---|
| INFOSEC documentation | Low | Low |
| INFOSEC roles and responsibilities | Low | Low |
| Contingency plans | Low | Low |
| Configuration management | Low | Low |
| Identification and authentication | Medium | Medium |
| Account management | Medium | Low |
| Session controls | Low | Low |
| Auditing | Low | Low |
| Malicious code protection | Low | Low |
| Maintenance | Low | Low |
| System assurance | Low | Low |
| Networking connectivity | Medium | High |
| Communications security | Medium | Medium |
| Media controls | Medium | Medium |
| Labeling | Medium | Low |
| Physical environment | Low | Low |
| Personnel security | Low | Low |
| Education, training, and awareness | Low | Low |
Findings
This section represents the core of the document. It provides detailed recommendations for minimizing the risks that the organization faces. The recommendations must derive logically from the conclusions, be supported both by the conclusions and by the data in the discussion, be complete and clearly worded, and be worded so that either a positive or negative response is possible. Give the organization more than one option or possible solution for each vulnerability.
Your recommendations should be ranked in order of their critical importance. Items to include in this section of the report include
So, how does our example organization fare here? A review of the data from the analysis section indicates that the following six items had medium to high ratings:
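The two mechanical steps in the worked example above, deriving the high-watermark row of the OICM and SCM from the per-item ratings and pulling the Medium-or-higher categories out of Table 9.6 in priority order, are easy to get wrong by hand once the matrices grow past a handful of rows. The following Python is an added example, not code from the chapter or its authors; the matrix and table contents are the chapter's own Tables 9.4, 9.5 and 9.6, while the function names, the Low/Medium/High ordinal scale and the tie-breaking rule (total risk score first, then raw rating, then table order) are assumptions made here.

```python
"""Added example (not from the chapter): derive OICM/SCM high-watermark rows
and select the Medium-or-higher findings from a category ranking table."""

# Assumed ordinal scale so the chapter's ratings can be compared.
LEVELS = {"Low": 0, "Medium": 1, "High": 2}
ATTRIBUTES = ("Confidentiality", "Integrity", "Availability")

# Table 9.4 (OICM) and Table 9.5 (SCM) from the chapter, minus the watermark
# rows, which are what we want to compute.
OICM = {
    "Internal documents": ("Medium", "Medium", "Low"),
    "Customer data":      ("High",   "Medium", "Medium"),
    "Contracts":          ("High",   "Medium", "Low"),
    "Employee":           ("Medium", "Medium", "Low"),
}
SCM = {
    "Engineering":     ("Low",    "Medium", "Medium"),
    "Human Resources": ("Medium", "Medium", "Low"),
    "Projects":        ("Medium", "Medium", "Medium"),
    "DMZ/Internet":    ("Low",    "Medium", "High"),
}

# Table 9.6 from the chapter: category -> (raw risk rating, total risk score).
TABLE_9_6 = {
    "INFOSEC documentation":              ("Low",    "Low"),
    "INFOSEC roles and responsibilities": ("Low",    "Low"),
    "Contingency plans":                  ("Low",    "Low"),
    "Configuration management":           ("Low",    "Low"),
    "Identification and authentication":  ("Medium", "Medium"),
    "Account management":                 ("Medium", "Low"),
    "Session controls":                   ("Low",    "Low"),
    "Auditing":                           ("Low",    "Low"),
    "Malicious code protection":          ("Low",    "Low"),
    "Maintenance":                        ("Low",    "Low"),
    "System assurance":                   ("Low",    "Low"),
    "Networking connectivity":            ("Medium", "High"),
    "Communications security":            ("Medium", "Medium"),
    "Media controls":                     ("Medium", "Medium"),
    "Labeling":                           ("Medium", "Low"),
    "Physical environment":               ("Low",    "Low"),
    "Personnel security":                 ("Low",    "Low"),
    "Education, training, and awareness": ("Low",    "Low"),
}


def _check(rating):
    """Reject anything outside the scale instead of silently mis-ranking it."""
    if rating not in LEVELS:
        raise ValueError(f"unrecognised rating: {rating!r}")
    return LEVELS[rating]


def high_watermark(matrix):
    """Per attribute, the highest rating any row carries.

    The most sensitive item sets the protection level for the whole
    collection, so the watermark row is the column-wise maximum.
    """
    if not matrix:
        raise ValueError("matrix has no rows")
    return tuple(
        max((row[col] for row in matrix.values()), key=_check)
        for col in range(len(ATTRIBUTES))
    )


def dominant_attribute(matrix):
    """The attribute whose watermark rating is highest (ties: first listed)."""
    wm = high_watermark(matrix)
    return ATTRIBUTES[max(range(len(ATTRIBUTES)), key=lambda i: LEVELS[wm[i]])]


def prioritized_findings(table, threshold="Medium"):
    """Categories whose raw rating or total score reaches `threshold`,
    most critical first: total score, then raw rating, then table order
    (sorted() is stable, so ties keep their original relative order)."""
    floor = _check(threshold)
    picked = [
        (cat, raw, total)
        for cat, (raw, total) in table.items()
        if _check(raw) >= floor or _check(total) >= floor
    ]
    return sorted(picked, key=lambda t: (LEVELS[t[2]], LEVELS[t[1]]), reverse=True)


if __name__ == "__main__":
    print("OICM watermark:", high_watermark(OICM), "->", dominant_attribute(OICM))
    print("SCM watermark: ", high_watermark(SCM), "->", dominant_attribute(SCM))
    for cat, raw, total in prioritized_findings(TABLE_9_6):
        print(f"{cat:36} raw={raw:6} total={total}")
```

Run as a script it reproduces the chapter's two watermark rows (High/Medium/Medium for information, Medium/Medium/High for systems) and lists the six Medium-or-higher categories with networking connectivity, the only High total score, at the top. The explicit `_check` is deliberate: a misspelled rating in a hand-maintained matrix should stop the run rather than quietly sort below "Low".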
Conclusions
This section of the report should serve as a wrap-up. It should state the overall security stance of the organization and offer a discussion of the benefits of good security practices. The conclusion is the final impression. It is the last opportunity you have to get your point across to management and leave the reader feeling as if he or she learned something and is ready to take action. Leaving a paper dangling without a proper conclusion can seriously devalue what was said in the report. Avoid this pitfall.
For our sample organization, what's most important is to address the issues involving network connectivity. Customer data and contracts could be accessed by individuals who don't have a need to know, thereby endangering the confidentiality and integrity of these informational assets. Because systems in the DMZ and those that contain project data were ranked as most critical, controls should be put in place to ensure their confidentiality, integrity, and availability.