Contents of a Good Report
Reports such as the one you are about to prepare put information in an order that enables the reader to reach logical conclusions. The vulnerability assessment should include the following sections:
- Notice
- Executive summary
- Introduction
- Statement of work
- Analysis
- Findings
- Conclusions
Notice
Include a short statement about the confidentiality of the report, such as something similar to the following: "This report contains confidential and proprietary information. Reproduction of this document or unauthorized use is prohibited."
You will want to include this statement on the cover of the report as well as a privacy statement in the footer of each page. After all, you are holding a report that clearly details the organization's vulnerabilities. Although not required, you may also consider including a table of contents. This helps the readers navigate the document. Anything you can do to make the report easier to read will help with its acceptance.
Executive Summary
This section is designed to give the reader a high-level overview of the vulnerability assessment in one to two pages. Executive summaries usually include the following:
- Introduction
- Statement of work performed
- Results and conclusions
- Recommendations
It previews the main points of your report, enabling readers to build a mental framework for organizing and understanding the detailed information in your document. Like it or not, some individuals will not read the entire report, so this section is likely to be the most widely read.
Introduction
The introduction portion of the report is the section that should list all the background information. It should state the purpose of the assessment: was it performed to satisfy a regulatory requirement, as part of due diligence, in response to a negative event, or for some other reason? It should also discuss the organization's mission and what information and systems are deemed critical to meeting that mission. Finally, it should introduce the team and discuss the skills and expertise that qualified them to perform this assessment.
Statement of Work
This section of the report should contain an overall description of the organization's IT infrastructure and what systems were assessed. It is, in essence, the methodology. It defines the scope of work, tasks, and deliverables that you have agreed to produce in the original scoping document. This section should also include network diagrams, system descriptions, physical and logical layouts, and details about users, locations, and third-party connections.
Note
A picture is worth a thousand words. By adding network diagrams, system descriptions, physical and logical layouts, and other diagrams, your readers will have a much better understanding of the network infrastructure.
This is the location where you'll want to include the OICM (Organizational Information Criticality Matrix) and SCM (System Criticality Matrix). These are the matrices you developed to establish critical information types and critical systems. For example, suppose the organization being examined is a state agency. This state agency maintains 10 branch offices and has approximately 2,000 employees. Each of the 10 branch offices connects back to the main office for access to services and to the Internet.
Modernization has become a big driving concern for the state. The agency has made great strides in automating project bidding. The agency has installed systems that manage the bid process and inform the winning company of its selection as the primary contractor. Most projects are performed by contractors, so one of the agency's primary roles is to prepare and maintain project schedules. A discussion with senior state agency officials helped determine the following critical system and information. The agency's OICM is shown in Table 9.4, and its SCM is shown in Table 9.5.
Table 9.4 The state agency's OICM

| Information type | Confidentiality | Integrity | Availability |
|---|---|---|---|
| Internal documents | Medium | Medium | Low |
| Customer data | High | Medium | Medium |
| Contracts | High | Medium | Low |
| Employee | Medium | Medium | Low |
| High watermark | High | Medium | Medium |
Table 9.5 The state agency's SCM

| System type | Confidentiality | Integrity | Availability |
|---|---|---|---|
| Engineering | Low | Medium | Medium |
| Human Resources | Medium | Medium | Low |
| Projects | Medium | Medium | Medium |
| DMZ/Internet | Low | Medium | High |
| High watermark | Medium | Medium | High |
These findings demonstrate that contracts and customer data rank high for the agency, and that the high watermark falls on the confidentiality of this information.
A review of the state agency's SCM shows that availability is the most important system trait. Ideally, these findings should point the team to systems and information that should receive the most in-depth review.
Analysis
This section of the report lists what you found and how you found it. It describes the current state of the network. You will want to discuss items of concern that were discovered during the assessment. Because this section follows the statement of work, it should build on what you did during testing, and the results of your tests and examinations should be discussed. Overall, this section should stay focused on the importance of security to the organization. It is important to keep your findings balanced. Organizations are not all good or all bad, and the findings shouldn't be either. Comment on what the company is doing right. Even if something hasn't been implemented as policy but you find one person or department that has developed a sound way of doing something, point out that process. Give that person or department credit and even suggest that the company adopt it as a standard. Emphasizing the good security practices the organization already has gives it something to build on and helps justify additional security focus across the organization.
If you are not 100% sure about certain findings but believe they are correct or require further analysis, you may still include your ideas, but you should use wording such as "these findings suggest that" or "we are fairly confident that" to indicate the lack of full evidence.
The organization of this material is really your choice. Our preference is to organize it by the 18 classes and categories shown earlier in Table 9.2 or to organize it by impact to the organization. Continuing with the example described in the statement of work, the state agency's documentation was analyzed and ranked as shown in Table 9.6.
Table 9.6 Analysis of the state agency's documentation

| Category | Raw Risk Rating | Total Risk Score |
|---|---|---|
| INFOSEC documentation | Low | Low |
| INFOSEC roles and responsibilities | Low | Low |
| Contingency plans | Low | Low |
| Configuration management | Low | Low |
| Identification and authentication | Medium | Medium |
| Account management | Medium | Low |
| Session controls | Low | Low |
| Auditing | Low | Low |
| Malicious code protection | Low | Low |
| Maintenance | Low | Low |
| System assurance | Low | Low |
| Network connectivity | Medium | High |
| Communications security | Medium | Medium |
| Media controls | Medium | Medium |
| Labeling | Medium | Low |
| Physical environment | Low | Low |
| Personnel security | Low | Low |
| Education, training, and awareness | Low | Low |
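As an added example (not part of the book's text), the Python below reproduces the two computations the sample report relies on: the high-watermark rows of the OICM and SCM in Tables 9.4 and 9.5, and the triage of Table 9.6 into the medium-to-high categories that the Findings section works from, ranked worst first as the report recommends. The table contents are transcribed from above; the ordinal scale, the sum-of-ratings rule used to pick the most critical systems, and the sort order are assumptions made for this illustration, not the book's method.

```python
# Added example, not from the book. Transcribes Tables 9.4-9.6 and shows the
# high-watermark and triage steps the sample report describes in prose.
# Scoring and ordering rules below are assumptions for illustration only.

LEVELS = ("Low", "Medium", "High")          # ordinal scale shared by all three tables
RANK = {name: i for i, name in enumerate(LEVELS)}

OICM = {  # Table 9.4: information type -> (confidentiality, integrity, availability)
    "Internal documents": ("Medium", "Medium", "Low"),
    "Customer data": ("High", "Medium", "Medium"),
    "Contracts": ("High", "Medium", "Low"),
    "Employee": ("Medium", "Medium", "Low"),
}

SCM = {  # Table 9.5: system type -> (confidentiality, integrity, availability)
    "Engineering": ("Low", "Medium", "Medium"),
    "Human Resources": ("Medium", "Medium", "Low"),
    "Projects": ("Medium", "Medium", "Medium"),
    "DMZ/Internet": ("Low", "Medium", "High"),
}

ANALYSIS = {  # Table 9.6: category -> (raw risk rating, total risk score)
    "INFOSEC documentation": ("Low", "Low"),
    "INFOSEC roles and responsibilities": ("Low", "Low"),
    "Contingency plans": ("Low", "Low"),
    "Configuration management": ("Low", "Low"),
    "Identification and authentication": ("Medium", "Medium"),
    "Account management": ("Medium", "Low"),
    "Session controls": ("Low", "Low"),
    "Auditing": ("Low", "Low"),
    "Malicious code protection": ("Low", "Low"),
    "Maintenance": ("Low", "Low"),
    "System assurance": ("Low", "Low"),
    "Network connectivity": ("Medium", "High"),
    "Communications security": ("Medium", "Medium"),
    "Media controls": ("Medium", "Medium"),
    "Labeling": ("Medium", "Low"),
    "Physical environment": ("Low", "Low"),
    "Personnel security": ("Low", "Low"),
    "Education, training, and awareness": ("Low", "Low"),
}


def high_watermark(matrix):
    """Per column (C, I, A), the highest level any row reaches: the table's last row."""
    columns = zip(*matrix.values())
    return tuple(max(column, key=RANK.__getitem__) for column in columns)


def most_critical(matrix):
    """Rows whose summed C+I+A ranking is highest (assumed rule for 'most critical')."""
    def score(cia):
        return sum(RANK[level] for level in cia)
    best = max(score(cia) for cia in matrix.values())
    return sorted(name for name, cia in matrix.items() if score(cia) == best)


def triage(analysis, threshold="Medium"):
    """Categories whose raw rating or total score reaches the threshold, worst first.

    Sorted by total score, then raw rating; the sort is stable, so ties keep
    the order in which they appear in Table 9.6.
    """
    kept = [(category, raw, total) for category, (raw, total) in analysis.items()
            if max(RANK[raw], RANK[total]) >= RANK[threshold]]
    return sorted(kept, key=lambda row: (RANK[row[2]], RANK[row[1]]), reverse=True)


if __name__ == "__main__":
    print("OICM high watermark:", high_watermark(OICM))
    print("SCM high watermark: ", high_watermark(SCM))
    print("Most critical systems:", most_critical(SCM))
    for category, raw, total in triage(ANALYSIS):
        print(f"{category:36s} raw={raw:6s} total={total}")
```

Run as written, the triage yields the same six categories the Findings section discusses, with network connectivity on top, and the SCM scoring singles out the DMZ/Internet and Projects systems, which is the pairing the Conclusions section calls most critical.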
Findings
This section represents the core of this document. It provides detailed recommendations for minimizing the risks that the organization faces. The recommendations must derive logically from the conclusions, be supported both by the conclusions and the data in the discussion, be complete and clearly worded, and be worded so that either a positive or negative response is possible. Give the organization more than one option or possible solution to each vulnerability.
- Good: Best option, most expensive. For example, one unit of the organization has a direct connection to the Internet through a router. There is no firewall in place. Buying and installing a Cisco PIX would be a good solution to this potential vulnerability. It would also allow services such as HTTP and SMTP to be moved to a DMZ.
- Cheap: Mid-level option, less expensive. Using the preceding example, a cheaper solution may be to install a server running Linux IPTables and use it as a proxy to filter ingress and egress traffic. It is not as expensive as a PIX (Linux is free), but it would require someone with the knowledge and skill to set it up and occasionally monitor it.
- Fast: Quick and dirty solution, provides a temporary patch. Continuing with the preceding example, you could suggest that an ACL be added to the router. Although it would not provide stateful inspection, it would add protection over what is present now.
Your recommendations should be ranked in order of their critical importance. Items to include in this section of the report include the following:
- Findings
- Category
- Impact
- Details
- Countermeasures
So, how does our example organization fare here? A review of the data from the analysis section indicates that the following six items had medium to high ratings:
- Identification and authentication: A review of the identification and authentication policies revealed that although the overall policy structure is acceptable, web users are being authenticated with HTTP Basic authentication, which merely base64-encodes the credentials. Although good policy has been developed that requires users to identify themselves, how the user is identified matters as well. Basic authentication works by prompting the user for a username and password; this information is then transmitted over HTTP, scrambled only with base64 encoding. The key point is that base64 is an encoding process, not an encryption process, so base64 authentication is inherently insecure. Because base64-encoded data is trivial to decode, this form of authentication is, in effect, sending the password in plain text. Someone would have to sniff the traffic to capture the credentials; this may be somewhat difficult, but it is by no means impossible. Lost authentication credentials could affect the organization, so it is recommended that this method of authentication be replaced with an alternative challenge-response protocol such as NTLM. The time and effort involved in this change is minimal.
- Account management: We found account management policies to be acceptable. However, during system demonstrations and the interview process, it was discovered that user accounts were not being removed, as policy requires, when employees leave or move to other departments, and that employees were not having old privileges removed when they transferred. This has resulted in a form of access creep: some employees now have more access than their duties require. This situation could be rectified by providing additional policy training to the IT employees responsible for account management.
- Network connectivity: Network connectivity policies were found to be deficient. Policy did not clearly define what was allowed and what was not. Some third-party vendors are allowed access to the internal network with few controls, and although a firewall is in place, its rule set is not well defined. These issues could threaten the organization and have been deemed a major risk. We recommend that the individuals responsible for the firewall receive training to configure it properly. As an immediate stop-gap measure, additional control can be gained by implementing an ACL on the external routers to filter and control traffic.
- Communication security: Communication security can be improved by implementing IPSec or other technologies to protect data transmissions that may contain sensitive customer or financial information. Employees who currently access the organization's network offsite do so by dial-in; VPNs should be considered to secure these communications.
- Media controls: Although the organization does have media controls in place, existing policies are not being followed. Dumpster-diving activities during the assessment found sensitive documents that should not have been thrown into the trash. An immediate patch would be to remind employees of the existing media control policies, but a more complete solution should include placing shredders in all work areas.
- Labeling: Directly tied to the media control findings are the issues discovered with labeling. Some of the documents found to be improperly disposed of were not properly labeled. Interviews indicated that some individuals were confused about labeling and about how certain types of documents should be handled and labeled. Revising these policies and providing training to employees could help this situation.
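The identification and authentication finding above rests on one fact: a Basic `Authorization` header is base64 encoding, not encryption, so anyone who captures the request can recover the credentials. The Python below is an added example, not code from the book, that an assessment team can run over captured HTTP request headers to confirm that finding without transcribing passwords into the report: it flags Basic credentials carried over plain HTTP and decodes the token only far enough to report the account name. The sample requests, host names and accounts are constructed for the illustration.

```python
# Added example, not from the book. Flags HTTP Basic authentication sent over
# plain HTTP in captured request headers, reporting only the user name so the
# finding can be documented without copying passwords into the report.
import base64
import binascii

# Constructed samples: (transport the request was captured on, raw request headers).
# The Basic tokens are base64 of "jsmith:S3cret!" and "ops:hunter2".
SAMPLE_REQUESTS = [
    ("http", "GET /portal/bids HTTP/1.1\r\nHost: bids.agency.example\r\n"
             "Authorization: Basic anNtaXRoOlMzY3JldCE=\r\n\r\n"),
    ("https", "GET /portal/bids HTTP/1.1\r\nHost: bids.agency.example\r\n"
              "Authorization: Basic b3BzOmh1bnRlcjI=\r\n\r\n"),
    ("http", "GET /public/ HTTP/1.1\r\nHost: www.agency.example\r\n\r\n"),
    ("http", "GET /portal/ HTTP/1.1\r\nHost: bids.agency.example\r\n"
             "Authorization: Bearer not-relevant-here\r\n\r\n"),
]


def parse_headers(raw_request):
    """Return {lower-cased header name: value} from a raw HTTP request."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if not line:                              # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def basic_auth_user(auth_value):
    """Return the user name from a 'Basic <token>' header value.

    Returns None for other schemes and for tokens that are not valid base64
    or do not decode to the user:password form; the password is discarded.
    """
    scheme, _, token = auth_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        creds = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    user, sep, _password = creds.partition(":")
    return user if sep else None


def find_cleartext_basic_auth(requests):
    """Findings for requests that carry Basic credentials over plain http.

    Each finding is (host, user): the same header over https is not reported,
    because TLS protects the token in transit.
    """
    findings = []
    for transport, raw in requests:
        if transport != "http":
            continue
        headers = parse_headers(raw)
        auth = headers.get("authorization")
        if auth is None:
            continue
        user = basic_auth_user(auth)
        if user is not None:
            findings.append((headers.get("host", "<no Host header>"), user))
    return findings


if __name__ == "__main__":
    for host, user in find_cleartext_basic_auth(SAMPLE_REQUESTS):
        print(f"{host}: Basic credentials for '{user}' sent over plain HTTP")
```

Reporting the account name but not the password keeps the evidence specific enough to be actionable while keeping the report itself free of credentials, which matters given the confidentiality notice the report carries.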
Conclusions
This section of the report should serve as a wrap-up. It should offer the overall security stance of the organization and offer a discussion of the benefits of good security practices. The conclusion is the final impression. It is the last opportunity you have to get your point across to management and leave the reader feeling as if he or she learned something and is ready to take action. Leaving a paper dangling without a proper conclusion can seriously devalue what was said in the report. Avoid this pitfall.
For our sample organization, what's most important is to address the issues involving network connectivity. Customer data and contracts could be accessed by individuals who have no need to know, thereby endangering the confidentiality and integrity of these informational assets. Because systems in the DMZ and those that contain project data were ranked as most critical, controls should be put in place to ensure their confidentiality, integrity, and availability.