up

2020-01-22

Reports!

• Two types of Findings
  • Good things!
    • Praise the customer first
  • Bad things
• Three Sections
  • Exec. Summary
  • Summary of testing
  • Executive results

There must be a cover page:

• Always
• With
  • Title
  • Date
  • To
  • Attn
    • What does this mean
  • Form Subject
    • yoooo what does this mean?

Pages:

• Cover page
• Disclaimers
• Table of Contents
• Exec Summary (pages as needed, 1 page preffered, C-Level target aud.)
• Summary of Testing (managers target aud.)
  • Background, scope, objective
  • desc. of env.
  • narrative and timeline of testing
  • non-technical results
• Technical results
  • Divide findings into small small portions
  • Include lots of detail
  • • name
      • Criticality
      • location
      • impact
      • description
      • steps to reproduce
      • recommendations
  • Avoid overly repetitive findings

Threat Actor Motivations:

• Financial Gain
• Political
• Organizational gain
• 4 teh lulz

Threat Actors:

• Organized Crime
• Terrorists
• Governments
• Competition
• Hacktivists
• Cyber Mercenaries
• Disgruntled or Clueless employees
• Customers and Suppliers
• Vendors, partners, consultants

“Tucker: a man and his dreams” a movie about corporate shenanigans

Attack Vectors:

• Social Engineering
  • check out the kali tools
• DOS
• Injection
• Session Theft
• Phreaking
• Misconfigs
• Physical
• Abuse of Functionality

check out mitre