CompTIA PenTest+

CompTIA PenTest+ domain 4: Reporting and communication

March 10, 2022 by Howard Poston

Pentesting reporting and communication

Reporting and communication are a vital but undervalued part of the penetration testing process. The goal of a penetration test is to provide the customer with an understanding of the security gaps and risks in their environment to take action to remediate these issues. If the client can’t understand the tester’s findings, the assessment provides little or no value.

How will reporting and communication help my career?

Reporting and communication is a soft skill that is valuable in every part of cybersecurity (and other fields). Cybersecurity professionals often work as part of teams and communicate technical information with technical and non-technical personnel. Learning how to communicate on complex, technical topics for the layman is a valuable skill beyond the field of pentesting.

What’s covered in PenTest+ domain 4 of the exam?

Domain 4 of the PenTest+ exam covers when and how to communicate and activities after the reporting phase of an assessment (such as cleanup and retrospectives). This domain is worth 18% of a candidate’s score and includes four sections.

Compare and contrast important components of written reports

A written report is the primary deliverable from a penetration testing engagement. This report should provide a comprehensive view of the actions taken by the pentesting team and their results.

This section tests knowledge of best practices for preparing for and generating a pentesting report, including:

  • Report audience: pentesters should be able to write reports that meet the needs of various audiences, including executives, third-party stakeholders, technical staff, and developers.
  • Report contents: this section covers the essential components of a pentest report, such as an executive summary, methodology, and findings.
  • Storage time: this section discusses how long pentest reports should be stored.
  • Secure distribution: this section tests how to securely distribute reports to stakeholders.
  • Note-taking: this section covers methods for documenting pentest activities, such as the use of screenshots.
  • Common themes: this section tests common themes in pentest reports, including vulnerabilities, observations and lack of best practices.

Given a scenario, analyze the findings and recommend the appropriate remediation within a report

Penetration testers identify vulnerabilities and security gaps within an organization’s IT environment and recommend remediation steps. These recommendations enable the client to take full advantage of the assessment to improve its security posture.

Remediation recommendations fall into four main categories:

  • Technical controls: recommendations for technical controls include password encryption, patch management and key rotation.
  • Administrative controls: administrative controls tested include role-based access control (RBAC), the secure software development lifecycle (SDLC) etc.
  • Operational controls: operational control recommendations may include job rotation, mandatory vacations and user training.
  • Physical controls: controls against physical threats include access control vestibules, biometric controls and video surveillance.

Explain the importance of communication during the penetration testing process

Clear communication is essential to the success of a penetration test. A tester needs to know how to communicate regular and unordinary updates to the customer.

The communications topics covered by the PenTest+ exam include:

  • Communication path: this section tests knowledge of techniques for setting up communications to primary, technical and emergency contacts.
  • Communication triggers: this section covers triggers for communications, including critical findings, status reports or indicators of a prior security incident.
  • Reasons for communication: this section evaluates a candidate’s knowledge of reasons for communication, such as situational awareness, identifying false positives or criminal activity.
  • Goal reprioritization: during the pentesting process, the team might make discoveries that require assessment goals to be prioritized. This section tests knowledge of when reprioritization may be necessary and how to communicate it.
  • Presentation of findings: this section tests knowledge of how to present the findings of a penetration test to various audiences, such as technical personnel and executives.

Explain post-report delivery activities

The pentesting process doesn’t end with completing the assessment and delivering the report. A pen test team also needs to perform cleanup actions and take time to retrospect the process.

This section of the PenTest+ includes the following topics:

  • Post-engagement cleanup: this section covers tasks such as removing shells, tester-created credentials and tools from customer systems.
  • Client acceptance: after an assessment, the client needs to accept the results and officially end the engagement.
  • Lessons learned: this section explores techniques for performing retrospectives on engagements and extracting lessons for continuous improvement.
  • Follow-up actions/retesting: a penetration tester may be asked to follow up and retest certain findings after the engagement is complete.
  • Attestation of findings: a penetration tester may need to attest to the accuracy and completeness of the report on the assessment’s findings.
  • Data destruction process: this section tests proper processes for deleting customer data after an engagement is complete.

For more information on the PenTest+ exam, see the full CompTIA PenTest+ (PT0-002) exam objectives.

Sources

 

Posted: March 10, 2022
Author
Howard Poston
View Profile

Howard Poston is a cybersecurity researcher with a background in blockchain, cryptography and malware analysis. He has a master's degree in Cyber Operations from the Air Force Institute of Technology and two years of experience in cybersecurity research and development at Sandia National Labs. He currently works as a freelance consultant providing training and content creation for cyber and blockchain security.

Leave a Reply

Your email address will not be published.