topic Re: Vulnerability Assessment/Reports in Member Support

Vulnerability Assessment/Reports

JJordan — Sun, 29 Oct 2017 14:40:09 GMT

Would anyone out there have a vulnerability assessment/report they could provide to me so I can get a better understanding of what information, format and the length one should contain?

Thank you,
Justin Jordan

Re: Vulnerability Assessment/Reports

Anonymous — Sun, 29 Oct 2017 14:46:24 GMT

i think maybe you can find a good information in google about it and can find good samples

take a look at this one and you can find many others:

https://www.giac.org/paper/gcux/241/public-servers-vulnerability-assessment-report/101868

Re: Vulnerability Assessment/Reports

Wvipersg — Sun, 29 Oct 2017 15:03:16 GMT

Honestly there are many formats, but one things to keep in mind is what scoring type you use or want. My advice is to use one that matches what you use in your risk management program. Using government NIST for example then use CVSS model. Many of the main line vulnerability scanning softwares out there allow you to set preferences on reporting and provide different types of report formats, PDF, CSV, and excel as examples . Hope that helps?

Re: Vulnerability Assessment/Reports

robinfoprotech — Sun, 29 Oct 2017 15:04:17 GMT

I've found it useful to have a go with one of the scanners as this will give you an actual live report. Openvas is a free one that you can download and will just require a virtual machine to get started. GFI Languard and Nessus offer 30 day + evaluations to have a go with a paid product. The report results differ with the type of device and scan you perform. What are you wanting to do a report on?

Re: Vulnerability Assessment/Reports

chuckers — Sun, 29 Oct 2017 15:05:54 GMT

Appendix K of the NIST Guide for Conducting Risk Assessments provides with a list of potentially all the information that your report should include. The length of the report is dependent on your writing style but should be long enough to cover the requirements that you are seeking to fulfill and with enough detail to show that you know what you are talking about.

Re: Vulnerability Assessment/Reports

ciphercodes — Sun, 29 Oct 2017 15:17:09 GMT

If you are looking for a scan report then these are some the items the report should have.

Executive Summary (This should list the findings based off risk rating usually 1-5 - 5 being most severe)
Discovered Assets/Hosts
Open Ports
Threat Summary and Mitigation per host
Differential Report (If you want to compare the report to a previous report)

Re: Vulnerability Assessment/Reports

BloomingOnion — Sun, 29 Oct 2017 15:59:29 GMT

You can run one using Qualys on an IP that you own and see the type of information provided. Not sure if you were referring to a completed report with risk assessment. That would depend on risk profile and business as others have eluded.

Re: Vulnerability Assessment/Reports

Mdevaraj — Sun, 29 Oct 2017 16:01:20 GMT

I am assuming its a VA/PT report , not VA alone . I suggest to refer to some sample reports from EC-Council , OWASP & SANS.org .

Please refer to link below .

https://www.offensive-security.com/reports/sample-penetration-testing-report.pdf

Thanks

With Regards ,

Mdevaraj

Re: Vulnerability Assessment/Reports

Mdevaraj — Sun, 29 Oct 2017 16:02:55 GMT

PT is a next or further step to VA , other way to explain is , VA is the first step to PT .

Re: Vulnerability Assessment/Reports

JJordan — Sun, 29 Oct 2017 18:46:34 GMT

Thank you for your help!

Re: Vulnerability Assessment/Reports

JJordan — Sun, 29 Oct 2017 18:46:56 GMT

Thank you for your help!

Re: Vulnerability Assessment/Reports

Frank_Mayer — Sun, 29 Oct 2017 21:44:30 GMT

The Defense Security Service has an actual template that you can use located at URL:

www.dss.mil/documents/rmf/Risk_Assessment_Report-Template_Sept_2016.docx

This template is consistent with guidelines outlined in the NIST SP 800-30, Guide for Conducting Risk Assessments

Re: Vulnerability Assessment/Reports

DGreen — Sun, 29 Oct 2017 23:20:01 GMT

JJordan,

I know you are looking for a sample report and I think some of the responses have pointed you in the right direction. However, when creating your report keep the following things in mind:

1. Know your audience. This will guide you in your writing style and whether you should be super detailed or give the executive message.

2. Identify the message you are trying to convey and shape your report accordingly.

3. Align your report to the business. (I believe you should highlight risks associated with systems with the most value (check the BIA) and those with the most exposure (DMZ hosts). Protect your crown jewels.)

4. Keep the report as short as possible. If a lot of details are required, then add it to a secondary report. Most people will not read a long report.

5. Ensure you have established metrics for your program so management and administrators know who well they are executing.