So, you’ve completed a vulnerability assessment and a penetration test to ensure that your web and network security is up to par.
All you have to do now is wait for the report. What you get instead is a hundred-page essay chock-full of technical jargon and figures from which you can barely extract any useful information.
You and your IT department are at a loss as to how to address the issues raised in the report, wasting valuable time that could be spent on more revenue-generating activities.
Here is our guide to getting 5–20x more value out of your post-assessment cybersecurity report.
1. The Executive Summary will set the tone from the start
If the executive summary is difficult to understand, send it back. This is not up for discussion. A third-party security team should be able to tell your executives what they did, how long it took, what they found, and what they make of the results.
The executive summary must be written so that you understand the severity of the situation and can decide who is best placed to oversee the remediation.
It should not be filled with technical jargon that makes it difficult for you to comprehend and act on.
To supplement what you read in the executive summary, always ask: “How did we perform for an organization of our size?” and “How did you arrive at a passing/failing result?”
You’re paying for more than just someone to run a Nessus scan or Network Detective Collector on your network; you’re also paying for their analysis. Request it.
2. How to make sense of colour-coded risk ratings
When you hire a third-party assessment company, they usually set their own risk priorities, and these may or may not correspond to your company’s size or line of business.
For example, leakage of a customer’s credit card details is rated much higher for a bank than it would be for many other types of business.
So you ask,
- What do the risk ratings mean?
- If a high-risk vulnerability is reported how quickly should we resolve that issue?
- Which vulnerabilities are putting our most critical assets at risk?
Once you have made sense of the risk ratings, a well-scoped assessment report should be distributed to the relevant departments within your organization. Make sure each finding is delegated to the department with the authority to fix it.
Don’t drop a large report on everyone and expect them to work out how it applies to them, especially for the technical findings. You will only burden people with unnecessary work.
3. You’ll be given suggestions, but you should dig deeper
Third-party assessors will provide recommendations on how to resolve problems, but the findings themselves deserve more of your attention than the recommendations.
Rather than simply asking your IT staff or security experts to fix, say, the cross-site scripting issues listed in the report, work out how to manage cross-site scripting as a class of problem.
For example, define cross-site scripting in terms that you and your IT department understand, then go back to the other instances in the report and look for what they have in common.
There may be a specific way you write output that is causing the vulnerabilities in your web application. For example, an app that writes request parameters straight into the page with Response.Write, without encoding them, will produce a cross-site scripting finding at every such call site.
So ask: where do we really have cross-site scripting, and why do we have it? Does it violate our coding guidelines? You will begin to notice larger design flaws in your application and network development, testing, and design processes.
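The Response.Write pattern described above, as an added example that is not code from the original article: the vulnerable render beside its encoded form, plus a small scan over constructed source lines that flags other Response.Write calls taking a Request.* value with no encoder in between. The helper name htmlEncode, the sample lines and the regular expressions are assumptions made for this example; it is written for Node.js and needs no dependencies.

```javascript
// Added example, not code from the original article.
// htmlEncode: minimal encoder for text placed in an HTML element body or a
// double-quoted attribute value. (Assumed helper name; a real ASP.NET app
// would use its framework encoder, e.g. Server.HtmlEncode.)
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable form: the search term from the request goes into the page verbatim.
function renderSearchVulnerable(query) {
  return "<h2>Results for " + query + "</h2>";
}

// Hardened form: encode at the output boundary. This fixes one finding;
// the scan below is how you find the rest of the same pattern.
function renderSearchHardened(query) {
  return "<h2>Results for " + htmlEncode(query) + "</h2>";
}

// Constructed source lines standing in for an ASP.NET code base.
const constructedSource = [
  'Response.Write("<h2>Results for " + Request.QueryString["q"] + "</h2>");',
  'Response.Write(Server.HtmlEncode(Request.QueryString["q"]));',
  'Response.Write("<p>Static text</p>");',
  'Response.Write("Hello " + Request.Form["name"]);',
  'Response.Write(HttpUtility.HtmlEncode(Request.Form["name"]));',
  'string q = Request.QueryString["q"];',
];

// A Response.Write call whose argument carries a Request.* value and no encoder.
const writeCall = /Response\.Write\((.*)\)\s*;?\s*$/;
const taintedInput = /\bRequest\.(QueryString|Form|Params|Cookies|Headers|Url)\b/;
const encoderCall =
  /\b(Server|HttpUtility|WebUtility|AntiXssEncoder)\.(Html|HtmlAttribute|JavaScriptString)Encode\s*\(/;

// Returns one entry per flagged line: { line: 1-based number, code: the line }.
function findUnencodedWrites(lines) {
  const hits = [];
  lines.forEach((line, index) => {
    const trimmed = line.trim();
    const match = writeCall.exec(trimmed);
    if (!match) return;
    const argument = match[1];
    if (taintedInput.test(argument) && !encoderCall.test(argument)) {
      hits.push({ line: index + 1, code: trimmed });
    }
  });
  return hits;
}

// Stand-alone run: list the flagged lines and show both render forms.
if (typeof require !== "undefined" && require.main === module) {
  console.log(findUnencodedWrites(constructedSource));
  console.log(renderSearchVulnerable("<script>alert(1)</script>"));
  console.log(renderSearchHardened("<script>alert(1)</script>"));
}
```

The scan is a cheap first pass for the “look for what the instances have in common” step: it is line-based, so calls split across lines or routed through an intermediate variable will slip past it, and a proper static analysis tool or the assessor’s full findings list is the next step. Note also that the right encoder depends on where the output lands (HTML body, attribute, JavaScript string, URL), so a single HtmlEncode is not a universal fix.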
Fixing only the vulnerabilities listed in the report, without understanding the analysis behind them, is like sweeping dust under the carpet. What happens next year, when another assessment is conducted and the same vulnerabilities are found again?
Don’t be frugal with your security efforts by plugging the little holes in your ship while remaining unaware of the others because you didn’t look. Shift your focus to vulnerabilities at a higher level, and address them there.
4. Managing Upwards
After the initial assessment and testing, consider a re-test. It can be more valuable than the initial assessment because it shows how successful you were in making your applications more robust and secure.
If your IT department completes remediation before the re-test, the assessor can update the report along the way to reflect, for example, that three high-risk findings were discovered and resolved within a week.
Because the remediation is part of the final report, you save the time of explaining to upper management how exploitable a vulnerability is. Work is easier to manage when you can respond to it right away.
Furthermore, your IT department will have a recorded step-by-step guide to reproducing each exploit, which they can use to re-run the test themselves and confirm that the vulnerabilities have been fixed.
Get a report that tells you and your IT team what to focus on and how to resolve it. You should know how your company could be exploited, and the timeframe in which high-risk vulnerabilities must be resolved.