The Executive Summary

00:00

hello and welcome to another penetration testing, execution Standard discussion. Today we're going over what I think is one of the most important components of any report, and that is the executive summary. So today, the primary objective is to discuss what an executive summary is,

00:18

as well as an example summary layout that was provided by the Pee test standard.

00:23

So the executive summary will communicate to the reader the specific goals of the penetration test and the high level findings of the testing exercise. Remember the audience of the executive summary?

00:36

Our decision makers, individuals that may not be security savvy folks that have oversight and strategic vision and, you know, their overall going to be aware of the security program, pushing management, pushing initiatives and objectives.

00:50

But there may be other individuals in the organization that are not tied to cyber security or tied to understanding that language that may need to consume it like a CEO or a CEO or a CFO. So the executive summary is meant to be the information that will help them to make decisions

01:06

and ensure that they reduced risk according to their risk tolerance and their risk appetite.

01:11

Now, a summary layout will involve the following sections. You'll have a background and so this should explain to the reader the overall purpose of the test Details on the terms identified within the pre engagement section relating to risk countermeasures. Testing goals should be present to connect the reader to the overall test objectives

01:30

and the relative results.

01:32

Remember, if you can explain it without some details here, if you can cut down on certain lingo and you can simplify it and make it direct, that is the goal overall posture of the organization. So this will be a narrative of the overall effectiveness of the test and the pen testers ability to achieve the goals set forth within the pre engagement session.

01:51

We'll get into risk ranking in a risk profile, and so this can be a score qualitative quantitative in nature that will be identified and explained in this area. And so in the pre engagement section, you will need to identify scoring mechanism and the individual mechanism for tracking and grading risk.

02:08

Various methods from fear and dread and other custom rankings

02:12

can be consolidated into environmental scores and defined, and so you need to give them a number. You need to give them a metric and where they can measure where they sit, the client and where they can improve and how they can improve and what that looks like. General findings are not getting into the deep, deep technical,

02:30

but providing the synopsis of the issues found during the test. In a basic and statistical format,

02:37

graphic representations of the target's tested testing results, processes, attacks in areas, success rates and other trend doble metrics, as defined with Ian pre engagement meeting, should be present. In addition, the cause of the issue should be presented in an easy to read format. Again, we're dealing with individuals

02:55

who are decision makers

02:59

who have often times limited capacity as faras for meetings and things of that nature because they've got so much to do and so keeping it simple, keeping it concise, keeping it direct and making it informative are the key goals of your executive summary.

03:14

Now, the recommendation summary is the section of the report that should provide the reader with a very high level understanding of the tasks needed to resolve the risks,

03:23

um identified, and the general level of effort required to implement the resolution path suggested So the section will also identify the waiting mechanism used to prioritize the order of the road map. Following so strategic road map is what follows that

03:38

and that road map should include a prioritized plan for remediation of the insecure items found and should be weighed against the business objectives, level of potential impacts, all that thing, the things we were evaluating. Criticality of systems

03:50

risk levels of systems should be MATT directly to the goals identified, as well as the threat matrix created in the Pee Test Threat modeling section.

03:59

Now, by breaking up into predefined time objective based goals, the section will create a path of action to following various increments. And so this is great for a decision maker because you're not only telling them what the problem is, you're not only showing them what the problem is, you're defining for them what you think would be the best practice

04:17

progression in moving through the problems and addressing them based on metrics based on numbers based on a weight based on a risk. It's not just we feel that 12 and three is beneficial. We say we know 12 and three is beneficial because these were critical systems and they do X, y and Z for the organization, and we think they can be addressed in this manner.

04:36

And this is the order in which we think it should be done.

04:39

So all of that information should culminate into an executive summary. If you could keep this report under 15 pages, 10 pages as minimal as possible to convey the information is beneficial if you throw a

04:53

ah 35 45 55 page report in front of an executive team and you expect that to be read and you expect that to be consumed and taken into

05:01

their minds and understood

05:04

you're living a dream there. At that point, you've got to keep it again concise. I think that anything under 15 pages is best 20 pages maximum when you're putting together such a summary. So that's why it's important to be concise, be direct and just give them exactly what they need to make a decision, recommendations and all.

05:24

So let's do a quick check on learning.

05:26

True or false. The executive summary should include all technical details as laid out in every aspect of the penetration test and the efforts that we took is the tester.

05:38

Well, if you need some additional time, please pause the video. This is a false statement. So the executive summary should not include all technical details that should be concise to the point and general with respect to the information and feedback that is provided. So in summary, we discussed what an executive summary waas

05:56

and we discussed an executive summary layout example. Now again,