Netragard’s Reporting Process
Unlike many security vendors, Netragard’s reporting process encompasses more than the delivery of canned reports containing mediocre project summaries and poor technical reporting. Netragard’s reporting process is multi-faceted, engaging our customers on multiple levels.
Active Project Engagement
Netragard provides customers with the option of interacting with active projects through our project management portal. The portal alerts customers to critical issues in near real-time, enabling them to respond to and remediate these issues quickly.
In addition, customers can upload and download files relevant to the project, send requests to project managers, and be apprised of general project status through a wiki page. All data collected is destroyed, pursuant to NIST 800-88, at the completion of a project.
Final Project Report
At the completion of the active testing portion of a project, all data relevant to the project has been entered into Netragard’s project management portal. A number of data points are recorded for each identified vulnerability, disclosure, or informational finding, allowing findings to be easily identified and correlated from high to low severity.
As part of Netragard’s project report, our Research Team strives to provide customers with a compelling and accurate representation of the project as it unfolded. This method of summarization allows customers to clearly understand the methodologies used to achieve exploitation of vulnerabilities and to identify disclosures and informational findings. Providing customers with a clear, readable, and easily understandable summary of the project enables them to further identify possible failings in internal security policies and procedures.
In addition to a clear summary of the project, Netragard’s Research Team provides highly detailed information for all risks identified, ranked in order from most to least critical. All identified risks are clearly named and contain a summary description of the risk, exploitation details (including code, tools used, and methodology), and remediation methods. In cases where a vendor patch or known workaround is not available, Netragard will strive to provide the best possible method of remediation known at the time the report is written.
Risk Weightings & Matrix
To properly understand our findings, recognize that the risk of your systems being compromised consists of two parts. We call the first Documented Risk. This is the vulnerability of your systems to the specific attack we have performed. Our results are reported on a 1-10 scale, with a 10 indicating that we found your system already compromised when the assessment was run, and a 1 indicating almost no vulnerability to the specific attack. This number is based on our experience with the attack technique and accepted industry standards.
The second measure, Probability of Occurrence, is more subjective. It is the likelihood that an attacker will use the technique described in our protocol. As attack techniques become better known and hackers share information about them, the skills required to perform an attack generally decrease, while the probability of that type of attack increases.
We express our findings using a score calculated from the Documented Risk and the Probability of Occurrence. Scores from 1 to 3 are LOW, 4 to 6 are MEDIUM, and 7 to 10 are HIGH. An indicator of 10 represents the discovery of a compromised system. The score represents only the average value of all issues discovered and does not reflect the probability or ease of penetration of your infrastructure.
Netragard provides a unique Risk Matrix to illustrate the risk posed by each of the discovered issues. Clearly, high vulnerability and high probability provide the greatest risk of a successful attack. Understanding both factors is crucial to properly defending your environment while spending your IT security dollars wisely.