Methodology cleanup

xml/source/snippets/report/methodology.xml

@@ -1,49 +1,91 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<section id="methodology" xml:base="methodology.xml" break="before" inexecsummary="yes">
+<section id="methodology" xml:base="methodology.xml" break="before"
-    <title>Methodology</title>
+  inexecsummary="yes">
-    <section id="planning">
+  <title>Methodology</title>
-        <title>Planning</title>
+  <section id="planning">
-        <p>Our general approach during this penetration test was as follows:</p>
+    <title>Planning</title>
-        <ol>
+    <p>Our general approach during penetration tests is as follows:</p>
-            <li><b>Reconnaissance</b><br/>We attempted to gather as much information as possible about the
+    <ol>
-                target. Reconnaissance can take two forms: active and passive. A
+      <li>
-                passive attack is always the best starting point as this would normally defeat
+        <b>Reconnaissance</b>
-                intrusion detection systems and other forms of protection, etc., afforded to the
+        <br/>
-                network. This would usually involve trying to discover publicly available
+        We attempt to gather as much information as possible about the target.
-                information by utilizing a web browser and visiting newsgroups etc. An active form
+        Reconnaissance can take two forms: active and passive. A passive attack
-                would be more intrusive and may show up in audit logs and may take the form of a
+        is always the best starting point as this would normally defeat
-                social engineering type of attack.</li>
+        intrusion detection systems and other forms of protection, etc.,
-            <li><b>Enumeration</b><br/>We used varied operating system fingerprinting tools to determine
+        afforded to the network. This usually involves trying to discover
-                what hosts are alive on the network and more importantly what services and operating
+        publicly available information by utilizing a web browser, visiting
-                systems they are running. Research into these services would be carried out to
+        newsgroups, etc. An active form would be more intrusive and may show up
-                tailor the test to the discovered services.</li>
+        in audit logs and may take the form of a social engineering type of
-            <li><b>Scanning</b><br/>Through the use of vulnerability scanners, all discovered hosts would be tested
+        attack.
-                for vulnerabilities. The result would be analyzed to determine if there are any
+      </li>
-                vulnerabilities that could be exploited to gain access to a target host on a
+      <li>
-                network.</li>
+        <b>Enumeration</b>
-            <li><b>Obtaining Access</b><br/>Through the use of published exploits or weaknesses found in
+        <br/>
-                applications, operating system and services access would then be attempted. This may
+        We use various fingerprinting tools to determine what hosts are visible
-                be done surreptitiously or by more brute force methods.</li>
+        on the target network and, more importantly, try to ascertain what
-        </ol>
+        services and operating systems they are running. Visible services are
-    </section>
+        researched further to tailor subsequent tests to match.
-    <section id="riskClassification">
+      </li>
-        <title>Risk Classification</title>
+      <li>
-        <p>Throughout the document, vulnerabilities or risks are labeled and
+        <b>Scanning</b>
-            categorized as:</p>
+        <br/>
-        <ul>
+        Vulnerability scanners are used to scan all discovered hosts for known
-            <li><b>Extreme</b><br/>Extreme risk of security controls being compromised with the possibility
+        vulnerabilities or weaknesses. The results are analyzed to determine if
-                of catastrophic financial/reputational losses occurring as a result.</li>
+        there are any vulnerabilities that could be exploited to gain access or
-            <li><b>High</b><br/>High risk of security controls being compromised with the potential for
+        enhance privileges to target hosts.
-                significant financial/reputational losses occurring as a result.</li>
+      </li>
-            <li><b>Elevated</b><br/>Elevated risk of security controls being compromised with the potential
+      <li>
-                for material financial/reputational losses occurring as a result.</li>
+        <b>Obtaining Access</b>
-            <li><b>Moderate</b><br/>Moderate risk of security controls being compromised with the potential
+        <br/>
-                for limited financial/reputational losses occurring as a result.</li>
+        We use the results of the scans to assist in attempting to obtain access
-            <li><b>Low</b><br/>Low risk of security controls being compromised with measurable negative
+        to target systems and services, or to escalate privileges where access
-                impacts as a result.</li>
+        has been obtained (either legitimately though provided credentials, or
-        </ul>
+        via vulnerabilities). This may be done surreptitiously (for example to
-        <p>Please note that this risk rating system was taken from the Penetration Testing Execution
+        try to evade intrusion detection systems or rate limits) or by more
-            Standard (PTES). For more information, see:
+        aggressive brute-force methods.
-            <a href="http://www.pentest-standard.org/index.php/Reporting">http://www.pentest-standard.org/index.php/Reporting</a>. </p>
+      </li>
-    </section>
+    </ol>
+  </section>
+  <section id="riskClassification">
+    <title>Risk Classification</title>
+    <p>Throughout the report, vulnerabilities or risks are labeled and
+      categorized according to the Penetration Testing Execution Standard
+      (PTES). For more information, see:
+      <a href="http://www.pentest-standard.org/index.php/Reporting">
+        http://www.pentest-standard.org/index.php/Reporting
+      </a>
+    </p>
+    <p>These categories are:</p>
+    <ul>
+      <li>
+        <b>Extreme</b>
+        <br/>Extreme risk of security controls being compromised with the
+        possibility of catastrophic financial/reputational losses occurring as a
+        result.
+      </li>
+      <li>
+        <b>High</b>
+        <br/>High risk of security controls being compromised with the potential
+        for significant financial/reputational losses occurring as a result.
+      </li>
+      <li>
+        <b>Elevated</b>
+        <br/>Elevated risk of security controls being compromised with the
+        potential for material financial/reputational losses occurring as a
+        result.
+      </li>
+      <li>
+        <b>Moderate</b>
+        <br/>Moderate risk of security controls being compromised with the
+        potential for limited financial/reputational losses occurring as a
+        result.
+      </li>
+      <li>
+        <b>Low</b>
+        <br/>Low risk of security controls being compromised with measurable
+        negative impacts as a result.
+      </li>
+    </ul>
+  </section>
 </section>