Assessment Front Sheet

HR90 47— Ethical Hacking Fundamentals

The candidate should produce written evidence in the form of a security assessment report; the report must include as a minimum the following sections:

• Test Scope
• Rules of engagement
• An Executive Summary
• Vulnerability Report
• Proof of Exploit
• Remediation Report

The test scope should be determined by the lecturer, the candidate should obtain the scope by means of an interview or questionnaire.

During this process the candidate and lecturer should agree and sign off the rules of engagement.

The executive summary should be written with a target audience in mind of non advanced computer users at an executive level. Candidates may wish to make use of graphs, charts and other visual aids to identify business risks as a result of the vulnerabilities found. Perform target information gathering reconnaissance.

The vulnerability report should be written with a target audience in mind of advanced technical support/developers and should include appropriate references to standard classification systems such as MITRE CVE, WASC or OWASP.

The proof of exploit section should provide enough general information for the recipients of the report to carry out the attack in order to re-create the vulnerability.

The remediation report should include short term/long term remediation recommendations