Attestation of Findings

(OBJ 5.5)

Attestation

• Involves formal validation or confirmation provided by an entity to assert the accuracy and authenticity of specific information
• Crucial in internal and external audits to ensure the reliability and integrity of the following
  • Data
  • Systems
  • Processes

Attestation of Findings in Penetration Testing

• Used to prove that a penetration test occurred and validate the findings
  • Signifies that the findings are actually valid
• May be required for compliance or regulatory purposes (e.g., GLBA, HIPAA, Sarbanes-Oxley, PCI DSS)
• Includes a summary of findings and evidence of the security assessment
• Evidence helps to prove that identified vulnerabilities and exploits are valid
• The difference between attestation and the pentest report?
  • Attestation includes evidence
    • Evidence to show that an exploit actually happened.
    • Might be a ti down with them and go over all the details from the report and pull out your evidence to show them what you did and how you did it.
    • Can also include bringing out detailed reports, data, logs, explanations, or even some of your exploit code to show them the risk that they have and how you are able to go about exploting them.
    • Take into account that, sometimes you will not leave the evidence with the organization, it could only be showing them some of your custom code to be able to perform an exploit, but not leaving a copy of that with them, only show it during an attestation meeting
  • Report focuses on findings and recommended remediation
    • Will show them the findings and a remediation that you recommended, but not necessarily the way you exploited that vulnerability.
    • May be kept by the organization.
• A letter of attestation may be provided to prove the occurrence of the penetration testing, especially when required by third parties interested in network security

Types of Attestation

• Software Attestation
  • Involves validating the integrity of software to ensure it hasn't been tampered with (altered maliciously)
  • Example:
    • By installing a software update, a system might use cryptographic techniques to verify the update's digital signature. If the signature is valid, it attests that the update is authentic and hasn't been tampered with since it was sign by the vendor
• Hardware Attestation
  • Validates the integrity of hardware components to confirm they haven't been tampered with
  • Example:
    • The Trusted Platform Module (TPM) can be used to attest that a computer hasn't been tampered with.
      • It can store measurements of the computer's hardware and firmware configurations, and these measurements can be checked at boot time to ensure that they haven't changed unexpectedly.
• System Attestation
  • Validates the security posture of a system, often related to compliance with security standards
  • Example:
    • Ensuring compliance with ISO 27001 or SOC 2 compliant
    • Gets costumer confidence that their data is being handled securely

Attestation in Audits

• In internal audits, attestation evaluates organizational compliance, effectiveness of internal controls, and adherence to policies and procedures
  • Example:
    • The Internal auditor may provide attestation on the accuracy of
      • financial records,
      • the effectiveness of risk management strategies,
      • adherence to internal policies and procedures
• In external audits, third-party entities provide attestation on financial statements, regulatory compliance, and operational efficiency
  • Example:
    • An external auditor may provide attestation on a company's annual financial statements to confirm that they present a true and fair view of the company's financial position.
    • This attestation is crucial for stakeholders such as:
      • Investors
      • Creditors
      • Regulators
• Attestation builds trust, enhances transparency, ensures accountability, and is essential for stakeholders in making informed decisions