What if you could launch an automated phishing attack on your own organization? Okay, maybe not a "real" one, but one that looked real enough to determine where your phishing vulnerabilities lie?
Core Security's new version of its Impact penetration testing tool comes with an exploit module that, like an effective phish, lets you build fake emails that look legitimate. It's a way to test both how well your end-user anti-phishing education and policy and anti-phishing tools are working.
Client-side pen testing is becoming more important these days, with targeted attacks on the rise, including so-called spear phishing of a targeted user or organization. And version 6.2 of Core's commercial penetration testing tool, released today, is the latest anti-phishing weapon to help enterprises and users to defend themselves. The newest version of the open-source Opera browser, 9.1, also released today, comes with links to the PhishTank "community watch" fraud-protection service for identifying phishing sites, in real-time. (See Report: Phish Jump and Startup Finds Phish in Browsers.)
"Client-side exploits are where the threat is these days, and not testing for them is leaving the largest area of exposure wide open," says HD Moore, director of security research for BreakingPoint Systems. "I would expect any company that provides penetration testing to at least offer client-side exploit attempts as part of their service."
The downside, however, is it can get a little personal with users. "It tends to be high-visibility on the employees -- even if they aren't caught by the exploit, they wouldn't appreciate being targeted."
Scottish Re, a re-insurance company based in the U.S., has been running the Impact penetration tool for two years and conducts employee awareness training on phishing. "I can see how this [phishing feature] could be helpful," says Mark Odiiorne, CISO and senior network systems manager, who says he may set up the new upgrade soon to get familiar with it. "If this is something we find we are having more problems with, we could take advantage of it [the phishing exploit]."
The Impact phishing module lets you get email addresses, generate names, and send emails that look legit, says Mike Yaffe, director of product marketing for Core, which offered a "rudimentary" phishing email function in version 6, he says. "Now you have this level of automation, where you can do this in a few clicks," he says, with templates that reflect the latest trends in phishing and social engineering exploits. It also lets you automatically generate email to a group of "targets," but with personalized content on each recipient. (See Six Hot Security Products.)
The big tradeoff of pen-testing, however, is you can inadvertently crash or interrupt your business systems and applications, so not all companies are willing to use the tools themselves, or they keep it limited to the lab.
Impact Version 6.2 also comes with encryption and authentication enhancements, as well as support for testing networks with IBM AIX-based systems and Internet Explorer 7 and existing customers get the upgrade as part of their subscription service. Impact is priced at $25,000 per year for training, support, and exploit updates. It runs on Windows 2000 and XP, and includes exploits for Windows XP, Windows 2003, NT4, Windows 2000, Solaris, OpenBSD, Mac X, and Linux.
The new Opera browser, meanwhile, comes with real-time phishing detection via PhishTank.
Kelly Jackson Higgins, Senior Editor, Dark Reading