Dark Reading is part of the Informa Tech Division of Informa PLC

Vulnerabilities / Threats

11/18/2010
05:34 PM
Penetration Testing, Vulnerability Scanning, And The Big Picture

New technologies aim to show organization's overall security posture

Getting a handle on an organization's true security posture can be like pinning down a moving target. But new features and technologies are becoming available that bring organizations closer to a true picture of where their actual risks lie -- and what they should do about them.

Penetration testing firms Core Security and Rapid7, for instance, are rolling out new products and features that bring pen testing and vulnerability scanning to a different level. Core Security's new Core Insight, an automated testing platform that regularly pen tests and analyzes the exploitability of threats to a business, offers multiple dashboard levels of information and reports for security, IT, and businesspeople. The idea is to map the threats to the business' sensitive assets and operations.

Rapid7 in its commercial Metasploit products has been integrating its NeXpose vulnerability scanning with Metasploit penetration testing and making the output more user-friendly. It has done the same with the open-source Metasploit version, according to HD Moore, chief security officer for Rapid7 and the creator of Metasploit.

Core's Insight -- which is in beta and scheduled to ship on Dec. 15 -- basically integrates and extends pen testing and vulnerability scanning, experts say. "Certainly this is an extension of the two categories of products and bringing them together: The traditional low-touch vulnerability scan tends to be done in snapshots, and with the penetration test a human looks at, 'How far can I get in? Can I actually exploit this?' Bringing those two together gives you low and slow and continuous assessment," says Diana Kelley, partner with Security Curve. "And [this assessment] is automated, so you can do it all the time."

Kelley says the problem with periodic scanning and testing is that it captures "a point in time," which may not reflect all of the real risks as networks shift and change. "This is the next phase beyond, 'There I am, and I'll check it again in three months,'" she says. It's an approach akin to what WhiteHat Security does with its dynamic Web scanning, she says, but differs from security information and event management (SIEM) products because those tools focus on what has already occurred.

It's becoming increasingly important to be able to spell out what certain bugs and exploits actually mean risk-wise to your business applications and operations, she says.

That doesn't mean replacing the human pen tester, of course. "This isn't looking to replace humans," Kelley says. "It's just a way of getting pen-testing [information] into the hands of those who [aren't experienced] with it."

More intelligence and actionable information helps organizations with limited resources, security experts say. "We got a lot of feedback from organizations saying they were getting all of this information about what vulns they have, but they can't easily match them to their business risks or assets," says Alex Horan, director of product management for Core. "[Insight] fills the gap between vulnerability information and all the things the business cares about ... we show how it maps to their exposure and risk."

Rapid7's Moore says the reason vulnerability scanning and pen testing are coming together is that you can't do one without the other. "We see a lot of folks doing a NeXpose scan saying, 'What do I need to focus on first?' The penetration-testing angle helps identify what the priorities are -- even if you aren't penetration testing, you can use it to verify" the actual risks associated with the vulnerabilities that are found, he says.

"What we're trying to do with Metasploit Express and Pro is bring the pen-testing usability bar down a little bit" to non-pen-testing experts, he says. "If you have the skill set and want to, you can do a hands-on, deep dive. Or if you just want to verify vulnerabilities, the pen-test tools now automate that well enough. You don't have to be a pen-test expert."

Moore warns that continuous pen testing, however, could be risky due to the possibility of crashing a server before you can fix the bugs that are discovered. "When that is automated, there are chances of knocking [something] out," he says. Moore says weekly pen tests are typically sufficient.

"There's definitely a convergence in penetration testing and vulnerability scanning, asset management," and similar tasks, he says. Organizations are asking what to fix first, and need ways to verify and validate that, he says.
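The workflow Moore and Horan describe, scan, verify the scanner's claims with a live exploit attempt, then rank what to fix first by whether it is actually exploitable and how much the affected asset matters to the business, can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from Core, Rapid7 or Metasploit, and it does not call any real scanner or exploit framework. The findings, the asset inventory, the per-module "stable" flags and the exploit outcomes are all constructed, and the scoring weights are an assumption chosen to make verified exploits on critical assets outrank unverified high-CVSS findings on throwaway hosts. It also implements Moore's caveat: modules flagged as unstable are skipped in automated runs unless an operator explicitly opts in.

```python
"""Rank scanner findings by verified exploitability and asset criticality.

Illustrative example for this article, not vendor code. All data below is
constructed; the exploit step is a stand-in, nothing is actually attacked.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One row of scanner output (constructed schema, not a real scanner's)."""
    host: str
    vuln_id: str
    cvss: float


@dataclass(frozen=True)
class Asset:
    """Business context the scanner does not know about."""
    host: str
    criticality: int  # 1 (disposable) .. 5 (revenue- or safety-critical)
    owner: str


# Constructed sample data standing in for a scan export and an asset inventory.
FINDINGS = [
    Finding("db01", "VULN-A", 7.5),
    Finding("web01", "VULN-B", 9.8),
    Finding("kiosk01", "VULN-C", 10.0),
    Finding("web01", "VULN-D", 5.0),
]
ASSETS = {
    "db01": Asset("db01", 5, "dba-team"),
    "web01": Asset("web01", 3, "web-team"),
    "kiosk01": Asset("kiosk01", 1, "facilities"),
}
# Hypothetical flag per verification module: True means it is considered safe
# to fire unattended; False means it has a history of crashing the target.
EXPLOIT_STABLE = {"VULN-A": True, "VULN-B": True, "VULN-C": False, "VULN-D": True}


def plan_verification(findings, stable, allow_unstable=False):
    """Choose which findings get a live exploit attempt.

    Modules flagged unstable (or unknown) are skipped unless the operator
    explicitly allows them, which is the crash risk of fully automated runs.
    """
    return [f for f in findings if allow_unstable or stable.get(f.vuln_id, False)]


def run_verification(planned, outcomes):
    """Stand-in for the exploit step. 'outcomes' is a constructed table of what
    a real attempt would have returned. Returns {(host, vuln_id): exploited}."""
    return {(f.host, f.vuln_id): outcomes[(f.host, f.vuln_id)] for f in planned}


def score(finding, asset, verified):
    """Combine scanner severity, business criticality and verification status.

    verified is True (exploit succeeded), False (attempted, failed) or None
    (not attempted). The weights are assumptions for illustration.
    """
    severity = finding.cvss / 10.0
    weight = asset.criticality / 5.0
    if verified is True:
        confidence = 1.0   # confirmed exposure
    elif verified is None:
        confidence = 0.6   # scanner claim only
    else:
        confidence = 0.3   # likely mitigated or a false positive
    return severity * weight * confidence


def prioritise(findings, assets, verified):
    """Return findings ordered by descending score, with the owner to notify."""
    ranked = []
    for f in findings:
        asset = assets[f.host]
        status = verified.get((f.host, f.vuln_id))  # None when not attempted
        ranked.append({
            "host": f.host, "vuln_id": f.vuln_id, "owner": asset.owner,
            "verified": status, "score": round(score(f, asset, status), 4),
        })
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


def demo(allow_unstable=False):
    """End-to-end run on the constructed data."""
    # Constructed results of the (simulated) exploit attempts.
    outcomes = {("db01", "VULN-A"): True, ("web01", "VULN-B"): False,
                ("kiosk01", "VULN-C"): True, ("web01", "VULN-D"): True}
    planned = plan_verification(FINDINGS, EXPLOIT_STABLE, allow_unstable)
    verified = run_verification(planned, outcomes)
    return prioritise(FINDINGS, ASSETS, verified)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

In the default run the CVSS 7.5 finding on the critical database host ranks first because its exploit succeeded, the CVSS 5.0 finding that was confirmed on the web server ranks second, and the CVSS 9.8 finding whose exploit failed drops below it; the CVSS 10.0 finding on the kiosk is never attempted because its module is flagged unstable, so it carries only the scanner's confidence. Passing allow_unstable=True lets that module run and moves the kiosk finding up, which is the trade-off an operator makes when choosing how aggressive an automated schedule should be.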

Larry Whiteside, CISO of the Visiting Nurse Service of New York, is currently beta-testing Core Insight. Whiteside, who helped push Core to build the tool, says he doesn't have the resources to dig through all of the threats and vulnerabilities his tools find. He has a small security staff of two, including himself. "We have 80-plus developers on staff and no one has the bandwidth to be everywhere at the same time and doing all the testing," he says.

Whiteside had previously handed off the data from pen-test and vulnerability scans to nonsecurity staffers to help his team prioritize what to fix first. "That approach is not the best way, leaving it up to people who don't necessarily understand security as well as a person in the security group," he says. "I really wanted Core to deal with the automation and pen-testing function and forget about it ... and go back and say, 'You need to do this because this is exploitable,'" for example, he says.

He says the idea is to be more proactive in mitigating threats. "One of the big things I stress is that the reporting needs to ... have the capability that a nonsecurity person can understand it. So they can look at the dashboard, report, and understand exactly what happened," Whiteside says. "It would have reports that come out every time it scans, what happened, what you need to do to mitigate it, whether it's a configuration change ... this is what we recommend to do."

Visiting Nurse Service of New York's Whiteside says these capabilities don't overlap with SIEM, however. "SIEM is really an aggregation tool," he says.

Fred Pinkett, vice president of product management for Core, describes it this way: "SIEM is about activity on the network. We are more about security posture ... SIEM and SIM are like military intelligence, and we're about understanding where your forces are standing," he says. "This is two sides of the coin and both are necessary."

To that end, Core plans to eventually integrate Insight with SIEM and SIM products as well, according to Pinkett.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
