Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

05:34 PM
Connect Directly

Penetration Testing, Vulnerability Scanning, And The Big Picture

New technologies aim to show organization's overall security posture

Getting a handle on an organization's true security posture can be like pinning down a moving target. But new features and technologies are becoming available that bring organizations closer to a true picture of where their actual risks lay -- and what they should do to about them.

Penetration testing firms Core Security and Rapid7, for instance, are rolling out new products and features that bring pen testing and vulnerability scanning to a different level. Core Security's new Core Insight, an automated testing platform that regularly pen tests and analyzes the exploitability of threats to a business, offers multiple dashboard levels of information and reports for security, IT, and businesspeople. The idea is to map the threats to the business' sensitive assets and operations.

Rapid7 in its commercial Metasploit products has been integrating its NeXpose vulnerability scanning with Metasploit penetration testing and making the output more user-friendly. It has done the same with the open-source Metasploit version, according to HD Moore, chief security officer for Rapid7 and the creator of Metasploit.

Core's Insight -- which is in beta and scheduled to ship on Dec. 15 -- basically integrates and extends pen testing and vulnerability scanning, experts say. "Certainly this is an extension of the two categories of products and bringing them together: The traditional low-touch vulnerability scan tends to be done in snapshots, and with the penetration test a human looks at, 'How far can I get in? Can I actually exploit this?' Bringing those two together gives you low and slow and continuous assessment," says Diana Kelley, partner with Security Curve. "And [this assessment] is automated, so you can do it all the time."

Kelley says the problem with periodic scanning and testing is that it captures "a point in time," which may not reflect all of the real risks as networks shift and change. "This is the next phase beyond, 'There I am, and I'll check it again in three months,'" she says. It's an approach akin to what WhiteHat Security does with its dynamic Web scanning, she says, but differs from security information and event management (SIEM) products because those tools focus on what has already occurred.

It's becoming increasingly important to be able to spell out what certain bugs and exploits actually mean risk-wise to your business applications and operations, she says.

That doesn't mean replacing the human pen tester, of course. "This isn't looking to replace humans," Kelley says. "It's just a way of getting pen-testing [information] into the hands of those who [aren't experienced] with it."

More intelligence and actionable information helps organizations with limited resources, security experts say. "We got a lot of feedback from organizations saying they were getting all of this information about what vulns they have, but they can't easily match them to their business risks or assets," says Alex Horan, director of product management for Core. "[Insight] fills the gap between vulnerability information and all the things the business cares about ... we show how it maps to their exposure and risk."

Rapid7's Moore says the reason vulnerability scanning and pen testing are coming together is that you can't do one without the other. "We see a lot of folks doing a NeXpose scan saying, 'What do I need to focus on first?' The penetration-testing angle helps identify what the priorities are -- even if you aren't penetration testing, you can use it to verify" the actual risks associated with the vulnerabilities that are found, he says.

"What we're trying to do with Metasploit Express and Pro is bring the pen-testing usability bar down a little bit" to non-pen-testing experts, he says. "If you have the skill set and want to, you can do a hands-on, deep dive. Or if you just want to verify vulnerabilities, the pen-test tools now automate that well enough now. You don't have to be a pen-test expert."

Moore warns that continuous pen testing, however, could be risky due to the possibility of crashing a server before you can fix the bugs that are discovered. "When that is automated, there are chances of knocking [something] out," he says. Moore says weekly pen tests are typically sufficient.

"There's definitely a convergence in penetration testing and vulnerability scanning, asset management," and similar tasks, he says. Organizations are asking what to fix first, and need ways to verify and validate that, he says.

Larry Whiteside, CISO of the Visiting Nurse Service of New York, is currently beta-testing Core Insight. Whiteside, who helped push Core to build the tool, says he doesn't have the resources to dig through all of the threats and vulnerabilities his tools find. He has a small security staff of two, including himself. "We have 80-plus developers on staff and no one has the bandwidth to be everywhere at the same time and doing all the testing," he says.

Whiteside had previously handed off the data from pen-test and vulnerability scans to nonsecurity staffers to help his team prioritize what to fix first. "That approach is not the best way, leaving it up to people who don't necessarily understand security as well as a person in the security group," he says. "I really wanted Core to deal with the automation and pen-testing function and forget about it ... and go back and say, 'You need to do this because this is exploitable,'" for example, he says.

He says the idea is to be more proactive in mitigating threats. "One of the big things I stress is that the reporting needs to ... have the capability that a nonsecurity person can understand it. So they can look at the dashboard, report, and understand exactly what happened," Whiteside says. "It would have reports that come out every time it scans, what happened, what you need to do to mitigate it, whether it's a configuration change ... this is what we recommend to do."

Visiting Nurse Service of New York's Whiteside says these capabilities don't overlap with SIEM, however. "SIEM is really an aggregation tool," he says.

Fred Pinkett, vice president of product management for Core, describes it this way: "SIEM is about activity on the network. We are more about security posture ... SIEM and SIM are like military intelligence, and we're about understanding where your forces are standing," he says. "This is two sides of the coin and both are necessary."

To that end, Core plans to eventually integrate Insight with SIEM and SIM products as well, according to Pinkett.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-14
Buffer Overflow in Tenda G1 and G3 routers with firmware version V15.11.0.17(9502)_CN allows remote attackers to execute arbitrary code via a crafted action/"IPMacBindIndex "request. This occurs because the "formIPMacBindDel" function directly passes the parameter "IPMacBind...
PUBLISHED: 2021-04-14
Buffer Overflow in Tenda G1 and G3 routers with firmware v15.11.0.17(9502)_CN allows remote attackers to execute arbitrary code via a crafted action/"portMappingIndex "request. This occurs because the "formDelPortMapping" function directly passes the parameter "portMappingIn...
PUBLISHED: 2021-04-14
An issue was discovered in Forescout CounterACT before 8.1.4. A local privilege escalation vulnerability is present in the logging function. SecureConnector runs with administrative privileges and writes logs entries to a file in %PROGRAMDATA%\ForeScout SecureConnector\ that has full permissions for...
PUBLISHED: 2021-04-14
Multiple system services installed alongside the Razer Synapse 3 software suite perform privileged operations on entries within the ChromaBroadcast subkey. These privileged operations consist of file name concatenation of a runtime log file that is used to store runtime log information. In other wor...
PUBLISHED: 2021-04-14
Multiple system services installed alongside the Razer Synapse 3 software suite perform privileged operations on entries within the Razer Chroma SDK subkey. These privileged operations consist of file name concatenation of a runtime log file that is used to store runtime log information. In other wo...