Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/18/2010
05:34 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Penetration Testing, Vulnerability Scanning, And The Big Picture

New technologies aim to show organization's overall security posture

Getting a handle on an organization's true security posture can be like pinning down a moving target. But new features and technologies are becoming available that bring organizations closer to a true picture of where their actual risks lay -- and what they should do to about them.

Penetration testing firms Core Security and Rapid7, for instance, are rolling out new products and features that bring pen testing and vulnerability scanning to a different level. Core Security's new Core Insight, an automated testing platform that regularly pen tests and analyzes the exploitability of threats to a business, offers multiple dashboard levels of information and reports for security, IT, and businesspeople. The idea is to map the threats to the business' sensitive assets and operations.

Rapid7 in its commercial Metasploit products has been integrating its NeXpose vulnerability scanning with Metasploit penetration testing and making the output more user-friendly. It has done the same with the open-source Metasploit version, according to HD Moore, chief security officer for Rapid7 and the creator of Metasploit.

Core's Insight -- which is in beta and scheduled to ship on Dec. 15 -- basically integrates and extends pen testing and vulnerability scanning, experts say. "Certainly this is an extension of the two categories of products and bringing them together: The traditional low-touch vulnerability scan tends to be done in snapshots, and with the penetration test a human looks at, 'How far can I get in? Can I actually exploit this?' Bringing those two together gives you low and slow and continuous assessment," says Diana Kelley, partner with Security Curve. "And [this assessment] is automated, so you can do it all the time."

Kelley says the problem with periodic scanning and testing is that it captures "a point in time," which may not reflect all of the real risks as networks shift and change. "This is the next phase beyond, 'There I am, and I'll check it again in three months,'" she says. It's an approach akin to what WhiteHat Security does with its dynamic Web scanning, she says, but differs from security information and event management (SIEM) products because those tools focus on what has already occurred.

It's becoming increasingly important to be able to spell out what certain bugs and exploits actually mean risk-wise to your business applications and operations, she says.

That doesn't mean replacing the human pen tester, of course. "This isn't looking to replace humans," Kelley says. "It's just a way of getting pen-testing [information] into the hands of those who [aren't experienced] with it."

More intelligence and actionable information helps organizations with limited resources, security experts say. "We got a lot of feedback from organizations saying they were getting all of this information about what vulns they have, but they can't easily match them to their business risks or assets," says Alex Horan, director of product management for Core. "[Insight] fills the gap between vulnerability information and all the things the business cares about ... we show how it maps to their exposure and risk."

Rapid7's Moore says the reason vulnerability scanning and pen testing are coming together is that you can't do one without the other. "We see a lot of folks doing a NeXpose scan saying, 'What do I need to focus on first?' The penetration-testing angle helps identify what the priorities are -- even if you aren't penetration testing, you can use it to verify" the actual risks associated with the vulnerabilities that are found, he says.

"What we're trying to do with Metasploit Express and Pro is bring the pen-testing usability bar down a little bit" to non-pen-testing experts, he says. "If you have the skill set and want to, you can do a hands-on, deep dive. Or if you just want to verify vulnerabilities, the pen-test tools now automate that well enough now. You don't have to be a pen-test expert."

Moore warns that continuous pen testing, however, could be risky due to the possibility of crashing a server before you can fix the bugs that are discovered. "When that is automated, there are chances of knocking [something] out," he says. Moore says weekly pen tests are typically sufficient.

"There's definitely a convergence in penetration testing and vulnerability scanning, asset management," and similar tasks, he says. Organizations are asking what to fix first, and need ways to verify and validate that, he says.

Larry Whiteside, CISO of the Visiting Nurse Service of New York, is currently beta-testing Core Insight. Whiteside, who helped push Core to build the tool, says he doesn't have the resources to dig through all of the threats and vulnerabilities his tools find. He has a small security staff of two, including himself. "We have 80-plus developers on staff and no one has the bandwidth to be everywhere at the same time and doing all the testing," he says.

Whiteside had previously handed off the data from pen-test and vulnerability scans to nonsecurity staffers to help his team prioritize what to fix first. "That approach is not the best way, leaving it up to people who don't necessarily understand security as well as a person in the security group," he says. "I really wanted Core to deal with the automation and pen-testing function and forget about it ... and go back and say, 'You need to do this because this is exploitable,'" for example, he says.

He says the idea is to be more proactive in mitigating threats. "One of the big things I stress is that the reporting needs to ... have the capability that a nonsecurity person can understand it. So they can look at the dashboard, report, and understand exactly what happened," Whiteside says. "It would have reports that come out every time it scans, what happened, what you need to do to mitigate it, whether it's a configuration change ... this is what we recommend to do."

Visiting Nurse Service of New York's Whiteside says these capabilities don't overlap with SIEM, however. "SIEM is really an aggregation tool," he says.

Fred Pinkett, vice president of product management for Core, describes it this way: "SIEM is about activity on the network. We are more about security posture ... SIEM and SIM are like military intelligence, and we're about understanding where your forces are standing," he says. "This is two sides of the coin and both are necessary."

To that end, Core plans to eventually integrate Insight with SIEM and SIM products as well, according to Pinkett.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24028
PUBLISHED: 2021-04-14
An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code execution or other undesirable effects. This issue affects Facebook Thrift prior to v2021.02.22.00.
CVE-2021-29370
PUBLISHED: 2021-04-13
A UXSS was discovered in the Thanos-Soft Cheetah Browser in Android 1.2.0 due to the inadequate filter of the intent scheme. This resulted in Cross-site scripting on the cheetah browser in any website.
CVE-2021-3460
PUBLISHED: 2021-04-13
The Motorola MH702x devices, prior to version 2.0.0.301, do not properly verify the server certificate during communication with the support server which could lead to the communication channel being accessible by an attacker.
CVE-2021-3462
PUBLISHED: 2021-04-13
A privilege escalation vulnerability in Lenovo Power Management Driver for Windows 10, prior to version 1.67.17.54, that could allow unauthorized access to the driver's device object.
CVE-2021-3463
PUBLISHED: 2021-04-13
A null pointer dereference vulnerability in Lenovo Power Management Driver for Windows 10, prior to version 1.67.17.54, that could cause systems to experience a blue screen error.