CORE IMPACT Pro (a Professional Penetration Testing Product)

Vulnerability identification, detection, and prioritization are all assessment functions. You can classify a product as penetration testing only if it actually exploits a given vulnerability. Vulnerability assessment and penetration testing complement each other. They do different things, so they must be two separate categories. This confusion is often encountered during the sales process. The penetration testing product picks up where the vulnerability scans leave off.

Vulnerability assessment does an adequate job of providing the tester with a snapshot of the current network configuration. Unfortunately, this snapshot does not address the implication of a successful intrusion to organizational assets. It relates only what the vulnerabilities are; it does not probe deeper to reveal what happens when the vulnerabilities are exploited. The following details the limitations of vulnerability assessments and scanners:

• Provides just partial information assurance

• Identifies only vulnerabilities; does not provide meaningful weighting of vulnerabilities or prioritization of remedies

• Produces a long list of potential weaknesses, often including numerous false positives

• Does not demonstrate what information assets can be compromised

• Cannot simulate real-world attacks

• Does not exploit trust relationships between network components, nor demonstrate the implications of a successful attack

CORE Security is roaring into the security penetration testing marketplace with its exploit product, CORE IMPACT. Yes, exploit product. (It runs applications in the product.) CORE IMPACT actually does not detect vulnerabilities; instead, it exploits a vulnerability and installs an agent on the targeted server. This agent then enables you to escalate attacks and own the target machine. The CORE IMPACT product eliminates the annoying and embarrassing occurrence of false positives. Although the following section discusses at length how CORE IMPACT achieves this, you can learn more about CORE IMPACT at www.coresecurity.com.

In Their Own Words

The following section is a direct quote from the CORE Security web page describing its product:

CORE IMPACT Pro enables you to perform frequent, realistic and effective penetration testing throughout your enterprise. After first identifying and validating any vulnerabilities that provide unauthorized access to your network, IMPACT Pro takes the testing process a step further by emulating multi-staged attacks that pivot between network systems, endpoints, web applications and wireless networks to access your organization’s most valuable information and resources.

CORE IMPACT enables you to safely assess an organization’s security posture against the top four attack methods that jeopardize data today.

The product’s unified interface provides a consistent methodology for replicating data breach attempts that spread among these attack vectors. For instance, IMPACT can replicate an attack that initially compromises a web server or end-user workstation and then propagates to backend network systems. Only IMPACT allows you to utilize penetration testing to assess your information security in such an integrated, comprehensive, in-depth and seamless fashion.

Scan and Detection Accuracy

Scans and reported vulnerabilities must be accurate, with minimal false positives—defined as normal activity or configuration that the system mistakenly reports as malicious. The opposite also holds true, then: There can be no false negatives—defined as malicious activity that is not detected. IMPACT provides integrated Rapid Penetration Testing (RPT) capabilities across four attack categories:

• Network

• Client-side

• Web application

• Wireless

The four test approaches differ in the Information Gathering and Attack and Penetration stages. This is not a scanner; only limited scanning is possible during each of the RPT attack categories. For instance, during the information gathering phase using the Network RPT, information is gathered about the target network using network discovery, simple port scanning, and target operating system and service identification modules.

Documentation

Documentation must be clear, concise, well written, and easy to understand. This includes reporting documentation and application operation so that users can figure out how to make the application work and see the documented findings in the report.

CORE IMPACT Pro generates clear, informative reports that provide data about targeted systems and applications, results of end-user penetration testing tests, audits of all exploits performed, and details about proven vulnerabilities. These reports can be produced in HTML, PDF, or Microsoft Word formats. IMPACT Pro provides the framework to generate the following reports:

Activity: Provides a detailed log of all testing activity that is being carried out, including the relevant data that organizations might need to share with auditors reviewing its security programs.

Attack Path: A powerful visual representation of the manner in which tests can exploit individual vulnerabilities and achieve subsequent access to other systems and applications.

Client-Side Penetration Test: Provides detailed results of assessments performed on endpoints and end users, including information about any social engineering tactics used to trigger tests.

Client-Side User: Helps organizations understand exactly how well their end users stand up to social engineering attacks involving both email and web-based delivery models, including spear phishing assessments.

Delta: Gives your organization an integrated view into vulnerabilities resident across a range of different assets, including network systems and client systems.

Executive Summary: Offers a high-level view of penetration tests performed and understanding of how ubiquitous vulnerabilities are, where they reside, how they can be exploited, and where to begin remediation efforts.

FISMA Vulnerability Validation: Provides results of penetration testing performed by government entities and other organizations working to remain compliant with the Federal Information Security Management Act of 2002 (FISMA).

Host: Provides IMPACT Pro users with precise details about how their systems and applications can be compromised via real-world hacking or malware attempts.

PCI Vulnerability Validation: Provides results of penetration testing performed with the goal of remaining compliant with the Payment Card Industry (PCI) Data Security Standard.

Trend: Enables users to track data from up to 52 penetration tests over time, graphically representing changes in an organization’s security posture as exploitable vulnerabilities are identified, remediated, and retested.

Vulnerabilities: Provides IMPACT Pro users with specific details about all the weaknesses successfully exploited during penetration testing and how those flaws can be used by attackers to obtain control of a tested system and establish a beachhead for subsequent activity.

Web Application Executive: Provides summarized information of every vulnerable web page found during testing and how those problems can be exploited by real-world attackers.

Web Application Vulnerability: Provides comprehensive information about every security flaw that can be exploited during penetration testing, including those available to SQL injection, cross-site scripting, and remote file inclusion attacks.

Wireless Penetration Test: Details wireless networks discovered, client-to-access point relationships, and access point profile information. This report also includes information about which networks were tested against attacks, which were successfully compromised, and which weaknesses allowed the compromise.

For the most part, these are the standard reports you would expect. What makes them unique, however, is that IMPACT enables them to be customized and printed according to the level of detail you want to present. For example, the report given to an organization’s executive team should differ greatly from the report presented to the IT staff. IMPACT enables this level of customization.

Documentation and Support

The most important aspect of a vulnerability scanner is what it tells you about the next steps after a vulnerability has been detected (that is, what was detected and how to fix it). Therefore, a report must be customizable, useful, and accurate.

When learning new software or applications, I find that it is important that the product has good documentation and support. This enables users to learn on their time versus other methods, such as training or scheduled web seminars (which I’m not a big fan of).

Vulnerability Updates

New vulnerabilities are constantly being released, and with today’s technology, every system should have a way of updating itself automatically.

CORE IMPACT Pro provides real-time updates, including new penetration testing exploits and tests for additional platforms as they become available. The support team from IMPACT advises you if and when new modules are published and provides a link enabling you to download them the same day, directly from within the IMPACT Pro software, which enables easy updating of the attack modules through a single click of a button. CORE Security is committed to making the product grow and evolve, so it has an aggressive development schedule. You cannot find every possible vulnerability within CORE IMPACT; however, there are also continual updates in this regard. It is a challenge to determine exactly which vulnerabilities become modules and, so far, observations have shown that good choices and options are rather limited; however, they are quickly growing.
