Core Impact takes pen testing off your hands

15.08.2006
A sharp increase in client-side attacks and the rising demands of regulatory compliance lead to an inescapable conclusion: Maybe having your teenage relatives' wannabe-hacker friends checking your network for vulnerabilities isn't an optimal approach to penetration testing. Enter Boston-based Core Security Technologies, which debuts Core Impact 6 this week.

An enterprise-level solution, Core Impact is designed to allow companies to run their own automated pen testing in-house. The new version of the software adds a client-side pen testing framework, expands target platform support, improves the Impact Agent, and brings data export capabilities. Integration with PatchLink Corp.'s vulnerability-management service provides for automatic remediation of any holes discovered.

As most security professionals know, good perimeter security is often no match for users who don't use good sense, or who do use software, sites or services that have been compromised. Once a client machine within the perimeter has been compromised, attackers are then free to move about the network under the cover of the user's valid credentials.

The new version of Core Impact tests for vulnerabilities in client software such as major Web browsers, media players, Outlook, Word, Excel and the like. Pen testing happens transparently to the user. In addition, the software allows for testing of other security products such as intrusion-prevention and intrusion-detection systems. It also adds support for testing machines running Apple's OS X, including a new OS X agent, information-gathering tools, and exploit and reporting capabilities. Support continues for Windows, Linux, Solaris and OpenBSD.

The process, which is driven from the Core Impact console, proceeds in six steps: information gathering, attack and penetration, local information gathering, privilege escalation, cleanup on target machines, and report generation. Each step is documented at the console. The exploits are developed by Core and updated weekly. Testing data for all procedures can be exported to XML.

The package's new Impact Agent brings various performance and implementation improvements to the mix. Agents can multitask, and communication has been improved to reduce the amount of network traffic necessary to pivot and communicate with agents at the end of an agent chain. Flexibility has also been improved -- agents for new platforms can now be more easily integrated with the existing product, and support for binary plug-ins and code gives the product the ability to spot payloads dynamically created at runtime, or inserted as part of a customized exploit.

So, whatever happened to human-conducted pen testing? Core officials point out a few advantages to automating the process, including the ability to bring the work in-house, network safety and stability during testing, elimination of false positives, improved reporting, and quality control. In addition, Core Impact's console makes running the exploits themselves simple -- leaving the possibility of handing off that job to junior staffers, while senior managers concentrate on higher-level issues and solutions.

Mark Odiorne, chief information security officer at insurer Scottish Re, characterizes automated pen testing as "another bullet in [his] belt." His user installation is highly mobile -- "we're a company full of VPs, and everybody travels. I've got more laptops than desktops by far, and our endpoints do seem to be where we get attacked" -- and he characterizes automated pen testing as a time-saving strategy that allows him to prove to his own satisfaction and to management that vulnerabilities are patched or otherwise mitigated. He uses both automated and hands-on testing as needed.

As an insurance firm, Scottish Re is subject to the mandates of the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act as well as a host of industry-specific security regulations. Auditors, Odiorne finds, may still raise an eyebrow at the prospect of automated testing, but the numbers make sense. "Some of the auditors kind of question it, but I explain that I can scan vulnerabilities all day long but I still have to prove whether or not a vulnerability applies to us. I can use the Core exploit framework to prove whether a vulnerability needs to be patched or even can be patched."

A one-year unrestricted license for Core Impact 6, covering an unlimited number of network users, is US$25,000. Customers with currently valid licenses can get Version 6.0 at no additional cost.