FOR ADDRESSING EMERGING CAG STANDARD
CORE IMPACT Pro Cited as First Penetration Testing Solution that Enables Compliance with Consensus Audit Guidelines Control 17
BOSTON, MA – Mar. 30, 2010 - Core Security Technologies, provider of the CORE IMPACT family of comprehensive enterprise security testing solutions, today announced that CORE IMPACT Pro has become the first solution to gain official recognition from Consensus Audit Guidelines (CAG) co-authors SANS Institute as user approved in addressing the security standard’s specific assessment requirements.
Developed by a consortium of influential U.S. government agencies and their private sector partners – including the Department of Defense, Department of Energy, FBI and US-CERT, along with NIST and SANS – the CAG’s set of 20 Critical Security Controls recommends cyber-security processes that are inherently proactive and can “inform defense” against actual attacks that have already compromised systems, or against those that could.
IMPACT Pro is currently the only solution listed by SANS as having been confirmed by end-user organizations to automate compliance with CAG Control 17, which specifically recommends that organizations conduct penetration tests on a regular basis to identify exploitable vulnerabilities and attack vectors. IMPACT Pro also allows organizations to validate and prove the effectiveness of many other mandated CAG Controls, including a wide range of defensive mechanisms.
For internal Red Teams, flexible testing capabilities extend from the product’s fully-automated RPT (Rapid Penetration Test) to the ability for users to script and save custom exploit code, lending speed and consistency to the work of experienced assessment professionals.
“Leading IT security industry practitioners and policy-makers continue to reinforce that automated penetration testing is one of the most effective methods for identifying and prioritizing real-world risks, as well as testing and benchmarking the efficacy of other mandated security controls,” said Mark Hatton, CEO of Core Security. “The fact that we’re the only company endorsed by organizations working to comply with the CAG for performing regular internal assessments and validating other required controls speaks to our continued market leadership in this space.”
CORE IMPACT Pro allows organizations to directly address CAG Control 17 by:
- Providing the ability to perform ongoing penetration testing of Web applications, network systems, endpoints and email users, and to simulate both external and internal attacks.
- Automating many of the time-consuming tasks involved in manual pen testing and reporting functions, and allowing testers to add, expand and/or customize onboard exploit code via an extensible Python interface.
- Proving weaknesses, possible violations and potential improvements required in many of the other Critical Control areas – including validation of vulnerability scans.
In order to gain approval for SANS’ list of “User Vetted Tools” for CAG automation, Core Security was required to furnish a customer-sponsored case study detailing a government organization’s use of IMPACT Pro in meeting the terms of the involved control. That case study, describing how a national security laboratory is using Core Impact Pro to implement the Consensus Audit Guidelines, is available at: http://www.sans.org/critical-security-controls/case-studies/
“Organizations need to concede that their defenses cannot stop every attack and instead take the approach of assuming that networks, endpoints and applications have been compromised and will likely be again,” said the customer, a senior security engineer with a U.S. government agency. “Penetration testing is highly complementary to scanning and other vulnerability management practices as it allows you to gain insight into which issues truly represent your most important points of exposure in direct relation to real-world attacks.”
In addition to meeting the assessment requirements laid out in Critical Control 17, IMPACT Pro also allows customers to perform consistent periodic validation and testing of other mandated CAG requirements and translate the mountains of information produced by other security and compliance solutions into actionable data that informs remediation.
For example, IMPACT Pro enables organizations to prove the validity of Application Software Security mechanisms established in CAG Critical Control 7, which calls for deployment of web application firewalls to inspect all traffic for potential threats including Cross-Site Scripting and SQL injection. IMPACT Pro allows organizations to proactively assess Web applications and test those firewalls’ ability to catch attempted Cross-Site Scripting and SQL injection, as well as buffer overflow and PHP file inclusion attacks.
About Core Security Technologies
Core Security Technologies provides IT security executives with comprehensive security testing and measurement of their IT assets by adding real-world actionable intelligence and verification to their IT security management efforts. Our software products build on over a decade of trusted research and leading-edge threat expertise from the company’s Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at 617-399-6980 or on the Web at: http://www.coresecurity.com.
Tim Whitman or Lauren O’Leary