info@coresecurity.com  | +1.617.399.6980 | Contact Us

• Solutions
  • Solutions Overview
    • About Our Solutions
    • Determine Exposure to Real-World Threats
    • Perform Continual, Automated Testing
    • Assess Security Across IT Layers
    • Validate Security Controls
    • Connect Security Data to Business Risk
  • Solutions by Industry
    • Financial Services
    • Government
    • Health Care
      • Respond to the HITECH ACT
      • Validate HIPAA Compliance
      • Limit Unauthorized Insider Activities
      • Maximize limited security staffing
      • Drive down Web-based Security Risks
      • Insulate Your Networks from Unauthorized Devices
      • Diminish the Impact of Social Engineering
      • Validate security investments
    • Higher Education
      • Overview
      • Assess exposure to potential data breaches
      • Insulate networks from unmanaged devices
      • Limit unauthorized insider activities
      • Drive down web-based security risks
      • Maximize limited security staffing
      • Diminish the impact of social engineering
      • Validate security investments
      • Meet compliance demands
    • Retail
  • Solutions for Compliance
    • CAG
    • FFIEC
    • FISMA / NIST
      • NIST 800-137
      • NIST 800-39
      • NIST 800-53
    • GLBA
    • HIPAA
    • PCI
    • SOX
    • Validate Security Controls
• Products
  • Products Overview
  • CORE INSIGHT Enterprise
    Security Intelligence Solution
    • Overview
    • How It Works
    • Dashboards
    • Reports
    • What's New
    • Demos
      • CORE Insight Videos
    • Data Sheets and White Papers
    • Comparing CORE INSIGHT to CORE IMPACT
    • How to Buy
  • CORE IMPACT Pro
    Penetration Testing Software
    • Overview
    • What It Tests
      • End-User Security Awareness
      • Endpoint Systems
      • Mobile Devices
      • Network Devices
      • Network Systems
      • Web Applications
      • Wireless Networks
      • IPS/IDS, Firewalls and Other Defenses
      • Vulnerabilities Identified by Scanners
    • Commercial-Grade Exploits
      • Overview
      • Recent Exploits and Updates
      • How Our Exploits Work
      • About Our Client-Side Exploits
      • About Our Agents
    • Vulnerability Scanner Integration
    • Reporting
    • What's New
      • Version 12.3
      • Version 12
      • Version 11
    • Demos
      • Impact
    • Data Sheets, White Papers and Other Resources
    • Intro To Penetration Testing
      • What Is Penetration Testing?
      • Comparing Security Testing Options
      • What To Look For
      • Independent Penetration Testing Resources
      • Conducting Penetration Tests
    • Comparing CORE IMPACT to CORE INSIGHT
    • Training, Certification and Support
    • How to Buy
  • Core WebVerify Web
    Application Security Testing Software
    • Overview
    • Web Application Vulnerability Coverage
    • WebVerify vs. Scanners
    • Reveal Implications of Application Vulnerabilities
  • Core CloudInspect Cloud Security Testing for AWS
  • Demos and Evaluations
  • The Research Behind Our Products
  • Why Our Products are Safe
  • How to Buy
• Services
  • Services Overview
  • Core Security Consulting
    Services
    • Overview
    • Comprehensive Penetration Testing
    • Application Penetration Testing
    • Web Services Security Assessment
    • Source Code Auditing
    • Wireless Penetration Testing
    • Leading-Edge Technology Testing
    • How to Buy
  • CORE IMPACT Professional Services
    • Overview
    • Web Application Penetration Testing Services
    • Network Penetration Testing Services
    • Client-Side Penetration Testing Services
    • Wireless Network Penetration Testing Services
    • Benefits
    • How to Buy
• CoreLabs Research
  • CoreLabs Overview
  • Research Projects
  • Advisories
  • Publications
    • Presentations and Papers
    • Journals and Magazines
    • Internet Articles
  • Open Source Projects
  • CoreLabs Extranet Site
• News & Events
  • News & Events Overview
  • Events and Webcasts
    • Webcasts
    • Conferences
    • Speaking Engagements
  • News
    • Press Releases
    • In The News
  • Reviews
  • Awards
• Partners
  • Partners Overview
  • Strategic Partners
    • Business Partners
    • Technology Partners
  • Training Partners
    • CICT Training and Certification
  • Using Core's Products in Your Consulting Practice
• Company
  • Company Overview
  • Management Team
  • Board of Directors
  • Customers
    • Success Stories
  • Careers
  • Contact Us
• Blog
• Customer Portal

Home :: Products :: CORE IMPACT Pro Penetration Testing Software :: What's New

CORE IMPACT Pro
Penetration Testing Software

• Products

• Products Overview

• CORE INSIGHT Enterprise
  Security Intelligence Solution
  • Overview
  • How It Works
  • Dashboards
  • Reports
  • What's New
  • Demos
    • CORE Insight Videos
  • Data Sheets and White Papers
  • Comparing CORE INSIGHT to CORE IMPACT
  • How to Buy

• CORE IMPACT Pro
  Penetration Testing Software
• Overview
• What It Tests
  • End-User Security Awareness
  • Endpoint Systems
  • Mobile Devices
  • Network Devices
  • Network Systems
  • Web Applications
  • Wireless Networks
  • IPS/IDS, Firewalls and Other Defenses
  • Vulnerabilities Identified by Scanners
• Commercial-Grade Exploits
  • Overview
  • Recent Exploits and Updates
  • How Our Exploits Work
  • About Our Client-Side Exploits
  • About Our Agents
• Vulnerability Scanner Integration
• Reporting
• What's New
• Version 12.3
• Version 12
• Version 11
• Demos
  • Impact
• Data Sheets, White Papers and Other Resources
• Intro To Penetration Testing
  • What Is Penetration Testing?
  • Comparing Security Testing Options
  • What To Look For
  • Independent Penetration Testing Resources
  • Conducting Penetration Tests
• Comparing CORE IMPACT to CORE INSIGHT
• Training, Certification and Support
• How to Buy

• Core WebVerify Web
  Application Security Testing Software
  • Overview
  • Web Application Vulnerability Coverage
  • WebVerify vs. Scanners
  • Reveal Implications of Application Vulnerabilities

• Core CloudInspect Cloud Security Testing for AWS

• Demos and Evaluations

• The Research Behind Our Products

• Why Our Products are Safe

• How to Buy

WHAT’S NEW IN CORE IMPACT PRO V9 - June 2009

CORE IMPACT Pro v9 provides IT security managers with an unmatched level of visibility into their enterprise risks, allowing them to replicate cyber attacks and reveal critical exposures on a regular basis. With IMPACT Pro v9 penetration testing software, organizations can assess their vulnerability to data breaches in a way that is comprehensive, realistic and safe. The new release enables organizations to independently perform security assessments as frequently as their environments demand. As a result, customers can actively measure and benchmark their security posture on an ongoing basis, while gaining actionable data for effective remediation.

The new release specifically extends the worlds leading commercial-grade penetration testing software solution by adding new enterprise management functionality and expanding the depth and breadth of the product’s real-world security testing capabilities.

In CORE IMPACT Pro v9 new features include:

• New Enterprise Management Capabilities Enhance Reporting and Compliance
• Additional Breadth for More Comprehensive Security Testing
• Additional Depth for Increased Testing Realism

New Enterprise Management Capabilities Enhance Reporting and Compliance

IMPACT Pro v9 provides top-level visibility into organizations’ IT-based risks, as well as the actionable data needed to address those issues. New capabilities for managing and reporting on penetration testing processes and results include:

• New Capabilities for Consolidating Data from Multiple Penetration Tests into an Aggregated Report
  Report consolidation capabilities enable customers to create overarching reports of enterprise penetration testing results. Users can now import and consolidate results from different penetration tests – conducted at various times using multiple workspaces and consoles – into each of IMPACT Pro’s standard report templates.

• New Attack Path Report
  Attack Path reports provide real-world, visual representations of exploitable multistaged attack paths. Customers can therefore reveal chains of exploitable weaknesses that attackers can use to traverse different systems and layers of infrastructure. For instance, information security managers can see how an attack could progress from a low-level endpoint client exposure to a major customer database breach

• New and Updated Reports to Assist with Regulatory Compliance
  The new FISMA report presents penetration test results from the perspective of FISMA controls by mapping exploitable vulnerabilities identified by IMPACT Pro to the FISMA controls and Consensus Audit Guidelines the vulnerabilities would violate.
  
  In addition, IMPACT Pro now includes CVSS vulnerability severity scores in PCI Vulnerability Validation Report. PCI has adopted CVSS as the standard scoring system for vulnerabilities identified during required scans and penetration tests. The inclusion of CVSS scores in IMPACT Pro reports therefore helps to ease PCI compliance verification efforts.

Additional Breadth for More Comprehensive Security Testing

IMPACT Pro v9 enables customers to test their environments against a broad range of threats, both within and across web applications, network systems and endpoint systems. New features include:

• Web Application Fingerprinting Capabilities
  IMPACT Pro can now gather profile information on the web applications it encounters during testing, enabling users to run known exploits for commercial off-the-shelf applications, in addition to the product’s dynamically created exploits for Cross-Site Scripting, SQL Injection and Remote File Inclusion.

• New Web Application Database Analysis Tools
  Built-in database intelligence allows testers to uncover specific data exposed by web application vulnerabilities without requiring them to have knowledge of specific database queries, helping them to reveal the full implications of a web application compromise. For instance, testers can direct IMPACT Pro to search a compromised database for numbers that match credit card formats, without entering SQL queries.

• Ability to Run IMPACT Network, Endpoint and Web Application Penetration Tests over WiFi Networks
  The ability to run existing IMPACT Pro penetration tests over wireless networks adds convenience to the testing process, while assessing whether an organization’s wireless network affords backdoor access to protected networks.

 Additional Depth for Increased Testing Realism

IMPACT Pro allows customers to assess the real-world cause and effect of a data breach by taking the same types of actions an attacker would after gaining access to an organization’s IT infrastructure.The new release adds pre- and post-exploitation capabilities that assist with both proactive security testing and post-breach forensic analysis:

New pre-exploitation capabilities:

• New and Updated OS Fingerprinting Capabilities
  New information gathering techniques allow testers to profile target systems and select exploits to run in a way that is more advanced and less invasive than that used by other security testing solutions.

• New WAFS, IPS and DLP Evasion Techniques
  New evasion techniques enable users to test the effectiveness of popular defenses, such as those mandated by PCI, FISMA and other information security regulations.

• Enhanced Client-Side Automation Capabilities
  Enhanced client-side automation enables testers to assess an endpoint system against multiple client-side exploits with a single click, adding efficiency and speed to security assessments.

New post-exploitation capabilities:

• New Password and Cookie Gathering Capabilities
  New credential-gathering features further extend the tester’s ability to replicate real-world cyber attacks by pinpointing the true implications of a system compromise.

• Support for Post-Exploitation Capabilities in SQL Injection Tests against DB2
  In addition to revealing exploitable SQL injection weaknesses in DB2, IMPACT Pro now allows testers to take additional steps after gaining access to the database, such as opening a SQL command shell to query the database for specific data.

• Enhanced Client-Side Agent Connection Capabilities
  Testers can now extend the “listening period” of deployed client-side agents by resuming monitoring for end-user responses to phishing tests after IMPACT Pro is temporarily disconnected from the network or otherwise disabled – and then gathering the results when reconnected.

• New Client-Side Module Autorun Capability
  IMPACT Pro users can now specify a module to automatically run when a client is compromised, further automating the client-side process. For example, they can automatically run password or cookie gathering modules, or take a screen shot to prove a compromise.

• New Browser Man-in-the-Middle Attack Capabilities
  IMPACT Pro users can now exploit the default configuration of browsers to force browser traffic to be proxied through the IMPACT machine. IMPACT Pro can then extract cookie information from all traffic that is rerouted.

Related Content