One CORE IMPACT Pro customer recounts his initial experiences in testing his assets against automated penetration testing software.
First impressions always mean a lot, and when it comes to using CORE IMPACT Pro, that’s no exception, as I’ll never forget my initial experiences. That’s because the very first time I ever launched IMPACT Pro, I owned 40 systems (servers & workstations) before the end of the involved training session. Unsurprisingly, it wasn't long after that I was traveling extensively and running scans over 1000s of my employer’s IP addresses.
Before buying in, I’d been looking for a penetration testing solution that could provide me with high ease-of-use, practical scalability and an extremely low false positive rate. Having used Canvas, Metasploit and Nessus, I found them to be great tools, but each of them caused a certain amount of extra work, costing me time that I simply didn’t have to spare. Upon using CORE IMPACT Pro, I quickly found that it was able to meet or exceed all of those expected requirements.
I knew from my initial tests that there were going to be problems in our environment, but to what extent I really couldn’t have imagined. With a 50 percent “Root Access Rate” for tested systems, the situation was far from optimal. But discovering that reality was the purpose of using IMPACT Pro: to uncover what the current state of our environment was, and use the results from those tests to lobby for a global patching policy and the needed tools to support it.
At first there was some resistance, mostly among SAs who would never believe that their “secure” systems could be violated in minutes. To prove my point I went so far as to place folders with strange names on the root directories that I’d already exploited to really get the point across. With that tactic, and a few demos among the IT staff, the internal perception of IMPACT Pro quickly changed from “some Pen testing tool you want me to try” to “Hey! When can I run a few tests?”
Another really interesting result that IMPACT provided was the ability to gain greater insight into our network. After you’ve scanned a few thousand IPs you get to a level of understanding that’s actually kind of hard to explain. But what it does is help you acquire a certain type of intuition/experience to know what to look for. That’s a pretty valuable asset to have at your disposal.
One of my earliest pen testing tasks involved scanning a local subnet and, while doing a network discovery, finding a switch. And while there’s nothing news-breaking therein, when I decided to look at the switch a bit closer I found that HTTP access was wide open with no user name or password required. Needless to say, the potential risks of something like that can be quite serious, so I wanted to escalate the issue internally ASAP. Selling it at the management level was actually fairly easy. Once I’d produced the reports and worked them into a decent PowerPoint presentation it wasn’t hard to show the seriousness of the threat that we faced. The risk of loss of intellectual property, customer data, employee information and other “protected” resources was clearly very costly and dangerous.
Most big businesses have centralized patch management today, supported by the contention that it’s considered best practice by many of the top consulting/auditing firms, and the fact that there are so many tools out there that can help an enterprise patch in a cost-effective way. There’s also the fact that certain governing regulations need to be met that require this type of patching. However, even using automated patch management, clearly there are still many vulnerabilities left exposed and penetration testing is the best way that I know of to help you understand where patching works, or more importantly, where it falls short. Using CORE IMPACT Pro the first time was a pretty eye-opening experience for me and my teams. Since then, it’s a product that’s proven its business case and ROI quite often, and easily. Keep on testing.
-Core Customer X
Core Customer X is a persona created to allow users of CORE IMPACT Pro to share their most hard-hitting, real-world penetration testing experiences without incurring the wrath of their employers or bringing unwanted attention to their companies’ IT security operations. All of the users writing Customer X blogs are experienced IT security professionals working for legitimate organizations who have employed CORE IMPACT to help find exploitable vulnerabilities as part of their ongoing vulnerability and risk management programs.