Return to Cloud City: Core Hits RSA Conference 2010

March 8th, 2010

As the famed Boston Globe sports columnist Dan Shaughnessy often quips as he starts a column that he either should or could’ve written days beforehand… “picked up the pieces” from another raucous, rapid-fire RSA Security Conference last week.

(Of course he probably wouldn’t try to use the lack of a laptop power cord for a couple of days as an excuse for failing to write…)

So what did RSA Security Conference mean to Core Security this year? Plenty of re-connecting with old friends, as well as the start of some initiatives from which we expect big things in the year to come.

The unofficial theme of this year’s entire show was undoubtedly the rise of so-called cloud-based security solutions, or services, but for Core the 2010 RSA confab meant so much more than touting its applicability to one delivery model.

We did officially launch our integration within the cloud-based QualysGuard PCI Connect hosted compliance automation ecosystem, along with an expanded partnership with vulnerability assessment specialist nCircle.

However, the biggest event for our company was an off-site CSO roundtable event that we hosted for roughly 30 of the most influential leaders in IT security today – including security executives from among the largest commercial and government entities in the world.

Led by our newly appointed Advisory Board, the meeting consisted of an open forum where the execs spoke openly about their challenges in managing IT security operations and addressing today’s most pressing cyber-crime and compliance risks.

As Core CEO Mark Hatton and AB members Roland Cloutier, Melissa Hathaway and John Stewart pushed the group to give their most frank opinions on the daunting situation faced by nearly every organization today, it became clear that Core’s vision for more comprehensive and proactive IT security testing and measurement is an idea that is ready for prime time.

Having the ability to constantly monitor a wide swath of IT systems, applications and end users to determine their exposure to real-world threats – having an effective manner to confirm that existing defenses are working, and a smarter filter through which to validate security data and vulnerability scanner results – those are concepts that these leading strategists and practitioners are ready to embrace.

The thrust of the conversation endorsing more pervasive testing paralleled comments that Stewart, Cisco’s CSO, made earlier in the week on a show panel he spoke on with Hathaway and other industry leaders.

“Making security simple is hard to do, but exploitation is increasingly easy; we’re at a precipice and we need to figure out how to tip the scales,” he said.

As Core is already well down the road of building its new enterprise security testing and measurement solution, all the nodding heads in the room served to further reinforce what we already know. We’re in the process of creating something truly powerful and unique, which will already be in some of these C-levels’ organizations by the time we meet for RSA 2011.

In addition to our roundtable event, Core also had one of its CoreLabs researchers, Pedro Varangot, deliver another fascinating session highlighting cutting-edge security risks. This time the topic was abuse of social networks, and how attackers can already employ automation to create highly targeted spear phishing attacks that take advantage of the trust relationships that people have formed over the sites.

We also saw one of our marquee customers, Pennsylvania CISO Bob Maley, joining his peers for a panel that elevated the challenges facing our U.S. states in addressing everything from budget cuts to IT consolidation. Maley also drew rave reviews from the audience for his return performance in scoping out more secure applications development tactics.

Between these aforementioned moments, after-hours receptions held with Qualys and nCircle, and a litany of other business and social events, RSA Security Conference proved once again to be the centerpiece show of the year for the security industry to come together and size itself up.

Here’s to another year of good company, come and gone, and lots of new measurement to come.

We hope to see all of you again next year. Now it’s time to hunker down and make some clouds of our own.

-Matt Hines, Chief Blogger


Leading the Future of Enterprise Security Testing and Measurement

February 23rd, 2010

If you spend a lot of time speaking to IT security executives, as I do, the primary challenge that they’re all dealing with today quickly becomes very clear.

Driven by the continued proliferation of security threats, compliance mandates, and specifically the amount of security systems and event data that they’re now trying to manage, they lack a strategic method for accurately determining their real risk to attacks, or assessing their organization’s potential to fail required security audits.

It’s a discussion with so many different layers that it’s sometimes hard not to get stuck on an individual element of the entire process, and IT executives feel more pressure than ever to be able to create benchmarks to prove to business leadership and external assessors that their efforts to address these security challenges are paying off.

Over the last year, we here at Core have begun to share our vision for the direction that we’re moving in as a company via an entirely new line of products that we’re currently building, aimed directly at arming CISOs and other IT leaders with the ability to tackle this problem they share.

What security executives need is a better way to continuously test their security standing across a broad swath of IT assets in relation to real-world risks – to understand precisely where their biggest exposures exist at any given time. They simply cannot test and measure those risks in any practical fashion today, and they will readily admit it as well.

The continued explosion of security information and point solutions has made the entire process of security management a convoluted practice that forces organizations to try to piece together disparate repositories of complex data; a process that still leaves them wondering where the loopholes may be that will allow an attacker to steal their most valuable information, or will lead them to fail a compliance audit. That is a real problem, but that’s also just where we believe that Core’s products can truly help.

Adding New Voices

Today, we announced the formation of our new Advisory Board, highlighting the fact that three of the most influential people in IT security today – Roland Cloutier, CSO of payroll giant ADP, former White House cyber-security advisor Melissa Hathaway, and John Stewart, CSO of networking and security behemoth Cisco – have signed on to help guide the future of our company and its products.

Like those of us who have been here at Core through the years, these three leaders firmly believe that there is a tremendous opportunity to leverage the powerful results provided by penetration testing in a totally new and extremely valuable manner. And when you can get people like Roland, Melissa and John not only to share that vision and give you their time, but also to help you translate your ideas into something tangible – a product that we’ll introduce before the end of this year – that’s something that’s really quite special.

These experts are joining Core and feeding our efforts because they truly believe that we’ve got the opportunity to dramatically change the manner that organizations assess and prioritize their IT security risks. Just read what they have to say.

In the quote he provided for our public launch of the Advisory Board, John says: “The security industry needs creative thinking, proof that efforts we undertake are making a difference, and a willingness to challenge ourselves before our adversaries do.”

That perfectly crystallizes the reason why we’re expanding our product line. Because, quite simply, IT security has become such a complex, expensive and time-consuming point of organizational risk that we can’t afford not to test ourselves just as attackers do every day – to understand that the investments that we’ve already made in defending ourselves are truly paying off.

We can’t simply put up fences or collect log data after the fact and try to respond slowly over time anymore. Organizations need the ability to feed the raging rivers of security data generated by all of our IT systems through a smarter filter, something that provides us with a real-world form of risk measurement, not just a theoretical model.

Leaders of business need CISOs to stop telling them they think they’ve got all the risks covered and to provide specific benchmarks that track changes in security posture over time and prove that all the time and money being dedicated to improving IT security is worth it. Business leaders need to stop losing sleep at night wondering if they’re one misguided URL-click away from having the crown jewels of their organizations stolen right out from underneath their feet.

In the coming months I’m planning to meet with our Advisory Board many times, including next week at the RSA Security Conference in San Francisco, to get more of their ideas and feedback to further refine what this next generation of security testing and measurement solutions will encompass.

We already know that we all share the same vision, and considering the company, that’s a very encouraging feeling.

-Mark Hatton, CEO


Integrating CORE IMPACT Pro with the Metasploit Project

February 16th, 2010

Today we announced that CORE IMPACT Pro will be integrated with Metasploit in our next scheduled product release. As such, I just thought that I’d take the opportunity to let you know why we decided to do this.

Actually, the answer is quite simple, and it’s the same reason we do most of what we do in our products: we integrated with Metasploit because our customers wanted us to do it. This type of integration is actually something we’ve heard a good deal of feedback about, and so we’ve been examining the idea internally for a couple of years.

Many of our customers run Metasploit alongside IMPACT Pro for the same reason that many people used two scanners when Nessus was free for commercial use… that is, because they can.

Even though IMPACT Pro has far broader, deeper security content, including most of what’s in Metasploit, the truth is that it only takes that one vulnerability that you’ve missed for the bad guys to get in. If in a particular instance Metasploit has something we don’t, or something implemented differently so that it applies to a particular environment in another way, it’s worth it for testers to have that opportunity to double check and cross-reference their work.

In addition, many people run Metasploit for a while just to get started with penetration testing or because of budget reasons before they move on to using IMPACT Pro. Often they’ve learned certain things from using Metasploit, or may have customizations that they built in the framework that they haven’t yet moved over to IMPACT Pro. We want to support that evolution.

And finally, there’s the double-edged sword of being able to use an attack tool that’s fully available to anyone, as Metasploit is. It’s always possible that someday it will be used against you, so, it’s a good idea to try it out on yourself in addition to leveraging the comprehensive testing provided by IMPACT Pro.

Based on the feedback we received across our customer base, from our most technical consulting and red team clients to those who primarily use IMPACT Pro’s automation to point and shoot, we are providing two levels of Metasploit integration for each type of user.

For the expert, who is using Metasploit by hand to test systems, we’ll provide a way for a system with Meterpreter loaded on it through a Metasploit compromise to then have an IMPACT Pro agent loaded on it. This way, the user can use IMPACT Pro’s follow-on tools, including pivoting, local privilege escalation, assessment of multiple attack vectors and reporting, with that system in our product’s environment.

For the point and shoot user, we are integrating our automation with Metasploit’s db_autopwn feature so that they can take advantage of Metasploit’s basic capabilities via IMPACT Pro without first having to learn how to use them.

Many people may ask why we would integrate with the “competition,” especially since the Metasploit project is now owned by a commercial entity and likely to spawn new commercial products. Our view is that the Metasploit Project is not purely competition (see my blog post on the topic when the project was acquired) and that open source projects in every market help educate users and bring together creative ideas to push the involved technology’s value even further.

Every new user of Metasploit is a new potential user of IMPACT Pro in the future. The framework allows more people to see and understand what the penetration testing process can do for them, and then they can look to us for the most advanced, commercial automated penetration testing technology that has been professionally built and matured for almost a decade.

We know that to be successful, we have to provide the most value in IMPACT Pro that we can, and that this value is best defined by our customers; as long as we keep listening to them, we will continue to stay ahead of any competition.

A market leader always benefits most from continuing development in its space as long as they stay open to their current and future customers, and can move quickly to address demand. As I said above, the real reason we’re announcing Metasploit integration today is the same reason we do almost everything we do at Core Security today – because our users wanted it.

-Fred Pinkett, Vice President of Product Management


Sn-OMG, we survived Shmoocon 2010!

February 12th, 2010

I would like to propose a question to all of the hackers, phreakers, lock pickers, security professionals, and social engineers out there reading this: why do we so love “Cons” like Shmoocon?  If the first answer you came up with is because you enjoy the parties… please, just stop reading now.

I’m only kidding of course, but seriously, events like ShmooCon, DEFCON, Notacon, etc. are all important for security pros to experience because they are all great places to learn. As much as people joke about going there to socialize, there is a TON that one can take away over the days of a Con.

The best part of these Cons is that they’re informal – you’re not in a classroom setting and the folks giving the presentations (who were probably up just as late as you were the night before) make their talks intriguing and entertaining. Not to say that other conferences put me to sleep, but it’s just a different way to think… a bit more fun… and hey, I can also wear my jeans and tattoos with pride.

Along those same lines, you get people from all around the globe coming to these events… snowpocalypse or not.

(I especially enjoyed reading the note from the folks at the Wardman Park Marriott indicating that it was the worst storm since 1922 and that it may “hinder events and services.” Granted, there was no satellite T.V. for a few hours and there were limited places to eat, but it did not stop nearly 2,000 attendees from coming, even if all of us had to take an elevator from the lobby to the mezzanine together. Apparently some skylights are not designed to support over two feet of heavy snow.)

But whether these folks are there presenting or simply attending, there are always a wide range of people with various skill sets… all of which create an extremely valuable atmosphere when we’re mixed together.

Joking aside, Cons are also a great place to network and meet new people. I can’t tell you how many amazing individuals I’ve met at Cons whom I’m still in contact with. Cons bring people of like minds together, and once you get us geeks in our environment you can really get us to open up… or give you a mohawk.

Either way, it’s a win win situation. You’re literally in the midst of the larger process as it transpires around you… meeting people whose research drives us crazy when we’re attempting to remediate it, or talking to others who give us the chance to stay one step ahead, at least for a day or two.

So, why should C-levels care about these Cons? Let’s take a minute to throw out the fact that we socialize and/or consume some drinks; I get that it’s not part of the ROI they want to hear. Simply put, it’s about education.

I would rank these Cons above any ‘courseware’ you can think of! This is zero day information… in detail, given to the security people who know exactly what to do with it. You might not walk away from the event with a certificate of completion, but you’re going to walk away with a lot of truly valuable information that you can take back to your company to help enhance its security stance in one fashion or another. I don’t know any other types of shows that really make me feel this way.

I find it hard to sum up the importance of these Cons and the security measures learned there to upper level management, but essentially it comes down to this reality: it will cost a company more money to clean up the mess after it gets hacked than it will to continue to send us to Cons like these and use the techniques learned and the products necessary for proactive defense. Cyber war is here; where are you?

Stay safe…stay secure…..PEN TEST!

-Caitlin Johanson, Technical Support Engineer


Putting the “Ooo!” Back in ShmooCon

February 2nd, 2010

Some of you may be aware of my upcoming “Windows File Pseudonyms” presentation at Shmoocon, but perhaps you don’t know what it’s all about, or maybe you haven’t got a ticket (and you don’t want to spend $600 on one from eBay that may turn out to be a barcode pulled off a box of Pwny-Os cereal [breakfast of 31337++ champions]).

Well, that’s OK, because this blog post is going to be a super-sweet sneak preview!

In summary, Windows systems will accept a wide range of different variations on the same file name and still serve up the same file. Some of these are well known and documented, some are known but not documented, and some are documented but not terribly well known.

My research focuses on four different quirks in the way that Windows handles file names, and in this post I’ll share some interesting tidbits about one of those quirks – but not how these tidbits can be used in exploitation.

[I leave that up to the reader to figure out, and we can compare notes after you see my presentation! ;) ]

So, if you’ve spent some time working with Windows systems, you know what DOS device files are. For those who don’t, DOS device files are files which don’t actually exist on the filesystem, but can be referenced as if they did, and they allow for data exchange with certain devices.

Examples include:

- CON, used to interface with the console’s standard input and output
- PRN, used to communicate with the first parallel printer connected to the computer
- COM1, used to communicate with the first serial port on the computer
- NUL, a bit bucket like /dev/null

What you probably DIDN’T know is that these technically exist in EVERY directory on the entire machine.

They can be referenced even with an absolute path, so long as everything in the path up to the name of the special file actually exists.

These files can also be accessed by anyone, with standard identical permissions regardless of what directory they reside in, even if that directory is restricted to the user! Also, they can have any file extension and will still refer to devices, so “CON” is the same as “CON.thisIsALongAndArbitraryFileExtension”. The comparison is case-insensitive as well, so “con.txt” resolves to the same device.
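Here is a worked example of the defensive side of these quirks: a check that tells whether a user-supplied name or requested path would be resolved by Win32 as one of these device names, applying the rules described above (only the final path component counts, any extension is ignored, the match is case-insensitive) plus the trailing-space and trailing-dot stripping that Win32 path normalisation performs. This is an added example written for this post, not Dan’s research code or anything from the ShmooCon talk. The device list adds AUX, LPT1–LPT9 and COM1–COM9 to the four names listed above, since Win32 reserves them the same way; the underscore-prefix hardening policy, the log-line format and the sample log lines are all constructed for the example.

```python
import re

# Reserved DOS device names in the Win32 namespace. The post names CON, PRN,
# COM1 and NUL; AUX, LPT1-LPT9 and COM1-COM9 are reserved in the same way.
RESERVED_DEVICES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{n}" for n in range(1, 10)}
    | {f"LPT{n}" for n in range(1, 10)}
)


def device_name_of(path: str):
    """Return the DOS device that a Win32 path would resolve to, or None.

    Mirrors the quirks described in the post: only the final path component
    matters (the directory is irrelevant), the comparison is case-insensitive,
    and any extension is ignored, so 'CON.anything' is still CON.
    """
    # Win32 accepts both separators; only the last component is examined.
    base = re.split(r"[\\/]", path)[-1]
    # Path normalisation drops trailing spaces and dots before the check.
    base = base.rstrip(" .")
    # Everything after the first '.' or ':' is ignored ("CON.txt", "COM1:").
    stem = re.split(r"[.:]", base, maxsplit=1)[0].rstrip(" ")
    candidate = stem.upper()
    return candidate if candidate in RESERVED_DEVICES else None


def safe_filename(name: str) -> str:
    """Neutralise a user-supplied filename that would alias a device.

    Hypothetical hardening policy (an assumption of this example, not
    something the post prescribes): prefix an underscore so the name is
    no longer a device name but stays recognisable in listings.
    """
    return f"_{name}" if device_name_of(name) else name


def scan_requests(lines):
    """Flag request lines whose path would target a DOS device.

    `lines` are constructed sample web-server log lines of the form
    '<client> <method> <path>'; returns a list of (client, path, device).
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        client, _method, req_path = parts
        dev = device_name_of(req_path)
        if dev:
            hits.append((client, req_path, dev))
    return hits


# Constructed sample input for a stand-alone run (not real traffic).
SAMPLE_LOG = [
    "10.0.0.5 GET /uploads/report.pdf",
    "10.0.0.9 GET /uploads/con.thisIsALongAndArbitraryFileExtension",
    "10.0.0.9 GET /uploads/readme/PRN.",
    "10.0.0.7 GET /uploads/console.log",
    "10.0.0.9 GET /uploads/COM1:",
]

if __name__ == "__main__":
    for client, req_path, dev in scan_requests(SAMPLE_LOG):
        print(f"{client} requested {req_path!r} -> device {dev}")
    print(safe_filename("nul.txt"))
```

Note that “console.log” is not flagged: the device check is on the whole stem, not a prefix, so only names whose part before the first dot or colon is exactly a reserved word count. A file-upload handler or a web server mapping URLs to a Windows filesystem is the place to run `device_name_of`, because a request for “con.jpg” would otherwise open the console device rather than a file, whatever directory it lands in.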

I’m sure that the more advanced readers out there are already scratching their beards, scheming up ways that these funny little quirks could be used, but if you want to see how I’M using them (and hear some amazing security haikus), you’ll just have to wait until Friday at ShmooCon and come see!

And BTW, as winner of the “Gringo Warrior” lock bypass competition at last year’s ShmooCon, I’ll of course be back to defend my title. So if you think you’ve got what it takes to pick some choice locks and abuse an innocent dummy all in a matter of minutes, see you there.

Keep fighting the good fight, info-warriors.

-Dan Crowley, Technical Support Engineer
