
When building an information security program a question faced quite often is, “Where do I start?” I wrote a post not too long ago that talked about the recommendations from the Council on Cyber Security.

In short:

  • You can’t protect what you don’t know about
  • Harden the systems you do know about
  • Check those systems for holes and plug them

For this post I want to focus on number three. Check those systems for holes, and plug them. This is the Council on Cyber Security’s Critical Control Number Four – Vulnerability Management and Remediation.

There are a few different ways to do this. I covered some differences in scanning methodologies in a previous post, and today I want to answer the question: do I do a penetration test, or do I scan for vulnerabilities?

In many circles, there is a blur between the two, and rightfully so! For a successful penetration test there are three key phases:

  1. Reconnaissance – Examining and analyzing the target; gathering information through publicly available sources and/or social engineering techniques
  2. Scanning – Looking for openings in the target, including gateways, vulnerabilities, open ports, etc.
  3. Exploitation – Compromising the systems based on information identified in the Scanning phase

In an enterprise environment, phase one is already covered, as the enterprise should know its publicly available information before it’s made public.

Phases two and three are where things get interesting.

In an enterprise environment, the internal organization has a key advantage over potential attackers and penetration testers. The organization’s internal vulnerability management team can conduct detailed authenticated scans, whereas an attacker is limited to an unauthenticated, external-only view.

An enterprise vulnerability management solution should be able to:

  • Identify what devices are running on the network
  • Correctly identify what software is running on those devices
  • Identify specific vulnerabilities tied to the identified software

Phase two is covered here. An enterprise vulnerability management solution will also allow for safe and efficient vulnerability scanning in high-availability areas while providing the organization with actionable intelligence. Successful coverage of these three factors also covers three of the Top Four Critical Security Controls.

Simple enough so far, right?

Phase three is where things begin to get tricky. The Exploitation Phase can be done by either conducting the exploits or by threat modeling. The former is definitely the more fun approach, but the latter is the safer way for an enterprise.

Conducting exploits can be harmful to production assets within an organization. Without appropriate guidelines in place it could result in a breach of confidentiality, integrity, and/or availability. Penetration testing still has a role in a mature security program, but the Council on Cyber Security ranks it as number 20 of their Top 20.

A much safer approach is to identify what exploits are available to an attacker. The vulnerability management team already has the advantage of a rich inventory of insider information. All they have to do now is map which vulnerabilities are tied to which exploits and figure out the route an attacker would take to compromise key systems on the network.

This can often prove to be a daunting task.

Good news! Tripwire has you covered! Tripwire has a dedicated team of experts called the Vulnerability and Exposure Research Team, or simply VERT. The team keeps vulnerability coverage as well as exploit coverage information up to date, drawing on a variety of feeds including those from Metasploit, Core Impact, and a wide variety of private and public sources.

The organization’s vulnerability management team can use this information, which is already built into Tripwire’s IP360, PureCloud, and the free SecureScan, to identify which vulnerabilities have active exploits available and remediate those first.

The next step the organization can take is to utilize Tripwire’s Technology Alliance Partner (TAP) program to send this vulnerability information to a threat modeling and penetration testing solution within the organization. Solutions such as Core Insight automatically ingest Tripwire’s IP360 data and identify what route an attacker could use to compromise key systems on the organization’s network.

For more details check out the datasheet on Enabling Predictive Security Intelligence.

Using the information identified by Tripwire IP360, Core Insight will show you all this information without actually conducting the exploit!
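To make the two steps described above concrete (rank findings with a known public exploit first, then work out the route an attacker could take to a key system without running anything), here is an added example. It is not Tripwire’s, VERT’s or Core’s code; the hosts, package names, vulnerability ids, feeds and reachability table are all constructed placeholders.

```python
from collections import deque

# Constructed data, standing in for an authenticated scan, a vulnerability feed,
# an exploit-coverage feed and a firewall-derived reachability view.
INVENTORY = {"web01": ["webapp-2.1"], "app01": ["middleware-4.0"],
             "db01": ["dbms-9.3"], "ws17": ["office-suite-12"]}   # host -> software
VULN_FEED = {"webapp-2.1": ["VULN-0001"], "middleware-4.0": ["VULN-0002", "VULN-0003"],
             "dbms-9.3": ["VULN-0004"], "office-suite-12": ["VULN-0005"]}  # software -> ids
EXPLOIT_FEED = {"VULN-0001", "VULN-0003", "VULN-0005"}   # ids with a public exploit
REACH = {"internet": ["web01"], "web01": ["app01"], "app01": ["db01"], "ws17": ["app01"]}


def prioritise(inventory, vulns, exploits):
    """Return (host, software, vuln_id, exploitable) tuples, exploitable ones first."""
    findings = []
    for host, packages in inventory.items():
        for pkg in packages:
            for vid in vulns.get(pkg, []):
                findings.append((host, pkg, vid, vid in exploits))
    # `not exploitable` sorts False (exploitable) before True; then by host and id.
    return sorted(findings, key=lambda f: (not f[3], f[0], f[2]))


def attack_route(reach, inventory, vulns, exploits, start, target):
    """Breadth-first search for the shortest chain of hosts from `start` to `target`,
    stepping only onto hosts that hold a vulnerability with a public exploit."""
    def exploitable(host):
        return any(v in exploits for p in inventory.get(host, [])
                   for v in vulns.get(p, []))
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in reach.get(path[-1], []):
            if nxt not in seen and exploitable(nxt):
                seen.add(nxt)
                queue.append(path + [nxt])
    return None  # no chain of exploitable hosts reaches the target


if __name__ == "__main__":
    for host, pkg, vid, exp in prioritise(INVENTORY, VULN_FEED, EXPLOIT_FEED):
        print(f"{'FIX FIRST' if exp else 'schedule '} {host:6} {pkg:16} {vid}")
    for tgt in ("app01", "db01"):
        print(f"route to {tgt}:", attack_route(REACH, INVENTORY, VULN_FEED, EXPLOIT_FEED, "internet", tgt))
```

With the sample data, app01 is reachable through web01 because both hold an exploitable finding, while db01 is not, since its only finding has no public exploit; removing VULN-0001 from the exploit feed (i.e. patching web01) cuts the route to app01 as well.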

Does penetration testing provide value? Absolutely! Should it be used as part of a day-to-day vulnerability management program? Definitely not.


Resources:

Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the Heartbleed vulnerability.

The Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].

 

Title image courtesy of ShutterStock

  • Ian Tibble

    “the Council on Cyber Security ranks it as number 20 of their Top 20” – ok this is an interesting comment, thanks for sharing. “All they have to do now is map which vulnerabilities are tied to which exploits and figure out the route an attacker would take to compromise key systems on the network.” – well, all they have to do is to manage vulnerability really. What is described here adds a lot of extra work on top of usual processes, even if it can be semi-automated. The added value is limited.
    In general, there is a stage in the maturity of an infosec program where pen testing makes sense, but most (95%+) are not at this stage, and even then it only has any value if it's _completely_ unrestricted.

  • Woody

    It is very complex and takes a lot of time.

  • Brian

    Please don't tell people "In an enterprise environment, phase one is already covered as the enterprise should know their publicly available information before it’s made public."

    This is rarely the case. Employees ranting on social media, developers publishing source code to newsgroups, job boards revealing infrastructure, ever heard of Google Dorking? Recon can provide easy wins for criminals.

    People will reveal information, and unfortunately some of it is publicly available. This is why regular reconnaissance on your own organization is very important. Set up Google alerts, run Shodan queries on your company, do the things hackers do. It's part of the pentest methodology for a reason, and taking it for granted can cost you.