Forget "Thursday is the new Friday" and "brown is the new black." When it comes to servers, the really important message is this: "Penetration testing is the new vulnerability scanning."
Joe Pescatore, a security analyst at Gartner, explained. "Previously, companies needed to do vulnerability scanning on their network before attackers did, but since attackers have moved from vulnerability scanning to fairly targeted penetration testing, companies now need to carry out penetration testing before the attackers do," he told ServerWatch.
Pescatore recommends that any company involved with online transactions, which allows inbound connections and potentially exposing customer information, have an outside consultancy perform penetration testing at least once a year. Larger companies should carry out additional tests on their servers more frequently, either through a consultant or with automated penetration testing tools.
Penetration testing tools have really come of age in the past 12 months or so, both commercial products aimed at the corporate market place, and free tools like Metasploit framework 3. It's probably not an exaggeration to say that the power of Metasploit has really moved the goalposts, making it far easier for hackers to carry out their own penetration "tests."
See all articles in our Series Bugger Off: The Importance of Securing Your Servers
Having said that, there's no doubt that the best way to pen test your network is to employ a good outside consultant. A skilled human is more likely to find a way in than even the best software tool will; an outsider is likely to be more effective because familiarity with your own network can leave you blinkered to possible vulnerabilities. "There is an issue that when internal people test things, because they fall in to a pattern of testing and tend not find paths through less-valuable assets," said Pescatore.
The DIY Route
Do-it-yourselfers will find using pen testing software to carry out internal penetration tests is a good option. First, you can carry out these tests yourself on a monthly or even weekly basis, or whenever you make significant infrastructure changes, without incurring costs associated with repeated tests carried out by a consultant. By catching and fixing any exploitable vulnerabilities that the software discovers, you ensure consultants spend their (expensive) time finding the more obscure vulnerabilities.
So if you're charged with the responsibility of network security and decide to carry out your own penetration tests with the help of some pen testing software, what should you choose? The free Metasploit framework (like the hackers probably will)? Or a commercial penetration testing tool, like the top-of-the-range Core Impact, from Boston-based Core Security? Core Impact is priced upward of $10,000 per year including training and regular updates. That's a significant amount, but still relatively small compared to what a consultant might charge for a single test.
Metasploit Framework 3 certainly packs a punch. "For a skilled person, you can do everything with Metasploit that you can do with Core Security's Core Impact," said Pescatore. "The depth of testing is just as great, but you do need far more time and energy to do it."
This last point is important: Metasploit has a steep learning curve and requires some time to master. As Metasploit project founder H. D. Moore once put it, Metasploit has a very high geek factor you need a good knowledge of security matters to get the most from it. In contrast, Core Impact runs on Windows and is very easy to use, has a simple and intuitive interface, and can run powerful penetration tests automatically. It can even generate executive and detailed reports suitable for presentation in a corporate environment.
A key benefit of Core Impact is that IT staff can use it. It does not require specialist security personnel to carry out automated penetration tests on a weekly or monthly basis. In other words, the security smarts are in the software, not the people. But while Core Impact can be very effective and penetrate many vulnerable systems in a matter of minutes, even Core Security doesn't claim to be an alternative for a human-based penetration test.
"We say our software can't replace a smart thinking person an automated test is not the same as a pen test carried out by a consultancy. But it is a very cost-effective way of carrying out frequent testing," said Max Caceres, director of product management at Core Security.
If you do decide to conduct your own pen tests, Metasploit is a good place to start. It costs nothing to try, and if you don't fancy taking the time to get to grips with the whole system, you can at least run db-autopwn, the automated exploitation feature, to see if it can penetrate your system without any intervention on your part. It can't do this anywhere near the level of sophistication of Core Impact, which can compromise machines and then launch exploits from them on to other parts of the network; it simply scans the network for open ports using Nmap (or you can import the results of a Nessus scan if you prefer), and then runs any appropriate exploits against all the machines it finds automatically.
Nonetheless, Metasploit is worth a try, and if successful, it will present you with a series of command prompts from any machines it successfully compromises. If you take Core Impact for a test drive after that, it's obvious sophistication will make you quickly realize why it commands the price that it does.
A word of warning though: Before undertaking pen testing a system it's wise to consider the risk of causing a self-inflicted injury there's always the possibility that any penetration attempts will lead to denial of service on some servers. "It's something we try to minimize, but there's a risk of downtime for some tests," says Caceres. Bringing down core systems could be extremely expensive, and one that most organizations would want to avoid at all costs.
It's also worth thinking about the extent of your test. If you don't know what you are doing, it's possible some products could drill down and get on to a sourcing partner's system. Crash that, and you could be liable for all sorts of compensation payments.
Whatever you decide to do to ensure network security, determining potential threats must play a role in strategizing, and since the black hats are using increasingly sophisticated methods, it seems pretty clear that you should be, too. If you're not pen testing your servers regularly, now is the time to consider doing so.