Carl Weinschenk spoke with Mike Yaffe, director of product marketing at Core Security Technologies.
Weinschenk: "Ethical hacking" has a frightening sound. Is that why the industry came up with "penetration testing"?
Yaffe: The term "ethical hacking" can be a scary term. If I come in and say I want to do ethical hacking to a C-level executive, he will say, "Whoa, what's the implication of that? What are you talking about? What processes are you going to unleash on my network?" Penetration testing is talking about penetrating to test defenses and resiliency. While they do mean the same thing, to most people one is a little bit less offensive.
Weinschenk: How does penetration testing - pen testing - relate to vulnerability scanning?
Yaffe: We view vulnerability scans and penetration tests as complementary technologies. They are not at all competitive. If you look at a building and look at all the windows, a vulnerability scan would say, I think windows on the first floor and the seventeenth are open. I haven't actually tried to open those windows, but they look like they might be open. Vulnerability scanners may say because the window on the first floor is easily accessible, it is critical, so you should check that one first. This is all based on probability. Nothing has been attempted yet. Penetration tests try to open the windows to confirm or refute the fact of what the vulnerability test finds. In cases in which the first-floor window is open but leads to a locked janitor's closet, it's not [a problem] anyway. But suppose the seventeenth floor is unlocked and happens to be the office of the administrative assistant to the CEO who has access to all the CEO's files. A penetration test against that tries to physically enter the system to assess the situation.
Weinschenk: It sounds challenging for a company to design its own pen test or for a vendor to provide a product to do testing in a repetitive fashion.
Yaffe: It's hard to do penetration testing correctly and to do it safely. It is very challenging. The underlying technology that makes pen tests go is exploits, the code that allows you to exploit a vulnerability and interact with the machines you are trying to target. So correctly writing these exploits - and making sure they are safe and commercial grade - is very, very difficult. This is one of the things we are capable of doing safely in a controlled manner to find and fix problems before someone else does. It is no magic button. It is a test you can take to further mitigate risk. That's the name of the game now, how do you best mitigate risk. C-level folks have to ask themselves what happens if the network is breached. What is the cost?
Weinschenk: How does Core differ from others in the sector?
Yaffe: A lot of companies do penetration testing as a service. They come in as consultants and use a collection of home-grown tools or freeware. The results of those tests depend on the quality of the tester. We give them a standardized product that can be used repeatedly on the network. There are some consultants that do great work. But what are the costs? What we offer is a software product that the end customer can use themselves to conduct pen tests on networks, clients and the applications they use. We have doubled the customer base every year for four years; we have 500 customers now. It's going great. We have no complaints, though everyone wants things to go faster.
Weinschenk: Are pen tests becoming more common?
Yaffe: I think forward-thinking groups like MasterCard and Visa, with PCI in their standard, have pen testing mandated. It's the first that I know of that mandates pen testing on a regular basis. It is already commonplace for a lot of organizations. I think a lot of guys in the trenches already know about pen testing. They are feeling the pain right now. C-level and VP-level executives need to take a hard look at this. It can make a big difference, especially for CFOs charged with mitigating risk and protecting assets. The time of plausible deniability is going away fast.
Weinschenk: Does penetration testing look at the human element - phishing situations, for instance - or does it just check for technical vulnerabilities?
Yaffe: Bad guys are always developing new ways of attacks, figuring out the easiest path into the network. Right now, the easiest path is end users. People are spending money trying to harden the outside network, but the path of least resistance is getting users to open attachments and click on links that they shouldn't. Part of [penetration testing] is testing users. The software sends an e-mail to the user group and says to click on this link and open this attachment. We compromise no less than 15 percent of people we test. We give the capability to test end users and applications they use.
Weinschenk: Could pen testing become an element of network access control (NAC) or some other bigger family of security tools?
Yaffe: Anything that would make it easier or simpler for customers to use more and better technologies is a good thing. If that's what customers want, that is what we should do.