Kachina Dunn spoke with Billy Austin, chief security officer of Saint Corp., which has launched SAINTexploit, the first integrated vulnerability and penetration testing tool. SAINTexploit gives network administrators the ability to run controlled exploits against targeted machines.
Dunn: How does the integration of vulnerability detection/scanning and penetration testing benefit IT, specifically?
Austin: Today, vulnerability scanning is the process for identifying if a system or network device is vulnerable to "possibly" being compromised. Vulnerability-scanning vendors do have false positives, as there are instances where a definitive check for a vulnerability cannot be performed. On large networks, or even small networks with many vulnerabilities, prioritizing the repair of the vulnerabilities can become challenging, even knowing the severity level, which might be categorized as high. So here is the integration benefit to IT: (1) now that the vulnerability scanning process has been completed, the penetration test or vulnerability validation test can be performed to confirm that (a) the vulnerability is 100 percent real and (b) the vulnerability can be exploited; (2) the priority of vulnerabilities can now be escalated a level, as they now have the capability to perform their own simulated attacks, as a hacker would, within one graphical user interface.
Dunn: Why has it taken so long for vulnerability scanning and penetration testing to be combined?
Austin: First of all, mandated regulations such as FISMA, HIPAA, SOX, GLBA, PCI ... are now requiring penetration testing on networks, so this has been giving a boost in business to product vendors and service providers that offer pen-testing products/services. Secondly, there are only a handful of vendors that develop vulnerability scanners that have incorporated many development features on their wish list, such as integration with remediation/patch tools, asset and risk management, etc. In addition, developing exploits with shellcode is a sophisticated skill, and I'm fairly confident that few of the other vendors incorporate such skill sets.
Thirdly, remote exploits have been popular in the past, but as new security technologies emerged, feature sets have been created to prevent such exploits from being successful, although the majority of the world is still "vulnerable" today, in my opinion. The new exploits being developed that are even more popular are client exploits, and this is where you have some internal cooperation from a user, such as clicking on a forged e-mail or hyperlink. With exploits growing at a daunting pace, in addition to new vulnerabilities being discovered, we felt that allowing organizations to perform their own attacks, as a hacker, would assist in the mitigation of unwanted visitors. So why has it taken so long? I would say that penetration testing is now being accepted on a broad scale in the industry due to market drivers and an increase in new vulnerabilities, threats and exploits.
Dunn: Can you give me more details about the exploit library and how it is maintained?
Austin: The exploit library is maintained by SAINT developers, and we release such exploits to all of our SAINTexploit customers. Once a new vulnerability is released, an exploit is developed to support multiple platforms such as Windows 2003, SP1, SP2, XP, etc. We then write what is called shellcode, which allows us not only to exploit the target machine but to actually connect to the target and view/browse files, create guest accounts, or basically whatever you would like to do now that you have connected to the target. The main goal is to prove that the machine can be attacked and that the existence of the vulnerability is a real threat. Every week, we release new exploits to our customers, and they can receive these updates via an automatic update process or via a manual download process.