Review: Security--Proactive Style
CRN
Core Impact has proved to be so impressive in day-to-day use that it's time to look at its potential as a central piece in any VAR's security toolbox.
Core Impact is a pure penetration tool with a suite of preprogrammed exploits. Core Security's engineers have developed a wide range of exploits, covering security flaws in Adobe Flash and Microsoft's Windows operating systems, and even the recently publicized random number generator vulnerability in Debian Linux. The support agreement provides regular updates with newly developed exploits, keeping Impact up-to-date on all known vulnerabilities. Impact users can also write their own custom exploits, modify existing ones and add them to the library. Exploits are written in Python and can be developed using templates.
Core Impact can serve two purposes. It's a diagnostic and testing tool that provides customers with comprehensive security assessments. Solution providers can use the test suite to proactively attempt to compromise customer networks in order to find any vulnerabilities that may result in a breach. Once an initial target is compromised, the tester can launch attacks on other internal resources, getting a clearer idea of where all the problems are. Customers and solution providers can work together to identify these problems before any data is stolen.
Core Impact features a three-paned window with all the exploits organized in an easy-to-navigate library, straightforward wizards to design the attacks and a new reporting interface that allows drill-downs into the data.
Version 7.5 added new functionality for testing Web applications and simulating e-mail phishing attacks. For Web applications, Core Impact crawls the target Web site to identify pages to be tested before launching dynamically created exploits. If the exposed database is running on Microsoft SQL Server, MySQL or Oracle servers, Core Impact can read or write files on the system and install agents.
With phishing attacks, Core Impact harvests e-mail addresses using search tools, DNS, Whois, PGP key servers, the corporate Web site and other sources that malicious attackers scavenge to collect valid addresses. This way, companies can identify and control the information that is available on the Internet. Second, the phishing exploits test how security-aware end users are. The application creates legitimate-looking e-mail, embeds simulated Trojans (software agents designed to act like Trojans) and sends the messages to end users. Core Impact tracks whether users open the Trojan, whether the end-point security measures in place stop the Trojan download and whether the attack is reported to IT.
While Core Impact can perform penetration tests on a variety of platforms, the application itself runs only on Windows XP SP2 and Vista machines. Agents and exploits target Windows platforms, including Windows Vista, Server 2003, Windows XP, Windows 2000 and Windows NT4, as well as Linux, Mac OS X, AIX, Sun Solaris and OpenBSD.
Priced at more than $30,000 for the unlimited version, Core Impact is sold on an annual license, which covers free upgrades, updates (such as new exploits) and module updates. The limited version covers only eight IP addresses.