2009CORE IMPACT Pro DemonstrationMatt Hines, Marketing ManagerMatt Koch, Sales Engineer

Situation Analysis – The Threat EnvironmentThreats are …Increasingly sophisticatedWell-funded and staffedComplex in breadth and depthIT environments are …Increasingly dynamic and interconnectedIncorporating new technologies (i.e., potential threat vectors)Becoming mission-critical for revenue and customer serviceSecurity spending continues to increase exponentially, however:Traditional security strategies are imperfect and fragmentedOrganizations can’t measure overall security effectiveness or efficiently mitigate riskOrganizations can’t just keep throwing money at point solutions. Need to measure what’s working, what’s not and what to do about it to assess ROI and plan future security investments

Re-thinking Vulnerability ManagementTraditional security testing results in data overloadNetwork Scanners (i.e., Nessus, Retina, Qualys, etc.) identify potential flaws on your networkWeb Application Scanners (Watchfire, SPI, Cenzic, etc.) identify potential vulnerabilities (code issues) in applicationsNeed to identify where critical, operational risks areVulnerability (network and/or web application) scanning does not:Show or exploit linkages between information systems and assetsAllow for cross-asset vulnerability assessment Reveal the impact of loss of information assets (only shows the "outer layer" of the onion) such as theft of intellectual property, leakage of internal communications, etc.Being 100% patched is unrealisticPatches can break critical applicationsMoney is wasted in dealing with false positives and unnecessary patches

Penetration Testing: Think Like an AttackerPenetration Testing – Actively exploits vulnerabilities, evaluating and testing the effectiveness of security solutions by safely launching real-world attacksLooks at your network, endpoints, applications and users from the perspective of an attackerWithout physically penetrating the host, application or network, there is no way to quantify / qualify an organization’s true exposure Perform penetration testing against:Servers, patchesWeb ApplicationsIPS/IDS/FirewallsClient applications/usersAdvantagesEnables you to be proactive with informed security decisionsProvides efficient, precise, cost-effective remediation information Exploits vulnerabilities and exposes resources that are at riskHighlights the efficacy of defensive mechanisms

IMPACT Pro for Commercial-Grade Penetration TestingEmulates attacker behaviorLaunches real-world attacks in a safe & controlled mannerdemonstrates exactly what an attacker can do, including escalation of privilegesEmulates threats against (and between) networks, applications and clientsMultiple levels of controlAutomated modes speed previously manual, expensive processesRapid Penetration Test (RPT)One-step testing modules: Network, Endpoint, Vulnerability ValidationManual testing mode for targeted, granular controlFully customizable exploits (Python) + add your own exploitsCommercial-grade capabilities for ongoing, repeatable testing against new threatsProfessionally developed, commercial-grade exploits (10-20 per month)Innovative agent technologyPowerful user interface for conducting, sorting and managing large testsStandard and custom reporting = actionable dataComplete log of all activitiesRemediation informationBacked by ongoing development, support and training

Web Application TestingClient-Side TestingNetworkTestingIMPACT Pro for Multistaged Security TestingFirst product to integrate security testing across three top attack avenues, replicating multistaged attacks Databases compromised during Web App testing ……can be farmed for email addresses and other personal info to use in IMPACT Client-Side Tests, which assess end-users against social engineering attacks Servers compromised via Web App Testing and workstations compromised during Client-Side testing ……can be used as beachheads from which to launch IMPACT Network Tests, which identify and validate OS and services vulnerabilities on backend systems

- CONFIDENTIAL -Trusted Vulnerability Research & Leading Threat ExpertiseThe Knowledge Behind Our Products CoreLabs (R&D)Filtering of known vulnerabilities for operational risksDiscovery of new vulnerabilities before criminals doCollaboration with software vendors to remediatePublishing of research papers and advisories Core Security Consulting Services (Core SCS)Front-line risk assessment and custom analysisEarly identification of new threat vectorsDefining attack patterns & point solutions exposures Core EngineeringCommercial-Grade exploit creation Core ProductsCORE IMPACT ProCORE IMPACT Essential

IMPACT Pro V9: New CapabilitiesV9 provides unprecedented visibility into overall IT security posture with:First Automated Penetration Testing Attack Graph reportVisual representation of multi-staged attack behaviorCentral workspace repository for multiple consolesUpdated PCI report with explicit CVSS vulnerability severity info New FISMA report for government entities and external contractorsNew Web application testing capabilitiesSupport for DB2 as a SQL injection target – expands test coverageFingerprinting of web application infrastructure – enables users to run known exploits for COTS, in addition to IMPACT’s dynamically created exploitsClient-SideAutopwn: all, by app, by browser – increases automation by running multiple exploits at oncePre/post exploitationPassword and cookie gathering – provides further evidence of at-risk assetsAdditional, improved OS fingerprinting – assists with attack selectionv9

How Customers Use IMPACTPerform efficient, safe and cost-effective network, web application and client-side penetration testingOptimize the vulnerability management process – focus on critical issues firstVerification of security defenses (e.g., IDS/IPS )Prove security compliance with industry and internal regulations (e.g., FDIC, HIPAA, SOX, PCI, etc.)“Penetration testing that goes beyond simple vulnerability scanning needs to be performed frequently.” - John Pescatore, VP Distinguished Analyst, Gartner

CORE IMPACT ProComprehensive security testing software solutions based on independent, trusted vulnerability research and leading-edge threat expertise.Matt Hinesmatt.hines@coresecurity.comCore Security Technologieswww.coresecurity.com