Vulnerability Assessment and Penetration Testing Across the Enterprise:

Transcription

1 White Paper Vulnerability Assessment and Penetration Testing Across the Enterprise: Can Organizations Afford Not To?

2 Vulnerability Assessment and Penetration Testing Across the Enterprise Can Organizations Afford Not To? Vulnerability Assessment and Penetration Testing Across the Enterprise by Pwnie Express is licensed under acreative Commons Attribution-NoDerivatives 4.0 International License.

3 Today s increasingly complex enterprise IT infrastructures consist of hundreds if not thousands of systems and subsystems generally distributed and often in hard-to-reach locations. The growing use of varying technologies by enterprises and their employees as wired and wireless systems evolve makes the task of assessing the security risks associated with the seemingly endless stream of vulnerabilities and attack vectors ever more pressing and difficult. IT security team members need to be all seeing, all knowing. They require continuous insight into who and what is hitting their infrastructure and must adopt vulnerability assessment and penetration testing as an integral part of their security and risk management. For IT staffs responsible for maintaining the infrastructure and continually evaluating the security posture, vulnerability assessment and penetration testing will enable them to: See all the things. Vulnerability assessment and penetration testing provides critical visibility, showing the weaknesses in all aspects of an organization s infrastructure. By obtaining this invaluable insight on demand in both wired and wireless networks, an organization can identify which threats pose real exploitable risks and can intelligently manage them. Meet compliance mandates. Federal governments and industry consortiums have recognized the escalating cyber crime threat and subsequent increasing number of breaches. To mitigate risk they have established regulations like the Payment Card Industry Data Security Standard (PCI DSS). Implementing a strong assessment and testing program enables organizations to provide the information they need to meet compliance and more importantly heighten their actual security posture. Avoid network downtime. In the short term, recovering from a security breach can result in lost revenues, and costly and timely Page 1

4 OT remediation efforts. In the long term, downtime could lead to customer flight and cost an organization millions of dollars. By preventing interruptions customers can continue to transact and revenue can continue to flow. Maintain corporate brand. Every single incident of compromised customer data also can be costly to a company s reputation as trust is breached. By seeing all the things organizations now have insight into potential threat vectors across their entire distributed infrastructures enabling them to prevent or quickly mitigate breaches to ensure their brand equity remains intact. Justify existing security investments. Vulnerability assessment and penetration validates the effectiveness of an organization s current security infrastructure. The increased visibility can be used to demonstrate what, if any, additional security technologies need to be instituted and/or security measures need to be taken. IN THIS WHITE PAPER In this white paper, we provide an overview of vulnerability assessment and penetration testing. We demonstrate why such measures are critical to the long-term health and success of enterprises across vertical industries. We also present the features and benefits of Pwnie Express s technologies, which are the only vulnerability assessment and penetration testing solutions on the market that assess wired and wireless network security in hard-to-reach remote locations, simply, costeffectively and on demand. Page 2

5 Vulnerability Assessment and Penetration Testing Anywhere, Anytime In an ideal world, managing an organization s risk would be based on complete knowledge of every factor involved in calculating that risk, namely total knowledge of all the systems or assets, in particular what is connected to or has access to all of those systems or assets, and the data residing on those systems or assets, as well as knowledge of potential breaches. Vulnerability assessment and penetration testing products and tools used to conduct real but controlled and safe attacks on IT infrastructure to identify risks, have been commercially available and available via open source since Dan Farmer s COPS, and SATAN. Many of these tools were purpose built to assist IT security professionals in identifying, monitoring and reporting on the status generally of known vulnerabilities. However, these tools have traditionally been limited by their lack of real visibility as to what is connected to their infrastructure, their invasive nature that often impacts operations, their lack of ease of use, and their prohibitive costs to carry out in remote locations. The role of the IT security practitioner is becoming more challenging as technology changes, relying increasingly on wireless networks. Their responsibility now not only includes the entire IT infrastructure under their purview but also employee devices not under their control and unknown devices belonging to customers and partners that enter the workplace. Most security testing is conducted by outside consultants or a specialized (Red) team within the IT security organization. In addition, the distributed nature of today s enterprise is having far reaching implications what is happening at hard-to-reach branch Page 3

6 offices/locations? What is connected to their network and systems? Who is connected to their network and systems? Vulnerability assessment and penetration testing solutions answer those questions. However, not every solution is the same. Traditional solutions can be costly and difficult to use, deterring or slowing an organization s adoption. Hackers and other criminal elements have the technical acumen and access to sophisticated hacking tools and are using them for financial gain. Case in point, the 40 million Target retail store customers who had payment card information stolen at the end of Those cards are sold for cents on the black market. Furthermore, the personal records of some additional 70 million Target customers that were breached and potentially could be used for identity theft. IT security professionals need to avail themselves of the same, highly sophisticated tools as those creating a breach. As we saw with Target these attacks can result in severe damage to a company s bottom line, reputation and brand as well as mire them in litigation and subject them to potential fines. Pwnie Express Pwnie Express leverages the same open source tools available to the hacker and known by the IT security practitioner but it has taken those tools and built on to them, providing the only technology on the market that can assess both wired and wireless network security in remote locations on demand. With Pwnie Express s solutions, which come in a variety of form factors (sensors), organizations or third party Page 4

7 assessors/auditors can ship to any location a Pwnie sensor and plug it in (drop box) to immediately receive actionable information as to who and what is connecting to their network. Pwn Pad 2014 Commercial grade penetration testing tablet High-speed, lightweight device High performance CPU/GPU Large HD display Powerful battery (up to 9 hrs. active use) A drop box is essentially a network vulnerability assessment appliance that provides visibility and pentests remotely, establishing a persistent presence at each site. The boxes are preconfigured and reside on the network to provide a platform for the third party assessor/auditor or Red Team to gain unprecedented visibility and access into the network to conduct testing as if they were on site. This timeliness and the ability to quickly identify real vulnerabilities at a fraction of the cost helps safeguard organizations while allowing oftentimes overworked staff to pursue other missioncritical endeavors. Pwn Plug R2 Tightly integrated penetration testing platform Portable, shippable, plug-and-pwn form factor Onboard high-gain wireless and dual-ethernet External high-gain Bluetooth 4G/GSM cellular Page 5

8 The devices can be standalone, depending on the nature of the organization, or distributed and feeding into a single smart centralized console into which sensors can feed their information. This shared command and control interface provides the ability to run certain common tasks across the entire infrastructure with a minimum of human involvement while delivering unparalleled visibility into the distributed environment. Pwn Appliance Powerful hardware platform for professional pentesting Permanently deployable for branch offices and remote locations Enterprise-class 1U rack-mount or small form-factor case Onboard high-gain b/g/n wireless supporting packet injection & monitor mode On-board high-gain Bluetooth adapter supporting packet injection External unlocked 4G/GSM cellular When anomalies are detected or suspicious activity surfaces, the Red Team or assessor/auditor can utilize the centralized system as a pivot to gain direct access into the remote site. If the point-of-presence intelligent appliances double as penetration testing platforms, the Red Team is able to do deeper-dive penetration tests, check for false positives, and validate uncovered vulnerabilities. Page 6

9 Benefits of Vulnerability Assessment and Penetration Testing with Pwnie Express By deploying Pwnie Express devices/sensors across distributed networks and infrastructures, organizations can meet security regulations while receiving unprecedented visibility into attack vectors. Team members or assessors/auditors no longer need to travel or spend days out of the office to know what adversarial activity is hitting their network. Business benefits include: Allowing organizations to see all the things. Organizations now receive critical visibility into what is connecting to all aspects of their infrastructure, enabling them to invest their time, efforts and dollars wisely by identifying and mitigating real exploitable risks. Saving hundreds of thousands if not millions of dollars in lost revenue and remediation. Like the reported Target retail stores breach which occurred over a period of nearly two weeks, having a continuous tool to monitor and report on rogue activity could spare companies millions of dollars not only in lost revenue but also, remediation and ensuing litigation. Reports last year on the ability to hack the Internet of Things, making everything from medical devices to toaster ovens vulnerable, revealed that testing may not only save dollars but lives. Lowering the costs of security audits. Drop box sensors provide comprehensive, actionable information on threat vectors at a fraction of the cost, enabling organizations to ensure continuous monitoring to safeguard its distributed infrastructure. Helping to ensure compliance with government and industry mandates. Using vulnerability assessment and penetration testing tools not only helps meet increasing federal government and industry consortium mandates but also improves an organization s Page 7

10 real security posture as it provides invaluable insight into what and who is accessing their infrastructure. Ensuring brand equity and customer loyalty. When a breach occurs, in addition to hard dollars lost, an organization s brand can be damaged, sometimes to the point of no return. By continuously assessing and testing, organizations ensure that they maintain their brand equity and prevent customer flight. Providing a basis for security expenditures. By seeing what is getting through to an organization s network or systems or subsystems, an organization can accurately assess the efficacy of their current security tool/solution investments, in particular their return on investment (ROI). It also enables organizations to identify security holes and where they need to allocate budget. Conclusion Vulnerability assessment and penetration testing are critical to meet today s increasingly common and sophisticated cyber threats. Pwnie Express is a comprehensive yet easy to use and cost effective solution for identifying the real threat vectors that enterprises are facing every day as technology advances and cyber crime escalates. Page 8

11 About Pwnie Express Pwnie Express provides unparalleled visibility into wired and wireless network security, in remote locations, on demand. Founded in 2010 to leverage and build upon the power of open source tools, Pwnie Express sensors are providing previously unattainable intelligence to more than 1,000 companies globally. The list includes Fortune 500 companies to government agencies and security service providers, helping them bolster their security while meeting compliance requirements. twitter.com/pwnieexpress facebook.com/pwnie.express.pentesting Page 9