
Consultancy free vulnerability testing

24 April, 2008
As network vulnerabilities become ever more complex and the scope of protective products widens along with the vendor base offering them, verifying the effectiveness of that protection is an important part of the IT Administrator's role.
Core Security Technologies started out in consultancy services, testing client, network and web-based vulnerabilities for organisations, before launching its product, Core Impact, which offers full penetration testing for users.

Core Impact can be set up and run by in-house IT personnel to perform systematic simulated attacks on the network and web applications and report on the vulnerabilities that exist, enabling them to be closed off before a real attack happens. Core Impact views the corporate network from the point of view of a hacker rather than an IT Administrator and so vulnerabilities are more easily picked up than by simply analysing the network "internally". The product can be set up internally or remotely and can view different aspects of the network, users and web applications.

I spoke to Michael Yaffe, Core Security Technologies' Director of Product Marketing, about their product and asked if it was the case that it would be a very nice tool for the hackers themselves. Michael explained that this is true but they wouldn't be able to get their hands on it! The company operates a strict "face control" policy, allowing its product to be bought only by genuine corporate representatives who can only use the product on their own network. Licence verification and code revision are checked on connection and if they don't tally, the product can't be used.

IT security is a complicated subject and real experts are few and far between, not many of whom actually work in client organisations, so I was interested to find out a little about the usability of the system and the benefits it can bring to the corporate IT Manager. In this respect, the system is largely wizard based and is entirely usable by a suitably qualified IT Administrator such as a Microsoft Certified Professional without special training in security. Michael explained further that it provides immense productivity benefits to the IT department since they will be focussed on correcting real problems that exist and securing their network. They can also provide verification of the effectiveness of any fixes by performing tests against a plan. This plan could be based on different test points or a monthly sequence or linked to events such as patch updates.

IT security is expensive and justifying it to Finance Directors is never straightforward since cost cases are invariably based on cost avoidance rather than return on investment. Since CFOs are rarely convinced by "what if" type cost avoidance cases, I asked Michael what he would advise potential purchasers of Core Impact in terms of putting a case together for it. "The main thing", he told me, "is the productivity improvements of the technical security personnel which is a big factor. But also of significant value is the ability to provide assurance and confirmation of the value of previous investments. With this product, you know that the money you've spent on security has worked for you".

For the future, Core Security Technologies are continuing to develop. Seeing themselves as the idealists of the security industry, they're putting a lot of effort into collaborative projects and focussing their development and consultancy activities on future vulnerabilities such as infrastructure attacks. They also run a customer portal containing an extensive knowledge base, which they put a lot of effort into maintaining.