Pen Testing Takes Center Stage at RSA

It’s more important than ever for cybersecurity professionals to understand how attackers can gain access to sensitive company or customer data. While it’s still important to examine vulnerabilities in isolation, what matters most now is the ability to understand attack paths and how attackers can gain access to data.

These realities have led to several advancements in the area of penetration testing—essentially, simulated cyberattacks to check for vulnerabilities that hackers could exploit. In general, pen testing is a good way for organizations to gain an initial view of their security weaknesses, which can help them develop the right security strategy. Pen tests are a good precursor for establishing true vulnerability management programs and robust security strategies. For organizations with more mature security programs, pen testing is useful for continuous improvement and exploring specific areas of their security posture.

In their RSA session on virtual pen testing using risk models, Joel Amick, TIAA’s director of cyber analytics and data science, and Jack Freund, TIAA’s director of cyber risk, explained the concept of virtual pen testing in detail. In a nutshell, they explained how virtual pen testing can enable automated data feeds and model execution from real-time assessment inputs, how a model can simulate loss scenarios associated with attack successes, and how it can be used for offline cyber resiliency testing.

Freund and Amick pointed out two major challenges. The first is that network complexity requires either thoughtful abstraction for simplistic modeling or detailed development to appropriately articulate assumptions and behaviors to add. The second is that multiple and overlapping exfiltration paths and attack scenarios are needed to fully represent the attack surface.
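To make the two challenges concrete, here is a small Monte Carlo "virtual pen test" written for this article as an added example; it is not TIAA's model or code, and every network step, control strength, attack path and loss figure in it is a constructed illustration value. It shows the second challenge directly: attack paths that share a step (the same phishing foothold feeding several exfiltration routes) share that step's outcome in each trial, and two successful paths to the same data set are counted as one loss rather than two. A what-if helper re-runs the model with one control strengthened, which is the offline resiliency testing the session described.

```python
"""Toy virtual pen test: Monte Carlo simulation of overlapping attack paths.

Added example for illustration only, not TIAA's risk model. All step
probabilities, scenarios and loss magnitudes below are constructed values.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    steps: tuple        # step names in order; every step must succeed
    asset: str          # data set exfiltrated if the whole path succeeds
    loss: float         # loss magnitude if that asset is exfiltrated


# Constructed values: probability that each attack step succeeds against
# the controls currently in place (lower = stronger control).
CONTROLS = {
    "phish_user": 0.30,
    "escalate_workstation": 0.50,
    "lateral_move_to_db": 0.40,
    "exfil_over_dns": 0.60,
    "exfil_over_https": 0.80,
    "exploit_web_app": 0.20,
}

# Constructed scenarios. Three of them overlap on the phishing foothold and
# two of them are alternative exfiltration paths to the same customer database.
SCENARIOS = (
    Scenario("phish->db->dns",
             ("phish_user", "escalate_workstation", "lateral_move_to_db", "exfil_over_dns"),
             "customer_db", 5_000_000),
    Scenario("phish->db->https",
             ("phish_user", "escalate_workstation", "lateral_move_to_db", "exfil_over_https"),
             "customer_db", 5_000_000),
    Scenario("webapp->https",
             ("exploit_web_app", "exfil_over_https"),
             "customer_db", 5_000_000),
    Scenario("phish->hr_share",
             ("phish_user", "escalate_workstation", "exfil_over_https"),
             "hr_share", 750_000),
)


def run_trial(controls, scenarios, rng):
    """One simulated campaign. Each step is resolved once per trial, so
    scenarios that share a step share its outcome (overlapping paths)."""
    outcome = {step: rng.random() < p for step, p in controls.items()}
    succeeded = [s for s in scenarios if all(outcome[st] for st in s.steps)]
    # Two successful paths to the same asset do not double the loss:
    # count each exfiltrated asset once, at its largest stated loss.
    loss_by_asset = {}
    for s in succeeded:
        loss_by_asset[s.asset] = max(loss_by_asset.get(s.asset, 0.0), s.loss)
    return succeeded, sum(loss_by_asset.values())


def simulate(controls, scenarios, trials=20_000, seed=1):
    """Return expected loss per campaign, breach probability and per-scenario
    success rates, estimated over `trials` seeded trials."""
    rng = random.Random(seed)
    total_loss, breaches = 0.0, 0
    hits = {s.name: 0 for s in scenarios}
    for _ in range(trials):
        succeeded, loss = run_trial(controls, scenarios, rng)
        total_loss += loss
        breaches += loss > 0
        for s in succeeded:
            hits[s.name] += 1
    return {
        "expected_loss": total_loss / trials,
        "p_breach": breaches / trials,
        "scenario_success_rate": {n: c / trials for n, c in hits.items()},
    }


def resiliency_test(controls, scenarios, step, new_p, **kw):
    """Offline what-if: strengthen one control (lower its success
    probability) and report expected loss before and after."""
    before = simulate(controls, scenarios, **kw)["expected_loss"]
    improved = dict(controls, **{step: new_p})
    after = simulate(improved, scenarios, **kw)["expected_loss"]
    return before, after


if __name__ == "__main__":
    base = simulate(CONTROLS, SCENARIOS)
    print(f"expected loss per campaign: {base['expected_loss']:,.0f}")
    print(f"breach probability: {base['p_breach']:.3f}")
    for name, rate in base["scenario_success_rate"].items():
        print(f"  {name:<20} {rate:.3f}")
    before, after = resiliency_test(CONTROLS, SCENARIOS, "phish_user", 0.05)
    print(f"phish_user 0.30 -> 0.05: expected loss {before:,.0f} -> {after:,.0f}")
```

Because the same seed drives both runs in `resiliency_test`, lowering one step's success probability can only turn that step from success to failure in a given trial, so the comparison is monotone and not confounded by sampling noise; that is the property you want when ranking candidate controls rather than quoting absolute loss figures.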

Pen Testing Advances

Trustwave SpiderLabs has added a lot of new features to its pen testing tool that principal consultant Matthew Lorentzen says is 10 times more powerful in creating realistic and unpredictable security testing environments.

Sheepl 2.0 is focused on internal network behavior within a Windows network; the AutoIt scripts that Sheepl generates run only on Windows. Sheepl also can interact with Linux or embedded systems over common management protocols like SSH. Key Sheepl 2.0

With Sheepl 2.0, Trustwave SpiderLabs has rewritten the core to make the tool fully modular. This makes adding tasks less complex, and allows security pros to create Sheepl blueprint files. This creates the ability to develop a library of Sheepl that perform specific types of activity. Sheepl provides a robust way of executing attack signatures while complementing the noise commonly found within a traditional corporate network environment, Lorentzen said.

“Sheepl has always been geared towards a solution for replicating real-world users through the tasks and behaviors that Sheepl executes, which supports the goals of both attack and defense,” he explained. “If we can accurately model malicious user activity, this gives organizations something to detect.”

The main difference between Sheepl and other approaches to pen testing is the structure for the execution and the flexibility of the tasking. “Sheepl has been designed from the beginning to remove the predictability of when task assignments are executed,” Lorentzen said. “Predictable behavior leads to complacency, which ultimately reduces the effectiveness of measuring a response, whether it’s within a lab training environment or from Sheepl deployed onto a live network.”

According to Lorentzen, the most important use cases for Sheepl include executing techniques from the MITRE ATT&CK framework; creating forensic artifacts on endpoints to allow the reconstruction of events; generating noise through common user activities like browsing or creating documents; and monitoring processes and responding to certain events, such as a specific program starting, which could then be stopped.

Aside from adding additional tasks, Lorentzen said he plans to add even more realistic behavior in future editions of the tool, such as providing typing abilities and introducing errors into that typing. He also plans to add something he calls “traits”, where each Sheepl will have traits that differ from others, such as always opening a specific filetype that is deemed trusted or activating macros in a spreadsheet. “Traits will enhance the output by allowing you to specify tasks and then further personalize the Sheepl output through trait assignments relevant to the respective task,” he added.

Tripwire also announced a pen testing solution at RSA, but instead of offering it as a product, it’s service-based. The Penetration Testing Assessment Service provides organizations with cybersecurity experts, who discover and then exploit vulnerabilities to assess the security of an organization’s IT environment. More specifically, it helps ensure that critical assets including network services and configuration, web applications, wireless infrastructure, client-side and internal infrastructure, and social engineering and physical assets, are secure.

Product manager Onyeka Jones explained that the service combines pen testing techniques with vulnerability assessment activities, configuration reviews, and architecture analysis to provide an in-depth view of network and application interrelationships. In some cases, the assessment also includes evaluating policies and hosting interactive discussions with client staff members.

Once assessors find and review weaknesses, they can analyze the potential impact on the organization and recommend ways to address the weaknesses. “Then we can move on to actually helping them implement critical security controls,” Jones said.

As for the future of penetration testing in general, organizations need to put more focus on the access users have, Lorentzen said. This is especially true as organizations continue to adopt cloud-based resources, and the lines between internal and external perimeters continue to blur.

“Traditional penetration will still have a role in meeting compliance and regulatory needs and it is an excellent way of an organization assessing a baseline,” he added. “Building on this baseline requires a focus on detection and response to fully understand how an attack can be managed to minimize potential damage.”

Source: Dev Pro, 2019-03-07 01:21:00