These solutions are less costly than ethical hacking projects, comparable in cost to automated scanners and could be used for regular periodic security assessments of all corporate information systems exposed to the Internet. Their look and feel is similar to automated vulnerability assessment scanners. They do not require administration overhead of ethical hacking projects. These solutions are available on-line and assessments can be scheduled through web portals with very little manual interaction and no expertise required by the customer. Frost and Sullivan recently published an overview of these hybrid solutions.
Hybrid vulnerability assessment solutions are particularly accurate when analysing web based information systems, which are often ranked as high-risk in annual information security reports. The competitive advantage of hybrid vulnerability scanners over traditional automated scanners is in human skills to adapt attack strategies and related tools to particular components of a target. The concept mimics the approach of attackers.
Attackers usually begin with reconnaissance, with the objective of collecting intelligence about the target. These techniques are also used by automated vulnerability scanners. Hackers perform web searches for details about the target company, its employees, and its web identity. They search Internet forums and social networks to identify weak links for possible phishing attacks. These methods are also used by ethical hackers, and are available in their reports with recommended protection practices.
When hackers collect enough information and identify the weakest links in the security chain, they begin manual attacks. The weakest link, as illustrated in the above-mentioned Financial Times case, is typically an information system component that is not updated regularly with security patches therefore vulnerable to published exploits.
Other weak links could be those components that are misconfigured, for example disclosing unnecessary information about software versions in error messages displayed to every user. To be efficient, attacks have to be optimized and adapted to bypass security controls. Automated tools cannot adapt their attack scripts for sophisticated evasion techniques. Undoubtedly hackers can. Ethical hackers, working in the "back office" of hybrid vulnerability scanners, apply the same evasion techniques when assessing the level of exploitability of target systems. This increases the accuracy of exploit level estimates in reports from hybrid vulnerability scanners over automated scanners.
I have tested hybrid vulnerability solutions, such as ImmuniWeb; they offer custom-built scripts in their assessment reports in the form of exploit proof of concept. These scripts are useful for information security teams to verify the likelihood of a risk materializing and to adapt mitigation controls. They could be applied after mitigation controls have been implemented to verify their effectiveness. These target specific scripts were traditionally available only in dedicated ethical hacking and penetration testing projects.
Hybrid vulnerability assessment solutions enrich the arsenal of protection available to information security practitioners in this increasingly insecure cyberworld. With hybrid vulnerability scanners already available on the market, even those information systems identified as being low risk could be included in regular vulnerability assessments. Consequently organizational risk exposure would be more accurately measured and potential business impact further reduced. Indeed, the Financial Times intrusion would probably have been avoided if all their blog systems were systematically tested for security vulnerabilities.
Sign up for CIO Asia eNewsletters.