Security Testing: Taking ChargeBy John Moore | Posted 2007-03-09 Email Print
Reinsurance firm Scottish Re wanted more control over penetration testing, so it took the work away from a consultant and brought the service in-house.
Scottish Re decided to make security testing an inside job. The life reinsurance firm, with operating companies in the U.K., the U.S. and other countries, had been using a third-party provider for penetration testing services. In penetration testing, an authorized individual probes an organization's networks and applications for security vulnerabilities and attempts to exploit them.
That type of security assessment has been taking place in-house for the last 18 months, says Mark Odiorne, chief information security officer and senior network systems manager at Scottish Re. The company is using Core Security's Core Impact, an automated penetration testing tool that gathers information on the network to be assessed, identifies the operating systems and services running on host computers, and scans TCP/IP ports for vulnerabilities. The tool launches attacks based on that information and then generates a report that provides a list of successfully exploited vulnerabilities.
Penetration tests are among the steps an organization may take to bolster security. Tests may be performed as part of a broader security audit or independently. A penetration test may follow a vulnerability scan, in which an internal security group or a contractor uses a software tool to identify potential security gaps. In that scenario, the penetration test determines whether a given vulnerability can actually be exploited. Scottish Re also uses Core Impact for vulnerability scanning.
Scottish Re's departure from the third-party route has saved the company money, according to Odiorne. "The price we paid for Core per year was less than paying the vendor," he says.
Scottish Re pays an annual licensing fee of around $25,000 to use Core Impact. Odiorne says the tool's price tag, although not inexpensive, represents at least a 30% savings compared with outsourced penetration testing.
Odiorne did not reveal the name of the third-party security vendor, describing the company as a regional I.T. services provider. He notes that Scottish Re continues to use the company on occasion for services unrelated to security.
In addition to Scottish Re, Core Security counts companies such as Bloomberg, JPMorgan Chase and H&R Block among its customers.
Cost avoidance is one reason such companies opt for penetration testing software, says Jeff Cassidy, vice president of sales and business development at Core Security. He estimates that penetration tests performed by outside parties can run into the $100,000 range.
The in-house approach saves time as well. With third-party testing, Scottish Re's security personnel spent eight to 10 hours a month interpreting the vendor's test results, Odiorne explains. "We would get their report, but would then have to determine whether that [reported security issue] was a true vulnerability," he says.
The use of Core Impact, however, eliminates the report review step. "Core Impact gives us positive proof whether the vulnerability is exploitable or notor whether our mitigation strategy is working," Odiorne says.
Not having to double-check the checkers also contributes to cost reduction. Scottish Re's savings projection takes into account in-house labor costs and the yearly cost of the tool versus the third-party vendor's services and the time spent reviewing and answering the vulnerability scan reports, according to Odiorne.
Another advantage: Taking the testing process in-house lets Scottish Re conduct tests whenever it sees fit. "We didn't have to wait until the end of the month, when it was time for the outside vendor to do their tests," Odiorne says. "Having the tools ourselves, we can do those tests anytime we want to."
Now, Scottish Re can run a penetration test when it makes a change that could affect its security posture. Odiorne cites events such as adding a new server or changing firewall ruleswhich govern what pieces of traffic can traverse the networkas examples of changes that trigger testing. "I run [tests] often, both internal and externalat least once a month, but usually more often," he says.
Penetration testing also helps Scottish Re understand a given vulnerability. When Microsoft disclosed the MS 06-040 server vulnerability last year, Scottish Re found that its firewall was able to protect servers from outside, Internet-borne attacks. Using Core Impact, however, the company's security personnel discovered that unpatched systems could be compromised from the inside.
According to Microsoft, an attacker who successfully exploited the server vulnerability could take control of an affected system and be able to install programs and view data. In response, Scottish Re patched the majority of the affected servers and established router access control lists to protect a few servers that could not be immediately taken down for patching, Odiorne says.