8 Tips for Penetration Testing

Posted by Ashley Sims - Marketing Manager on Tue, May 24, 2016

You think that you're safe, that your network is secure, that your firewalls are protecting you - but how will you know if you don't test it? 

A penetration test, or pen test, is an attempt to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities. You may have also heard the term "Red Hat" or "White Hat" when it comes to testing because, while they are trying to hack into your system, these "attackers" are doing so in an ethical effort to find the vulnerable parts of your network in order to patch them. 

There are many options for penetration testing - either manual or automated, a pen test systematically compromises servers, endpoints, web applications, wireless networks, network devices, mobile devices, and other points of exposure. 

With so many things to test and so many options for testing, how do you know if you're getting the most out of your test? 

Download 8 tips to help you get the most out of your penetration test. 



Tags: vulnerability management, vulnerability, pen-testing, penetration testing

How does Vulnerability and Access Risk Management Work?

Posted by Felicia Thomas on Thu, Mar 31, 2016
When a company wants to prevent breaches that come through vulnerabilities, it can detect them with a vulnerability scanner. These scanners will show all vulnerabilities in the infrastructure, from tens to thousands, based on the size of the network. In addition, many vulnerability management solutions offer antivirus software capable of fact-finding analysis to discover undocumented malware. If it finds software behaving suspiciously—such as attempting to overwrite a system file—it will provide an alert.
Fast-acting correction to these vulnerabilities, such as adding security solutions, or educating users about social engineering, will be the difference between exposing a system to potential threats and protecting the system from those threats.
Access risk management (ARM) is the part of an IAM solution that identifies, assesses, and prioritizes risks from an access provisioning and compliance perspective. Because risk comes from various sources, utilizing access risk management helps to continuously monitor a system while providing preventative measures to manage user access and account entitlements.
Having VARM as a threat solution helps when identifying the sources of potential risk. Risk sources are more often identified and located not only in technological assets but within infrastructure and other tangible elements. It is extremely difficult for IT security personnel to be able to apply an objective and systematic observation of the state of their network without a solution in place. Utilizing VARM helps to identify not only that something is wrong, but it can support the clear understanding of how, when and where to act on a potential threat. 

Want to learn more about Vulnerability and Access Risk Management and how it can help your organization? Download our new eBook and learn: 


  • How Vulnerability and Access Risk Management really works
  • VARM's impact on governance and remediation 
  • Tools to remediate vulnerabilities 
  • Prioritization for reducing risk 
  • Checklist for a VARM solution 

Tags: access governance, access risk, access management, vulnerability management, vulnerability risk management, vulnerability, Vulnerability and access risk management, VARM

Checklist for a Vulnerability and Risk Management Solution

Posted by Felicia Thomas on Thu, Mar 10, 2016

Tags: access rights, access risk, identity and access management, Identity & access management, vulnerability management, vulnerability risk management, vulnerability, Vulnerability and access risk management, VARM

What is Vulnerability and Access Risk Management?

Posted by Felicia Thomas on Thu, Mar 03, 2016

Threat intelligence is a company’s worst nightmare which pushes cyber security and risk management to the top of the list for standard operating procedures (SOP). Traditional risk management is a thing of the past, and corporations have begun investing in top-notch security solutions for their various databases. Although no solution will ever be 100% capable of preventing attacks, there are solutions that can help provide roadblocks to deter these occurrences. With proper detection solutions, a company becomes proactive—rather than reactive—to fight against vulnerabilities that exist in their systems.

Large organizations are riddled with increasing threats to their system infrastructures and customer data. The vast majority have moved into protecting these assets with Identity and Access Risk Management (IAM). An emphasis on compliant provisioning of users, identifying management of roles, the maintenance of compliant roles, and processes to manage segregation of duties (SoD) are the focuses of this type of management tool. However, in some cases, the traditional IAM solution is not enough protection against threats.

Many large corporations want an automated, rules-driven solution that can provide quick remediation around network access controls. However, before an attack occurs and remediation can begin, there is the challenge of anomalous activity detection from the infrastructure level. To help with this detection, many companies have instituted consistent monitoring by scanning the system for potential threats to safeguard their infrastructures.

Dynamic provisioning capabilities through IAM, and the proper protection to deter attacks from the infrastructure level with vulnerability management, can position a corporation to achieve the best level of protection possible. This introduces the concept of the acronym VARM – Vulnerability and Access Risk Management. It’s not just the first line of defense; it’s a complete, end-to-end solution that will break the “kill chain” from system threats within the enterprise.


Want to learn more about Vulnerability and Access Risk Management and how it can help your organization? Download our new eBook and learn: 


  • How Vulnerability and Access Risk Management really works
  • VARM's impact on governance and remediation 
  • Tools to remediate vulnerabilities 
  • Prioritization for reducing risk 
  • Checklist for a VARM solution 

Tags: access risk management suite, IAM, access risk, intelligent IAM, identity and access management, Access Risk Management, Identity & access management, vulnerability management, vulnerability risk management, vulnerability, Vulnerability and access risk management, VARM

How to Think Like an Attacker - Part 2

Posted by Ashley Sims - Marketing Manager on Tue, Mar 01, 2016

Today we are live from the RSA showroom as our Director of Product Management, Ray Suarez, gets ready to present "A Vulnerability Maturity Model That Thinks Like an Attacker". We brought you the first part of this series last week, and if you haven't read it yet, I would urge you to go back and read How to Think Like an Attacker - Part 1.

For those of you not lucky enough to hear Ray's presentation in person, we have convinced him to share his actual presentation with all of you. Keep reading for the conclusion of "How to Think Like an Attacker." 

We started last week with a funny look at cyber security with a top 5 "you're in trouble when" list, but let's be honest, there is nothing funny about the risks in your organization. Let's imagine that you are the new CISO of an organization, and you walk in on your first day and sit down with your security team. Your first question is: "how many vulnerabilities are there in our system?" What would be an acceptable number to you? 100? 100K? What if you had 700K+, and you needed to know which ones are most important? How many are high risk? How many are relatively low? Where do you even start? 

That number changes every day. With the number of servers in your environment growing at 15% per quarter - along with your business units and IT staff - you need to know what your biggest risks are so that you can target them immediately. 

Let's do some math. Out of your 700K vulnerabilities, let's just look at the "high" threats. If there are: 

  • 93K High Threat Vulnerabilities 
  • 250 Working days in a year 
  • You can fix 372 vulnerabilities per day or 1,860 per week 

The problem here? We are overwhelmed by data. Even if we spent every minute of every day fixing just the high risk, high severity problems, would we really solve almost 2,000 every week? Oh, and that is assuming that no new vulnerabilities pop up. The attackers are taking advantage of that limitation and are using it against you. You need a vulnerability management system that thinks like an attacker. 

Peak data overload is the most common issue for most IT security teams. Take a look at this model:


In the first two levels, you are in the wonderful stage we call "blissful ignorance" where your threats are nonexistent, and you just start the scanning process. Then you get the results of your scan which is where you first encounter the magnitude of your issues. We will start here, with your scanner, and give you the five steps to building a vulnerability management model that thinks like an attacker. 

1. Scanning - Get the basics in order 

The first step in setting up your solution is to incorporate your business goals into your vulnerability management program. By aligning your business and IT security goals, you will establish a unified team. You need to adopt or acquire a vulnerability scanning capability that will regularly scan and help you find vulnerabilities. 

2. Assessment and Compliance - Begin actually managing vulnerabilities 

Just like with any other business system, you will need to establish a repeatable process to create metrics that you can measure. Adopting a compliance framework (PCI, FISMA, HIPAA, etc.) is the basis for vulnerability scanning and patching, and it helps you to implement a basic prioritization framework to deal with data overload. 

3. Analysis and Prioritization - Formalized Process 

A vulnerability management program that deals with vulnerabilities, prioritization, and patching is part of a complete ecosystem. In this stage, security and/or IT operations adopt tools that can add value to the data, enable prioritization, and deal with the problem of too much data. Vulnerabilities are prioritized to make the best use of limited resources and bandwidth, and metrics begin to focus on improving security rather than on being busy. 

4. Attack Management - Attacker Focused 

In this stage, processes and metrics are coupled together to understand security posture trends and to improve process and execution. Security and IT departments build continuous processes that manage the lifecycle of a vulnerability, and analytics and risk management processes and tools are used to measure risk to critical assets. The focus of the vulnerability management program has shifted from the need to patch and comply to being attacker and threat focused. Penetration testing is conducted by internal red teams and, likely, validated by external professional service teams. 

5. Business-Risk Management - Business-risk and vulnerability context 

A vulnerability management program incorporates business goals and critical assets as it looks at risk as a business-wide issue. Business leaders become engaged at the program level and make decisions routinely about where to apply limited security resources. All potential threat vectors (mobile, web, network, social, identity, wireless) have been integrated into the vulnerability management program, and the tools and processes that measure risk and provide prioritization are fully integrated with security, IT, operational and enterprise risk management functions. 

Is your vulnerability management system prepared to think like an attacker? 

For more information on how to prioritize vulnerabilities and secure your business assets, download Ray's presentation here.


Ready to see what this can look like in your organization? Request a demo of Core Insight, our market-leading vulnerability management solution. 



Tags: vulnerability management, vulnerability risk management, vulnerability, Ray suarez, Vulnerability and access risk management, rsa

How to Think Like an Attacker - Part 1

Posted by Ashley Sims - Marketing Manager on Thu, Feb 25, 2016

Confession - I loved David Letterman and I couldn't get enough of his Top 10 lists. So in that theme, I give you the:

Top 5: You Know You're in Trouble When... 


5. You’re asked to move the Active Directory server to an open part of the network to ensure users can easily LOGIN
4. When your boss, who is responsible for security, asks you, “What type of security software do we use?”
3. You remind him, “the freeware version of Malwarebytes Anti-Malware”
2. A press release states, “our IT system and security measures are in full compliance with industry practices.”
1. The second press release states, “we were the victim of a sophisticated cyber attack operation.”

A Top 5 list is sort of a funny way to look at it, but if there is one thing that everyone in the security industry can agree on, it is that the hackers are getting smarter.

A firewall isn't enough to keep your network safe. You can have the strongest password in the world, and still have it taken from you in a phishing scam. Healthcare and financial services records are the most valuable in the world, their security systems are top notch, and yet still the hackers are getting in. So the question becomes: how do you think like an attacker?

First you have to understand the anatomy of a cyber-attack. Let's use the Target hack as our example for this. Target was breached the same way that many other organizations are - through stolen credentials. One of Target's partners, an HVAC company, had access to its network as a non-employee and fell victim to a phishing campaign. Once the hacker had the contractor's information, he was able to use a web application to get into Target's network. From there, the hacker was able to take any one of many lateral paths to information. 

Once the network was accessed, it was easy for the hackers to make their way to the POS system and start to exfiltrate data from it. The attack path here seems simple; he was in and out in only six steps. The issue is, how would you have stopped him? 

The firewall held, there was no vulnerability exploited (the hacker had valid credentials), and there were no alarms raised when the network was accessed. However, there were also no alarms raised when a contractor working on their HVAC system started working their way into the POS system. That is the problem. The hacker knew that there were no obstacles in place to alert anyone of his activity so they were free to roam around the network finding the information they wanted and exfiltrating it straight to the black market. 

Would you have caught the hacker when they entered the system? Would you have noticed when he accessed applications that should have been out of his reach? Would you even have caught on when massive amounts of data started disappearing from your network?

It's time to stop playing defense and start thinking like an attacker.

Are you ready? Join us next Tuesday for a special #TechTuesday blog where Ray Suarez will be at the RSA Security Conference presenting "Grow up: It's time for a vulnerability model that thinks like an attacker".

Don't want to wait? Find out what it means to "think like an attacker" with a demo of Core Insight and see how attack path modeling can help you visualize what an attacker sees. Or download a copy of Intelligent IAM for Dummies and see what you should be looking for in an intelligent IAM system. 



Tags: Courion, cyber attack, vulnerability management, vulnerability risk management, vulnerability, Vulnerability and access risk management, VARM

Better Together: Courion and Core Security

Posted by Chris Sullivan - GM, Intelligence/Analytics on Wed, Dec 16, 2015

Courion + Core Security FAQ
By Ray Suarez, Core Security and Chris "Sully" Sullivan, Courion

A lot of folks have been asking why we made this acquisition. The reality is, this is a merger of two market leaders expanding their products to offer something never before seen in the cyber-security space. So to build on and explain this thought, we wanted to do a little Q&A to answer some of your questions.

Ray:  Sully, why do organizations do Identity, Governance and Administration (IGA)?
Sully:  To manage access to information and processes.

You can buzz it up by talking about threat surface and risk but you are simply protecting card data, IP (your crown jewels) or the ability to prevent unintended transfer of large sums.

Sully:  Why do organizations do Vulnerability Management (VM)?
Ray: To manage access to information and processes.

So let’s see, they are both solving the same problem. VM protects you up to the identity, and IGA from the identity to the process or information. Each area has tools, control processes and teams to do the work.

But our adversaries don’t partition their work this way. Consider the Target breach attack path. It was HVAC vendor account (IGA) -VPN (VM) - BMC_user1 account (IGA) - C&C server (VM), - payment systems network firewall (VM) – dev, sw distribution, exfil servers (VM). Our adversaries move quickly between the VM and IGA world and hide in the cracks between them.

Now Courion has long been an IGA market leader and is specifically recognized for customer satisfaction and delivering on the promise of intelligence. We use a property graph (I know, too techie, but it’s necessary to solve the scale problems) to give you a comprehensive view of your logical access. That’s person, to accounts, to permissions and sub-permissions and roles and sub-roles and sub-sub-sub... In a mid-sized company, that’s billions of changing security permutations – even the best security experts can’t visualize that complexity. Our analytics let you really understand what’s important so you know what you are requesting, reviewing, approving instead of just pretending that you do.

And Core Security has long been the VM market leader and is specifically recognized for unraveling the complex permutations of vulnerabilities that could lead to a breach of critical assets by an attacker. Courion also uses a property graph to give you a comprehensive view of the layered infrastructure and understand what’s important. That’s network, client, web, wireless and mobile.

Now imagine what would happen if you connected those two worlds with all that domain expertise and IP.  For example a blind person will perfect their listening skills to compensate for their disability and a hearing impaired person will perfect visual observation. If we could combine each of these improved senses, it would provide clarity that us normal folk might not even think possible.
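To make the "cracks between IGA and VM" concrete, here is an added example (not code from Courion, Core Security or the post) that models the Target-style attack path above as one graph whose nodes are tagged IGA or VM, enumerates paths from an outside vendor account to the critical asset, counts the domain hand-offs along each, and reports the edges every path shares, which is where a defender gets the most from one control. The node and edge names are constructed sample data modelled on the path quoted in the post.

```python
from collections import defaultdict

# Constructed sample graph modelled on the attack path in the post.
# Each node is tagged with the world that owns it: IGA (accounts, roles,
# entitlements) or VM (hosts, network paths, vulnerable services).
NODES = {
    "hvac_vendor_account": "IGA",
    "vpn_gateway": "VM",
    "bmc_user1_account": "IGA",
    "cnc_staging_server": "VM",
    "payment_network_firewall": "VM",
    "sw_distribution_server": "VM",
    "pos_systems": "VM",
    "exfil_server": "VM",
    "hr_portal": "VM",
}

# Directed edges: holding A lets you reach B (constructed sample data).
EDGES = [
    ("hvac_vendor_account", "vpn_gateway"),
    ("vpn_gateway", "bmc_user1_account"),
    ("bmc_user1_account", "cnc_staging_server"),
    ("cnc_staging_server", "payment_network_firewall"),
    ("payment_network_firewall", "sw_distribution_server"),
    ("bmc_user1_account", "sw_distribution_server"),   # second route
    ("sw_distribution_server", "pos_systems"),
    ("pos_systems", "exfil_server"),
    ("hvac_vendor_account", "hr_portal"),              # dead end, not critical
]

def build_graph(edges):
    graph = defaultdict(list)
    for src, dst in edges:
        graph[src].append(dst)
    return graph

def all_paths(graph, start, goal):
    """Depth-first enumeration of simple paths from start to goal."""
    paths, stack = [], [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node == goal:
            paths.append(path)
            continue
        for nxt in graph.get(node, []):
            if nxt not in path:          # simple paths only, no cycles
                stack.append((nxt, path + [nxt]))
    return sorted(paths, key=len)

def domain_crossings(path, nodes=NODES):
    """Count IGA<->VM hand-offs along a path: the cracks between the two worlds."""
    domains = [nodes[n] for n in path]
    return sum(1 for a, b in zip(domains, domains[1:]) if a != b)

def chokepoints(paths):
    """Edges shared by every path: one control here blocks all of them."""
    edge_sets = [set(zip(p, p[1:])) for p in paths]
    return set.intersection(*edge_sets) if edge_sets else set()

if __name__ == "__main__":
    found = all_paths(build_graph(EDGES), "hvac_vendor_account", "pos_systems")
    for p in found:
        print(len(p) - 1, "hops,", domain_crossings(p), "IGA/VM crossings:", " -> ".join(p))
    print("chokepoints:", sorted(chokepoints(found)))
```

Note that the shared edges fall on the identity side (vendor account to VPN, VPN to the BMC user account), so the graph points the defender at IGA controls even though the target is a VM asset.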

Don’t believe us? Hear what some of the industry experts have to say here.

2 more questions…

1. Why does InfoSec exist? To manage access to information and processes.

2. Why Courion + Core Security? Because it was the only sensible thing to do.

Welcome to Courion + Core Security, the only security company that can continuously and comprehensively manage access to your information and processes.

Did we miss anything? We are building a new world so if you have any questions or just want to discuss things, please let us know in the comments. 


Tags: IAM, Courion, cyber security, intelligent IAM, IAG, identity and access governance, core security, vulnerability management, VRM, vulnerability risk management