Posts Tagged ‘Penetration Testing’

Vulnerability Management Beyond E-SPIN

The world keeps changing, and rapidly. Not long ago we saw the vulnerability management landscape change with the introduction of “container security”. Vendors can be divided into those who already have it, those who are working on it, and those who do not see it as part of their solution but are willing to integrate with or work with a third party for it.

In the past five years we saw the initial introduction of cloud security and cloud-based vulnerability scanners into vulnerability management. Those who now possess it have grown in the internet era to become the few large players in the market. The world keeps repeating itself: technology keeps being introduced, and you either adapt to it or you are out of the business. We also saw players exit the market within that five-year horizon, which, for the market, is not really that long. If you cannot commit resources to head-to-head competition, it is better to give up that area and focus on the areas where you have core strengths and competency.

As the industry has been established for so long, the traditional vulnerability management (VM) market has seen many changes: new technology, takeovers, companies going out of business, changes of vendor direction and changes of business model.

This article focuses on a few interesting topics.

The traditional vulnerability management market is now full of commercial and open source players. It also includes threat management (TM) players that now offer vulnerability management (VM) through horizontal/vertical, forward and backward integration or expansion. From the market and user point of view, a total and unified solution with lower total cost of ownership continues to be a strong value proposition. Except for hardcore, expert users who depend on specialized and more technically advanced/complex tools and product solutions, generic all-in-one products continue to deliver massive benefits and command a large market. It comes down to value: if you cannot provide better functionality, then you need to price it right.

Professional and expert users really know what they want to accomplish and possess the know-how to do so. It is no surprise that they use open source tools if they have the competency to do so.

What we see most in the enterprise market is that buyers prefer report-friendly tools that are simple to operate and have more “automation” features. This continues to be the market-dominance approach of the big players, who keep proposing more and more features and functionality in a comprehensive offering. All commercial players aim to be the preferred vendor, the chosen one.

The majority of buyers will settle for a generic all-in-one vulnerability management tool or suite, from affordable unlimited-IP licensing to solutions that allow a small IP node asset count rather than committing to a huge IP block. Be aware of the open source alternatives, and keep checking whether the investment outweighs the cost.

A few areas of development are worth following closely.

Toward cloud. Although some very traditional industries and markets still do not accept cloud, it is future proof, and there is evidence all over the world of how cloud architecture solutions benefit the enterprises that adopt them. More and more enterprise infrastructure is migrating to the cloud; if you are still left behind in adopting cloud the right way, you will certainly spend a lot of resources the old-fashioned way. Cloud is not just about being hosted in the cloud; it is also about automation, a “cloud” system that goes beyond the traditional, capable of concurrently scanning, say, 100k IP nodes at the same time. Just imagine how much time you would need to perform a 100k IP assessment scan if you did not do it the cloud way. It helps the enterprise save a lot of time and money. More importantly, it provides speed that the traditional way cannot match. Scalability is another area, as users do not need to size up hardware and always pay through a subscription model, so no capital expenditure is involved. Most of the time we see that many people have developed misperceptions, or maybe were previously engaged by unprofessional people who failed to educate them correctly, and so missed the opportunity to align company resources for rapid business and technology transformation.

Container security. It is now a must for certain industries, for example if your core business is streaming video or data to the mass market. Traditional vulnerability management fails here because it cannot cope with the speed and the massive volume of streaming data; this is why “container security” has come of age as the world evolved and required a new form of technology.

DevSecOps. The world is moving toward cloud, online and speed, and has adopted DevSecOps as the way to be future-forward and relevant. The traditional way of separate processes, each waiting for the other to complete its stage before moving to the next, is yesterday's practice. Business today demands the application now and secured immediately, which calls for automation, integration and an instant end-to-end process. Traditional vendors that focus only on dynamic application security testing (DAST) will find themselves out of demand, since the requirement now is to also provide static application security testing (SAST). Technology vendors that can provide both and are capable of integrating and automating the whole process and workflow will continue to be relevant and needed for the future. Otherwise, you need to lower your product pricing because of the lesser value you bring to the enterprise user's use case and business requirements.

Unified security, from infrastructure security to application security. Traditionally we saw players divided by area, say application security or enterprise vulnerability management. As the market demands speed, we see application security players offering generic host vulnerability scanning. Likewise, infrastructure security vendors offer application security or niche technology in their product suite portfolio (whether they take over another company or build the technology in house).

Vulnerability correlation (VC) in a more holistic and broader area, so that the data and intelligence can be leveraged by other departments and key result areas (KRA). For example: fitting into a Governance Regulatory and Risk Compliance (GRC) solution; co-existing with Security Information and Event Management (SIEM) / security operations; providing vulnerability data to network and application security protection systems to temporarily “seal” the vulnerability and buy time for the developers to fix their system. The opportunities and use cases for leveraging this information to benefit many related systems are limitless.

Vulnerability validation and exploitation testing, or manual penetration testing. We expect vulnerability management players either to provide third-party support or to integrate vulnerability assessment and pen-testing into a single product suite. This is also a very appealing area where we look forward to significant development. Surprisingly, in case you are still not aware, there are only a few main players in pen-testing, but there are a lot of VM players. We also saw recent developments of pen-testing vendors offering VM as a way of responding to market changes.

E-SPIN Group has been actively involved in the vulnerability management and penetration testing (VMPT) business since 2005. We work with various VM and PT supplier vendors and offer their products as part of the solutions that work for the enterprise market we serve across the region of countries where we do business. Feel free to contact our solution consultants for business and partner requirements and opportunities.


Acunetix APAC Regional Sales Manager business visit to E-SPIN Malaysia business centre

Acunetix, developer of the well-known Acunetix Web Vulnerability Scanner (WVS), an automated and advanced manual web application security testing/penetration testing tool that audits your web applications by checking for exploitable vulnerabilities, was represented by Robert Padovani, APAC Regional Sales Manager, on a visit to one of the E-SPIN Business Centres in Malaysia last Friday (4 Oct 2013).

Vincent Lim, Group General Manager of E-SPIN Group of Companies, and the members of staff welcomed the Acunetix visit, since it symbolizes a step forward in consolidating the business relationship between both organizations. Robert shared Acunetix's latest profile, insightful product information and latest corporate licensing. Vincent, on behalf of the company, thanked Acunetix for the visit and for its active contribution of web application security products to the E-SPIN Vulnerability Management solution portfolio, which includes a full range of best-of-breed vulnerability management, security audit and penetration testing.

Both parties are making local reference site, customer and partner office visits. E-SPIN will organize an Acunetix version 9 product briefing for reseller channel partners and end users at a coming date.


Vulnerabilities threats model

Today's high-tech network security appliances do a great job of keeping vulnerability threats from invading your business. These threats can increase your level of vulnerability, penetrate your host systems and network assets to obtain confidential information, and use it illegally for the attackers' own benefit.

Where do these vulnerabilities come from?

  1. USB thumb drives – The ubiquity of thumb drives has led hackers to develop targeted malware, such as the notorious Conficker worm, that can automatically execute upon connection to a live USB port.
  2. Hardware, laptops and netbooks – With a handy Ethernet port for tapping directly into a network, a laptop may already have malicious code running in the background that is tasked with scouring the network to find additional systems to infect.
  3. Wireless access points – Wireless APs provide immediate connectivity to any user within proximity of the network and are naturally insecure, regardless of whether encryption is used. Protocols such as the wireless encryption protocol contain known vulnerabilities that are easily compromised with attack frameworks such as Aircrack.
  4. Smartphones and other digital devices – Phones are fully functioning computers, complete with Wi-Fi connectivity, multithreaded operating systems, high storage capacity, high-resolution cameras and vast application support. However, these devices also have the potential to elude traditional data-leak prevention solutions.
  5. E-mail – Electronic mail carries messages with confidential information that can easily be forwarded to any external target, and the e-mails themselves can carry nasty viruses; targeted e-mail is used to phish access credentials from an employee. These stolen credentials would then be leveraged in a second-stage attack.

What can I do to combat these vulnerability threats?

To combat these harmful and dangerous vulnerability threats, E-SPIN offers a comprehensive portfolio of Vulnerability Management, Risk Assessment and Compliance Assurance Solutions (http://www.e-spincorp.com/espinv3/index.php/solutions) to automate the process of vulnerability management and policy compliance across the enterprise, keeping your host systems and network assets safe and secure by:

  • Providing network and network security devices to secure laptops, netbooks, other digital devices and USB devices
  • Servers and systems, OS, web applications
  • Databases and wireless access points
  • Mobile device discovery for smartphones and other digital devices
  • Mapping, asset prioritization, vulnerability assessment reporting and remediation tracking according to business risk
  • Policy compliance that allows auditing, enforcing and documenting compliance with internal security policies and external regulations

What do E-SPIN's solutions offer, and what are their specialties?

  • Vulnerability Management, Vulnerability Assessment, Security Audit, Penetration Testing, Network Assessment, Network Device Audit, Web Application Audit, Database Security Audit, Wireless Network Assessment, Mobile Device Security Audit, Exploitation Management and Testing, Vulnerability Reporting
  • Automating Vulnerability Management, Enforcing IT Policy Compliance, in-depth and comprehensive reporting, best-of-breed industry de facto solutions, maintaining regulatory compliance, Automated and Advanced Exploitation Testing


Session Hijacking

Social media such as Facebook and Twitter is popular and widely adopted. This article shares one ID security risk that is very common for people who use public WiFi to access their private social media accounts (actually it applies to any web page where a user ID and password are submitted).

Every time I hang out at coffee shops, I notice that most people use the public WiFi to access social media websites. Most people do not have security awareness and are not aware that a shared public WiFi connects them with all sorts of people.

The live video demonstration below is based on the public WiFi scenario, where session hijacking can be done as easily as running an automatic scan and picking a victim. Please spend a few minutes on the full video to get the lesson.
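The hijacking shown in the video works because a session cookie sent over a plain HTTP connection on the shared WiFi can be copied and replayed. As an added example (not from the original post or from E-SPIN), the following Python audit inspects a site's response headers for the controls that close that gap: the `Secure`, `HttpOnly` and `SameSite` cookie attributes and a `Strict-Transport-Security` header. The sample headers are constructed for the demonstration.

```python
# Constructed sample response headers, modelled on a login response from a
# web application like the social media sites discussed in the post.
SAMPLE_HEADERS = [
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "csrftoken=xyz; Path=/; Secure; SameSite=Lax"),
    ("Set-Cookie", "remember_me=1; Path=/; Max-Age=2592000"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]


def parse_cookie(value):
    """Split a Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_headers(headers):
    """Return findings for cookies that an on-path observer on a shared
    network could capture (no Secure), that script could read (no HttpOnly),
    or that lack SameSite, plus a finding if HSTS is absent."""
    findings = []
    if not any(k.lower() == "strict-transport-security" for k, _ in headers):
        findings.append("no Strict-Transport-Security header")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_cookie(value)
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure (sent over plain HTTP)")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
        if "samesite" not in attrs:
            findings.append(f"cookie {name} lacks SameSite")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```

Run against real responses, feed the function the header list from an HTTPS client such as `http.client` or `requests` instead of the constructed sample.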

E-SPIN partners with Immunity to distribute their SILICA wireless penetration testing tool set (which comes with a wireless injector adapter, signal booster and USB-bootable SILICA wireless to perform wireless security assessment, penetration testing or audit). If you or your company are looking to secure a wireless network or access point (AP), or want consultation on wireless security assessment, penetration testing or ethical hacking, feel free to contact E-SPIN for assistance.

E-SPIN specializes in end-to-end vulnerability management, security assessment, penetration testing and ethical hacking systems and point solutions, and actively serves partners, enterprises, governments and military clients.