The Commonwealth of Pennsylvania found a way to guard data housed on its online infrastructure, reports Greg Masters.

With a staff of 10 security professionals on his team, Robert "Bob" Maley, CISO, Commonwealth of Pennsylvania, is responsible for the 47 agencies under the executive branch, which physically span the entire state of Pennsylvania. While his team's skill sets range from project management specialists to highly technical penetration testing and computer forensics experts, Maley says working in a government IT environment poses an interesting set of challenges based on a mandate to foster openness and online availability of information to its citizens.

“While a large majority of government data is exposed in the public domain, there are, of course, certain data sets that must be kept private and out of the hands of unauthorized parties,” he says. “At the same time, with the combination of this prevalence of online data availability and the reality of aging IT infrastructure still deployed across the Commonwealth, it came to our attention that our online infrastructure could be subject to a host of potential attacks specifically aimed at harvesting this private information.”

To assist in keeping its private records private, and to maintain both regulatory compliance and the highest level of trust from its citizens, Maley and his team decided to enlist some new tools to help address what it determined were areas of risk.

The Commonwealth of Pennsylvania, based in Harrisburg, Penn., the capital of the state, is fundamentally dedicated to maintaining the trust of its citizens while providing the highest quality of services in a compliant environment., says Maley. “To do so, we must employ the most effective and proactive means available to us to ensure that our sensitive records are as safe as we can make them.”

Maley and one of his technical security architects got involved in a technology review and procurement process to find a solution. They considered a range of different tools and services, including open source security assessment tools.

Because of its ability to emulate real-world hacking attempts and malware attacks designed to burrow through defenses to gain access to the data reserves, they chose CORE IMPACT Pro.

“It allows us to accomplish these goals with minimal time and effort,” he says, adding that CORE IMPACT Pro was far and away the most polished, commercial-grade product available in the penetration testing space. “Based on its ease-of-use, level of support and sizeable library of testing exploits, CORE IMPACT Pro was the only product that could meet all of our needs.”

The only other available technologies in the pen testing automation segment were far-less advanced or commercial-grade open source tools, which, he says, were not an option based on the state's internal guidelines.

“All things considered, Impact Pro was really the only solution that was going to meet our needs based on our guidelines, the nature of the work we wanted to do and our level of staffing expertise. Beyond the inability to go with anything open source, CORE IMPACT Pro was the product that had the features we wanted and that could allow users of varying skill depth to utilize it most effectively.”

Even if they had the freedom to go with open source, support would have been a big concern, he points out.

He says his team doesn't have time to devote to going out and finding new exploits or testing them to ensure that they work and don't introduce unwanted side-effects. “With CORE IMPACT Pro, we knew that we were getting a fully baked solution that would meet our needs out of the box, and continue to do so over time.

Deployment was extremely easy and Maley's team was very satisfied with the implementation from the get-go. “In about 30 minutes, we had the product up-and-running and ready to perform testing. The process has only improved over time as our teams have become more experienced with using it.”

Vital business partner

Fred Pinkett, vice president of product management, Core Security TechnologiesCore Security considers it an honor to have its technology used so prominently by the state of Pennsylvania, says Fred Pinkett (right), vice president of product management, Core Security Technologies. “Working with Robert Maley and his team has helped guide the continued development of our functionality by providing us with open and honest feedback at every turn from specific exploits to high-level features. Core truly considers the Commonwealth of Pennsylvania a vital business partner in helping us understand both general and government specific needs as it relates to the development of our automated penetration testing capabilities.”

By adding automated penetration testing to their security programs, Maley and his team were able to tackle a broad range of operational and process-driven security goals without detracting from any other area of their strategy, says Pinkett.

“Not only can the Commonwealth feel confident that it has a far more precise fix on its areas of risk than it did before adopting the solution, but it has also been able to streamline processes related to operational security management and regulatory compliance as a result of using CORE IMPACT Pro.”

Support factor

Also, support was a significant priority coming into the deployment and Maley says that CORE has been second to none and exceptionally responsive. “Learning the various nuances of the application was easy after attending the free online classroom sessions and viewing the online help tutorials,” he says.

CORE IMPACT Pro is by far the product with one of the highest levels of ease-of-use that we currently have in our environment, says Maley. “The user interface includes Rapid Penetration Testing, which allows us to drag and drop a number of steps in the actual penetration testing process using graphical icons to signify targeted computers.”

The point-and-click interactivity of the application puts real-world penetration testing techniques into the hands of even the most inexperienced users, he adds.

“Overall, it's truly meeting our expectations on all avenues.”

The tool has great support, high ease-of-use and superior functional effectiveness and provides tremendous cost savings, he says.

Government needs

Being in the government space, Maley's team is bound to a wide range of IT security regulations, much as private corporations are, including the requirement to complete frequent security audits of its infrastructure assets.

“Core IMPACT Pro allows us to quickly audit all the objects on our network that we're mandated to test and provides detailed reports that directly support our compliance efforts and speed the audit process itself. In this sense, the true power of IMPACT Pro is found in its ability to not only discover vulnerabilities, but to specifically demonstrate their existence and availability to outsiders by actively exploiting them.”

At this time, the Governor's Office of Administration is the only agency with Core IMPACT Pro deployed within the Commonwealth. However, Maley points out that in its current capacity, CORE IMPACT Pro already offers the ability to touch and audit all of the necessary target systems needed to test in all of the agencies under the governor's executive branch.

“In that regard, it is used very widely to discover issues with our infrastructure,” he says.

Ultimately, the Commonwealth is hoping to establish a pen testing standard under which all state agencies will adopt the process as a central element of their IT security assessment and regulatory compliance efforts, Maley says. The results of doing so would be a dramatically more secure computing environment for all, based on the ability to know where assets stand from the standpoint of being open to external threats.

“Further, I would recommend that an automated penetration testing tool be recognized as a preferred method of conducting penetration testing under this requirement,” Maley says.

It will also help the many agencies working to comply with external regulations, including the PCI Data Security Standard.

“We already have a new process in development, and in time we will see if the Commonwealth certifies and accredits the process under its guidelines, which have been patterned on Department of Defense accreditation methods,” says Maley.

Part of this process will be requiring software developers working for the Commonwealth to have security measures baked into their applications from the design phase onward, and Maley says he will likely require pen testing of applications before they are allowed to go into production.

Shifting priorities

Maley says that priorities in the state haven't necessarily changed over time. “Mission number one has been to protect our critical data for a long time.” But, what has changed are tactics and strategies, and the team's response to the evolution of the threats they face.

“We try to be as agile as we can be, and testing new exploits as they are released is a significant benefit to that end. We don't necessarily have the staff to constantly be checking for new exploits or looking at new threat models.”

Using IMPACT Pro, Maley's team feels confident that almost everything is already in there, that they're getting the updates, and that staff know how to use the product to conduct pen tests confidently.

The Commonwealth of Pennsylvania, says Maley, is facing a magnitude of new threats daily. From phishing, viruses and cross site scripting to SQL injection attacks, the realm of computer security is constantly changing, which creates the sizeable challenge of trying to keep up.

“As one countermeasure to an attack is created, a new attack emerges to take its place. IMPACT Pro helps us manage this changing landscape by providing updates and new exploits for the latest attacks and allowing us to check the ability of our assets to be targeted by attacks on a regular, consistent basis.

Pinkett adds that IMPACT PRO is unique in that it is the world's only commercial-grade automated security testing software solution.

A handful of penetration testing “frameworks” and applications allow experienced assessors and consultants to manually run a limited set of exploits to conduct individual vulnerability investigations, he says.

“IMPACT Pro, on the other hand, is a truly commercial-grade solution backed by the industry's largest and most experienced professional exploit development team working in cooperation with world-class research and consulting teams. All of this expertise results in security testing products that are second to none. While the exploit development team is wholly dedicated to the task of creating new testing methods that safely mimic the activity of real-world hackers and malware authors to give organizations a comprehensive view into their security standing, the engineering team develops the commercial capabilities – including reporting, automation, management and ease-of-use – which makes IMPACT the only choice for security testing in organizations like the Commonwealth of Pennsylvania.”

In addition, says Pinkett, by giving organizations the ability to test exploits that move through networks, endpoints and web applications, IMPACT Pro allows users to assess their security against multi-staged attacks that seek available paths to backend data, in the exact same manner employed by cybercriminals.