When battling a determined foe, combatants often try to simulate an enemy's plan of attack and prepare defenses and potential counterattacks. That's true for armies, boxers and business-technology managers who must fend off hackers looking for new ways to attack computers and networks.
It's a tough challenge when more than 70 software vulnerabilities are discovered each week and all a hacker needs to do to gain access is find one misconfigured server, an unpatched operating system or a poorly designed application. Even with a full suite of security technology such as antivirus software, firewalls, patch-management applications and network and software vulnerability scanners, it can be hard for security professionals to find all of the potential holes in their systems and know which vulnerabilities pose the greatest risk to their assets.
Business-technology managers can benefit from looking at their infrastructure the same way hackers analyze computer systems and networks, says Chris Hoff, chief information security officer and director of enterprise security services for financial-services cooperative Western Corporate Federal Credit Union. To accomplish that, Hoff has turned to Skybox View from Skybox Security Inc., which combines information from a variety of sources, including asset- and network-management tools, firewalls and vulnerability scanners, to simulate how hackers might attack. Pricing for Skybox View starts around $50,000.
Hoff says Skybox View software has helped him more efficiently protect WesCorp's systems by showing him a variety of ways a hacker might attempt to breach those systems. It also helps him focus on fixing the software vulnerabilities that create the most risk to his systems and predict how system changes, such as adding a server or application, could create new security holes.
"The power with this type of software is the security professional can create what-if scenarios that help them to more quickly spot likely vulnerabilities hackers would attack," says Pete Lindstrom, research director at Spire Security.
Software that provides deeper insight into the potential ways hackers could attack systems is a new type of security application that should show growth, Lindstrom says. Start-ups such as Amenaza Technologies Ltd. and Black Dragon Software LLC also provide software that identifies potential avenues of attack, he adds. "These applications can help move security programs from being reactive to threats and vulnerabilities to more strategically managed security programs," he says.
The software attack simulation pays for itself, Hoff says, by letting him pinpoint exactly which vulnerabilities pose the greatest risk and which systems need the most attention. That translates into more secure systems in less time. "There is no way you can do this in your brain," he says.
For instance, a vulnerability scan might discover that a network has 30,000 potential vulnerabilities a hacker could try to use to gain entry. The Skybox application, however, can show how, by fixing a few hundred key vulnerabilities, "the rest of the vulnerabilities go away," Hoff says.
Security professionals can use the software to find and fix the 1 percent or 2 percent of security holes that are most threatening, Skybox CEO Gidi Cohen says.
Skybox View has surprised Hoff a couple of times. "When I first set it up, it said that we had a vulnerability on a certain application. I didn't think it was possible," he says. But Hoff decided to do some double-checking and discovered that the Skybox application was right. One of the company's IT staffers had failed to make some system rule changes, leaving the application vulnerable to a hack attack.
This article originally appeared in InformationWeek, Aug. 30, 2004