Aerospace and Defense
Industry Use Case - Red Team Penetration Testing
This massive aerospace company’s primary use of Core Impact Pro is fairly straightforward as it involves conducting proactive testing of its IT systems and applications to understand where its most significant vulnerabilities reside. The company has penetration testing expertise in-house and views Core Impact as a powerful solution to put in its testers’ hands to advance their ongoing activities and lend additional consistency to their work. With the types of industries the firm is involved in and the nature of the customers it serves, the company’s intellectual property is its lifeblood and it must ensure that outsiders cannot access its designs or customer data in order to protect its market position and perception of its viability among extremely sensitive organizations including the U.S. Department of Defense.
Industry Case Study - Travel and Leisure Website
"While it's nice to know that we're compliant with regulations, it´s much more important for us to deliver on our promise to ensure information security for our customers. Fortunately, Core Impact helps us to both comply with the PCI Standard and honor our commitment to keep customer data safe."
- Chief Architect and Security Officer
Travel and Leisure Website
Industry Case Study - e-Commerce Platform Provider
"Using Core Impact Pro has allowed us to reduce the amount of time it takes to sort through vulnerability scanner results by 80 percent, giving us the ability to throw out false positives and directly address high-priority exploitable issues. We're using these results to rethink applications development and re-frame our entire security testing and remediation process."
- IT Director and Information Security Officer
Major e-Commerce Platform Provider
Industry Use Case - Vetting Acquisitions Security
As a provider of Web-based services, specifically those that deal with some of their clients’ most private and personal information, this HR firm is particularly concerned with the security of its IT systems and applications. As a company experiencing rapid growth, in large part through the acquisition of other businesses, the firm is also concerned with ensuring that all of the IT systems that it absorbs via its acquisitions are every bit as secure as its own operations. To help assess the security posture of its newly acquired assets before tying them to its existing infrastructure, the HR specialist uses Core Impact Pro to test those systems and applications to make sure that by integrating with them it isn’t compromising its sensitive electronic data or the resiliency of its Web applications.
"By taking control of the penetration testing process with CORE Impact, we can now test as often as we want. A major benefit for us is that we don't have a whole bunch of tools to integrate. If Impact says a vulnerability exists and it's exploitable - we take those results as gospel."
- Information Security Manager
University of North Florida
"One of the biggest challenges for any university is to maintain a high level of security while fostering an open network that allows for research and creativity. To achieve that level of flexibility you truly need to understand where your biggest weaknesses may be at any given point in time and worry about those first."
- Security Specialist, SITEL Team
Université du Québec à Montréal
"CORE Impact provides us the parameters that best meet the standards we require. Being able to efficiently, easily and professionally demonstrate a penetration test is a significant tool for our instructors."
- Assistant Professor and Senior Research Scientist, ITOC
United States Military Academy at West Point
Industry Case Study – Large U.S. University
"When issues are found using Impact Pro prompt action to resolve the involved security hole is never too far behind as the direct demonstration of a security problem via penetration testing is always received with heightened attention; it really helps to increase the awareness of IT risks across the board."
- IT Security Officer & Security Engineer
Large Midwestern U.S. University
Energy and Utilities
Industry Case Study – Energy & Utilities
"Without Core Impact it would have been impossible to integrate penetration testing into our security process. Other tools require too much expertise, aren't safe to run on live networks, and deliver questionable results."
Enterprise Energy and Utility Organization
With the Core Attack Intelligence Platform, Eskan Bank strengthened and simplified their vulnerability management process. Eskan Bank consolidated and prioritized a large quantity of vulnerabilities from their scanning efforts, to an actionable number, leading to more frequent and effective remediation efforts. The result is a highly secure network with less administrative overhead.
"We've truly integrated penetration testing into our process and even now we know we're still just scratching the surface of what we can accomplish. Using Impact Pro we're constantly moving the process forward and hitting new vectors; before we had the product we would do some rudimentary internal testing and bring in consultants, but now we're doing a lot of the testing in-house and spending less on third party engagements."
- Information Security Engineer
"With CORE Impact we were able to find several weaknesses before they became issues. We were also able to verify which of our network defenses were performing up to expectations, and as a result our network is now significantly more resilient."
- Assistant Vice President
Happy State Bank
Industry Case Study - Insurance Provider
"With Impact we don't have to overextend our staff and budget in order achieve the peace of mind of knowing that our network is protected. I now sleep better at night."
- Senior Network Systems Manager
Large Insurance Provider
Industry Case Study – Mortgage Services
"I used to get 30 pages of data from my scanner and it always required guesswork to sort out the real threats from the false positives. With Impact we get straightforward information about actual, proven vulnerabilities in about 5 pages - no guesswork required."
- IT Manager
Mortgage Services Organization
Industry Case Study – Retirement Services
"To prove that our security testing is both consistent and unbiased, we’re required to have an outside entity provide us with accreditation. Because of the approach we’ve established testing with CORE Impact, and the ability to respond quickly and patch any issues, we remain confident that auditors will recognize that we’ve tested everything to best of our abilities in the same manner that a hacker would."
Chief Security Engineer
Large Retirement Services Organization
Industry Case Study - Tax Services Consultancy
"We want to be able to serve our customers as comprehensively as possible in terms of mitigating IT risk, while at the same time keeping our engagements running as smoothly and efficiently as possible; CORE Impact Pro has allowed us to maximize our internal testing expertise and, by extension, better serve our customers in the process."
Tax Services Consultancy
Industry Use Case - Benchmarking Security Posture
This carrier, which provides workers' compensation insurance to employers in a large U.S. state, recently hired a new CISO who had formerly worked in a similar capacity at a major U.S. consumer brands company. Upon arrival, the executive ordered her security teams to perform penetration testing across their IT systems and applications in order to create benchmarks that will be used to determine the company’s current security posture and measure changes to that status over time. The company’s use case is indicative of both the importance of security testing within large enterprises and the growing adoption of “security measurement.” The thinking goes: without performing testing upfront to assess where you stand before making changes, how do you know where to target your efforts and investments in security, or how well those initiatives are meeting their goals?
"With Core Impact, we don’t have to rely on ‘smoke and mirrors’ to convince IT staff of the existence of security Threats…We now provide our clients with facts about exploitable vulnerabilities and their associated risks."
- Information Security Manager
South Carolina Division of the State Chief Information Officer
"We found some holes that people missed in the remediation. In that one case alone, the value we got back far exceeds what we spent."
Commonwealth of Pennsylvania
"If you look at the reports that you get from running tests using Impact, every vulnerability is prioritized; this allows you the ability, within a relatively short timeframe, to define your biggest risks and generate the same types of assessment data internally that you'd typically get from third party consultants."
- Security Architect
Royal Borough of Windsor-Maidenhead, U.K.
Industry Case Study - U.S. Government Lab
"Organizations need to concede that their defenses cannot stop every attack and instead take the approach of assuming that networks, endpoints and applications have been compromised and will likely be again. Penetration testing is highly complementary to scanning and other vulnerability management practices as it allows you to gain insight into which issues truly represent your most important points of exposure in direct relation to real-world attacks."
- Senior Security Engineer
U.S. Government Lab
Industry Use Case - Major U.S. Federal Agency
At one major federal agency, officials are letting their security techies be the foundation for their security operations. They need to be dynamic and creative in their security considerations.
Using CORE Impact Pro, penetration testing software from CORE Security, the agency's security team is able to replicate attacks across networks, Web applications, end-user systems, wireless networks and network devices in its security lab. Because the tool automates the process, only three security specialists are needed to conduct penetration testing of the agency's 7,000 IT assets.
Excerpt from "Security lab, pen testing key to proactive, creative, cybersecurity," SearchSecurity.com
Industry Use Case - Client-Side Security Assessment
This major U.S. city’s IT security team is using CORE Impact Pro for a range of purposes, but perhaps the most intriguing element of its case is its utilization of the client-side testing element of the solution. In a test carried out on its internal users in 2008, the company found that a whopping 85 percent of its employees willingly handed over sensitive organizational details such as their IT systems log-in credentials in response to unsolicited requests. After using those results to push for renewed end user security training programs, a subsequent test along the same lines only garnered information from 5 percent of its users. The use of the client-side tests has created a new environment where users are far more aware of security issues and adherent to organizational security policies.
Industry Use Case - Comprehensive Vulnerability Management
This sizeable U.S. state government is using CORE Impact Pro as part of a full-scale move toward vulnerability management, in particular in addressing security for the state’s many Web applications. The state’s CISO repeatedly referenced the many millions of dollars ($37 million-plus) that he believes this vulnerability management program (which also includes source code analysis and vulnerability scanning) has saved by finding critical vulnerabilities that could have led to electronic data theft and subsequent response expenses. In addition to helping to lower the total number of electronic records stolen from the state from over 500,000 in 2007, to only 212 in 2008, and a mere 2 thus far in 2009, the CISO credits the effectiveness of automated penetration testing and vulnerability management with helping to effect a fundamental change in the manner in which the state now approaches the entire applications security process.
"Our approach is based on the premise that penetration testing must be a fundamental piece of any mature IT security program, in terms of testing from both the internal and external perspectives. It’s a critical element of what needs to be done to get to the heart of any vulnerabilities that you might have to eliminate them before they can be compromised."
Visiting Nurse Service of New York
Industry Case Study - Health Insurance
“Before Impact, we hired consultants to perform an annual assessment, but after taking a hard look at what was being performed and the results that we were getting, the overall process seemed lacking and I felt that our return on investment wasn’t stellar. When you show people that internal penetration testing doesn’t have to be a completely manual process and that solutions have evolved to the extent that consultants use these same products, it’s easy to defend not only how Impact Pro can save the company money and provide more quantifiable results.”
- Senior Information Security Architect
National Health Insurance Provider
Industry Case Study – Manufacturing Organization
"The decision to go with CORE Impact was a `no-brainer´ and it has been worth every penny."
- IT Security and Telecomm Director
Major Manufacturing Company
Security Consulting Services
"CORE Impact makes our penetration testing services more reliable and has commercial-grade exploits that speed the entire assessment process, particularly when compared to open-source alternatives and ad-hoc exploits."
- Senior Consultant for Internetworking and Security
Industry Case Study – IT Security Consultancy
"With CORE Impact, we equip customers to continue to identify, reduce and manage their attack surfaces long after the consulting engagement is over."
- Founder and CTO
IT Security Consultancy
“As we’ve used CORE Impact Pro over the last year, it has helped us satisfy the expectations of our customers in helping them address their most significant security challenges more effectively, and met our business needs in delivering higher quality services and training engagements.”
- Head of Foreign Trade
Industry Case Study - IT Security Services Provider
“Our customers have to know how their IT infrastructure and defenses are going to stand up in the face of real world attacks, and the best way to understand this is via regular penetration testing. Impact Pro gives us the flexibility to balance our in-house expertise with a database of the latest vulnerabilities and exploits, which translates into maximum results for the organizations we serve.”
IT Security Services Provider
Industry Case Study - Enterprise Security Service Provider
"Customers don´t just want to know their theoretical weaknesses, they want to know if they´re real and understand the broader impact of those vulnerabilities - using pen testing to investigate any problems we find is the best way to know for certain if a vulnerability is exploitable, otherwise it´s just guesswork."
- Manager of Product Management
Enterprise IT Security Consultant
Industry Use Case - Mining for the "Unknown Unknowns"
This large IT security services provider uses CORE Impact Pro across a number of its practices, including enterprise risk management and compliance management. However, one of its top government representatives who attended the event spoke of penetration testing as the best way for organizations to research their “unknown unknowns.” What he means by that is that, by conducting testing, organizations often find systems, applications and data repositories they didn’t even realize they had… and uncover where those assets are vulnerable. His larger point was that the only way you can really know what you have, and how it is exposed, is via regular, proactive testing.
"We can now do a penetration test without having to hire a team of highly-specialized experts. In the past it would have taken a large budget and a big group of people to do what one person can do with Impact. It's a real cost and time saver."
- Security Director
Industry Use Case - Targeted Assessment in SOC
Based on its critical need to keep its cable and ISP services running at peak performance, and to protect the millions of electronic customer accounts it maintains around those services, this telecommunications giant is using CORE Impact Pro in its Security Operation Center, or SOC, to test any new IT systems or applications that it plans to launch before bringing those systems into production. By actively testing its IT assets in this lab-like environment, the company can assess whether or not they are vulnerable to outside attack and could be used to launch denial-of-service threats or to steal its electronic data. While Impact is safe enough to use on live production systems, many large enterprises like this provider with sensitive operational environments perform testing in the SOC to be even more careful about any results that testing might have. The company also uses Impact to perform “spot checks” of various systems and to “prove” that known vulnerabilities are exploitable.
Industry Case Study - Major Airline Carrier
"Running a penetration test used to be very risky, but now with Core Impact the testing and penetration processes are safer and more manageable. Also, CORE Impact made my team and me more efficient, reducing our testing time from days to just minutes a week."
- Information Security Director
Major Airline Carrier