Vulnerability Assessment and Prevention with Rapid7

Ever hear of a company or government agency's computer systems falling victim to malicious activity? Despite the frequent news coverage of such events, many organizations still don't prioritize the security of their own systems. Vendors such as Rapid7, McAfee, and Qualys offer software to assess, manage, or reduce the vulnerabilities in an organization's information technology (IT) systems. I recently saw a demonstration of Rapid7's products and would like to highlight some of what they can do to help harden IT systems.

A general refrain from Rapid7 is that organizations often put a low priority on preventative security because of

  • budget restrictions,

  • the fear of additional workload on IT staff, or

  • the belief that existing intrusion detection systems are sufficient.

Yet a real security breach ultimately ends in a burdensome financial impact and a lot of additional work to repair the damage. Intrusion detection systems, although useful as part of a security strategy, are generally intended to identify a breach, or help resolve it, once it is already under way; they don't necessarily prevent the damage.

Rapid7 recently released a report examining 268 breaches in the government sector since 2009 and found that they led to the exposure of personal records or to other damage (the detailed report is available from Rapid7). To counter these problems, Rapid7 offers two applications, Nexpose (for vulnerability assessment) and Metasploit (for penetration testing), to help organizations avoid falling victim to security breaches.

Nexpose provides vulnerability assessment and testing. It gathers information about an organization's IT environment by scanning its assets (the network, operating systems, devices, routers, and so on). The information Nexpose gathers includes vulnerabilities in individual computers, their configurations, browser settings, improperly issued certificates, missing operating system patches, and many other issues.

Ultimately, with Nexpose, Rapid7 is trying to help organizations understand the IT assets they are dealing with and focus on the areas most likely to be security problems. Rapid7 recognizes that as people increasingly bring their phones and other devices into the workplace, IT departments have a harder time knowing where threats might arise.

It's plausible that Nexpose delivers on its premise of saving administrators' time. IT personnel have to put real effort into properly resolving security problems, but the extent or value of that effort is not always well understood by others in the organization.

Nexpose addresses this by sending regularly scheduled reports detailing what needs to be fixed in an organization's environment. (Its vulnerability information comes from sources such as SecurityFocus and Rapid7's own vulnerability database.) At face value, such reports might seem likely to add to the workload. Instead, they include useful, work-reducing features. Along with pointing out problems, they give the steps an administrator should follow to fix them; in some cases these instructions include links to download patches or example code. This should save administrators time not only in identifying problems but also in finding resolutions. The reports also estimate how long each fix should take, so IT staff can budget their time appropriately and plan their work.

Rapid7's penetration testing tool, Metasploit, complements Nexpose not by reporting vulnerabilities but by attacking them. When Metasploit fails to exploit a vulnerability, it reports that result back to Nexpose, which adjusts its vulnerability reporting accordingly: Nexpose no longer flags the finding as an exploitable vulnerability. A practitioner should read that status carefully: a failed attempt means the exploit Metasploit tried did not work against that host, not that the underlying weakness is gone, so such findings are better treated as lower priority than as resolved. Metasploit provides some intriguing features that I'll mention shortly.
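The two paragraphs above describe a loop: a scanner report lists findings with remediation steps and time estimates, a penetration test tries to exploit them, and the results feed back into prioritization. The following is an added example, not Rapid7's code, that models that loop on constructed data. The `Finding` fields, the priority rules (confirmed-exploitable first, untested next, failed-exploit last rather than dropped), and the sample numbers are assumptions for illustration only.

```python
"""Triage of scanner findings with exploit-validation feedback.

Added example, not Rapid7 code. It models the workflow described above
(scan report -> exploit attempts -> adjusted priorities -> time budget)
on constructed data. The Finding fields, the priority rules and the
sample numbers are assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Finding:
    host: str
    vuln_id: str                        # scanner's identifier for the issue
    cvss: float                         # base severity, 0.0 to 10.0
    fix_minutes: int                    # remediation estimate from the report
    exploitable: Optional[bool] = None  # None until a pentest tool has tried


# Constructed sample report (not real scan output)
FINDINGS: List[Finding] = [
    Finding("srv-01", "missing-patch-A", 9.8, 30),
    Finding("srv-01", "weak-tls-config", 5.3, 45),
    Finding("ws-17", "browser-setting-X", 4.0, 10),
    Finding("ws-17", "missing-patch-A", 9.8, 30),
    Finding("db-02", "expired-cert", 6.5, 60),
]

# Constructed validation results, as a pentest tool would push them back:
# (host, vuln_id) -> True if an exploit succeeded, False if every attempt failed
VALIDATION: Dict[Tuple[str, str], bool] = {
    ("srv-01", "missing-patch-A"): True,
    ("ws-17", "missing-patch-A"): False,   # same flaw, but the attempt failed here
    ("db-02", "expired-cert"): False,
}


def apply_validation(findings: List[Finding],
                     validation: Dict[Tuple[str, str], bool]) -> List[Finding]:
    """Attach exploit results. Findings nobody tested keep exploitable=None."""
    for f in findings:
        f.exploitable = validation.get((f.host, f.vuln_id))
    return findings


def priority_key(f: Finding):
    """Confirmed-exploitable first, then untested, then failed-exploit.
    A failed attempt lowers priority; it does not close the finding."""
    rank = {True: 0, None: 1, False: 2}[f.exploitable]
    return (rank, -f.cvss, f.fix_minutes)


def triage(findings: List[Finding]) -> List[Tuple[str, str, Optional[bool]]]:
    """Return (host, vuln_id, exploitable) in the order work should be done."""
    return [(f.host, f.vuln_id, f.exploitable)
            for f in sorted(findings, key=priority_key)]


def plan_work(findings: List[Finding], budget_minutes: int
              ) -> Tuple[List[Finding], List[Finding]]:
    """Fill a time budget in priority order using the report's estimates.
    An item that does not fit is deferred and the search continues, so the
    budget is used fully; everything deferred is visible for the next cycle."""
    scheduled, deferred, remaining = [], [], budget_minutes
    for f in sorted(findings, key=priority_key):
        if f.fix_minutes <= remaining:
            scheduled.append(f)
            remaining -= f.fix_minutes
        else:
            deferred.append(f)
    return scheduled, deferred


if __name__ == "__main__":
    apply_validation(FINDINGS, VALIDATION)
    for row in triage(FINDINGS):
        print(row)
    done, later = plan_work(FINDINGS, budget_minutes=90)
    print("scheduled:", [(f.host, f.vuln_id) for f in done])
    print("deferred:", [(f.host, f.vuln_id) for f in later])
```

Note that the same `missing-patch-A` finding lands at the top of the list on one host and near the bottom on another purely because of the exploit result; the scanner's severity alone would rank them identically.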

Metasploit began as HD Moore's open source exploit development project. Rapid7 acquired it in 2009 and continues to maintain the open source framework. In addition to the open source project's command-line interface, Rapid7 sells a Pro version of Metasploit that comes with a Web-based user interface, making Metasploit accessible to a wider variety of users. The graphical interface automates many tasks, including choosing how many hosts to attack and how aggressive the attacks should be (more aggressive attempts carry a greater risk of disrupting the target).

As with many open source projects, the company behind it (Rapid7) provides commercial support services around Metasploit. The commercial Pro version has a particularly interesting toolset for running social engineering campaigns. In other words, it not only finds technical vulnerabilities but also helps you understand how your systems and data are exposed by the way people act and work.

In a matter of minutes, Rapid7 demonstrated how an administrator could generate an e-mail, to be sent to company employees, that appeared to come from LinkedIn (as the administrator, you define what source the message should appear to come from). The e-mail asked the recipient to follow a link and download a program. Although some people know to be suspicious of such e-mails, many don't think to check where the link goes and will download and install the program without hesitation.

This style of social engineering campaign is a common way for intruders to gain access to systems from outside, spread malware, or otherwise cause harm. A message sent with Rapid7's tool instead delivers an executable with a harmless payload. Because that payload connects back to a built-in Web server, it lets an administrator track what would have happened when users clicked on such a message. Administrators can then see where their exposure lies, devise ways to harden their systems against it, and educate users so that they don't fall prey to a real attack.
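The tracking described above only works if the collector can tell which recipient each click or call-back came from. The following is an added example, not Rapid7's or Metasploit's code, showing one way to do that: each recipient's link carries a token derived from their address with an HMAC, so tokens cannot be guessed or forged by altering someone else's link, and the landing page and the harmless payload both report that token back. The collector URL, the log line format, the demo key, and the sample recipients and log entries are all constructed for illustration.

```python
"""Per-recipient tracking for a simulated phishing campaign.

Added example, not Rapid7 or Metasploit code. It shows the mechanism the
demonstration relies on: each recipient's link carries a token unique to
them, and both the landing page and the harmless payload report that
token to a collector, so clicks and executions can be attributed per
person. The collector path, the log format and the demo key are assumptions.
"""
import hashlib
import hmac
from typing import Dict, Iterable, List, Optional, Tuple

# Fixed key so the example is reproducible; a real campaign would draw one
# from secrets.token_bytes(32) and keep it on the collector only.
CAMPAIGN_KEY = b"demo-campaign-key-not-for-real-use"


def make_token(recipient: str, key: bytes = CAMPAIGN_KEY) -> str:
    """HMAC of the address: a recipient who edits a digit in someone else's
    link cannot produce another valid token."""
    return hmac.new(key, recipient.encode(), hashlib.sha256).hexdigest()[:20]


def build_links(recipients: Iterable[str],
                base: str = "https://update.example.test") -> Dict[str, str]:
    """Map recipient -> the tracking URL embedded in that person's lure."""
    return {r: f"{base}/download?t={make_token(r)}" for r in recipients}


def lookup(token: str, recipients: Iterable[str],
           key: bytes = CAMPAIGN_KEY) -> Optional[str]:
    """Reverse a token to a recipient (constant-time compare per candidate)."""
    for r in recipients:
        if hmac.compare_digest(make_token(r, key).encode(), token.encode()):
            return r
    return None


# Assumed collector log line: "<timestamp> <token> <stage>"
# stage is 'click' (landing page fetched) or 'exec' (payload called home).
def parse_log(lines: Iterable[str], recipients: List[str]
              ) -> Tuple[Dict[str, Dict[str, bool]], int]:
    results = {r: {"clicked": False, "executed": False} for r in recipients}
    unknown = 0
    for line in lines:
        _ts, token, stage = line.split()
        who = lookup(token, recipients)
        if who is None:          # forged or mistyped token, or a scanner probe
            unknown += 1
            continue
        if stage == "click":
            results[who]["clicked"] = True
        elif stage == "exec":    # cannot run the payload without fetching it
            results[who]["clicked"] = True
            results[who]["executed"] = True
    return results, unknown


def summarize(results: Dict[str, Dict[str, bool]]) -> Dict[str, int]:
    return {
        "targeted": len(results),
        "clicked": sum(r["clicked"] for r in results.values()),
        "executed": sum(r["executed"] for r in results.values()),
    }


# Constructed recipient list (not real addresses)
RECIPIENTS = ["alice@example.test", "bob@example.test", "carol@example.test"]


def sample_log() -> List[str]:
    """Constructed collector entries: alice ran the payload, bob only
    clicked, carol ignored the mail, and one hit used a bogus token."""
    a, b = make_token(RECIPIENTS[0]), make_token(RECIPIENTS[1])
    return [
        f"2012-03-05T09:02:11Z {a} click",
        f"2012-03-05T09:02:40Z {a} exec",
        f"2012-03-05T09:10:03Z {b} click",
        f"2012-03-05T11:45:59Z 0123456789abcdef0123 click",
    ]


if __name__ == "__main__":
    for who, url in build_links(RECIPIENTS).items():
        print(who, "->", url)
    res, bad = parse_log(sample_log(), RECIPIENTS)
    print(summarize(res), "unknown tokens:", bad)
```

Keeping "clicked" and "executed" as separate stages is what makes the results useful for training: a user who fetched the page but did not run the download needs a different conversation from one who ran it, and the unknown-token count flags probes or tampering that should not be attributed to any employee.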

Rapid7 was founded in 2000 and is headquartered in Boston, USA. The company currently has about 2,000 customers in 65 countries, including government organizations such as the US Department of Homeland Security and the Department of Defense. Rapid7 recently received nearly $60 million in new funding, which should fuel its growth. I expect that if the company keeps pace with new exploits and takes advantage of the varied resources of its Metasploit community, it will continue to enjoy success with its products.