Interview with Ivan Arce, CTO of Core Security Technologies

Ivan Arce, Chief Technology Officer of Core Security Technologies, sets the technical direction for the company and is responsible for overseeing the development, testing and deployment of all Core products.

Arce, who has three patents to his credit, also writes for numerous technical publications, speaks frequently at industry events and is commonly quoted in industry publications.

He also currently serves as the Associate Editor of the IEEE Security & Privacy Magazine and as a Project Advisor to the Open Web Application Testing Project.

When and with what mission was Core Security Technologies started?

Core Security Technologies was founded in 1996. Our mission is to provide strategic information security solutions to our customers. We believe that today’s information security product and service offerings lack a natural fit with organizational business requirements, creating need in the marketplace that need to be addressed.

We view information security as a three stage iterative process (ASSESS-> PROTECT-> AUDIT) rather than a set of independent technologies and practices. If we assume that 100% bullet proof security is not achievable in any organization (and this is a safe assumption), then our logical conclusion is that the best security strategy is to address security as a streamlined and iterative process that supports and enhances other business processes in a sustainable manner providing:

• visible immediate benefits, and
• a mechanism to reduce risk constantly in each iteration of the process.

In this way, two of the most important infosecurity concerns for C-level executives can be understood and addressed:

• What is the ROI of our infosecurity spending?
• How is the infosecurity spending protecting and enhancing our business today and how it will do so in the future?

That is the ‘strategic’ part of our mission. We provide our solutions based on products and services built from scratch with this view as the guiding principle

Introduce CORE IMPACT. Which platforms does it support?

CORE IMPACT is the first comprehensive penetration testing solution for assessing specific information security threats to an organization. The product is designed to replace expensive, inconsistent manual penetration testing with a professional, state-of-the-art automated penetration testing product. CORE IMPACT goes beyond vulnerability scanners by enabling real-world attacks on IT assets and presenting analysis of information security risks in one comprehensive application.

The product runs on Windows 2000 and XP, and has agent support for Linux, Windows 2000, Windows XP, Solaris, and OpenBSD.

What are the key functions of CORE IMPACT?

CORE IMPACT is a unique software product. It provides a comprehensive and professional framework for penetration testing. Until recently penetration testing was an obscure and almost magical discipline that could only be performed by highly technical and experienced individuals. CORE IMPACT changed that. CORE IMPACT provides an organization’s security or systems administrator with the most advanced penetration testing techniques, including professional grade exploit code for remote and local system compromise and privilege escalation, complete accountability, reporting and clean up capabilities.

And to the expert penetration tester CORE IMPACT provides a framework in which to develop, retain and use information security knowledge in a highly cost-effective manner. Thus improving the quality of work and substantially reducing tedious and time-consuming tasks.

Introduce CORE FORCE . Which platforms does it support?

CORE FORCE is a comprehensive security solution for workstations which are, from a security standpoint, the most overlooked component in an organizations IT infrastructure. CORE FORCE has not been officially released yet at our lab we are actively working in application sandboxing, file system and registry access control mechanisms and network firewalling capabilities for WinNT, Win2k and WinXP based workstations using it.

Your Company is VISA-CISP certified. What are the benefits from this certification?

CORE is one of the very few companies worldwide that is certified by VISA to determine if an organization meets the VISA Cardholder Information Security Program. This program defines VISA’s standard of due care and enforcement of protection mechanisms of customer’s sensitive information.

Compliance with CISP is a mandatory requirement from VISA for its online merchants. Benefits of achieving the certification are both direct, such as being able to operate an e-commerce initiative within defined security standards, and perceived, such as providing a greater level of confidence and assurance to customers with respect to their sensitive information and the security of their transactions.

What security concerns dominate with your clients?

• How do I really know what I am vulnerable to?
• What is my security posture against real-world attackers?
• Why should I spend money on information security? What happened with all the money I already spent? How much more secure am I now?
• How do I make my security staff more effective, efficient and improve their team and personal abilities and knowledge?
• How do I increase the security awareness of my users?
• What did I overlook in my security strategy?
• How do I bake-in security and make it sustainable over time instead of smearing it on my current infrastructure and business, which by the way might change substantially in 1, 2, 5, 10 years?

In your opinion, what operating system is better, when taking a look from the security perspective?

For many years OpenBSD has been the most secure general purpose operating system. It is also free and open-source, which are additional advantages. Many others, both commercial and free, are quickly catching up. But if I had to choose today, from a purely security perspective. I would say that OpenBSD is still the king of the hill.

What are the good and bad things of full disclosure of vulnerabilities?

To me, full disclosure of vulnerabilities is just a tool that can be used for good or evil. It is the USE of that tool by specific individuals or organizations that should be judged, rather than the concept itself.

If used properly, full disclosure will get bugs fixed, will help explain the mechanics of security vulnerabilities and their importance, and ultimately WILL help to reduce the overall risk vulnerabilities pose.

If used improperly, full disclosure will get bugs fixed, will help explain the mechanics of security vulnerabilities and their importance, but ultimately WILL NOT help to reduce the overall risk vulnerabilities pose.

However no disclosure or ‘secret’ disclosure of vulnerabilities has never been proven as a bullet-proof method to get bugs fixed and reduce risk.

So, using this full disclosure tool might be harmful. But NOT using it IS DEFINITELY harmful! So, I do not really see much of a choice.

How much disclosure constitutes full disclosure is a matter of controversy as well, and I do not think one can generalize here. At Core we deal with these issues on a case-by-case basis and try to put forth our best efforts and leverage our extensive experience to work towards minimizing risks.

Name your top five security tools?

vi : The popular UNIX file editor.

I really enjoy reading source code, and I not only look for security bugs but I also try to understand the author’s mind and heart as expressed by his or her code.

Simple, elegant, clearly conceived and implemented code with cleaver techniques is generally also secure code. A simple file editor and enough time on your hands is the best security tool in existence.

You can inspect other people’s code and find bugs, sometimes you can fix the bugs yourself or you can even code your own software that matches your own security standards.

CORE IMPACT : The penetration testing solution

Next in my favorites list. It never ceases to amaze me the amount of knowledge and security expertise poured into this product – and yet it is usable by any regular guy. Besides all the commercial justifications for a product like this – which I shouldn’t be so blatantly promoting :), it gives me a great tool to learn and try new things and ideas that otherwise I would not have had the time to do.

Snort : The network Intrusion Detection System

The closest to perfection in the network IDS space. Given the dedication and unselfish attitude of the snort development team, it is no surprise that they have been able to develop such a high quality tool that can accurately detect when you are under attack. This is not a minor achievement.

Although I believe that no NIDS will ever accurately detect ALL attacks, not even all the ones that exploit known vulnerabilities, I also know that Snort closes the gap between noticed and unnoticed attacks more quickly than any other option. Also, it is free, open-source and has a vast legion of paranoid security fanatics improving it constantly.

PF : OpenBSD’s packet filtering firewall

It is compact, efficient, feature rich, and yet secure. That is an accomplishment for firewall technology.

Nmap : The network swiss knife, err mapper

It is always useful and comes in handy for a wide array of uses.

Your company often releases security advisories. Is the exposure you are receiving as a direct result of the disclosed vulnerabilities, a good “marketing” tool for your products and services?

I think the best marketing tool we have is to demonstrate our security expertise, technical capabilities and the professionalism that everybody at Core possesses. Publishing advisories is a way of showing this, but it does not necessarily translate into direct marketing for our products and services. To disclose vulnerabilities just for the sake of gaining exposure no matter what is not our game. Our goal is to try and provide some benefit to the security community, to help them understand the vulnerabilities and their risk, and to fix them either with what their vendors give them or with their own workarounds. If the reader of our advisories is happy with our free work they would probably consider us for the paid stuff 🙂

In your opinion, how important is penetration testing?

Penetration testing is an underrated practice. If used wisely it can provide instant results that improve one’s security posture in a tangible way. Many organizations are starting to share this belief and we see that happening everyday with new standards and regulations increasingly talking about pen-testing. To further this belief we also see growing interest from all kind of organizations: Fortune 1000 companies, government, military, security consulting boutiques, IT consultants
and even mid-size and small companies.

Like everything else in the infosecurity space, pen-testing is not a silver bullet, but it is really the best way to address the security problem from the viewpoint of the attacker. And that is a requirement if you are serious about your security.

What is your take on the automated vulnerability assessment services?

I see these services as a very useful component to enforce security in organizations that lack the will, focus, expertise or resources to do so in-house. I usually refer to these as automated vulnerability *scanning* services, which is quite different than an assessment. The later implies that the provider understands the risks associated with each vulnerability and how they apply to the particular organization being scanned. This in turn implies a somewhat deeper understanding of its business model and processes, IT infrastructure and human resources. So, in that sense it is not a very scalable or automatable service. But it is definitely a useful one.

However, a common mistake is to think that if you contract an automated vulnerability scanning service you will offload the infosecurity chores from your staff. Well that is the case if you don’t plan to act upon the results of the scans (a bad idea!). But if you do plan to act on the results, then you will face the patch management and distribution problem, which could also be automated, and this means having to decide what to patch and when – and that decision can not be automated without an in-depth understanding of your organization. So, overall a vulnerability scanning service can be of great help to your security if you understand what is the best use for it in your organization.

Wireless networks are more and more replacing the current wired networks. What do you think about the current state of wireless security?

It is very close to non-existent. Wireless security is a very immature field and current solutions are at best ‘weak’. I would expect substantial improvements in the next few years. I am an optimist, I believe in people, even scientists, engineers and businessmen are able to learn from past errors and avoid repeating them. 🙂

What security related books can you suggest to our visitors?

• “Security Engineering: A Guide to Building Dependable Distributed Systems” by Ross J. Anderson
• “Building Secure Software: How to Avoid Security Problems the Right Way” by John Viega, Gary McGraw
• “Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community” by The Honeynet Project (Lance Spitzner et. al.)
• “Honeypots: Tracking Hackers” by Lance Spitzner
• “Computer Security: Art and Science” by Matt Bishop

And certainly the collection of Early Computer Security papers at http://csrc.nist.gov/publications/history/

What should we expect from Core Security Technologies in the future?

You should expect Core Security Technologies to continue providing world-class security expertise in our CORE IMPACT product and our consulting services. CORE IMPACT 4.0 is due out in Q3 2003 and will have some amazing new capabilities.

And we have many other things up our sleeve.