In June 2014, a thriving, cloud-based code-hosting service was obliterated overnight with literally just a few clicks.

New Jersey-based Code Spaces was brutalized by an attack that rendered the company a real-life victim of what has become the “nightmare scenario” for any business that uses cloud services. First, hackers gained access to the control panel the company used to operate its Amazon-based infrastructure. Then they denied Code Spaces access to its own system. Once in total and complete control, the digital extortionists demanded a hefty ransom.

When Code Spaces refused to pay, the criminals deleted their data, their backups, their machine configurations — even their offsite backups. With their data and backups gone, their customers left without the product for which they paid, and their reputation irreparably shattered, the company was left with no choice but to release the following statement before disappearing forever:

“Code Spaces will not be able to operate beyond this point. The cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for will put Code Spaces in an irreversible position both financially and in terms of ongoing credibility.”

Penetration-Testing Software and the Metasploit Project

Penetration-testing software is designed to enable legitimate businesses to launch attacks similar to the one that crippled Code Spaces — on themselves.

Acquired by Rapid7 in 2009, Metasploit is the most widely used penetration-testing software in the world. In an effort to level the playing field between hackers and the entities they target, Metasploit provides companies with the vulnerability information — or “exploits” — that hackers acquire illegally on the black market.

By using these exploits to attack their own systems, businesses can identify their systems’ weaknesses.

The Metasploit Community and Security Dominance

The backbone of the Metasploit Project is the Metasploit Framework, an open-source software platform for developing, testing and executing dangerous exploits. Aside from Metasploit’s payroll, which is stacked with global security experts, many of its biggest innovations come from the broader, volunteer Metasploit community. These individuals contribute as a way to publish and document their research, to fight back against hackers who have victimized them, to get noticed by employers who are hungry for untapped talent, or simply to achieve Internet stardom.

The result? According to Wired, Metasploit is “A website that lists every known security hole in every piece of popular software on Earth and serves up software that lets anyone exploit all those holes.”

An expert remarked in the same article that at most of the major security conferences, “half the screens you see are running Metasploit. They’re either using it to demonstrate that they can do something using Metasploit or that they’re proving that they can protect against something.”

Is Metasploit the Solution, or Only a Piece of the Puzzle?

So in a world laden with modern security minefields such as cloud-based computing, bring-your-own-device corporate culture and remote hosting and storage, can — or should — penetration-testing software in general and Metasploit specifically replace the human-being-based security consultations on which businesses have traditionally relied?

Well, one clear lesson from the Code Spaces disaster, according to one expert, is that the company put all of its eggs in the same basket when it came to its security apparatus. Among other things, it placed all crucial elements of access in a single control panel.

So why would investing everything in the admittedly awesome, yet singular power of Metasploit be any safer if no human-based redundancies, checks or balances were in place?

In the very same article, Metasploit’s own engineering manager, Tod Beardsley, admitted that no software can replace the human touch needed for precautions such as enforcing two-factor authentication for logins to critical infrastructure, limiting privileged access, and establishing local control of irreplaceable intellectual property.

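One way to put the first two of those precautions into practice on an AWS account like the one Code Spaces ran, as an added example that is not from the article, from Rapid7 or from Code Spaces: an IAM policy that refuses the destructive API calls used against Code Spaces unless the session authenticated with a second factor, and refuses deletion of the backup bucket outright, whoever asks. The bucket name is a placeholder; the condition key and action names are AWS’s own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDestructiveActionsWithoutMFA",
      "Effect": "Deny",
      "Action": [
        "ec2:TerminateInstances",
        "ec2:DeleteSnapshot",
        "ec2:DeleteVolume",
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    },
    {
      "Sid": "NeverDeleteOffsiteBackups",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::EXAMPLE-backup-bucket",
        "arn:aws:s3:::EXAMPLE-backup-bucket/*"
      ]
    }
  ]
}
```

Because an explicit Deny overrides any Allow, this policy can sit beside the existing administrator permissions rather than replace them; the stolen control-panel credentials alone would then no longer have been enough to wipe the backups.
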
Metasploit in the Home and the Internet of Things

Metasploit could prove to be the magic bullet for a security dilemma that is an obsession of the security world even though it’s not yet much more than a concept: The Internet of Things (IOT). Connecting the common items of everyday life to the online world (think coffeemakers that tweet and refrigerators that remind you on Facebook that your milk is about to expire) is moving out of the conceptual stage — and hackers are moving with it.

Already, a new Linux worm that targets cameras, routers and other IOT devices has highlighted Metasploit’s potential as a powerhouse for addressing the IOT’s security pitfalls.

For individual people — who don’t necessarily have the time or know-how to continuously and meticulously update their computers — maintaining security on connected fish tanks and freezers may seem like a hill not worth climbing. If Metasploit could spare them that headache, however, it can certainly do the same for businesses whose printers and copiers are already online.

The incredible, collaborative power of the Metasploit Project has put a remarkable degree of power in the hands of businesses, both for diagnosing and for fixing the problems that exist in their security networks. The reality is, however, that human beings are behind every hack, and no software — not even Metasploit — can act as a substitute for a defense backed up by human intuition and human interaction. In the end, Metasploit is merely a large piece of a puzzle — a puzzle that still requires a human touch.