The Greatest Free Security Tools, by James DeLuccia

Tyson Kpczynski of NetworkWorld has an article highlighting 6 free tools you shouldn’t live without for the security minded.  He highlights a few of the numerous available tools, but neglects a few foundation security applications.  He suggests the following tools (comments added):

  • Metasploita superb tool!  Necessary for everyone.  It provides the user with a clear understanding of the true risks of chaining vulnerabilities, provides concrete results, and is lead by one of the most brilliant crews around.  Be aware this tools should be used with caution on pre-production systems, and only on systems that are redundant.
  • Splunkexcellent interface and allows for excellent review of large amounts of data.  A great tool if the budget exists – other resources are Zenoss and Nagios systems
  • Googlealways great for data mining, but check out the data exploration tool below as an addition to your arsenal
  • KeePasscentrally locating your passwords is great, so long as you use a secure key – fyi this is not a proper alternative to your enterprises key management process.
  • HelixKnoppix is a great platform to work from and a top tool in my kit.
  • NetwoxNever used this particular tool, but the capabilities speak for themselves.

Check out his full article which describes their usage and his thoughts of each tool here.
Personally I would add the following to any individual charged with security responsibilities (who isn’t these days) and to those key individuals tasked with attesting to the state of an environment (so, yes I would expect auditors for PCI DSS and AICPA / PCAOB efforts to leverage such tools):

  • WireShark (formerly Ethereal) – network sniffer that is useful for superb network diagnosis and analysis of network traffic (i.e. finding decrypted communications with cardholder data and such things)
  • Nessus – of course, great vulnerability scanner to quickly assess the state of an environment (use in conjunction with deeper assessment tools – such as Metasploit)
  • BackTrack in lieu of a generic LiveCD this is a great – cheap / free / 0 effort – security environment to get your feet wet and super simple to customize to create your own company / personal security tool environment.
  • John the Ripper – test password strength – i.e. truly validate whether passwords are meeting secure settings.  Also check out ophrack which comes as a LiveCD and utilizes Rainbow tables.
  • Wireless testing of access point security tools in your kit should include – The Shmoo Group (not a tool, but they lead the way in bluetooth, 802.11, and other channels), Aircrack-ng, Kismet, and you may experiment with wicrawl (here is a video of their preso at Defcon 15)
  • Tyson recommends Google as a discovery tool, and it is an excellent tool (check out here where a custom search identifies SSN and credit card data in cached pages), but there are others – in no particular order of preference check out SEAT (Search Engine Assessment Tool) Information collection tool, and Bidiblah by Sensepost ($)
  • Extreme packet manipulation (for those with savy technical backgrounds) is ideal for truly testing the resilience and secure coding practices of the systems on your network.  Check out Scapy for such a test.

PCI DSS Requirement 11, FFIEC Information Security booklet and numerous others define the expected level of vigilance that must be taken, as an example.

A long standing universal reference for security professionals has been this list hosted by Insecure.org (developers of NMAP) – Click here for top 100 tools.  This list is based on votes from users of the tools and includes supported platforms, UI, and whether it costs any dough.

Please add comments for the best security tools that address your challenges.  Free is preferred, but products with nominal fees can be worth the expense.  If any of the above are unknown to you – download them and experiment, it truly is the only way to understand your control environment.

Best,

James DeLuccia

Advertisements

2 responses to “The Greatest Free Security Tools, by James DeLuccia

  1. Great post! Adding to your list above I would also add OSSIM, nikto, Snort, Autopsy, and Sleuthkit.

  2. The best information i have found exactly here. Keep going Thank you

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s