Tyson Kopczynski of NetworkWorld has an article highlighting 6 free tools the security minded shouldn’t live without. He highlights a few of the numerous available tools, but neglects a few foundational security applications. He suggests the following tools (comments added):
- Metasploit – a superb tool! Necessary for everyone. It provides the user with a clear understanding of the true risks of chaining vulnerabilities, provides concrete results, and is led by one of the most brilliant crews around. Be aware this tool should be used with caution on pre-production systems, and only on systems that are redundant.
- Splunk – excellent interface and allows for excellent review of large amounts of data. A great tool if the budget exists – other resources are Zenoss and Nagios systems.
- Google – always great for data mining, but check out the data exploration tool below as an addition to your arsenal
- KeePass – centrally locating your passwords is great, so long as you use a secure key – FYI, this is not a proper alternative to your enterprise’s key management process.
- Helix – Knoppix is a great platform to work from and a top tool in my kit.
- Netwox – Never used this particular tool, but the capabilities speak for themselves.
Check out his full article, which describes their usage and his thoughts on each tool, here.
Personally I would add the following for any individual charged with security responsibilities (who isn’t these days) and for those key individuals tasked with attesting to the state of an environment (so, yes, I would expect auditors for PCI DSS and AICPA / PCAOB efforts to leverage such tools):
- Wireshark (formerly Ethereal) – network sniffer that is superb for network diagnosis and analysis of network traffic (e.g., finding unencrypted communications with cardholder data and such things)
- Nessus – of course, great vulnerability scanner to quickly assess the state of an environment (use in conjunction with deeper assessment tools – such as Metasploit)
- BackTrack – in lieu of a generic LiveCD, this is a great (cheap / free / 0 effort) security environment to get your feet wet, and it is super simple to customize to create your own company / personal security tool environment.
- John the Ripper – test password strength, i.e. truly validate whether passwords are meeting secure settings. Also check out Ophcrack, which comes as a LiveCD and utilizes rainbow tables.
- Wireless – the tools in your kit for testing access point security should include The Shmoo Group (not a tool, but they lead the way in Bluetooth, 802.11, and other channels), Aircrack-ng, and Kismet, and you may experiment with wicrawl (here is a video of their preso at Defcon 15)
- Data exploration – Tyson recommends Google as a discovery tool, and it is an excellent tool (check out here where a custom search identifies SSN and credit card data in cached pages), but there are others. In no particular order of preference, check out SEAT (Search Engine Assessment Tool), an information collection tool, and BiDiBLAH by SensePost ($)
- Extreme packet manipulation (for those with savvy technical backgrounds) is ideal for truly testing the resilience and secure coding practices of the systems on your network. Check out Scapy for such a test.
As an example, PCI DSS Requirement 11, the FFIEC Information Security booklet, and numerous others define the expected level of vigilance that must be maintained.
A long-standing universal reference for security professionals has been this list hosted by Insecure.org (developers of Nmap) – Click here for top 100 tools. This list is based on votes from users of the tools and includes supported platforms, UI, and whether it costs any dough.
Please add comments for the best security tools that address your challenges. Free is preferred, but products with nominal fees can be worth the expense. If any of the above are unknown to you, download them and experiment; it truly is the only way to understand your control environment.