Slashdot Mirror


Security Probes for New Clients?

archaic0 asks: "I've recently acquired a new client (I do on call tech work for several companies where I live) who have requested a security audit. In the past I've hired several friends (self-proclaimed security consultants) in the industry to run various exploits and tests for me, but due to the time involved and the cost, I'd like to find a short introductory type option to start a new client off with. I recently ran across a program called Retina, by eEye, and I'm quite impressed however it comes with a $1400 price tag per use (or $14,000 a year for a bulk license). Can anyone point me to tools they've used to do a pretty well-rounded security scan that can produce detailed reports? I know there is no substitute for a real security professional spending time confirming your network security, but I'd like to have at least one good tool to start a new client off with before throwing a huge security team at them."

5 of 40 comments

  1. Some things to try out... by rayamor · Score: 5, Informative

    My company recently purchased an SSL cert from Verisign and recently received an email from http://www.qualys.com (in conj. with our purchase) to perform a web based security scan of internet facing machines, such as web servers. The results and demo reports appeared a bit better than our usual Nessus vulnerability scan, however, Qualys is not free. Try these tools out, for web servers, they have done quite well for my end.

  2. Scanning and Vuln Assessment by NonNullSet · Score: 5, Informative

    Good free ones: nessus, nmap, nikto. Besides Retina, look at Foundstone. There is also Qualys, nCircle and several others (search for vulnerability assessment tools). Make sure that you understand the network topology, especially if firewalls & routers are involved. There are also host-based scanning tools designed to be run on individual systems, primarily to harden them.

  3. Re:Nessus by shfted! · Score: 5, Insightful

    Not "Nuff said." Any security person who uses only one tool is a damned fool!

    --
    He who laughs last is stuck in a time dilation bubble.

  4. Some tools by smoon · Score: 5, Informative

    [links not provided: it is assumed you can google]

    First you'll want "nessus" -- this scans and attempts to exploit vulnerabilities. Comes complete with up-to-date 'signatures' for attacks to ensure that systems are patched or that firewalls are blocking access.

    Second you'll want "GFI Languard" and run that to scan the internal Windows PCs -- it will give a nice report of each machine and patches needed (assuming you've got approval and admin access on the domain). This costs like $1k, but has a 30 day free trial to get the client started. Can also be used to deploy patches.

    If you don't want to use Languard, which is really quite a bit better, you should at least use Microsoft's "Baseline Security" tool. Again, requires admin access, but gives a nice report for each machine you scan.

    nmap is nice to document open ports on machines, particularly so-called DMZ or other firewalled internet-accessible hosts.

    dsniff is a good tool to watch for insecure protocols. Always fun to report that everyone's pop3 password seems to be the same as their domain login password.

    L0phtCrack is good to give a baseline indication of how secure user passwords are. Run it for a set amount of time -- 1 hour say -- using all of the passwords found by dsniff over a day or two as part of its dictionary.

    There's a lot more to do -- check routers etc. for default passwords, war-dial all phone numbers of the company looking for rogue modems and more default passwords, etc. But the tools above should give a pretty good start.

    All of these tools produce reports in some flavor, which you can then combine manually. I assume the client is paying you for the report, so some manual effort is OK.

    Make sure to push for a 'follow-up' audit after the client has remediated the problems.

    --
    "But actually trying to use m4 as a general-purpose language would be deeply perverse" --ESR
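
A small report-combining step for the nmap part of the list above, added here as an example and not code from smoon's post or from any of the tools named: it parses nmap's grepable (-oG) output, lists the open ports per host for the documentation step, and flags services that normally carry credentials in the clear (the pop3 observation above). The sample scan output and the cleartext watch-list are constructed for this example; real runs would feed in the file written by `nmap -oG`.

```python
"""Summarise nmap grepable (-oG) output per host and flag cleartext services.

Added example for the audit-report step; the scan data below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Services that normally carry credentials unencrypted. A constructed
# watch-list for this example, not an exhaustive one.
CLEARTEXT_SERVICES = {"ftp", "telnet", "pop3", "imap", "smtp"}

# Constructed sample of what `nmap -oG -` prints (TEST-NET addresses).
SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample) as: nmap -oG - 192.0.2.0/29\n"
    "Host: 192.0.2.10 (mail.example.test)\tStatus: Up\n"
    "Host: 192.0.2.10 (mail.example.test)\tPorts: 25/open/tcp//smtp///, "
    "110/open/tcp//pop3///, 143/open/tcp//imap///, 443/open/tcp//https///, "
    "993/closed/tcp//imaps///\tIgnored State: filtered (995)\n"
    "Host: 192.0.2.11 (dmz-web.example.test)\tStatus: Up\n"
    "Host: 192.0.2.11 (dmz-web.example.test)\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)\n"
    "Host: 192.0.2.12 ()\tStatus: Down\n"
    "# Nmap done (constructed sample) -- 8 IP addresses (2 hosts up) scanned\n"
)

# "Host: <ip> (<reverse name, possibly empty>)"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")

OpenPort = Tuple[int, str, str]  # (port, protocol, service name)


def parse_gnmap(text: str) -> Dict[str, dict]:
    """Return {ip: {"name", "status", "open": [(port, proto, service)]}}."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # "# Nmap ..." header/footer comment lines
        fields = line.split("\t")  # -oG separates sections with tabs
        match = HOST_RE.match(fields[0])
        if not match:
            continue
        ip, name = match.group(1), match.group(2)
        entry = hosts.setdefault(ip, {"name": name, "status": None, "open": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                for port_spec in value.split(", "):
                    # port/state/proto/owner/service/rpc/version/
                    parts = port_spec.split("/")
                    if len(parts) < 5 or parts[1] != "open":
                        continue  # only document ports nmap saw as open
                    entry["open"].append((int(parts[0]), parts[2], parts[4]))
    return hosts


def cleartext_findings(hosts: Dict[str, dict]) -> List[Tuple[str, int, str]]:
    """Open ports whose service is on the cleartext watch-list."""
    findings = []
    for ip, entry in hosts.items():
        for port, _proto, service in entry["open"]:
            if service in CLEARTEXT_SERVICES:
                findings.append((ip, port, service))
    return findings


def render_report(hosts: Dict[str, dict]) -> str:
    """Plain-text per-host section suitable for pasting into the audit report."""
    lines = []
    for ip, entry in sorted(hosts.items()):
        label = f"{ip} ({entry['name']})" if entry["name"] else ip
        lines.append(f"{label}: {entry['status'] or 'unknown'}")
        for port, proto, service in entry["open"]:
            flag = "   <-- cleartext credentials likely" if service in CLEARTEXT_SERVICES else ""
            lines.append(f"    {port}/{proto} {service}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print(render_report(scan))
    print("\nCleartext services to raise with the client:")
    for ip, port, service in cleartext_findings(scan):
        print(f"  {ip}:{port} ({service})")
```

The closed 993/imaps entry is dropped on purpose: the report documents what is reachable, and a filtered or closed port is not a finding in itself. Adding the Languard or MBSA patch lists per host is a matter of keying them on the same IP and merging into the same dictionary.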

  5. Social engineering considered most efficient by korpiq · Score: 5, Insightful

    war-dial all phone numbers of the company looking for rogue modems

    Combine this with talking each answering person into giving their authentication information. I understand the easiest way to achieve that is by telling them you are hired by their company to make a security audit and said authentication information is necessary to point out flaws in their IT security. Not like I were experienced in the field but that's what they keep telling 'round the 'net, Mr. Mitnick for instance.

    Have fun!

    --
    I think, therefore thoughts exist. Ego is just an impression.