
Security Probes for New Clients?

archaic0 asks: "I've recently acquired a new client (I do on-call tech work for several companies where I live) who has requested a security audit. In the past I've hired several friends (self-proclaimed security consultants) in the industry to run various exploits and tests for me, but due to the time involved and the cost, I'd like to find a short introductory-type option to start a new client off with. I recently ran across a program called Retina, by eEye, and I'm quite impressed; however, it comes with a $1400 price tag per use (or $14,000 a year for a bulk license). Can anyone point me to tools they've used to do a pretty well-rounded security scan that can produce detailed reports? I know there is no substitute for a real security professional spending time confirming your network security, but I'd like to have at least one good tool to start a new client off with before throwing a huge security team at them."
  • by rayamor ( 245814 ) on Friday February 13, 2004 @02:21AM (#8267145)
    My company recently purchased an SSL cert from Verisign and recently received an email from http://www.qualys.com [qualys.com] (in conj. with our purchase) to perform a web-based security scan of internet-facing machines, such as web servers. The results and demo reports appeared a bit better than our usual Nessus vulnerability scan [nessus.org]; however, Qualys is not free. Try these tools out; for web servers, they have done quite well for my end.
  • You need Nessus (Score:3, Informative)

    by Anaxagor ( 211917 ) on Friday February 13, 2004 @02:29AM (#8267192)
    It's the shit. [nessus.org]
  • by NonNullSet ( 693466 ) on Friday February 13, 2004 @02:33AM (#8267212)
    Good free ones: nessus, nmap, nikto. Besides Retina, look at Foundstone. There is also Qualys, nCircle and several others (search for vulnerability assessment tools). Make sure that you understand the network topology, especially if firewalls & routers are involved. There are also host-based scanning tools designed to be run on individual systems, primarily to harden them.
  • Nessus (Score:4, Informative)

    by ralphus ( 577885 ) on Friday February 13, 2004 @02:33AM (#8267216)
    Check out Nessus [nessus.org]. Nuff said.
  • Some tools (Score:5, Informative)

    by smoon ( 16873 ) on Friday February 13, 2004 @04:08AM (#8267556) Homepage
    [links not provided: it is assumed you can google [google.com]]

    First you'll want "nessus" -- this scans and attempts to exploit vulnerabilities. Comes complete with up-to-date 'signatures' for attacks to ensure that systems are patched or that firewalls are blocking access.

    Second you'll want "GFI Languard" and run that to scan the internal Windows PCs -- it will give a nice report of each machine and patches needed (assuming you've got approval and admin access on the domain). This costs like $1k, but has a 30 day free trial to get the client started. Can also be used to deploy patches.

    If you don't want to use Languard, which is really quite a bit better, you should at least use Microsoft's "Baseline Security" tool. Again, requires admin access, but gives a nice report for each machine you scan.

    nmap is nice to document open ports on machines, particularly so-called DMZ or other firewalled internet-accessible hosts.

    dsniff is a good tool to watch for insecure protocols. Always fun to report that everyone's pop3 password seems to be the same as their domain login password.

    L0phtCrack is good to give a baseline indication of how secure user passwords are. Run it for a set amount of time -- 1 hour say -- using all of the passwords found by dsniff over a day or two as part of its dictionary.

    There's a lot more to do -- check routers etc. for default passwords, war-dial all phone numbers of the company looking for rogue modems and more default passwords, etc. But the tools above should give a pretty good start.

    All of these tools produce reports in some flavor, which you can then combine manually. I assume the client is paying you for the report, so some manual effort is OK.

    Make sure to push for a 'follow-up' audit after the client has remediated the problems.
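Each of the tools above writes its own report format, and the post leaves combining them to the reader. The following is an added example, mine rather than smoon's and not code from nmap or Nessus, that does the first pass of that merge in Python: it reads nmap's -oX XML and a Nessus NBE export, discards any host outside the ranges the client signed off on (so a neighbour's or the ISP's box that answered probes is listed but not assessed), cross-checks every Nessus hit against the ports nmap actually saw open, and prints a per-host list with the worst host first. Both inputs are constructed samples: the NBE record layout (`results|subnet|host|port|plugin|severity|text`) is assumed from memory and should be checked against a real export, the plugin IDs and finding texts are placeholders, and the scope list is made up.

```python
"""Merge nmap -oX output and a Nessus NBE export into one per-host list.
Added example, not from the original post.  NMAP_XML and NESSUS_NBE are
constructed samples (NBE record layout assumed: results|subnet|host|port|
plugin|severity|text); plugin IDs, texts and the scope list are made up."""
import ipaddress
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX scan.xml 192.168.1.0/24" version="3.50">
<host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.1.20" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
<port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
</ports></host>
</nmaprun>
"""

NESSUS_NBE = """\
results|192.168.1|192.168.1.10|http (80/tcp)|11111|Security Hole|Placeholder: web server version has a known remote overflow.
results|192.168.1|192.168.1.10|pop3 (110/tcp)|11112|Security Warning|Placeholder: POP3 server accepts cleartext logins.
results|192.168.1|192.168.1.20|netbios-ssn (139/tcp)|11114|Security Hole|Placeholder: null session allows user enumeration.
results|10.0.0|10.0.0.1|general/tcp|11115|Security Note|Placeholder: host answered probes.
"""

SEVERITY_RANK = {"Security Hole": 3, "Security Warning": 2, "Security Note": 1}
PORT_RE = re.compile(r"\((\d+)/(tcp|udp)\)")

def parse_nmap(xml_text):
    """{ip: [(port, proto, service), ...]} for the ports nmap reported open."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = []
        for p in host.iter("port"):
            if p.find("state").get("state") != "open":
                continue  # closed/filtered ports are noise in the written report
            svc = p.find("service")
            ports.append((int(p.get("portid")), p.get("protocol"),
                          svc.get("name") if svc is not None else "?"))
        hosts[addr.get("addr")] = sorted(ports)
    return hosts

def parse_nbe(text):
    findings = []
    for line in text.splitlines():
        f = line.split("|")
        if f[0] != "results" or len(f) < 7:
            continue  # timestamps and other record types carry no findings
        m = PORT_RE.search(f[3])
        findings.append({"host": f[2], "port": (int(m.group(1)), m.group(2)) if m else None,
                         "plugin": f[4], "severity": f[5], "text": "|".join(f[6:]).strip()})
    return findings

def build_report(nmap_xml, nbe_text, scope_cidrs):
    """Merge both tools' output, keeping only hosts inside the agreed scope."""
    scope = [ipaddress.ip_network(c) for c in scope_cidrs]

    def in_scope(ip):
        return any(ipaddress.ip_address(ip) in n for n in scope)

    hosts = defaultdict(lambda: {"open_ports": [], "findings": [], "worst": 0})
    out_of_scope = set()
    for ip, ports in parse_nmap(nmap_xml).items():
        if in_scope(ip):
            hosts[ip]["open_ports"] = ports
        else:
            out_of_scope.add(ip)
    for f in parse_nbe(nbe_text):
        if not in_scope(f["host"]):
            out_of_scope.add(f["host"])  # e.g. an upstream router: list it, don't assess it
            continue
        entry = hosts[f["host"]]
        # Cross-check: a Nessus hit on a port nmap never saw open deserves a second look.
        seen = {(p, pr) for p, pr, _ in entry["open_ports"]}
        f["confirmed_open"] = (f["port"] in seen) if f["port"] else None
        entry["findings"].append(f)
        entry["worst"] = max(entry["worst"], SEVERITY_RANK.get(f["severity"], 0))
    for entry in hosts.values():
        entry["findings"].sort(key=lambda f: -SEVERITY_RANK.get(f["severity"], 0))
    return {"hosts": dict(hosts), "out_of_scope": sorted(out_of_scope)}

def render(report):
    """Plain-text summary, worst host first, to paste into the written report."""
    lines = []
    for ip, e in sorted(report["hosts"].items(), key=lambda kv: -kv[1]["worst"]):
        lines.append(f"{ip}: open " + ", ".join(f"{p}/{pr} {s}" for p, pr, s in e["open_ports"]))
        for f in e["findings"]:
            note = "  [port not seen open by nmap]" if f["confirmed_open"] is False else ""
            lines.append(f"  [{f['severity']}] plugin {f['plugin']}: {f['text']}{note}")
    if report["out_of_scope"]:
        lines.append("Out of scope, results discarded: " + ", ".join(report["out_of_scope"]))
    return lines

if __name__ == "__main__":
    print("\n".join(render(build_report(NMAP_XML, NESSUS_NBE, ["192.168.1.0/24"]))))
```

In the sample the POP3 finding on 192.168.1.10 is flagged because nmap did not see 110/tcp open; in practice that usually means one scan ran through a firewall the other did not, or the service came and went between scans, and either way it is worth re-checking before it goes in the report. Dropping out-of-scope hosts at this stage, rather than trusting yourself to notice them later, is what keeps a results file from the client's neighbour out of a document with the client's name on it.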
  • Cheap cheap (Score:1, Informative)

    by TheOtherKiwi ( 743507 ) on Friday February 13, 2004 @06:44AM (#8267988) Homepage Journal
    For Windoze systems, check out the Microsoft Baseline Security Analyzer. Although it relies on Windows Update (not a good sign), it can at least check against MS known vulnerabilities. The client can already download and run it, but it can be used as a base level of checking to show how good your "industrial strength" tools are.

    At the end of the day, it's a cost/benefit exercise in trying to balance the client's budget against their paranoia.
  • by WayneConrad ( 312222 ) * <wconradNO@SPAMyagni.com> on Friday February 13, 2004 @09:58AM (#8268677) Homepage

    These guys [edgeos.com] do inexpensive automated scans for a living. They run all the tools you know and love (nessus, nmap, etc.), and can be set to scan on a schedule, or you can do one-offs.

    This is a plug (they're friends), but check it out: It seems to be what you're looking for.

  • by gothzilla ( 676407 ) on Friday February 13, 2004 @11:54AM (#8269818)
    Slightly off topic, but I've done work in vulnerability assessment, forensics, and security testing. The first lesson anyone going into this realm should know is that if you claim that a network is secure and it gets hacked, your credibility goes right into the toilet.

    Make sure you stress heavily that the only secure machine is an unplugged machine and all you can do is look for existing security holes, like missed security updates and firmware or poorly set up computers. Make sure your client understands that most security breaches come from a company's own employees. I've worked on projects that found a company's own network was secure, but their ISP had a security hole that allowed us to completely bypass all their security. I've seen post-its on monitors with username/password written on them. One time we had a guy walk into a bank, claim to be a new employee, and get set up on a terminal with an account. I've seen entire IT departments escorted out of a building by security while the Cisco vans pulled up out front to fix a down network because a router was missing a 6 month old firmware update and some skript kiddie took it down. There's nothing like wiping the grin off of a smug IT Admin's face, but it's a scary business if you don't practice a lot of C.Y.A. or try to claim that someone's network is totally secure.

    Run a firewall, antivirus, and keep software and firmware updated and you won't have to worry about outside attacks so much. No software can find post-its with account info stuck to a monitor.
  • maybe (Score:4, Informative)

    by dtfinch ( 661405 ) * on Friday February 13, 2004 @01:39PM (#8271085) Journal
    These are some of the best security audit tools I know of. Using any of them without written permission, or without giving a good explanation of what they do and what impact they'll have on their network, could subject you to lawsuits or prison.

    nessus will scan for known vulnerabilities. I've heard it's the best, but haven't tried it myself. Be aware that running it will most likely crash some servers.
    nmap will tell you all the open ports on all the systems on the network, and attempt to identify them.
    ethereal will spy on network traffic. Look for suspicious traffic and cleartext passwords that shouldn't be cleartext.
    The Microsoft Baseline Security Analyzer will identify missing patches and weak passwords. Though in my opinion simply running it requires you to be insecure, because it depends on "hidden" administrative shares to access the hard drives of all the systems on the network, which you may wish to disable.
    l0phtcrack and Hydra are popular password crackers, used to detect accounts with weak passwords.

    And like always (assuming they run Windows):
    Check the firewall logs.
    Make sure all security updates are installed.
    Run the IIS lockdown tool on servers running IIS.
    Make sure workstations are free of spyware/adware and other unwanted startup programs.
    Look into the Windows gold standard and other popular security templates intended for locking down workstations and servers.
    Make sure your wireless routers use adequate encryption. WEP is encrypted but uses weak keys.
    Etc. Can go for hours.
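Both this post (Ethereal, "cleartext passwords that shouldn't be cleartext") and smoon's above (dsniff, everyone's POP3 password matching their domain login) come down to the same check. The block below is an added example, mine rather than either poster's and not dsniff's or Ethereal's code, that does a stripped-down version of what those tools do: it reassembles a constructed capture per client/server flow, pulls logins out of POP3, FTP, IMAP and HTTP Basic traffic, and then groups them by password so the "same password everywhere" pattern shows up in the output. Hosts, users, passwords and the packet list are all made up; a real run would read them from a pcap, which is left out so the example runs offline.

```python
"""Flag cleartext logins in captured traffic and spot password reuse.
Added example, not part of the original thread; a simplified stand-in for
what dsniff or a sniffer session shows.  PACKETS is a constructed capture:
(client, server, server_port, payload), payload already reassembled to the
application layer.  Hosts, users and passwords are made up."""
import base64
import re
from collections import defaultdict, namedtuple

Credential = namedtuple("Credential", "user password service client server")

PACKETS = [
    ("10.1.1.5", "192.168.1.10", 110, b"USER alice\r\n"),
    ("10.1.1.5", "192.168.1.10", 110, b"PASS Winter2004\r\n"),
    ("10.1.1.7", "192.168.1.10", 21, b"USER bob\r\nPASS hunter2\r\n"),
    ("10.1.1.5", "192.168.1.30", 80,
     b"GET /intranet/ HTTP/1.0\r\nAuthorization: Basic "
     + base64.b64encode(b"alice:Winter2004") + b"\r\n\r\n"),
    ("10.1.1.9", "192.168.1.10", 143, b'a001 LOGIN carol "s3cret!"\r\n'),
    ("10.1.1.5", "192.168.1.10", 22, b"SSH-2.0-OpenSSH_3.7\r\n"),  # encrypted: nothing to see
]

# POP3 and FTP both use USER/PASS; IMAP uses a tagged LOGIN; HTTP Basic is base64.
# Passwords containing whitespace are not handled (\S+), which is fine for a first pass.
USERPASS_RE = re.compile(r"^USER\s+(\S+)\r?\n(?:.*\r?\n)*?PASS\s+(\S+)", re.M | re.I)
IMAP_LOGIN_RE = re.compile(r'^\S+\s+LOGIN\s+(\S+)\s+(?:"([^"]*)"|(\S+))', re.M | re.I)
BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.M | re.I)

SERVICES = {21: "ftp", 110: "pop3", 143: "imap", 80: "http-basic"}

def reassemble(packets):
    """Glue each client->server:port flow back together in capture order."""
    flows = defaultdict(bytes)
    for client, server, port, payload in packets:
        flows[(client, server, port)] += payload
    return flows

def extract_credentials(packets):
    """Return every cleartext credential found, in the order its flow first appeared."""
    creds = []
    for (client, server, port), data in reassemble(packets).items():
        service = SERVICES.get(port)
        if service is None:
            continue  # not a protocol we know how to read logins from
        text = data.decode("latin-1")
        if service in ("pop3", "ftp"):
            for user, pw in USERPASS_RE.findall(text):
                creds.append(Credential(user, pw, service, client, server))
        elif service == "imap":
            for user, quoted, bare in IMAP_LOGIN_RE.findall(text):
                creds.append(Credential(user, quoted or bare, service, client, server))
        elif service == "http-basic":
            for token in BASIC_RE.findall(text):
                try:
                    user, _, pw = base64.b64decode(token).decode("latin-1").partition(":")
                except ValueError:
                    continue  # malformed header, not a credential
                creds.append(Credential(user, pw, service, client, server))
    return creds

def password_reuse(creds):
    """Map each password seen on more than one (user, service) to those pairs."""
    uses = defaultdict(set)
    for c in creds:
        uses[c.password].add((c.user, c.service))
    return {pw: sorted(u) for pw, u in uses.items() if len(u) > 1}

if __name__ == "__main__":
    found = extract_credentials(PACKETS)
    for c in found:
        print(f"{c.service:10} {c.client} -> {c.server}  {c.user}:{c.password}")
    for pw, where in password_reuse(found).items():
        print(f"password {pw!r} reused by: {where}")
```

Grouping by password, rather than by user, is what makes the reuse finding readable to a client: "this one password opens alice's mail and the intranet" lands harder than a list of captures, and it is also the list you would hand to a cracker as a dictionary, as smoon suggests. Keep in mind that the capture itself is a pile of live credentials; handle and destroy it accordingly.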
  • by vitroth ( 554381 ) <vitroth@cmu.edu> on Friday February 13, 2004 @01:41PM (#8271113)
    If you don't have the budget for Retina, try Nessus. Even eEye recommends it, in this post on bugtraq [securityfocus.com].
  • by mbstone ( 457308 ) on Friday February 13, 2004 @02:01PM (#8271390)
    I wouldn't even attempt a vulnerability scan, let alone touch one of the client's keyboards, unless the client first signed a permission slip -- one that I paid a lawyer to draft.
  • by illectro ( 697914 ) on Friday February 13, 2004 @02:48PM (#8271994)
    It's easily the best product out there with the largest database of detections, and reliable ones at that. Nessus is free and maybe has 2/3 of the database that Qualys has. Everyone else is a distant 3rd, with maybe 1/3 of Qualys' database.
    For a free one-off scan I'd suggest you use Nessus because it costs nothing to set up - just find a spare machine and install Linux, and you can throw away the host after you've finished with it. One major thing to watch out for with vulnerability scanners is that you make sure the host they're installed on is properly secured. I heard about a company that installed Foundstone's application, which needed a Microsoft SQL database to support the app - guess how many vulnerabilities adding that support machine added to their network? Qualys of course doesn't have any setup worries - either they run the scan from their remote servers, or you get one of their cute little 1U boxes, plug it in, give it an IP and it's done.
    The other downside to the Nessus solution is that the presentation and management of the results isn't particularly good; again, that's one thing you see in the enterprise solutions: workflow management for remediation, as well as a lot of nice-looking reports and summaries. If you're scanning your own network the Qualys scanner is a fabulous choice. I think Qualys used to offer a pay-per-scan service, so maybe you could get a deal for a one-time scan. But if it finds any problems with your client then you're going to need to stump up more when the vulnerabilities are supposedly fixed.
    So... maybe setup a nessus box, and maybe take advantage of Qualys free demo scans.
    And make sure you get permission.
    And of course turn off all the nessus tests which crash things.
