Security Software

Security Probes for New Clients?

archaic0 asks: "I've recently acquired a new client (I do on-call tech work for several companies where I live) who has requested a security audit. In the past I've hired several friends (self-proclaimed security consultants) in the industry to run various exploits and tests for me, but due to the time involved and the cost, I'd like to find a short, introductory-type option to start a new client off with. I recently ran across a program called Retina, by eEye, and I'm quite impressed; however, it comes with a $1400 price tag per use (or $14,000 a year for a bulk license). Can anyone point me to tools they've used to do a pretty well-rounded security scan that can produce detailed reports? I know there is no substitute for a real security professional spending time confirming your network security, but I'd like to have at least one good tool to start a new client off with before throwing a huge security team at them."
  • Re:Nessus (Score:5, Insightful)

    by shfted! ( 600189 ) on Friday February 13, 2004 @03:43AM (#8267480) Journal
    Not "Nuff said." Any security person who uses only one tool is a damned fool!
  • by korpiq ( 8532 ) <-,&korpiq,iki,fi> on Friday February 13, 2004 @04:27AM (#8267611) Homepage
    war-dial all phone numbers of the company looking for rogue modems

    Combine this with talking each answering person into giving their authentication information. I understand the easiest way to achieve that is by telling them you are hired by their company to make a security audit and said authentication information is necessary to point out flaws in their IT security. Not that I'm experienced in the field, but that's what they keep telling 'round the 'net, Mr. Mitnick for instance.

    Have fun!
  • by martin ( 1336 ) <<maxsec> <at> <gmail.com>> on Friday February 13, 2004 @05:37AM (#8267802) Journal

    A proper security audit should include a vuln assessment from the internet, but how about

    1. Dial in lines..
    2. Social engineering - ring someone and say "Hi, I'm the new guy in IT and I've been asked to check everyone's password, can I have yours?" Ring the IT dept: "Hi, I'm Fred from XYZ Sales Inc. We sell firewalls (or whatever), can I spend a few minutes talking about your network security?" And so on.
    3. Do they have a security policy? How do they enforce the policy?
    4. What about disaster recovery?
    5. What happens when the senior IT security is on holiday/off sick and you get a reported breach?
    6. .......

  • Not just tools! (Score:3, Insightful)

    by Anonymous Coward on Friday February 13, 2004 @07:27AM (#8268116)
    Others already posted links to various tools, so I'm not going to repeat that. However, you should be aware that these tools cover only a very small part of what a "security audit" should look into.

    Corporate security is about much more than buffer overflows. Sure, it's worth keeping your PCs patched, but that doesn't mean that you're doing your security right. If I were hiring a contractor to do some sensitive work, I would look very carefully at e.g.

    - physical security (office access controls, guards, cameras)

    - personnel (qualifications, turnover, hiring practices, background checks)

    - policies about acceptable behavior and whether they are followed (e.g. are you allowed to take your work home? is hard disk encryption mandatory for all laptops? can you give "guest accounts" for your friends or ex-employees?)

    - continuity (offsite backups? redundant machines? ability to continue if a key person leaves?)

    A security standard such as BS7799 should give you a more complete list of what matters.
  • by PinglePongle ( 8734 ) on Friday February 13, 2004 @09:13AM (#8268434) Homepage
    Security is a process, not a product (no, I didn't make that up - check Bruce Schneier's company).
    Security is a fairly wide-ranging topic, and involves at least half a dozen different, highly specialized disciplines. You may not need to be particularly thorough in all of them, but if you follow the great advice to use Nessus for network scanning, you may not realize that your client has left a gaping big hole in their ASP code which will allow arbitrary database requests to be executed against your client's database.
    Or, you could have tightened down your network and website, but have no protection against viruses or worms on the desktop. Or there may be a wifi point allowing access to all and sundry. Or the server room may be accessible from the kitchen where many casual staff work. Or your client's CEO's daughter's boyfriend might have access to his PC with a VPN connection that automatically starts without prompting for a password....
    So, yes, it's a good idea to use automated tools to do a basic audit. Nessus is good. You could do worse than read "Hacking Exposed" - it mentions a lot of good tools, both free and commercial, as well as the basic process for conducting a security audit.
    However, make sure your client realizes that a clean bill of health (or fixing the issues your tools reported) does not mean they are "safe", (nor that they can sue you for any breaches that might occur), but rather that their organisation is not vulnerable to the attacks you tested for. If you didn't "test" hiring practices, they have no idea whether they are protected against employee fraud (which is still by far the most common form of computer crime). If you didn't "test" their virus protection policy, they have no idea of how exposed they are to the next email worm.
    And of course, you are never "safe" - new threats emerge every day, and a server that was as safe as Fort Knox yesterday might be more like a crackhouse when the latest spl0it is released. So it's an ongoing process - assess, evaluate, repair, repeat & rinse.
    Now, if your client is a small local firm with family members as employees, who use computers only for non-critical tasks, the "we'll run Nessus once a month" approach might be okay. If they are - oh, say, Microsoft... - that approach is clearly not sufficient.

    Think about the interests of your client - not just in terms of saving them money, but protecting them from risk.
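The "gaping big hole in their ASP code which will allow arbitrary database requests" that the comment above warns a network scanner will miss is a query built by pasting user input into SQL text. The following is an added illustration, not code from the thread or from any product it names: it uses Python's sqlite3 module and a constructed two-column user table as a stand-in for the client's database, and places the broken pattern beside the bound-parameter form a code review would ask for. The test string used to confirm the defect is the well-known tautology that a reviewer feeds a login form; the hardened function treats it as an ordinary literal.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory user table (assumption, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_concat(conn, name, password):
    """The defect: untrusted input becomes part of the SQL text itself.

    Whatever the caller passes can close the quoted literal and append
    its own clauses, so the database executes a query the developer
    never wrote. This is what a network-level scanner cannot see.
    """
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn, name, password):
    """The fix: the SQL text is constant; values travel as bound parameters.

    The driver hands name and password to the engine as data, so quote
    characters in them can never change the shape of the statement.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def demo():
    """Run both variants against the same constructed inputs and report the outcomes."""
    conn = make_db()
    tautology = "' OR '1'='1"  # constructed review input that closes the literal
    return {
        "concat_good": login_concat(conn, "alice", "correct horse"),
        "concat_bad": login_concat(conn, "alice", "wrong"),
        "concat_tautology": login_concat(conn, "alice", tautology),
        "param_good": login_param(conn, "alice", "correct horse"),
        "param_bad": login_param(conn, "alice", "wrong"),
        "param_tautology": login_param(conn, "alice", tautology),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point for an audit report is that both functions return the same answers for honest input; only the review input separates them, which is why an assessment of code has to sit alongside the port-and-patch scan rather than be replaced by it.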

  • Re:Nessus (Score:2, Insightful)

    by ralphus ( 577885 ) on Friday February 13, 2004 @10:42AM (#8268995)
    Agreed completely. I guess I meant that as I took the poster to be asking what's a good single tool that doesn't cost as much as Retina. Furthermore, if you are going to be a damned fool and only use one tool, is there a more comprehensive open source one than Nessus (which is really several tools IMO)?
  • by bpalmer ( 568917 ) on Friday February 13, 2004 @10:18PM (#8276600)
    Frankly, if you have to ask these questions, you should shy away from offering security consulting. Pay someone that lives, eats, sleeps and breathes IT security and you'll serve your customer better. I do IT security work (and only IT security work) for a living. I don't know how many times we've gone into a company that paid someone to do a security assessment, asked to see the previous report and been handed the stock report that NessusWX generates. Invariably when we do our work and write our report detailing the risks the customer feels their previous 'security consultants' cheated them. Often we find massive security issues that for one reason or another the automated scanners don't pick up. It won't do your reputation any good to do a poor job. The ability to do proper analysis is not a black art, but it becomes easier with experience and study.
