Security Probes for New Clients?
archaic0 asks: "I've recently acquired a new client (I do on call tech work for several companies where I live) who have requested a security audit. In the past I've hired several friends (self-proclaimed security consultants) in the industry to run various exploits and tests for me, but due to the time involved and the cost, I'd like to find a short introductory type option to start a new client off with. I recently ran across a program called Retina, by eEye, and I'm quite impressed however it comes with a $1400 price tag per use (or $14,000 a year for a bulk license). Can anyone point me to tools they've used to do a pretty well-rounded security scan that can produce detailed reports? I know there is no substitute for a real security professional spending time confirming your network security, but I'd like to have at least one good tool to start a new client off with before throwing a huge security team at them."
Somethings to try out... (Score:5, Informative)
Re: Qualys is Enterprise Scale (Score:3, Informative)
For a free one-off scan I'd suggest you use Nessus, because it costs nothing to set up - just find a spare machine and install Linux, and you can throw away the host after you've finished with it. One major thing to watch out for with vulnerability scanners is that you ma
Re: Qualys is Enterprise Scale (Score:1)
I'd say clone your production server if you can't afford for it to be down, but DO run the tests that crash things. You do want to know if some bored script kiddie can take your site down with a trivial SYN flood or ping of death.
Qualys is sh*t (Score:2)
Much better to roll your own, because in
Re:Qualys is sh*t (Score:2)
Much better to roll your own, because in the
You need Nessus (Score:3, Informative)
Scanning and Vuln Assessment (Score:5, Informative)
Nessus (Score:4, Informative)
Re:Nessus (Score:5, Insightful)
Re:Nessus (Score:2, Insightful)
Re:Nessus (Score:2)
Re:Nessus (Score:1)
Kids, use many tools. Here's a good list [insecure.org] to start with.
Impressive. (Score:1)
For most companies security is an afterthought that's not worried about until they notice their server's been compromised for a couple of months.
Most impressive, congratulations for finding a clueful employer. I hope the audit goes well.
Some tools (Score:5, Informative)
First you'll want "nessus" -- this scans and attempts to exploit vulnerabilities. Comes complete with up-to-date 'signatures' for attacks to ensure that systems are patched or that firewalls are blocking access.
Second you'll want "GFI Languard" and run that to scan the internal Windows PCs -- it will give a nice report of each machine and patches needed (assuming you've got approval and admin access on the domain). This costs like $1k, but has a 30 day free trial to get the client started. Can also be used to deploy patches.
If you don't want to use Languard, which is really quite a bit better, you should at least use Microsoft's "Baseline Security" tool. Again, requires admin access, but gives a nice report for each machine you scan.
nmap is nice to document open ports on machines, particularly so-called DMZ or other firewalled internet-accessible hosts.
dsniff is a good tool to watch for insecure protocols. Always fun to report that everyone's POP3 password seems to be the same as their domain login password.
L0phtCrack is good to give a baseline indication of how secure user passwords are. Run it for a set amount of time -- 1 hour, say -- using all of the passwords found by dsniff over a day or two as part of its dictionary.
There's a lot more to do -- check routers etc. for default passwords, war-dial all phone numbers of the company looking for rogue modems and more default passwords, etc. But the tools above should give a pretty good start.
All of these tools produce reports in some flavor, which you can then combine manually. I assume the client is paying you for the report, so some manual effort is OK.
Make sure to push for a 'follow-up' audit after the client has remediated the problems.
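The post above says all of these tools produce reports you combine by hand, and that you should push for a follow-up audit after remediation. Here is an added example (not from the poster, not part of the original thread) of doing that for nmap: it parses the XML that `nmap -oX` writes, prints a per-host section that flags cleartext services worth pairing with dsniff, and diffs a baseline scan against a follow-up scan so the report can say what was actually fixed and what new exposure appeared in between. Both XML documents are constructed by hand to mimic nmap's format; the hosts, ports and versions are hypothetical.

```python
"""Combine nmap's XML output into a per-host report and diff a baseline scan
against a follow-up scan.  Added example; the two XML documents below are
constructed by hand in the shape `nmap -sV -oX` writes, not real scan output."""
import xml.etree.ElementTree as ET

# Services that carry credentials in the clear; worth pairing with a sniffer.
CLEARTEXT_SERVICES = {"telnet", "pop3", "ftp", "imap", "rlogin", "rsh"}

# Constructed baseline scan (hypothetical addresses in 192.0.2.0/24).
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 192.0.2.0/29">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="3.4p1"/></port>
      <port protocol="tcp" portid="23"><state state="open"/>
        <service name="telnet"/></port>
      <port protocol="tcp" portid="110"><state state="open"/>
        <service name="pop3"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/>
        <service name="https"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Microsoft IIS httpd" version="5.0"/></port>
      <port protocol="tcp" portid="139"><state state="open"/>
        <service name="netbios-ssn"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed follow-up scan: telnet and NetBIOS were closed, but RDP appeared.
FOLLOWUP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX followup.xml 192.0.2.0/29">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="3.4p1"/></port>
      <port protocol="tcp" portid="110"><state state="open"/>
        <service name="pop3"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Microsoft IIS httpd" version="5.0"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/>
        <service name="ms-term-serv"/></port>
    </ports>
  </host>
</nmaprun>"""


def parse_open_ports(xml_text):
    """Return {ipv4_addr: {(proto, port): service_label}} for open ports only."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        open_ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are noise in a findings list
            svc = port.find("service")
            parts = [svc.get("name", "unknown")] if svc is not None else ["unknown"]
            if svc is not None:
                parts += [v for v in (svc.get("product"), svc.get("version")) if v]
            open_ports[(port.get("protocol"), int(port.get("portid")))] = " ".join(parts)
        hosts[addr_el.get("addr")] = open_ports
    return hosts


def render_report(hosts):
    """Plain-text section per host; flags protocols that send passwords in clear."""
    lines = []
    for addr in sorted(hosts):
        lines.append(f"Host {addr}")
        for (proto, port), label in sorted(hosts[addr].items()):
            flag = "  [cleartext protocol: confirm with dsniff]" \
                if label.split()[0] in CLEARTEXT_SERVICES else ""
            lines.append(f"  {port}/{proto}  {label}{flag}")
    return "\n".join(lines)


def diff_scans(baseline, followup):
    """Open ports that disappeared (remediated) and that appeared (new exposure)."""
    def flat(scan):
        return {(a, p, n) for a, ports in scan.items() for (p, n) in ports}
    before, after = flat(baseline), flat(followup)
    return {"remediated": before - after, "new": after - before}


if __name__ == "__main__":
    base = parse_open_ports(BASELINE_XML)
    print(render_report(base))
    delta = diff_scans(base, parse_open_ports(FOLLOWUP_XML))
    print("Remediated:", sorted(delta["remediated"]))
    print("New since baseline:", sorted(delta["new"]))
```

Keeping the baseline XML from the first engagement is what makes the follow-up report meaningful: the "new" set is the part clients rarely expect, and it is the argument for the recurring scan the thread talks about.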
Social engineering considered most efficient (Score:5, Insightful)
Combine this with talking each answering person into giving their authentication information. I understand the easiest way to achieve that is by telling them you are hired by their company to make a security audit and said authentication information is necessary to point out flaws in their IT security. Not that I'm experienced in the field, but that's what they keep telling 'round the 'net, Mr. Mitnick for instance.
Have fun!
Re:Some tools (Score:2)
GFI is a better bet. Retina really does the job.
Check out the Archives of the pen-test mailing list [securityfocus.com] at SecurityFocus.com
Re:Some tools (Score:1)
Security Audit != vuln assessment via the internet (Score:5, Insightful)
A proper security audit should include a vuln assessment from the internet, but how about
1. Dial in lines..
2. social engineering - ring someone and say "Hi, I'm the new guy in IT and I've been asked to check everyone's password, can I have yours?" Ring the IT dept: "Hi, I'm Fred from XYZ Sales Inc., we sell firewalls (or whatever), can I spend a few minutes talking about your network security?" and so on.
3. Do they have a security policy? How do they enforce the policy?
4. What about disaster recovery?
5. What happens when the senior IT security is on holiday/off sick and you get a reported breach?
6.
Cheap cheap (Score:1, Informative)
At the end of the day, it's a cost/benefit exercise in trying to balance the client's budget against their paranoia.
Not just tools! (Score:3, Insightful)
Corporate security is about much more than buffer overflows. Sure, it's worth keeping your PCs patched, but that doesn't mean that you're doing your security right. If I were hiring a contractor to do some sensitive work, I would look very carefully at e.g.
- physical security (office access controls, guards, cameras)
- personnel (qualifications, turnover, hiring practices, background checks)
- policies about acceptable behavior and whether they are followed (e.g. are you allowed to take your work home? is hard disk encryption mandatory for all laptops? can you give "guest accounts" for your friends or ex-employees?)
- continuity (offsite backups? redundant machines? ability to continue if a key person leaves?)
A security standard such as BS7799 should give you a more complete list of what matters.
Really think about whether this is a good idea... (Score:5, Insightful)
Security is a fairly wide-ranging topic, and involves at least half a dozen different, highly specialized disciplines. You may not need to be particularly thorough in all of them, but if you follow the great advice to use Nessus for network scanning, you may not realize that your client has left a gaping big hole in their ASP code which will allow arbitrary database requests to be executed against your client's database.
Or, you could have tightened down your network and website, but have no protection against viruses or worms on the desktop. Or there may be a wifi point allowing access to all and sundry. Or the server room may be accessible from the kitchen where many casual staff work. Or your client's CEO's daughter's boyfriend might have access to his PC with a VPN connection that automatically starts without prompting for a password....
So, yes, it's a good idea to use automated tools to do a basic audit. Nessus is good. You could do worse than read "Hacking Exposed" - it mentions a lot of good tools, both free and commercial, as well as the basic process for conducting a security audit.
However, make sure your client realizes that a clean bill of health (or fixing the issues your tools reported) does not mean they are "safe", (nor that they can sue you for any breaches that might occur), but rather that their organisation is not vulnerable to the attacks you tested for. If you didn't "test" hiring practices, they have no idea whether they are protected against employee fraud (which is still by far the most common form of computer crime). If you didn't "test" their virus protection policy, they have no idea of how exposed they are to the next email worm.
And of course, you are never "safe" - new threats emerge every day, and a server that was as safe as Fort Knox yesterday might be more like a crackhouse when the latest spl0it is released. So it's an ongoing process - assess, evaluate, repair, repeat & rinse.
Now, if your client is a small local firm with family members as employees, who use computers only for non-critical tasks, the "we'll run Nessus once a month" approach might be okay. If they are - oh, say, Microsoft...- that approach is clearly not sufficient.
Think about the interests of your client - not just in terms of saving them money, but protecting them from risk.
These guys do scans for a living (Score:4, Informative)
These guys [edgeos.com] do inexpensive automated scans for a living. They run all the tools you know and love (nessus, nmap, etc.), and can be set to scan on a schedule, or you can do one-offs.
This is a plug (they're friends), but check it out: It seems to be what you're looking for.
On the cheap (Score:4, Funny)
If you are really wanting to do a thorough job on the cheap, there are various places on the net where you can get a team of experts on it for no charge, just by posting their IP addresses, etc.
Reporting is a problem though.
-- MarkusQ
P.S. Hint for the humour-challenged: this is the kind of post that comes with a "hint for the humour-challenged" attached.
No tool will give you an audit... (Score:2, Interesting)
things to look out for (Score:2, Informative)
Make sure you stress heavily that the only secure machine is an unplugged machine and all you can do is look for existing security holes, like missed security updates and firmware or poorly set up computers. Make sure your client understands tha
Hit them upside the head with a 2x4 (Score:2)
Re:Hit them upside the head with a 2x4 (Score:2)
This tactic may get you one job because they're afraid of blackmail/extortion, but that's it. If you set things up with the client properly the first time, you could have a scan-every-six-months client for life.
Re:Hit them upside the head with a 2x4 (Score:4, Informative)
hackersafe / scanalert (Score:2)
maybe (Score:4, Informative)
nessus will scan for known vulnerabilities. I've heard it's the best, but haven't tried it myself. Be aware that running it will most likely crash some servers.
nmap will tell you all the open ports on all the systems on the network, and attempt to identify them.
ethereal will spy on network traffic. Look for suspicious traffic and cleartext passwords that shouldn't be cleartext.
The Microsoft Baseline Security Analyzer will identify missing patches and weak passwords. Though in my opinion simply running it requires you to be insecure, because it depends on "hidden" administrative shares to access the hard drives of all the systems on the network, which you may wish to disable.
l0phtcrack and Hydra are popular password crackers, used to detect accounts with weak passwords.
And like always (assuming they run Windows):
Check the firewall logs.
Make sure all security updates are installed.
Run the IIS lockdown tool on servers running IIS.
Make sure workstations are free of spyware/adware and other unwanted startup programs.
Look into the Windows gold standard and other popular security templates intended for locking down workstations and servers.
Make sure your wireless routers use adequate encryption. WEP is encrypted but uses weak keys.
Etc. Can go for hours.
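The post above suggests watching network traffic for cleartext passwords, and an earlier post in this thread ("Some tools") suggests feeding the passwords dsniff collects into a cracker's dictionary and reporting when the POP3 password matches the domain login. Here is an added example (mine, not the poster's, and not dsniff or Ethereal code) of the extraction step: it walks client-to-server TCP payloads, pulls credentials out of POP3/FTP USER/PASS, IMAP LOGIN and HTTP Basic headers, reports passwords reused by the same user across services, and emits the unique passwords as a wordlist. The five captured streams are constructed by hand with hypothetical addresses and accounts; in practice you would feed it reassembled streams from a capture file.

```python
"""Pull cleartext credentials out of captured client payloads, the way a
sniffer such as dsniff does, then look for reuse and build a cracking
wordlist.  Added example with constructed sample data; nothing here is
real traffic or a real account."""
import base64
import re

# Constructed streams: (client, server, server port, client->server bytes).
SAMPLE_STREAMS = [
    ("10.1.1.20", "10.1.1.5", 110, b"USER jsmith\r\nPASS Summer2003\r\nSTAT\r\n"),
    ("10.1.1.21", "10.1.1.5", 21, b"USER backup\r\nPASS backup\r\nPWD\r\n"),
    ("10.1.1.22", "10.1.1.7", 80,
     b"GET /admin/ HTTP/1.0\r\nHost: intranet\r\nAuthorization: Basic "
     + base64.b64encode(b"jsmith:Summer2003") + b"\r\n\r\n"),
    ("10.1.1.23", "10.1.1.5", 143, b'a001 LOGIN mary "p@ss word"\r\n'),
    # Encrypted session: nothing recoverable, must not produce a finding.
    ("10.1.1.24", "10.1.1.5", 22, b"SSH-2.0-OpenSSH_3.4p1\r\n\x00\x00\x01\x7c"),
]

USER_RE = re.compile(r"(?i)^USER\s+(\S+)")
PASS_RE = re.compile(r"(?i)^PASS\s+(\S+)")
IMAP_LOGIN_RE = re.compile(r'(?i)^\S+\s+LOGIN\s+(\S+)\s+(?:"([^"]*)"|(\S+))')
HTTP_BASIC_RE = re.compile(r"(?i)^Authorization:\s*Basic\s+(\S+)")


def _label(dport):
    """Name the USER/PASS dialect from the server port."""
    return {110: "pop3", 21: "ftp"}.get(dport, f"tcp/{dport}")


def extract_credentials(stream):
    """Return [{src, dst, protocol, user, password}] found in one stream."""
    src, dst, dport, payload = stream
    text = payload.decode("latin-1")  # never fails, keeps byte values intact
    found, pending_user = [], None
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            pending_user = m.group(1)
            continue
        m = PASS_RE.match(line)
        if m and pending_user:
            found.append((_label(dport), pending_user, m.group(1)))
            pending_user = None
            continue
        m = IMAP_LOGIN_RE.match(line)
        if m:
            pw = m.group(2) if m.group(2) is not None else m.group(3)
            found.append(("imap", m.group(1), pw))
            continue
        m = HTTP_BASIC_RE.match(line)
        if m:
            try:
                decoded = base64.b64decode(m.group(1)).decode("latin-1")
            except ValueError:  # binascii.Error is a ValueError
                continue
            user, _, pw = decoded.partition(":")
            found.append(("http-basic", user, pw))
    return [{"src": src, "dst": dst, "protocol": p, "user": u, "password": pw}
            for p, u, pw in found]


def password_reuse(creds):
    """{(user, password): {(protocol, server), ...}} seen on >1 service."""
    seen = {}
    for c in creds:
        seen.setdefault((c["user"], c["password"]), set()).add((c["protocol"], c["dst"]))
    return {k: v for k, v in seen.items() if len(v) > 1}


def build_wordlist(creds):
    """Unique sniffed passwords, ready to prepend to a cracker's dictionary."""
    return sorted({c["password"] for c in creds})


if __name__ == "__main__":
    creds = [c for s in SAMPLE_STREAMS for c in extract_credentials(s)]
    for c in creds:
        print(f"{c['src']} -> {c['dst']} {c['protocol']}: {c['user']} / {c['password']}")
    for (user, _), where in password_reuse(creds).items():
        print(f"REUSE: {user} uses the same password on {sorted(where)}")
    print("wordlist:", build_wordlist(creds))
```

The reuse check is the finding the client understands: the same sniffed POP3 password turning up in an HTTP Basic header to the intranet is exactly the "everyone's POP3 password is their domain password" situation, and the wordlist is what you hand the cracker before the timed run.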
Even eEye recommends Nessus (Score:2, Informative)
Tools... (Score:2)
Also try Nessus (http://www.nessus.org) on the free side of things.
-Jack Ash
If you have to ask, don't. (Score:4, Insightful)
Re:Tough Crowd. (Score:2)
I am working with a client now that doesn't understand technology at all and has paid $900 for a VeriSign cert and installed a BlackICE firewall with a default accept policy and thinks he is rock-solid secure. He didn't listen closely to the vendors who sold him those products and thought he was secure.