Security Tools and Information

From Consultancy.EdVoncken.NET

Information Security (InfoSec for short) is a very broad field of expertise. There is a lot of snake oil on the market (like "unbreakable" encryption). Remember to use your brain when evaluating products.

Contents 1 Tools of the trade 2 Defending against crackers and script kiddies 2.1 Vulnerability Scanning 2.2 Auditing 3 Security impact of Virtualization 4 Network Security 5 Intrusion Detection 5.1 HIDS 5.2 NIDS 5.2.1 Snort 5.2.2 Honeypots 6 Forensic tools 6.1 Extracting data from mobile phones 7 Linux Security 8 OpenBSD Security 8.1 See Also 9 Windows Security 9.1 Password auditing and recovery 9.2 Miscellaneous 10 Identity

Interesting reading:

• Stupid Security
• SANS and their Reading Room
• DoxPara Research
• Secunia - Vulnerability and Virus Information

Miscellaneous articles and tools:

• The Six Dumbest Ideas in Computer Security, by Marcus Ranum
• Artificial Ignorance, by Marcus Ranum
• WikID Two-Factor Authentication (Open Source)

[edit] Tools of the trade

• Top 100 Network Security Tools

[edit] Defending against crackers and script kiddies

You really cannot prevent an attack; however, you can defend your assets in several ways (layered defense) to minimize the damage they can do:

• Put a firewall at your network perimeter
  • Filter both outgoing and ingoing traffic (egress and ingress filtering)
  • Use a "default deny" policy, also known as "whitelisting"
  • Remember that a firewall is only a small part of your total defense
• Keep your systems updated with regard to security patches (applications too!)
• Disable unneeded services; they open an attack vector

Think of the "Trust, but Verify" mantra:

• Perform regular audits to verify their effectiveness

[edit] Vulnerability Scanning

• Nessus
• Internet Security Scanner

Some background on the vulnerabilities you may find:

• Open Source Vulnerability Database
• CVE - Common Vulnerabilities and Exposures

[edit] Auditing

Auditing is an important tool to help you improve security. Some Linux-based Live CD's with a large selection of security-related tools:

• Security Tool Distribution (based on Knoppix)

• BackTrack is the result of merging Auditor and Whax:
  • Auditor
  • WHAX (based on SLAX, was called Whoppix while based on Knoppix)

[edit] Security impact of Virtualization

• Compatibility is Not Transparency: VMM Detection Myths and Realities (PDF) - detecting rootkits that use virtualization technology.

[edit] Network Security

• pfSense - Firewall appliance, based on FreeBSD and PF. Strongly recommended!
• Juniper NetScreen-5 Series
• NIDS - Network Intrusion Detection Systems
  • Snort (bleeding edge rulesets can be found at Emerging Threats)

Internet technology is not immune from attack:

• DNS Cache Snooping
• Talisker Radar
• Promiscuous Mode IP Accounting

[edit] Intrusion Detection

Two main flavors:

• Host Intrusion Detection System (HIDS)
• Network Intrusion Detection System (NIDS)

[edit] HIDS

• Log analysis
• Port Scan Attack Detector, spun off from Bastille Linux
• Sentry Tools - Portsentry. Originally created by Psionic (acquired by Cisco)

[edit] NIDS

There are two approaches to Network Intrusion Detection: at the macroscopic or microscopic level.

• Tools like Snort intercept and classify all network traffic; it works at the macro level. By design, most of the traffic being intercepted is legitimate; the bad traffic needs to be filtered out.
• Honeypots are "dummy" hosts in your network that look like a legitimate host. They attract malicious traffic. By design, they do not normally receive any legitimate data, so most (if not all) traffic must be malicious in nature.

The accuracy of a Traffic Intercept NIDS (Snort) depends on the quality of the signatures. In contrast, a Honeypot can be used to trigger an alert on reception of any traffic since it is most likely malicious in nature.

[edit] Snort

Snort and Snort signature management

• Snort - the best (Open Source) NIDS around
• Oinkmaster updates and manages your Snort signatures
• Bleeding Snort - latest Snort signatures

Snort/IDS consoles

• Aanval - a very nice, commercial Snort frontend (multiple sensors, syslog analysis etc.)
• Sguil - an open source Snort frontend, better than ACID (ACID -> BASE -> Aanval)
• OSSIM

[edit] Honeypots

Honeypots are an active form of intrusion detection; they simulate a valuable yet unprotected target. Honeypots normally do not receive any data (they are not part of your production environment). This means that most if not all traffic must be malicious in nature. Honeypots allow you to detect attacks in an early stage.

[edit] Forensic tools

[edit] Extracting data from mobile phones

• TULP2G - short for "Telefoon Uitlees Programma, 2e Generatie"
• Gammu

[edit] Linux Security

IT-Security in an online world is extremely important. All my servers run RedHat Linux (actually, the CentOS derivate), so I'll concentrate on Linux security here.

First of all, make sure that you have a proper firewall that blocks most of the unwanted traffic. I personally like OpenBSD's pf a lot. Hopefully it is ported to Linux soon...

Keep your software up to date at all times; especially the services (like HTTP and PHP) that are facing the Internet.

For Apache, there is a nice module called mod_security.

Most attacks on Unix boxes seem to concentrate on PHP applications nowadays.

[edit] OpenBSD Security

At work, we use PF-based OpenBSD firewalls.

[edit] See Also

• PF Homepage
• Peter Hansteen's "Firewalling with OpenBSD's PF Packet Filter" lecture
• Firewall Failover with pfsync and CARP
• OnLAMP interviewed the main PF developers (part 1, part 2).

[edit] Windows Security

[edit] Password auditing and recovery

• Cain & Abel password recovery tool - very powerful, and free!
• LCP - password auditing and recovery

[edit] Miscellaneous

• SiteAdvisor rates download sites for adware/spyware - promising! (read their blog too)

[edit] Identity

Protect your online identity - use a fake one ;-)

• Fake Name Generator
• Credit card generator (cannot be used to buy stuff, rest assured)