ORLANDO, Fla.—A well-known security consultant on Tuesday urged cash-strapped businesses to consider using free, readily available open-source security tools and applications to help cope with the rising spate of malicious hacker attacks.
In what has become a recurring theme at this years InfoSec World conference here, president and principal consultant at Sph3r3 LLC Matt Luallen said enterprises must embrace the same hacking tools used by the bad guys to find potential faults and vulnerabilities within critical information infrastructure.
“You can use open-source applications alongside commercial applications [to cut down on costs],” Luallen said during a show-and-tell with dozens of toolsets that can handle anything from fault identification to spam detection to incident response.
“There are some open-source utilities that blow away commercial products, and you should take advantage of them.”
“Some of these tools work so well that, at the very least, you should start evaluating them for widespread use in your organization,” Luallen said, seeking to dismiss fears that the absence of product support when using open-source utilities could be a deterrent.
“These open-source tools have better product support—its called Google Groups. If you do a search on Google Groups, in most situations, youll have an international community available with answers round-the-clock.”
“Im not here to tell you that you should get rid of commercial products. There are some fantastic commercial products out there. However, in many cases, it is practical, cheaper and even better to look for an open-source alternative,” Luallen said.
“Remember, the attack utilities are open-source as well. Its important that you understand the tools the bad guys are using to find holes in your system. You have to use those tools, too, and find the same faults.”
During his presentation, Luallen touched on the concept of “Google hacking,” wherein attackers use cunning search queries to uncover security flaws in a business network.
Searching for certain keywords or document extensions can put sensitive corporate data in the hands of the wrong person, and Luallen said businesses should start using the same techniques to pinpoint problem areas.
He recommended SiteDigger 2.0, a free Windows utility from McAfee Inc.s Foundstone unit that automates Google security queries to the Google web service API.
SiteDigger can be used to search Googles cache to look for vulnerabilities, errors, configuration issues, proprietary information and interesting security nuggets on Web sites.
Luallen said popular open-source repositories like Freshmeat.net, SourceForge and Googles Linux search can be used to find thousands of useful security-related utilities.
Next Page: Avoiding the risks.
Avoiding the risks
However, he urged that administrators exercise caution when using new open-source tools because of the risk of downloading tainted files.
Luallen also recommended the use of NetFlow, a traffic profile monitoring technology that has been adopted by companies such as Cisco Systems Inc., Foundry Networks Inc. and Juniper Networks Inc.
NetFlow describes the method for a router to export statistics about the routed socket pairs.
Open-source implementations of the technology can be used to isolate traffic to a single malicious IP address and produce results of traffic to a compromised host.
NetFlow results can also be inverted to see a list of hosts contacted by an attacker.
Also making Luallens list was Spam Assassin, the spam-filtering tool being managed by the open-source Apache Foundation.
Spam Assassin can be used in a business to identify unwanted e-mail and set up routing filters.
“Spam Assassin can run out-of-the-box in 15 to 20 minutes, and its a fantastic product,” Luallen said.
He also urged the audience to get familiar with Nessus, the open-source vulnerability scanner that automates the discovery and testing or security flaws.
Nessus features client-server technology that allows tests to be conducted from various points in the network.
“It has a plug-in architecture that lets you use new vulnerability testing logic, and you can even write your own scanning scripts,” Luallen said.
Luallens open-source security toolset list also included Nikto, a scanner that performs tests against Web servers for potentially dangerous files; WinFingerPrint, which uses SMB to enumerate OS, users, groups, password policies, service packs and hotfixes; IPerf, a bandwidth-measuring utility; and OpenSSL, the open-source effort to develop a full-featured toolkit implementing SLL and TLS protocols.
Luallen also encouraged businesses to pay attention to publicly posted security policies from security research institutions.
“Security is a process, not a product. End-user awareness is a gigantic part of the process,” he said, adding that the SANS Institute and the University of Toronto offer useful policy documents.