Building Your Skills Through Security Tools
In today’s IT industry, any enterprise that employs people, handles data or sells a product is forced to protect itself against unwanted threats. As a result, technology professionals with security backgrounds are always in demand.
As the need for security-knowledgeable professionals has swiftly expanded in recent years, so has the demand for attendant certifications to verify a candidate’s knowledge in the area. Many modern credentials examine a candidate’s knowledge of specific tools or the output these tools deliver to ensure each candidate has the ability to detect, recognize and respond to a security incident.
Regardless of whether you administer security on the Microsoft Windows platform, Linux, UNIX or a specific vendor's version of each, there are many tools in the security space that can help all administrators secure the enterprise, as well as certify their skills. Building your skills with some of these tools can ensure that when an employer seeks a professional with the necessary security skills, you can place yourself at the forefront of that search.
As an aside, please note that the tools being examined in brief here can be used to initiate or simulate an attack on a system to assess its security. As a responsible administrator, it is important you understand the security policy governing your environment and that you examine the impact of running such a scan before performing any kind of security assessment on your corporate network. Some companies carry prohibitive policies toward these types of tools that might require case-by-case management approval.
SensePost Footprint Tools
SensePost (which Secure Data purchased in July) began in 2000 as a consulting firm that specialized in security assessments. Since then, many of the individual tools from the firm’s security research have been released to the public either on an evaluation or a subscription basis.
One of the primary tools released to administrators is “BiDiBLAH,” which forms a platform from which a security administrator can execute myriad functions to perform various types of information attacks. These include:
- Platform and application fingerprinting (using certain types of requests to determine what software is running based on the format of the response).
- Vulnerability scanning (using known types of attacks to determine whether the target system is immune).
- DNS and IP scanning (starting from known information such as a domain name and using DNS and Internet service provider records to learn more about the internal workings of the network).
As a tool, BiDiBLAH was really developed to assist SensePost’s security practice by automating some of the standard methods SensePost security consultants would use to examine a technology infrastructure. Once SensePost had identified a common methodology of testing infrastructures, a software product could take that architecture of testing and build an automated process around it, immediately saving SensePost consultants time in the field.
The commercial applications of such a tool are not merely limited to SensePost’s own consultants, and as a result, the BiDiBLAH tool is available to administrators on a subscription basis.
The framework of SensePost tools is examined in the Certified Ethical Hacker exam, as the tools integrate several core security functions such as operating system and application fingerprinting, remote vulnerability scanning, DNS and NetBlock walking and other concepts. For more information, visit http://www.sensepost.com/research/bidiblah/.
NMap
The NMap security scanner has been available as an open-source product for years.
Originally developed as a command-line UNIX/Linux tool, over the years it has been adapted to Windows and extended to include the ability to export reports in various modern formats, including XML and HTML.
At its core, NMap is an administration tool that rapidly scans enterprise networks. NMap works principally by using remote port probes and service requests to identify the operating system and what services are available on the target computer.
One key feature that sets NMap apart as a critical component of the administrator’s toolbox is the flexibility of the scanning engine — each scan can be customized to scan individual computers or ranges of addresses, to load addresses from a file or to scan a specific DNS name (resolving the name in the process).
Once the target has been specified, an administrator with appropriate rights to the source system (the one from which the scan is being run) can choose from several different attack methods, each of which originates differently on the source system and may use different features of the underlying network protocol. To evade intrusion prevention either on the remote system or on the network itself, the administrator can specify the speed at which probes are run, as well as how the system handles probes that are dropped before reaching the target.
As a result of NMap’s granular control and flexibility as an operating system fingerprinting and port-scanning tool, an administrator can quickly find out whether there are vulnerable or unauthorized services somewhere in the network environment. For more information, visit http://insecure.org/nmap/index.html.
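As an added example (not code from the article or the NMap project), the following Python script reads an NMap XML report (the XML export format mentioned above) and flags open services that the administrator has not documented, which is one way to turn a scan into the "unauthorized services" check the paragraph describes. The report, the host addresses and the allowlist are constructed samples.

```python
# Added example (not from the article or the NMap project): flag open services in an
# NMap XML report (nmap -oX) that are missing from an administrator's allowlist.
# The report below is a constructed sample; addresses are RFC 5737 documentation space.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
  <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
  <port protocol="tcp" portid="25"><state state="filtered"/><service name="smtp"/></port>
 </ports></host>
 <host><status state="up"/><address addr="192.0.2.20" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
 </ports></host>
</nmaprun>"""

# Documented (protocol, port) pairs per host. 192.0.2.20 is absent on purpose:
# an undocumented host means every open port on it is a finding.
ALLOWLIST = {"192.0.2.10": {("tcp", 22), ("tcp", 80)}}


def open_ports(report_xml):
    """Map each IPv4 host to the set of (proto, port, service) NMap reports as open."""
    found = {}
    for host in ET.fromstring(report_xml).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposed services
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            ports.add((port.get("protocol"), int(port.get("portid")), name))
        found[addr.get("addr")] = ports
    return found


def unauthorized_services(report_xml, allowlist):
    """Return sorted (addr, proto, port, service) tuples not covered by the allowlist."""
    findings = []
    for addr, ports in sorted(open_ports(report_xml).items()):
        allowed = allowlist.get(addr, set())
        findings += [(addr, p, n, s) for p, n, s in sorted(ports) if (p, n) not in allowed]
    return findings
```

Calling `unauthorized_services(SAMPLE_REPORT, ALLOWLIST)` on the sample returns the telnet listener on 192.0.2.10 and the RDP listener on the undocumented host 192.0.2.20, while the filtered SMTP port is ignored.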
SolarWinds
At first glance, many security consultants would argue that SolarWinds is not really a security tool — it is a suite of network management software, including Engineer’s Toolset, which focuses on network discovery, analysis and diagnostics; Orion Network Performance Monitor, which provides insight into device monitoring across the network; and LANsurveyor, which completes network mapping and documentation. Part of any security assessment, however, is first gathering intelligence on the network that needs to be examined.
Although SolarWinds’ suite of network assessment tools is not going to be the first tool you reach for to start vulnerability scanning, get an operating system fingerprint or start investigating ports, it is a great place to start to figure out the topology of the network that you will need to examine later.
As any professional involved with security can tell you, even fully documented networks often have connections or devices that are either simply undocumented or not supposed to be connected. As a result, the foundation of later security breaches can start with an undocumented device connection.
A systems administrator’s first line of security review should be periodically assessing exactly how the network is set up, what is connected where and how that connection list compares with associated documentation. For more information, visit http://www.solarwinds.com/.
Security Configuration Wizard
Given the amount of enterprise computing running on a Microsoft platform, it is important that administrators involved in the Windows-based computing space make sure one of the most critical Microsoft tools ever released is in their toolbox. The Security Configuration Wizard is an automated method to secure the underlying platform based on the standard Windows services that are going to run on the server.
On Windows Server 2003 (and 2003 R2), the Security Configuration Wizard is a small tool that uses a large XML database to understand the necessary service, policy and registry changes that implement a given role’s core (default) functions while disabling, securing and closing unnecessary applications.
This system preparation is known in the industry as reducing the attack surface. When you remove unnecessary services or close settings that allow unnecessary communication, you are theoretically reducing the possible number of methods by which a server can be attacked.
Administrators can use provided tool kits to extend the Security Configuration Wizard to create custom roles that might fit specific security requirements of the enterprise or to accommodate specific products that are not natively part of Windows but are common to the computing environment the administrator is attempting to secure. In Windows Server 2008, the Security Configuration Wizard is integrated by default and will assist with implementing security during server roles deployment. For more information, visit http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx.
Ethereal
During the course of an attack, or when you suspect one is occurring, one of the key tasks an administrator needs to perform is monitoring the traffic going to and from a specific host or device to determine whether it fits suspicious patterns. Ethereal is an open-source, multiplatform graphical tool that does exactly that.
Ethereal places an interface in what is known as “promiscuous” mode, in which the network interface listens not just for traffic destined for the local machine but also for any other traffic that is being sent across the network to which the host is connected.
Ethereal can then apply filters or known traffic patterns to attempt to decode what kind of traffic it is, as well as expose the raw packet information for each bit of network traffic for advanced analysis.
One of the unique things about Ethereal is the integration of free “interpreting” filters that can be applied to captured network traffic to examine a conversation according to a specific traffic profile: for example, interpreting the network traffic as HTTP and filtering out all traffic not on the associated ports or not going to the associated servers. This allows the administrator to take a deeper look at how connections and data are being passed back and forth to a specific host on the network.
Ethereal also has some integrated traffic statistical functions and traffic conversation endpoints examination (which gives insight as to which hosts use the network the most). For more information, visit http://www.ethereal.com/.
Metasploit
The Metasploit Project is actually a framework of individual exploit modules that apply a variety of security-related compromise functions within the interface of the Metasploit tool. Administrators can think of Metasploit as a launch tool that loads many discrete modules that can be used from within the tool but might not be directly associated with the parent Metasploit Project.
As Metasploit is another open-source project supported by a community of security professionals and individual developers, there are literally hundreds of modules developed for the framework to build a nearly plug-and-play security assessment tool for any administrator with security responsibilities.
Although fully supported, comprehensive tools such as SensePost’s BiDiBLAH are available to the industry, the real value in Metasploit is its “free” price tag, which enables companies with low security budgets and even those that do not have a formal budget devoted to security protection to obtain basic tools to examine the security and vulnerability of the network infrastructure. Unlike tools such as Ethereal or NMap, which examine the network-based traffic patterns over the network, Metasploit is more geared toward taking advantage of known exploits on an application or service.
The Metasploit Project is a little more advanced than some of the other products, and administrators who would like to take advantage of Metasploit’s vulnerability-testing capability might want to invest some time in the documentation before trying to use the tool to examine their own network integrity. For more information, visit http://www.metasploit.com/.
Hiring a Professional
Although there are a multitude of security tools listed here, and many that were not included (there are entire books on available security tools), it is also important that network or systems professionals recognize when it is time to hire an expert.
A network professional or manager should certainly consider developing a policy by which security assessments are executed against the network environment, particularly environments in which applications are hosted that are exposed to the outside world. If the threat to your infrastructure warrants an outside professional, look for a firm that can provide customer references similar to the size and nature of your company, with preference given to a company with experience in your industry.
Even if your firm is not in the market to examine professional security services, you as an administrator have the opportunity to apply these and other tools to enhance your recognition of security threats, protect your infrastructure and make yourself more valuable to the enterprise.
Wayne Anderson is a highly certified system engineer course developer for Avanade, a global Microsoft consultancy. He can be reached at editor (at) certmag (dot) com.