Top tools for testing your online security, part 2

Michael Cobb explains what tools are helpful in maintaining Web security, including security scanners, benchmarking tools, monitoring services and online resources.

by Michael Cobb

Top tools for testing your site's security and defenses

The following tools help you analyze your security status in more detail and find indications of a system compromise.

Security scanners
You can't rely solely on patches to keep your system secure, but a good security scanner will help you find the holes that hackers exploit. The scanner typically launches probes, collects results and compares the results with a database of vulnerability fingerprints. In this sense, a security scanner is similar to a virus scanner but more introspective, determining whether devices comply with established security policy. Good vulnerability scanners provide documentation about the nature of any vulnerability found and links to further information and fixes, as well as regularly updated vulnerability checklists. In addition to commercial scanners, there are public-domain vulnerability scanners, such as ShieldsUP! (www.grc.com) and nmapNT (www.eeye.com).

Even if your system is initially set up in a perfectly secure and pristine state, it will degrade over time. The more people with access to a system, the faster this degradation occurs. Therefore, the more administrators you have, the more often you should audit. Security scanning helps you audit the system to verify that your intended configuration is effective and up to date.

Benchmarking tools
Wouldn't it be great if you could see how other security experts have configured their Web servers, and then check to see whether your setup matches the industry best practice? The Center for Internet Security (CIS) (www.cisecurity.org) is defining consensus best-practice security configurations for computers connected to the Internet. Their free Benchmark and Scoring Tools provide a quick and easy way to evaluate a system and compare its level of security against minimum due care security benchmarks, which are kept up to date as new vulnerabilities are discovered.

Various reports guide you in how to harden both new and active systems while monitoring them to ensure that security settings continuously conform to the configuration specified in the benchmark. You can benefit from this knowledge, expertise and experience for free, so don't waste the opportunity. By demonstrating compliance with an accepted security standard, you can help protect yourself from prosecution or regulatory sanction.

Monitoring services
Many organizations outsource the job of monitoring and testing their Web site's security to a managed security service provider. The advantage of outsourcing these services is immediate access to experienced security specialists. This can ease problems of staff costs or shortages, because it reduces the number of skill sets your security department personnel need. The service level agreement will be an important part of the contract between you and your service provider, so look for firm commitments rather than vague assurances. The agreement should at least specify the following:

  • 24/7 services
  • Response times
  • Customer reports
  • Lapse times for policy changes
  • Financial penalties for poor performance

Other useful tools, available for free, include those for mapping listening TCP/UDP ports to the program listening on those ports. TCPView and several other monitoring programs can be downloaded from www.sysinternals.com. A good file integrity checking tool is Osiris, available from http://www.hostintegrity.com. Microsoft offers pulist and pstat, which show detailed information about running processes, along with other Windows 2000 Resource Kit Tools.

Help is out there -- Useful sites and services
It is imperative that you stay informed about security issues and take time each day to visit sites such as SearchSecurity, SANS, CERT and NTBugtraq, which provide bulletins, news stories and other related security information. You should also subscribe to their security bulletins or newsletters. Join the user groups and discussion forums run by the vendors of your hardware and software. Software vendors also provide a wealth of information on known security bugs for their programs along with possible solutions.

It can also be enlightening to visit hacker Web sites and monitor the postings and information available on them. These sites often provide tools that can be useful in your vulnerability testing. Google maintains a list with brief descriptions of such sites at http://directory.google.com/Top/Computers/Hacking/.
