What’s in Your [Security] Wallet?
No, this blog post isn’t about the credit cards or identity theft. It’s about the tools that, as a security professional, you should keep stored in your “security wallet.”
As in any tradecraft, security professionals should have a set of tools, in this case applications, websites, and resources, that they keep on hand. These items become your “security wallet,” and are all part of a talk titled Cyber Security Tips, Tools and Techniques for All Security Professionals, which DirectDefense will be giving at upcoming events.
Tools for Your Toolkit
There are many free security tools readily available that fit on an 8 GB USB thumb drive. These tools help IT or security professionals diagnose and troubleshoot problems in a variety of ways.
- Windows SysInternals – This is the toolbox for Windows. Maintained by Mark Russinovich, these are the applications that are not included with the Windows Operating System but should be. The tools we use most are Process Explorer, Autoruns, and Zoomit.
- Wireshark – Wireshark is an open-source network analyzer that works on many platforms. You can use it to look into network packets for both security and network troubleshooting.
- Nmap/Zenmap – Nmap, and its GUI front end Zenmap, is a network scanning and security auditing tool. Often featured in movies, this open-source application is used for network inventory, IP and port discovery, OS fingerprinting, and monitoring host or service uptime.
- Ubuntu / CentOS / Linux Mint (https://livecdlist.com/ or https://distrowatch.com/) – Linux provides greater flexibility for security testing than any other OS.
- Kali – A Linux-based operating system that comes complete with many security tools. Install it on a clean thumb drive and boot from it. Kali is also a fine environment in which to learn and practice Linux.
Techniques to Have at Your Fingertips
It’s important to know where to turn to find information on cybersecurity. Below are some of our go-to resources, which address both the basics of cybersecurity and take deep dives into technology.
- Get aware with StaySafeOnline.org & StopThinkConnect.org – The National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS) provide general consumer and business cybersecurity awareness materials aimed at closing the awareness gap across all sectors.
- NIST Computer Security Resource Center (NIST) – For more than 20 years, NIST has provided free publications on a multitude of technical and non-technical security topics. You may also want to bookmark their comprehensive Glossary. While NIST guidance is required for U.S. Federal Government agencies, many private-sector organizations also turn to it for direction. If you’re looking for a security policy, start here first.
- Center for Information Security (CIS) – CIS provides technical guidance on protecting public and private organizations against cyber threats. The CIS Critical Security Controls and CIS Benchmarks are the global standards and recognized best practices for securing IT systems, networks, applications, and data. CIS also provides security awareness newsletters, vulnerability advisories through the MS-ISAC, direction for hardening OS images and applications, and many other resources.
- Web and Application Security – Open Web Application Security Project (OWASP) – OWASP is an online community that produces free articles, methodologies, documentation, tools, and technologies in the field of web application security. They’ve maintained the Top 10 Most Critical Web Application Security Risks for more than a dozen years and updated it for 2017. OWASP provides cheat sheets, developer guides, and applications to help anyone involved in application development.
Other Helpful Tips for IT or Security Professionals
It’s one thing to have tools; it’s another to know how to use them. In a recent blog, DirectDefense’s Stephen Deck provides numerous tips for practicing your cyber skills. From Stephen’s blog, “One of the greatest aspects of InfoSec is there are many ways to gain experience without paid work. Focus your learning on the fundamentals, which apply to the widest breadth of positions and make learning more advanced subjects easier.” Here are a few ways to start practicing:
- Build a home training lab – Most training courses focus on Linux because of its extremely liberal licensing. However, most enterprises have a significant Microsoft presence. A membership to visualstudio.com (previously MSDN) could be worthwhile, although there’s a cost involved for an annual subscription. For training, you can build an entire Active Directory domain using this license, virtualization software, and a laptop with reasonable storage and RAM. Creating this type of environment provides experience with both the server and desktop versions of Windows, as well as enterprise management techniques.
- Download Virtualization Software – Either VirtualBox or VMware works well. VirtualBox is free and allows snapshots of virtual machines. VMware Workstation / Fusion is great if you have the money or are eligible for a discount.
- Learn to use Linux text parsing tools – See the Linux distribution sites listed above and pick one to use. grep, cut, sort, uniq, awk, and sed are great Linux tools for any IT job. Many security tools run from the command line, and the ability to quickly parse text from one tool and feed it to another is indispensable.
- Learn a scripting language – You do not need to be a scripting expert, but writing simple programs with loops that use variables and call operating system commands is extremely helpful. We highly recommend PowerShell as a starting point. Almost everyone in InfoSec will be either attacking, defending, or investigating Windows systems. Bash scripting is another useful language, since Linux text processing is broadly applicable and Bash is the natural way to automate many testing tools. More full-featured scripting languages such as Python, Perl, and Ruby are fantastic if you have spare cycles. However, these are not as readily available in most enterprise environments.
- Practice on vulnerable Linux distributions – Vulnhub.com is a great resource for finding vulnerable Linux distributions. These distributions allow you to practice offensive skills and exploit development. The Kioptrix distribution is a great starting point since it has several levels and readily-available walkthroughs. Vulnhub also has some great training resources listed on the site at https://www.vulnhub.com/resources/. Exploit-exercises.com is another site with distributions that focus specifically on the exploitation of Linux binaries.
- Try online challenges – There are lots of challenges posted online that already have hints and walkthroughs. A few examples are https://holidayhackchallenge.com and https://www.root-me.org. These challenges have offensive and defensive components, giving a good cross-section of exercises. Root-me also contains several exercises to practice programming and scripting tasks.
- Online training resources – We are fans of the classes on opensecuritytraining.info. These courses are free and go very in-depth on a variety of topics including forensics, assembly language, and exploits. Cybrary is another option with several free, full courses.
- Read books – There are some fantastic books available that cover both the system administration and security space. The CyberSecurity Canon site lists must-read cybersecurity books and even has a Hall of Fame for the best of the best. Each book on the site is reviewed. No Starch Press has fantastic resources available at a reasonable cost. Wiley Publishing also creates the “Hacker’s Handbook” series that offers some very in-depth material on a variety of security topics.
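The kind of pipeline the text-parsing and scripting tips above describe, as an added example that is not from the original post: Nmap’s “grepable” output (`-oG`) is turned into a host inventory with grep, awk, sort and uniq. The scan output below is constructed for the example, not a real scan, and Nmap itself is not invoked.

```shell
#!/bin/sh
# Constructed sample of Nmap grepable output (nmap -oG -); hosts are
# RFC 5737 documentation addresses and the services are made up.
SAMPLE_SCAN='# Nmap scan initiated as: nmap -oG - 192.0.2.0/29
Host: 192.0.2.10 () Status: Up
Host: 192.0.2.10 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https/// Ignored State: closed (997)
Host: 192.0.2.11 () Status: Up
Host: 192.0.2.11 () Ports: 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///, 135/filtered/tcp//msrpc/// Ignored State: closed (997)
Host: 192.0.2.12 (fileserver.example) Status: Up
Host: 192.0.2.12 (fileserver.example) Ports: 445/open/tcp//microsoft-ds///, 22/open/tcp//ssh/// Ignored State: closed (998)
# Nmap done'

# Print "ip port/proto service" for every OPEN port, one per line.
# Each port entry is port/state/proto/owner/service/..., so we split on "/"
# and keep only entries whose state field is "open".
open_ports() {
  printf '%s\n' "$1" |
    grep 'Ports:' |
    awk '{
      for (i = 1; i <= NF; i++) if ($i == "Ports:") break   # fields after this are ports
      for (i++; i <= NF; i++) {
        if ($i == "Ignored") break                          # trailing summary, stop
        n = split($i, p, "/")
        if (n >= 5 && p[2] == "open") print $2, p[1] "/" p[3], p[5]
      }
    }' |
    sort -u
}

# Count how many hosts expose each service, most common first.
service_counts() {
  open_ports "$1" | awk '{ print $3 }' | sort | uniq -c | sort -rn
}

# List the hosts that expose a given service name (e.g. ssh).
hosts_with_service() {
  open_ports "$1" | awk -v svc="$2" '$3 == svc { print $1 }' | sort -u
}

echo "== open ports =="; open_ports "$SAMPLE_SCAN"
echo "== services by host count =="; service_counts "$SAMPLE_SCAN"
echo "== hosts exposing ms-wbt-server (RDP) =="; hosts_with_service "$SAMPLE_SCAN" ms-wbt-server
```

Swap the constructed string for the real file (`nmap -oG scan.gnmap ...` then `open_ports "$(cat scan.gnmap)"`) and the same three functions give a quick inventory of what a network exposes.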
These are just a small handful of good tools and resource sites, but there are many others out there. Feel free to contact us or join us at one of our upcoming events.
Written by: Ron Woerner
Ron Woerner, CISSP, CISM, CEH, PCI QSA, has over 25 years of IT and security experience and is a noted consultant, speaker, and writer in the security industry. At DirectDefense, he works as an IT Risk and Compliance Consultant performing security audits and risk assessments for small, medium, and large organizations. Ron has established security practices for multiple international organizations. He has been a featured speaker at (ISC)2, ISACA, and RSA conferences and was the AFA CyberPatriot Mentor of the Year in 2014.
Neither the writer of this article nor DirectDefense is directly associated with the sites and tools linked in this article. As always, use at your own risk.