Digg this story   Add to del.icio.us  
Security Tools: From Mermaids to Suckling Pigs
Scott Granneman, 2003-05-14

The recent Nmap-hackers survey provides a glimpse of what security professionals are packing in their tool-belts these days.

One of my favorite authors is Jorge Luis Borges. Borges, for those of you who have not had the pleasure yet, was an Argentine writer whose short stories exhibited a fascination with mirrors, labyrinths, infinity, mysticism, and the nature of reality and identity. He delighted in creating literary patterns, supposedly real books, games, puzzles, and lists. To give you a taste of the unique Borges, here's a list from a piece by Borges titled "The Analytical Language of John Wilkins", in which he describes a Chinese encyclopedia, the Celestial Emporium of Benevolent Knowledge, in which animals are categorized into the following groupings:

1. Those that belong to the Emperor
2. Embalmed ones
3. Those that are trained
4. Suckling pigs
5. Mermaids
6. Fabulous ones
7. Stray dogs
8. Those included in the present classification
9. Those that tremble as if they were mad
10. Innumerable ones
11. Those drawn with a very fine camelhair brush
12. Others
13. Those that have just broken a flower vase
14. Those that from a long way off look like flies

Now that's quite a list! If you're not quite sure what it means, explore Borges a bit more, and I think you'll begin to understand what's going on. As a consolation prize, let me tell you about a list that will be easier to understand and immediately useful to your career as a security pro.

In May 2003, Fyodor, the creator of the essential security tool Nmap, surveyed members of the Nmap-hackers list to find out their favorite security tools. Respondents could provide up to eight software candidates. Fyodor had earlier performed the same survey in June 2000, which had resulted in a list of 50 essential programs. The poll this time around had 1854 participants, and resulted in a list of 75 items.

Before we go any further, I am well aware of the problems with this survey. It is not scientific, it draws from a limited pool of respondents, and those respondents were obviously self-selected. One might presume a bias towards open source tools, since Nmap is itself an open source tool released under the GNU GPL, but that presumption is not necessarily borne out, as we'll see. One minor problem with the survey is that the results do not include Nmap, since Fyodor disallowed voting for his own tool!

In spite of these problems, the list Fyodor's respondents created is amazingly useful and very interesting. It would be well worth your time to check out that list and look over the results. Take a moment to go take a look, and then come back and let's think about some of the lessons we can draw from the "Top 75 Security Tools" list.

Back? Great. I hope you noticed the good mix of tools mentioned on the list. Vulnerability assessments, intrusion detection systems, sniffers, scanners, password crackers, integrity checkers: they were all there. It's a good reminder that security is a multi-layered process. We need a variety of tools to check a variety of issues. Make sure you've got a couple available to you from every category.

We might as well get the platform wars out of the way. On the one hand, many of the tools run on both open source operating systems (BSD and Linux) and closed systems like Windows. By my count, of the first 50 listed items, 13 run on Linux and/or BSD only, 12 on Windows only, and the rest run on both open source OS's and Windows. This is a good thing, as Martha Stewart would say, as it means that there are a variety available to both OS persuasions, open and closed. Better yet, if you really love to run a certain piece of software on your Linux box, and you find yourself in a Windows-only environment, there's a decent chance that your software will still be available.

On the other hand, however, many of the tools that run on BSD and Linux actually come with an installation of those operating systems, which means that they're available for immediate use. Windows, on the other hand, includes none of the tools recommended for that OS, except for the absolute basics, like traceroute and ping. Does that help to make open source OS's better platforms for security experts? I'll leave that one to Slashdot.

Open source tools do make an excellent showing; again, not surprising, given the survey source. But even a closed source advocate has to admit that open source software covers all the bases. And most of the time, it's free. It's pretty hard to argue with that.

Speaking of basic tools, it's gratifying to see those make the list. With really powerful, sexy software like Nessus and Ethereal available to us, it's easy to forget about traceroute, ping, whois, and dig, among others. Their appearance on the list is a great reminder that we shouldn't forget those simple, yet amazingly useful, tools that can still provide us with a great deal of information. Ping might be almost 20 years old, but I still use it almost every day.

Another category easy to overlook is that of scripting languages. At first it might seem odd that Python and Perl are on the list, but it makes sense. Many of the tools listed can be extended using those two powerful languages; in addition, it's surprising what a little customized Perl script can do for you in a pinch.

The classics come out on top, of course, the tools that every security professional should have in his toolbox: nessus, ethereal, snort, netcat, dsniff, to name just a few. No surprises there, but it's good to see that so many folks are still getting great use out of them. It validates the trust many of us put in them.

Up-and-Coming Security Tools

Some interesting trends are apparent in the results. Notice the importance of tools specifically designed to target or protect Web servers: Whisker/Libwhisker, Nikto, N-Stealth, Achilles, and SPIKE Proxy. Not a shocker, since the Web plays such a central role in IT. Still, if you manage a Web server, you would be remiss if you didn't check these out.

One trend that shouldn't surprise anyone involved in security is the prevalence of poor passwords among users. For every password cleverly set to "password" or "1234", there's a tool to exploit it, including John the Ripper, L0pht Crack, Cain & Abel, Brutus, THC-Hydra, pwdump3, and Crack/Cracklib. Try a selection out against your servers and workstations, and then start educating your users. That should keep you busy for a few hours... uh, days... uh, weeks. Sigh.

One up-and-comer that makes a completely expected appearance is the growth of cool new tools for testing the security of wireless networks. Back in 2000, when the first survey took place, this was a non-existent category, but now we've got three excellent downloads for you to investigate: Kismet, Network Stumbler, and AirSnort. Two quick assignments: (1) run Kismet or Network Stumbler in your office to see how many employees have set up unauthorized wireless networks, and (2) drive through the business district of your city with a laptop or Zaurus running the same software, with your jaw dropping regularly as you discover how many open, unprotected wireless networks are available to anyone with a laptop and a wireless card.

Conspicuous by Their Absence

Still, I'm puzzled by a few aspects of Fyodor's list. Shorewall, an excellent firewall tool for Linux, is missing. And why does ZoneAlarm get mentioned, while the superior, albeit commercial, Sygate Personal Firewall is ignored? Better marketing, I suppose. Where are the end-user encryption tools? Sure, PGP/GPG is on the list, but nothing else. Is it because encryption software is still too hard to use? Finally, I'm shocked that there aren't more patch management tools for Windows listed, besides hfnetchk. This is a huge problem for Windows shops. I predict we'll see more listed when the next survey results appear.

Fyodor's list is an excellent resource, one that will repay any time and energy you can devote to it. If you're new to the security field, you couldn't ask for a better resource to get you started. Even if you're a security professional who's been at this for years, there will still be gaps in your knowledge, and this list can help you discover new tools and reacquaint yourself with old ones. At the least, you should know what the bad guys are going to use against you. Fyodor's list may not be as much fun as mermaids and suckling pigs, but it could prove a heck of a lot more useful.

Scott Granneman teaches at Washington University in St. Louis, consults for WebSanity, and writes for SecurityFocus and Linux Magazine. His latest book, Linux Phrasebook, is in stores now.
    Digg this story   Add to del.icio.us  
Comments Mode:


Privacy Statement
Copyright 2010, SecurityFocus