
Re: [SAGE] Security Tools..



To All:

----- Original Message -----
From: "Heather Mitchell" <Heather.Mitchell@owen.vanderbilt.edu>
To: <sage-members@sage.org>
Sent: Friday, December 30, 2005 7:13 PM
Subject: RE: [SAGE] Security Tools..


>
> Jennifer Davis wrote:
>
> > what tool that you couldn't survive without when it comes to security?
>
> Ethereal -- it's been very useful in a couple of attacks where the
> miscreant was spoofing IP addresses but not MAC addresses. And the
> output was easier than tcpdump for the PHB to understand, so we could
> get a timely decision to take necessary but unprecedented action.
>
> Netstat -- underused, imho. An excellent tool for pinpointing naughty
> services that shouldn't be listening, yet are (like when a novice dba
> convinces a junior admin who should have known better to turn telnet
> back on because he "didn't know how to use SSH").
>
> The log parser of your choice -- I like swatch and MS Log Parser (it's a
> Windows world). But I find that while snort may alert me to attempted
> abnormal naughtiness, logs help me find "normal" naughtiness --
> acceptable behavior occurring in unacceptable parameters (wrong time,
> wrong place, wrong person, etc.). Also, logs help me prove that
> sometimes a cigar is just a cigar, despite the paranoid suspicions of
> the boss, and sometimes me!
>
> Tripwire -- or some other config/change management tool. Some day
> someone is going to do something naughty, intentionally or otherwise.
> Unless I can be pretty confident that I know what was and was not
> affected, due diligence will require me to format hard drives and start
> all over. Who wants to have to do that? Do you know for sure that you
> can rebuild that 15-year old VAX whose operating system came on 26
> diskettes? Do you even know where those diskettes are? Are you sure?? :)
>
> ProcExplorer and Pskill -- free tools from sysinternals.com for Windows.
> Hands down the best tools for discovering what's really running, which
> process owns what, etc. And pskill lets you kill the pesky services that
> Windows tells you can't be killed. :)
>
>
> > If you have any tips, or best practices to share that would be useful
> too.
>
> I don't know about best practices, but I do kinda have a tip. Security
> is a big hairy umbrella for a lot of wildly disparate things. It's also
> full of fun tools. :) It helps me stay focused if I remember that I have
> three main goals: 1) keep people out. That's firewalls, snort,
> permissions, av, vulnerability testing, etc. 2) know when they get in
> (they will get in). That's log watching, config/change management,
> knowing processes, services, normal system behavior, etc.  3) recover.
> That's figuring out what was compromised, returning to a known good
> state, and remedying the exposed weakness.  With those in mind, I find I
> can keep from getting carried away by the "ooo, cool! It lets you see
> peristalsis as it happens!" factor.
>

I agree with Heather's 2 cents, and I would like to add to this some books
that address these programs. The one book, "Open Source Security Tools:
Securing Your Unix or Windows Systems" by Tony Howlett from Prentice Hall
($49.99), I found will take you through these programs and more. It will
explain HOW TO configure the program and basically how to use the program. I
found this approach helpful in being able to make these tools initially
useful. At least it provides a way to get up and running for you to be able
to venture forth from there.

>
> Just my $.02,
> Heather
>
> Heather Mitchell
> Computer Systems Analyst
> Owen Graduate School of Management
> Vanderbilt University
> Heather.Mitchell@owen.vanderbilt.edu
>
>
>
>
>
> -----Original Message-----
> From: owner-sage-members@usenix.org
> [mailto:owner-sage-members@usenix.org] On Behalf Of Jennifer Davis
> Sent: Friday, December 30, 2005 4:52 PM
> To: sage-members@sage.org
> Subject: [SAGE] Security Tools..
>
>
> OK .. BayLISA is organizing an event with regards to tools system
> administrators can use towards security.  nmap, snort, nessus... what
> else is there?
>
> If you could go, what tool have you been wanting to learn more about and
> haven't had the opportunity.. or what tool that you couldn't survive
> without when it comes to security?
>
> network/systems.. anything.  If you have any tips, or best practices to
> share that would be useful too.
>
> Jim Dennis will be one of the moderator/presenters, so it should be
> quite educational :) better yet.. we will be recording it!  Sadly, I
> don't think Google Video can handle 5 hours of material.. But! For the
> cost of the DVD/Shipping we should be able to get a DVD out to you.
>
> Jennifer

You may find these other books of some assistance:

Linux System Security: An Administrator's Guide to Open Source Security Tools
By Scott Mann from Prentice Hall ($49.99)

SELinux: NSA's Open Source Security Enhanced Linux
By Bill McCarty from O'Reilly ($39.95)

[From my exposure to Windows and Linux, this distribution provides the
granularity of control that AD still may not provide. Both are not easy to
implement. Like anything worthwhile, it takes proper planning.]

Security Survival: A Source Book from the Open Group
By X, Open Guide from Prentice Hall ($60.00)

Building Open Source Network Security Tools: Components and Techniques
By Mike Schiffman from Wiley ($45.00)

Hack Proofing Linux: A Guide to Open Source Security
By James Stanger from Pub Group West ($49.95)

I hope all find this information of assistance.

Harvey Rothenberg
Micro/Intel Unixes and Security Specialist
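Heather's remark above that logs catch "normal naughtiness" (acceptable activity at the wrong time, from the wrong place, or by the wrong person) can be turned into a small check. The script below is an added example, not code from anyone in this thread; the sshd-style log lines, the allowed network prefix, the working hours and the known-user list are all constructed for illustration.

```python
"""Flag successful logins that break a simple who/where/when baseline."""
import re

# Constructed sample sshd log lines (not real data).
SAMPLE_LOG = """\
Dec 30 09:12:01 host1 sshd[2211]: Accepted password for alice from 10.0.1.20 port 51022 ssh2
Dec 30 13:45:09 host1 sshd[2290]: Accepted password for bob from 10.0.1.31 port 51100 ssh2
Dec 30 03:02:44 host1 sshd[2400]: Accepted password for alice from 10.0.1.20 port 51200 ssh2
Dec 30 10:30:12 host1 sshd[2450]: Accepted password for bob from 203.0.113.7 port 40001 ssh2
Dec 30 11:05:55 host1 sshd[2500]: Accepted password for dbadmin from 10.0.1.20 port 40100 ssh2
Dec 30 11:06:10 host1 sshd[2501]: Failed password for alice from 10.0.1.20 port 40101 ssh2
"""

# Assumed baseline (constructed): office network, office hours, users expected on this host.
ALLOWED_PREFIX = "10.0.1."
WORK_HOURS = range(8, 19)      # 08:00 through 18:59
KNOWN_USERS = {"alice", "bob"}

# Only successful logins matter here; an IDS signature would never fire on these.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port"
)

def find_out_of_profile_logins(log_text):
    """Return (user, src, time, reasons) for each accepted login outside the baseline."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # failed attempts and unrelated lines are skipped
            continue
        user, src, hhmmss = m["user"], m["src"], m["time"]
        reasons = []
        if int(hhmmss[:2]) not in WORK_HOURS:
            reasons.append("wrong time")
        if not src.startswith(ALLOWED_PREFIX):
            reasons.append("wrong place")
        if user not in KNOWN_USERS:
            reasons.append("wrong person")
        if reasons:
            findings.append((user, src, hhmmss, reasons))
    return findings

if __name__ == "__main__":
    for user, src, t, why in find_out_of_profile_logins(SAMPLE_LOG):
        print(f"{t} {user}@{src}: {', '.join(why)}")
```

Each hit is a login that was perfectly valid by itself, which is exactly the case Heather describes snort missing and logs catching.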