When it comes to detecting, preventing and analyzing information security threats, security teams need all the help they can get.
Cyber attackers were able to compromise organizations within minutes in 60% of the data breach cases studied in Verizon Enterprise Solutions’ Data Breach Investigations Report 2015. Unfortunately, companies aren’t getting any faster at detecting those threats. Verizon calls this a “detection deficit” between attackers and defenders.
Free, cheap and easy security tools are one way to help close the gap. We asked infosec and network security pros to offer up their favorite free security tools and, no surprise, their responses ran the gamut from upfront vulnerability scanners to post-discovery malware detonators and analysis tools.
“There’s no perfect [security] tool that everybody loves,” says Rob Westervelt, information security analyst at IDC. “It’s what they feel comfortable using.”
Todd Borandi focuses his security team on using a small set of tools that they understand very well. “These tools should change as frequently as tools used by those who would seek to expose information we are working hard to protect,” says Borandi, lead information security architect. His team may use anything from publicly accessible websites, like Rapid7 Metasploit, that constantly change payloads and update vulnerabilities, to other open source web pen testing tools “favored by the bad guys,” he says.
Though threats are constantly changing, Westervelt believes security tools don’t have to be new to be effective. “Incident response people are still in love with some tools and are so skilled at using them that they still have the upper hand, at least for a while,” he adds.
Security professionals offer up their favorite free security tools.
Team Cymru's Unwanted Traffic Removal Service (UTRS) helps mitigate the largest, most concentrated distributed denial-of-service attacks and helps eliminate traffic that is invalid or unwanted.
The Border Gateway Protocol-based solution distributes routes and rules to participating networks using only vetted information about current and ongoing unwanted traffic. Receiving a UTRS BGP feed is open to most networks that are already holders of a registered autonomous system number and currently originate prefixes into the global Internet routing table.
The service is an important safeguard at DePaul University in Chicago. “With IT on a pretty tight budget, it's good to have allies in the network protection fight,” says Arlene Yetnikoff, director of information security. The service “is one we can turn to quickly in the event of an attack.”
Secpod Saner, a free vulnerability and compliance scanner with remediation for personal computers, was one of a dozen security tools selected for the Black Hat Asia 2015 Arsenal in March. Developers say that anti-malware products typically focus on cleaning already infected systems based on known malware signatures, but 67% of malware is actually unknown. The enterprise-grade tool identifies security loopholes and misconfigurations on desktop systems and end-user applications, and then proactively fixes them.
An IT security pro at a New York financial firm recommends Rapid7 Nexpose Community edition vulnerability scanner, which aims to support the entire vulnerability management spectrum, including discovery, detection, verification, risk classification, impact analysis, reporting and mitigation. The free, community edition scans 32 IPs on networks, operating systems and databases.
Rapid7 also offers a free version of its Metasploit penetration testing software for small businesses. The simple web interface lets companies safely simulate attacks on their network to uncover security issues.
Though password management tools have been around for years, users have shied away from them because they were too manual or too difficult to configure and manage, Westervelt says. But new versions, like LastPass, are more automated and easy to use. LastPass offers a free version for computers, and for an additional fee users can download the mobile app for smartphones and tablets.
“It’s very intuitive,” says Westervelt. “It automatically notices when you’re on a site that has [your password] in the vault.”
Sometimes security features are hiding in plain sight. “I think that WSUS and EMET from Microsoft are overlooked by a lot of companies, but they are great tools to use,” says Steven Becker, an associate vice president of IT security in New York.
Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited. It uses security mitigation technologies that throw obstacles in the way of the bad guys.
“EMET gives the ability to force programs to use different security mechanisms that are available in Windows,” Becker says. For instance, “EMET uses a few different memory addressing protections that make it harder for malware to find the memory space it wants to execute in.”
Other advanced features for certificate pinning can aid against phishing attacks, he adds. “Although it requires some homework, it is possible to push EMET and its protection profiles to an enterprise environment through group policy objects.”
An overwhelming majority of attacks exploit known vulnerabilities where the patch had been available for months prior to the breach, according to Verizon’s DBIR 2015. “So keeping software updated helps immensely against known vulnerabilities,” Becker says. Windows Server Update Services allows administrators to manage the distribution of updates that are released through Microsoft Update to computers in their network.
“Ensuring that production machines have the proper security updates in a controlled manner is a huge burden that can be completely automated through the proper use of WSUS and group policy,” Becker says. WSUS can also push out third-party updates, such as Java or Adobe Flash, using several different open source package publishers. Both Microsoft security tools are “free” to licensed Windows software or server customers.
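The controlled, automated approval Becker describes can be scripted against the UpdateServices module that installs with the WSUS server role. The following PowerShell is an added example, not code from the article or from Microsoft: it connects to a WSUS server, finds unapproved security updates that clients still need, and approves them for a single pilot computer group only after a configurable soak period, so a fresh patch can be tested before it reaches a wider group. The server name, port, group name and soak period are assumptions.

```powershell
# Added example (not from the article): staged approval of WSUS security
# updates for one computer group. Requires the UpdateServices module that
# ships with the WSUS role on Windows Server.
#Requires -Modules UpdateServices

param(
    [string]$WsusServer  = 'wsus.example.local',  # assumed server name
    [int]$Port           = 8530,                  # default non-TLS WSUS port
    [string]$TargetGroup = 'Pilot',               # assumed computer group
    [int]$SoakDays       = 3,                     # assumed soak period
    [switch]$DryRun                               # list only, approve nothing
)

# Connect to the WSUS server over the plain HTTP admin port.
$server = Get-WsusServer -Name $WsusServer -PortNumber $Port

# Security-classified updates that at least one client reports as needed or
# failed, and that no administrator has approved yet. Declined updates are
# excluded by the Unapproved filter.
$pending = Get-WsusUpdate -UpdateServer $server -Classification Security `
    -Approval Unapproved -Status FailedOrNeeded

# Only updates that have been on the server for at least $SoakDays qualify,
# which gives the pilot group a tested baseline rather than day-zero patches.
$cutoff = (Get-Date).AddDays(-$SoakDays)
$ready  = $pending | Where-Object { $_.Update.ArrivalDate -le $cutoff }

foreach ($u in $ready) {
    $title = $u.Update.Title
    if ($DryRun) {
        Write-Host ("Would approve: {0} -> {1}" -f $title, $TargetGroup)
        continue
    }
    Write-Host ("Approving: {0} -> {1}" -f $title, $TargetGroup)
    # Approve for installation on the pilot group only; other groups keep
    # inheriting whatever approval their parent group already has.
    $u | Approve-WsusUpdate -Action Install -TargetGroupName $TargetGroup
}

Write-Host ("{0} pending security updates, {1} past the soak period." -f `
    @($pending).Count, @($ready).Count)
```

Run it first with `-DryRun` to see what would be approved; once the pilot group has reported successful installs, the same script with a different `-TargetGroup` value promotes the updates to the next ring. Group policy then only needs to point clients at the WSUS server and assign them to the right target group.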
Malware Detection and Analysis
Security training pro Stu Sjouwerman has two free security tools in his arsenal. “Malwarebytes is doing a great job defending against ransomware,” says Sjouwerman, co-founder of security training company KnowBe4, in Clearwater, Fla.
The free scanner detects and removes malware like worms, Trojans, rootkits, rogues and spyware. For more protection, the premium edition offers a real-time scanner that automatically prevents malware and websites from infecting a PC.
ModSecurity, the open source Web application firewall, provides a toolkit for real-time web application monitoring, logging, and access control. “It helps us block any and all attacks on our website,” Sjouwerman says.
Incident response teams that like to detonate malware in secure sandboxes for analysis might want to try Maltrieve, a free tool for retrieving malware directly from the source for security research. “It parses URL lists to get malware location information,” and it supports other forensics and malware analysis tools, Westervelt says.
For companies looking to sharpen their pentesting skills and knowledge, the Root the Box open source platform is a real-time scoring engine for computer wargames where hackers can practice and learn. Root the Box aims to engage novice and experienced hackers alike by combining a fun, game-like environment with realistic challenges that offer applicable, real-world learning.
“The reason that this is my favorite free tool is that it addresses the [biggest] threat in security today -- the lack of knowledgeable security professionals,” says Chris Silvers, principal consultant at CG Silvers Consulting, an information security consultancy. “Combined with intentionally vulnerable virtual machines, Root the Box can be an integral part of a security training class,” he says.
Advice for using free security tools
Before using any free security tool, first talk to your security peers and find out what works for them and why, Westervelt says. Next, take a close look at how active the development community is behind the tool. “If there’s only a single developer or small group of active contributors to an open source project, it could very well die on the vine,” he says.
Finally, determine how practical the tool is to your workflow. “You don’t want to disrupt your entire workflow with the introduction of a new tool,” Westervelt says. “You may not only impact your own workflow but that of your other team members” with a new tool. “That goes back to why you need a new tool in the first place. Maybe a process improvement will solve the problem.”
The threat environment is constantly changing. “Security pros have to be ready to absorb new tool capabilities quickly,” Borandi says. That requires a highly skilled security team. At the end of the day, he says, “my best tools are my relationships with peers and the education of my team using the tools.”