ISP Planet - Technology - Security Tools for the Budget Conscious ISP - Part II: Vulnerability Assessment and Audit

Sections

• Best of the Lists
• Business
• CLEC-Planet
• Equipment
• Executive
Perspectives
• Fixed Wireless
• Investor
• Marketing
• Market Research
• News
• Notable Quotes
• Politics
• Profiles
• Resources
• Technology
• Value-Added
Services
• Webhosting
Also ...
• About Us
• Authors
• Letters
• Site Map
• Technology Jobs

internet.com

IT
Developer
Internet News
Small Business
Personal Technology

Search internet.com
Advertise
Corporate Info
Newsletters
Tech Jobs
E-mail Offers

internet.commerce

Partner With Us

General

Security Tools for the Budget Conscious ISP, Part II: Vulnerability Assessment and Audit

In this article we identify the tools that are available to you as you examine your system's vulnerabilities before and after an attack.

by Lisa Phifer
VP Core Competence, Inc.
[January 30, 2004]

As described in Part 1 of this article, open source and shareware tools can help to bridge gaps between need and budget. To put together a good security toolbox, you'll want to gather a variety of security utilities, ranging from vulnerability assessment and audit to traffic analysis and forensics.

Here in Part 2, we identify both commercial products and freely-available tools in the first two categories. We also illustrate a few open source and shareware tools.

Vulnerability Scan and Assessment Services
You can conduct your own vulnerability scan or contract a third party to do it for you. Ad hoc in-house testing can cost less, but a trained third-party can spot vulnerabilities you might otherwise overlook and offer expert advice on how to fix them.

When outsourcing, request an example of the report that will be delivered—it should describe executed tests, discovered problems, associated risk levels, and recommended fixes. Beware of services that add little value to shareware scanner output.

Commercial vulnerability scanning and assessment services are widely available, ranging from automated vulnerability scans to customized on-site testing and consultation. Here's a diverse, far-from-exhaustive list of commercial services:

To learn more about managed vulnerability services, see our 2003 Managed Security Service Provider Survey. A thorough vulnerability assessment is much more than just a quick scan-and-report. But, if that's all you need, here are some free vulnerability scan services:

Gibson Research ShieldsUp is a fast, free, and rather superficial Web-based scan-on-demand service. ShieldsUp is designed for home users to check Internet-connected PCs, but can be used to scan Internet-facing firewalls and servers too. To view sample ShieldsUp output, click here.
QualysGuard Free Scan Services include remote scans for Real-Time Top 10 vulnerabilities, SANS Top 20 CVEs, Slammer, Slapper, and Nimda. Free services are provided by Qualys to promote their more extensive commercial services.
Secunia Online Vulnerability Scanner is a free on-line vulnerability scan-and-report service based on Nessus. Secunia also offers several commercial security services, including a vulnerability tracking service.
Subject, Wills, and Co. offers a free "security hack" consisting of automated vulnerability testing plus up to one hour of consulting. Many firms that offer security consulting services offer free assessments like this to drum up new business.

Network Vulnerability Assessment Tools
To conduct your own in-house vulnerability assessment, you'll need some tools to identify network nodes and the operating systems and services they appear to be running.

You may want to conduct scans from multiple locations inside and outside your network. Start where many hackers start—outside your network, somewhere on the Internet—to learn what they can easily find out about you. Never scan a network that doesn't belong to you or that you don't have permission to scan. Beware that scans can impact target networks and systems (i.e., some scans are gentler than others). Scans usually trigger security events, generating copious log records, SNMP traps, and/or e-mail alerts, so advise your NOC staff before conducting a scan.

Security Tools for the Budget Conscious ISP, Part II:
Introduction and Vulnerability Scan and Assessment Services

>Security Tools for the Budget Conscious ISP, Part II:
Network Vulnerability Assessment Tools

Security Tools for the Budget Conscious ISP, Part II:
System Vulnerability Assessment Tools

Security Tools for the Budget Conscious ISP, Part II:
Web Vulnerability Assessment Tools

Security Tools for the Budget Conscious ISP, Part II:
Security Administration Tools

Security Tools for the Budget Conscious ISP, Part II:
Security Audit Tools and Conclusion

Feedback

ISP-Planet's RSS feed

WebMediaBrands Corporate Info

Legal Notices, Licensing, Reprints, Permissions, Privacy Policy.
Advertise | Newsletters | Shopping | E-mail Offers | Freelance Jobs

Solutions

Whitepapers and eBooks

Whitepaper: Introducing the Azure Services Platform
Whitepaper: Introduction to Microsoft .NET Services for Developers
Whitepaper: Securing Microsoft's Cloud Infrastructure
Internet.com eBook: Becoming a Better Project Manager
Microsoft Partner Portal: What Azure Means for Microsoft Partners

Internet.com eBook: Web Development Frameworks for Java
Internet.com eBook: Developing a Content Management System Strategy
Article: Ten Things IT Professionals Should Know About Windows 7
MORE WHITEPAPERS, EBOOKS, AND ARTICLES

Webcasts

Get Started with .NET Services

MORE WEBCASTS, PODCASTS, AND VIDEOS

Downloads and eKits

Amyuni: PDF & PDF/A Engine for .NET and ActiveX Apps
Red Gate Free Trial: SQL Toolbelt
Iron Speed Designer Application Generator

Download Award-Winning Red Gate SQL Backup Pro
MORE DOWNLOADS, EKITS, AND FREE TRIALS

Tutorials and Demos

Internet.com Hot List: Get the Inside Scoop on the Hottest IT and Developer Products
Internet.com Hot List: Java EE 6 Platform Highlights the JavaOne Conference

MORE TUTORIALS, DEMOS AND STEP-BY-STEP GUIDES