If the probability of your assets being prodded by attackers foreign and domestic doesn't scare the bejesus out of you, don't read this article. If you're operating in the same realm of reality as the rest of us, here's your shot at redemption via some solid preventive pen testing advice from a genuine pro.
CSO speaks with pen test tool designer/programmer/aficionado, Evan Saez, Cyber Threat Intelligence Analyst, LIFARS, about the latest and greatest of these tools and how to apply them.
Available pen test tools
The pen test tools for this discussion are Metasploit, the Nessus Vulnerability Scanner, Nmap, Burp Suite, OWASP ZAP, SQLmap, Kali Linux, and Jawfish (Evan Saez is a developer on the Jawfish project). These tools are key to securing your enterprise because these are the same kinds of tools that attackers use. If you don't find your holes and seal them, they will exploit them.
Metasploit is a framework with a large programmer fan base that adds custom modules, test tools that test for weaknesses in operating systems and applications. People release these custom modules on GitHub and Bitbucket. Bitbucket, like GitHub is an online repository for coding projects. "Metasploit is the most popular pen test tool," says Saez.
The Nessus Vulnerability Scanner is a popular, signature-based tool for locating vulnerabilities. "Nessus' can only compare scans to a database of known vulnerability signatures," says Saez.
The Nmap network scanner enables pen testers to determine the types of computers, servers, and hardware the enterprise has on its network. The fact that these machines are identifiable via these external probes is in itself a vulnerability. Attackers use this information to lay the ground work for attacks.
Burp Suite is another popular web application pen test tool. It maps and analyzes web applications, finding and exploiting vulnerabilities, according to Burp Suite web security tool vendor, PortSwigger.
OWASP ZAP (Zed Attack Proxy) is the web application pen test tool from nonprofit OWASP, the Open Web Application Security Project. ZAP offers automated and manual web application scanning in order to serve the novice and the established professional pen tester. ZAP is an open source tool now available on GitHub.
SQLmap automates the discovery of SQL Injection holes. It then exploits those vulnerabilities and takes complete control of databases and underlying servers.
Kali Linux is an all-in-one tool comprising a suite of dedicated, pre-installed penetration testing (and security and forensics) tools. "It has tools for people who have no knowledge of security," says Saez.
Unlike most tools, which are signature-based, Jawfish is a pen test tool that uses genetic algorithms. "Genetic algorithms look for things in the context of search," says Saez. Based on search criteria, as Jawfish gets closer to what it is looking for, in this case a vulnerability, it can find a result. Jawfish does not require a signature database.
Sign up for CIO Asia eNewsletters.