As we mentioned in the first article, Top Five Hacker Tools Every CISO Should Understand, the role of the CISO continues to evolve within organizations towards that of an executive level position.
Nonetheless, CISOs need to keep on top of the best tools and technologies available that can benefit their organization’s security posture.
We recently spoke to Nabil Ouchn (@toolswatch), the founder of the portal ToolsWatch.org and organizer of the Arsenal Tools exhibit at the BlackHat Conferences, and asked him to assemble what he believed to be the top ten hacker tools every CISO should understand.
Here are five more hacker tools for the CISO playbook, according to Ouchn:
Vega Open Source Web Application Scanner
“How many applications are developed internally in large companies that are not subject to a regular security inspection?” Ouchn asks. “This is one of the CISO’s biggest fears: Deploying an application without validating the security status.
“Fortunately Vega Open Source can do the job and check whether the developers have followed a Security Development Lifecycle. Vega is a free and open source scanner designed to test the security of web applications,” Ouchn explains.
“Vega can help CISO’s internal teams to find and validate SQL Injection, Cross-Site Scripting (XSS) and all the vulnerabilities described in the OWASP Top Ten, and can significantly reduce the exposure of an application.”
“This tool can be part of a continuous loop for securing applications and can used in two different ways: By the development team to ensure that their processes is clean against the OWASP Top Ten most exploited issues, and by Red tiger teams to assess the application prior to its deployment,” Ouchn continued.
“Solutions for Web Application security are many, and the choice should not be limited only to Vega, so we could also include in the same vein tools like Wa3f, Watobo or Netsparker Community, Burp Suite, and Zap. Each solution has its strong point and can be used to fill the application security gap.”
Open Vulnerability Assessment Language Interpreter (OVAL)
It is very important to keep an eye on the security status of internally deployed systems, and OVAL Interpreter has been developed with this task in mind, Ouchn says.
“It provides a non-intrusive way to check the OS compliance and security levels. An ideal tool for OS / Systems configuration management. The hands-on is very simple and the added value is enormous. The tool is part of a bundle toolkit created by Mitre for analysis of configuration and vulnerabilities,” Ouchn said. “A CISO must add this tool to his arsenal.”
“The icing on the cake is that the tool generates an HTML report and has several testcases called “Definitions” to conduct with an application’s inventory, patch management overview, vulnerability checking, etc. A must for CISO and system administrators.” (See also Open-SCAP and XCCDF Interpreter).
Scuba – The Free Database Vulnerability Scanner
“Databases are critical assets for an information system, and therefore CISOs must implement the best strategy to protect them,” Ouchn said.
“To do so, we must draw a picture of the vulnerabilities they suffer from, and that is where Scuba comes into play. It ships with an average 1200 built-in testcases to check for vulnerabilities and configurations. It also overs the basics of the most common databases such as Oracle and Microsoft SQL Server,” Ouchn continued.
“A CISO should always instruct database admins to constantly assess the configuration of their databases. While Scuba cannot perform the exploitation of vulnerabilities, Metasploit is already in the Arsenal for that,” Ouchn says.
“To fill the gap, we also recommend using the OpenVAS (Open Source Vulnerability Scanner) with its several dedicated database plugins.” (See also oriented database Nessus plugins.)
Drozer – An Android Device’s Metasploit
“In the last decade, mobile phones have become a thorn in the side for security managers, and their security should not escape the attention of the CISO,” Ouchn said.
“Drozer is the perfect tool to demonstrate how an Android application poorly developed or subject to compromise could become a Trojan in an enterprise network environment and ruin the whole security in depth strategy.”
“Drozer can perform an Android systems security assessment prior to a massive deployment within a company, and a wise CISO can indeed ensure that the devices comply with the security policy by checking the installed packages, the services in use, the possible vulnerabilities identified, and the opportunities to exploit them,” Ouchn continued.
“We must not fool ourselves, smartphones and other intelligent mobile devices are rooted in the culture, and an aware CISO must manage and secure them as best they can.” (See also SPF – Smartphone Pentesting Framework).
PwnPad – The Sexiest Pentesting Tablet
“I saved the best for last. One of the gadgets that has taken the security and hacking community by storm right now is the PwnPad Nexus tablet created by Pwnie Express. In fact, this one has all the ingredients to compromise your network,” Ouchn said.
“The tablet has been designed in such a way to work in all cases: It has WiFi dongle for cracking Wireless networks and a Bluetooth dongle and support for Mobile Data, and the best tools used by security professionals are already integrated and pre-configured.”
“It only takes few clicks and little effort to configure a malicious rogue AP and trap anyone who connects into it, so this is a great tool for performing pentesting, wireless assessment (WiFi / Bluetooth) and Awareness campaigns to educate internal users to avoid connecting to any open WiFi network,” Ouchn continued. “The Pwnpad hardware is a must for a CISO’s Red Tiger team.”
“The tablet has a significant cost if you opt to buy it, however there’s an option to build your own using the Community Release (here is my own: http://www.toolswatch.org/2013/05/installing-my-own-pwnpad-community-for-fun-and-for-less-than-300/)”.