Tools of our trade – a multi-part series
IT Audit & Security testing is a hot topic lately. With the reoccurrence of cyberattacks discussed by the media, and in talking with my friends, one might think what we as security professionals do is some kind of voodoo magic and a losing fight. Fortunately, and unfortunately, it’s about 90% math/science and 10% luck. Luck, because so many factors need to be in place for our tools to produce the results that we’re looking for. To perform a penetration test, we often need to have the right person with elevated permissions fall victim to a phishing email, while at the same time have the anti-virus software not catch our malicious code, all in concert with the intrusion detection signatures on the firewall missing us knocking on the proverbial “virtual” door.
In this blog series, our goal is to demystify the tools we use during our assessments, and to shed some light on what tasks we perform and, more importantly, WHY they actually work. At the same time, our intention is to help other firms understand what tools are out there, and maybe, just maybe, they can put in place the controls to make our efforts just a little bit harder. While there is competition in our industry, there is also recognition and acceptance that we need to share information and discoveries to help each other continue to be proactive in preventing security threats.
As we navigate through this series, we will bucket the tools into three categories. First, our staff. The most important tool any of us have is our knowledge of IT and Security. The best hammer, screwdriver, or PHP script is useless without a knowledgeable operator. Our staff have the training and inherent curiosity to keep pushing buttons, knocking on doors, and seeking out the “bad” to help complete the assignment. Second, we have free tools that anyone can download from the internet, or write their own scripts for. Third, and lastly, we will describe the software and hardware products that we use, which cost money. Some of the products we use are relatively inexpensive: $35 for a Raspberry Pi, Rubber Ducky USB stick, or LAN Turtle. On the other end of the pricing spectrum are the tools that cost thousands. Generally, these more expensive tools are used for reporting and consolidating our efforts. During an engagement, we collect vast amounts of data, and organizing it, both individually and in teams, can be a time-consuming task. These more expensive tools help us do just that.
Some of the blog posts in this series will be somewhat technical. Other times, we will share techniques so simple that you will hit yourself on the head thinking, “Damn, I just fell for that last week.”
Our goal is to educate our clients and prospective clients on the tools of our trade. This won’t be a series on how to hack, or sessions to train on hacking. There are plenty of resources on the internet for that. We will put the “board member/business/CEO/CIO/executive” spin on our writing to try and make everyone a little more secure, because at the end of the day, we’re all on the same team.