Security Tools are Not Infallible

30 SEP 1997 Rob Thomas robt@cymru.com

So there I was, happily dozing on an overcrowded train on my way home this evening. I was surrounded by a batch of folks holding an animated discussion about their network. Interesting, I thought...technology is everywhere. Just then, as I was about to drift off, one of the fellows beside me shouted to the rest:

"We just downloaded SATAN today, so we're SAFE!"

The emphasis on "SAFE" was his, not mine.

Strange, I thought. They had only downloaded SATAN, and felt that they were already safe from the predators on the Internet and intranet? I asked the fellow what made him feel good about SATAN in comparison with other tools he could be using (with or instead of SATAN). He replied, stunned, "What other tools?"

What other tools?

This is a fundamental problem with the bevy of security tools out there today. Too many folks download them, run them, and review the output, without any idea about what the tool is trying to tell them. Worse, they are not aware of the weaknesses (nor the strengths) of the tool. In short, they may be using a screwdriver to saw wood.

It is ever so important that you take the time to truly CRITIQUE the security tools you utilize. If they are commercial tools, grill the vendor on exactly what the tool checks. How does the tool know that something is awry? How often is the tool updated to keep pace with the Black Hat community and its bag o' tricks? If the tool is a freeware distribution, read the source code! There is no better documentation, as the source code will tell you exactly what the tool will do and, perhaps more importantly, will NOT do. Whether free or commercial, you need to be intimately familiar with the strengths and weaknesses of the tools you use to test and audit your system and network security.

Always greet any new security tool with a healthy dose of skepticism. Remember, the tool is only as effective as the author(s)' ability to code for various holes, issues, and weaknesses. And, although the author(s) probably tested the tool extensively on his/her own network, the tool has never run on YOUR network. Be equally critical of the output, and you should always run multiple tools to get a good point/counter-point regarding your overall security picture.
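The two habits above, knowing exactly which checks a tool performs and running more than one tool against the same hosts, can be combined into a simple cross-check. The following is an added example, not code from the original essay, SATAN, or any particular product: the tool names, check names, hosts and reports are all constructed, and the coverage lists stand in for what you would learn by reading a free tool's source or grilling a vendor. The point it makes is that a finding missing from one tool's report means "clean" only if that tool actually tests for it.

```python
"""Cross-check two scanners' reports against what each scanner can actually test.

Added example with constructed data. Tool names, check names and hosts are
hypothetical; COVERAGE stands in for what you learn from the source or vendor.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Finding:
    host: str
    check: str  # name of the weakness the tool tests for


# Constructed: the checks each tool is capable of running at all.
COVERAGE: Dict[str, Set[str]] = {
    "scanner_a": {"nfs_world_export", "old_sendmail", "rexd_enabled", "tftp_unrestricted"},
    "scanner_b": {"nfs_world_export", "old_sendmail", "finger_enabled", "open_x_server"},
}

# Constructed: one run of each tool against the same two hosts.
REPORTS: Dict[str, Set[Finding]] = {
    "scanner_a": {
        Finding("host1", "nfs_world_export"),
        Finding("host1", "rexd_enabled"),
        Finding("host2", "old_sendmail"),
    },
    "scanner_b": {
        Finding("host1", "nfs_world_export"),
        Finding("host2", "open_x_server"),
    },
}

# Constructed: the weaknesses you currently care about (e.g. from advisories).
WANTED_CHECKS: Set[str] = {
    "nfs_world_export", "old_sendmail", "rexd_enabled", "open_x_server", "weak_passwords",
}


def cross_check(reports: Dict[str, Set[Finding]],
                coverage: Dict[str, Set[str]],
                wanted: Set[str]) -> Dict[str, List]:
    """Classify each (host, check) pair by tool agreement and tool capability.

    confirmed:   every tool able to test the check reported it (two or more tools)
    disputed:    capable tools disagree; one of them is wrong, so investigate by hand
    unconfirmed: only one tool can test this check, so nothing corroborates it
    uncovered:   wanted checks that no tool in the set performs at all
    """
    hosts = sorted({f.host for r in reports.values() for f in r})
    confirmed, disputed, unconfirmed = [], [], []
    for host in hosts:
        for check in sorted(wanted):
            capable = {t for t, checks in coverage.items() if check in checks}
            reported = {t for t in capable if Finding(host, check) in reports.get(t, set())}
            if not reported:
                continue  # clean by every capable tool, or nobody tests it (see uncovered)
            if len(capable) == 1:
                unconfirmed.append((host, check, next(iter(reported))))
            elif reported == capable:
                confirmed.append((host, check))
            else:
                disputed.append((host, check, sorted(reported), sorted(capable - reported)))
    uncovered = sorted(c for c in wanted if not any(c in cov for cov in coverage.values()))
    return {
        "confirmed": confirmed,
        "disputed": disputed,
        "unconfirmed": unconfirmed,
        "uncovered": uncovered,
    }


if __name__ == "__main__":
    for category, items in cross_check(REPORTS, COVERAGE, WANTED_CHECKS).items():
        print(f"{category}:")
        for item in items:
            print("   ", item)
```

In the constructed data, "host2 old_sendmail" is disputed because both tools claim to test it but only one reported it; "weak_passwords" is uncovered, so a clean report from both tools says nothing about it. Those are the two cases a tool's own output will never point out for you.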

Don't be afraid to ask for help. When it comes to security, you can never have enough feedback or assistance. Turn to your peers or local guru(s) to sanity check your auditing plan, testing tools, and the resulting output. After all, if you do not understand what the tool is telling you, how can you patch the holes in your networks and systems?

The best bet is to be an informed consumer. Keep up with the latest developments in the security world. Go beyond sales literature and industry hype. Peruse the various exploit and bug lists to see what the Black Hats have found. Check with your vendor(s) to see what patches are available. And keep up with both CERT and AUSCERT advisories. In short, STAY CURRENT.

This takes, as I have always said, a dedicated effort. It never ends, and there is no such thing as a completely, 100% safe network. However, if you commit yourself to the pursuit of security knowledge and you stay current, you are already way ahead of the game.

And to that fellow I chatted with on the train this evening, welcome to the list. ;-)