From: Stephen J. Smoogen (smooge@gmail.com)
Date: Mon Aug 22 2005 - 10:52:16 EDT
On 8/20/05, David Boynton <david.boynton2@cox.net> wrote:
> Hello everyone,
>
> Is anyone aware of any security baseline assessment tools like the ones
> provided by the Center for Internet Security? We are researching the
> possibility of using a "Baseline Compliance" metric, so the tools will need
> to be mostly automated (no manual checklists - we have enough of those!)
>
> Thanks for any and all help!
>
> Moderator: I know this barely qualifies as penetration testing, but the mod for Security Management kicked it back because it will start a discussion of technical tools. Please help me out! :)
>
At the moment, we are writing our own. I have found that the CIS tools
linked to from the NIST.gov worked well for a first best guess, but in
order to see if 4000 desktops matched those and could report
centrally.. plus deal with specialized network areas.. they needed a
lot of work.
To keep this with a penetration point of view, most of the baseline
tools are sort of a reverse penetration test. Penetrators usually go
for flag A, B, C... make sure they are turned off. It also seems to be
a lot harder to write versus some scripts to exploit :).
-- Stephen J Smoogen. CSIRT/Linux System Administrator
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:46 EDT