As the role of the CISO continues to evolve within organizations towards that of an executive-level position, we see a growing emphasis on traditional business administration skills over the more technical skills that previously defined the top security management job.
Nonetheless, CISOs need to keep abreast of the latest down-in-the-weeds tools and technologies that can benefit their organization's security posture, as well as those widely available tools that could be misused by malicious actors to identify and exploit network security weaknesses.
In light of that fact, we recently spoke with Nabil Ouchn (@toolswatch), the organizer of the Arsenal Tools show and activities at the BlackHat Conferences in both the US and Europe since 2011, and the founder of the portal Toolswatch.org.
Toolswatch is a free interactive service designed to help auditors, penetration testers, and other security professionals keep their ethical hacking toolbox up to date with the latest and greatest resources.
Ouchn is an influential security expert with more than 15 years of experience in vulnerability management, compliance assessment and penetration testing, and co-founder of an innovative SaaS Multi-Engines Threats Scanning Solution.
As part of his research, Ouchn maintains several projects, including Default Password Enumeration (DPE), the open source correlated & cross-linked vulnerability database vFeed, and the Firefox Catalog of Auditing extensions called FireCAT.
We asked Ouchn to assemble what he believed to be the top hacker tools every CISO should at least understand, if not actively encourage for integration into their own security programs.
"Keep in mind the paper Improving the Security of Your Site by Breaking Into It composed 20 years prior by Dan Farmer and Wietse Venema?" Ouchn asked. "It is still substantial today. The best approach to alleviating the vulnerabilities and dangers to a data framework stays being able to demonstrate that they exist."
"The accompanying is my rundown of instruments each CISO ought to be on top of, and it was tricky to thin it down to these few things with such a large number of significant apparatuses out there," Ouchn said. "My decisions were determined by a blend of the apparatus' quality and their usability."
ARMITAGE
“Metasploit has become over the years the best framework to conduct penetration testing on network systems and IT infrastructure. Nevertheless, I will focus on Armitage, an open source effort to bring a user-friendly interface to Metasploit,” Ouchn said.
“Armitage demonstrations are very convincing and allow you to analyze weak and vulnerable machines in a network in just a few clicks. The compromised devices are depicted with a lightning round,” Ouchn continued.
“This tool has brilliantly hidden the complexity of Metasploit (for a non-technical audience) in favor of usability, and is a great way to demonstrate the security in depth of an IT architecture,” Ouchn said.
“In fact, the framework has several capabilities to exploit vulnerabilities in almost any type of layer to therefore infiltrate (by pivoting) systems to reach the network’s nerve center. Armitage should definitely be part of the CISO’s Arsenal and his internal Red Tiger team.”
HASHCAT
“There is constantly a battle between security folks and users when it comes to passwords. Although it is simple to deploy a Password Policy in a company, it’s also very difficult to justify it,” Ouchn noted.
“Because in a perfect world from the users' perspective, the best password would be the name of the family cat with no expiration date, and this fact applies to any system that requires authentication.”
“HashCat has shown that the selection of a strong password must be done carefully, and this tool allows us to demonstrate the ease with which a password can be recovered,” Ouchn said.
“A CISO should certainly incorporate this password cracking tool in his arsenal because it allows to check the complexity of the company password policy. Of course, the complexity of a password is not the only criterion for a well-constructed policy, as there are a plethora of criteria: Duration, length, entropy, etc… So HashCat is a must have for any CISO.” (See also John the Ripper).
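The criteria named above (duration, length, entropy) can be checked together, and the "family cat" case shows why a character-class entropy estimate alone is not enough. The following is an added example, not code from the article or from HashCat; the policy thresholds, the tiny wordlist and the function names are assumptions made for illustration.

```python
import math
import string
from datetime import date

# Hypothetical policy thresholds (assumptions, not values from the article).
POLICY = {"min_length": 12, "min_entropy_bits": 60.0, "max_age_days": 90}
# Constructed stand-in for a real wordlist of names and common words.
WORDLIST = {"felix", "password", "summer", "welcome"}

def entropy_bits(password):
    """Upper-bound estimate: length * log2(size of the character classes used)."""
    pool = 0
    for chars in (string.ascii_lowercase, string.ascii_uppercase,
                  string.digits, string.punctuation):
        if any(c in chars for c in password):
            pool += len(chars)
    return len(password) * math.log2(pool) if pool else 0.0

def audit_password(password, last_changed, today):
    """Return the list of policy criteria this password fails."""
    failures = []
    if len(password) < POLICY["min_length"]:
        failures.append("length")
    if entropy_bits(password) < POLICY["min_entropy_bits"]:
        failures.append("entropy")
    if (today - last_changed).days > POLICY["max_age_days"]:
        failures.append("duration")
    # A word wrapped in digits or symbols scores well on character classes,
    # yet it is among the first candidates a dictionary-based recovery tries.
    if password.lower().strip(string.digits + string.punctuation) in WORDLIST:
        failures.append("dictionary word")
    return failures

if __name__ == "__main__":
    today = date(2024, 6, 1)  # fixed date so the constructed cases are repeatable
    for pw, changed in [("Felix2012", date(2024, 1, 1)),
                        ("Summer2024!!", date(2024, 5, 1))]:
        print(pw, round(entropy_bits(pw), 1), audit_password(pw, changed, today))
```

The second constructed password passes the length, entropy and duration checks and is still flagged, which is the gap a recovery tool exposes in a policy built on complexity rules alone.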
WIFITE
“You know what you have connected to when using your hardwired network, but have you ever wondered if the air is playing tricks on you? To test your WiFi security, Wifite has the simplest way,” Ouchn says.
“The grip is instantaneous. It is written in Python and runs on all platforms. CISOs should need only to supply the WiFi interface they use and it does the job, verifying that the corporate wireless networks are configured according to the applicable Security Policy, and better yet, it can be used to identify any open and accessible network that can potentially be harmful in terms of Phishing,” Ouchn continued.
“Wifite allows the discovery of all devices that have an active wireless capability enabled by default (like some printers for example). Wifite is a very simple and convincing way for a CISO to validate the security of wireless networks.” (See also AirCrack).
WIRESHARK
“Known for many years as Ethereal, WireShark is probably the best tool when it comes to sniffing for and collecting data over a network,” Ouchn says.
“On the one hand, WireShark has boosted its capabilities with the support of several types of networks (Ethernet, 802.11, etc.) and also in the simplicity of its use through a very friendly user interface.”
“WireShark allows a CISO to demonstrate that outdated protocols such as Telnet / FTP should be banned from a corporate network, and that sensitive information should be encrypted to avoid being captured by a malicious user,” Ouchn explained.
“Beyond the sniffing features, WireShark is also a great way to validate the network filtering policy. When placed near filtering devices, it can detect the protocols and communication flow in use. WireShark should be considered by any conscious CISO to validate the filtering policy and the need for encryption.” (See also Cain & Abel).
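The two checks described in this section, spotting banned cleartext protocols and validating the filtering policy from traffic seen near a filtering device, can be run over an exported flow list. This is an added example, not code from the article or from the Wireshark project; the allow-list, the sample rows and the function names are assumptions made for illustration.

```python
import ipaddress

# Cleartext protocols the article says to ban, keyed by well-known TCP port.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet"}
# Hypothetical filtering policy: (source net, destination net, TCP dst port).
ALLOWED = [("10.0.0.0/8", "10.20.0.0/16", 443), ("10.0.0.0/8", "10.20.0.5/32", 22)]

# Constructed sample in the tab-separated shape printed by
# `tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport`.
SAMPLE = (
    "10.1.1.10\t10.20.0.5\t443\n"
    "10.1.1.10\t10.20.0.5\t23\n"
    "10.1.1.11\t10.20.0.9\t21\n"
    "10.1.1.12\t10.20.0.5\t22\n"
    "10.1.1.12\t10.20.3.7\t3389\n"
    "truncated row\n"
)

def parse_flows(text):
    """Unique (src, dst, port) flows in first-seen order; malformed rows skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split("\t")
        try:
            src, dst = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
            flow = (src, dst, int(parts[2]))
        except (ValueError, IndexError):
            continue  # non-TCP packets export an empty port field
        if len(parts) == 3 and flow not in flows:
            flows.append(flow)
    return flows

def is_allowed(src, dst, port):
    return any(port == p and src in ipaddress.ip_network(s)
               and dst in ipaddress.ip_network(d) for s, d, p in ALLOWED)

def audit(text):
    """List flows that use a cleartext protocol or fall outside the policy."""
    findings = []
    for src, dst, port in parse_flows(text):
        flow = (str(src), str(dst), port)
        if port in CLEARTEXT_PORTS:
            findings.append(flow + ("cleartext " + CLEARTEXT_PORTS[port],))
        elif not is_allowed(src, dst, port):
            findings.append(flow + ("not permitted by filtering policy",))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```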
SOCIAL ENGINEERING TOOLKIT (SET)
“Those who attended the latest demo by David Kennedy (SET lead developer and author) at the BlackHat Arsenal in Las Vegas understand the importance of such a tool,” Ouchn said.
“SET is a framework that helps in the creation of sophisticated technical attacks which operate using the credulity of the human. It can be used in the process of preparing a phishing attack mimicking a known website or trapping PDF files with the appropriate payload,” he continued. “The simplicity of use via an intuitive menu makes it an even more attractive tool.”
“It is the dream of every CISO to drive security awareness campaigns without ruining the security budget. With SET, the team in charge of security audits can design attack scenarios and distribute them internally to the targeted users,” Ouchn says.
“This will confirm the users' security perception within the company and validate the best Awareness Policy to deploy. The SET tool is very well maintained and is also based on a framework already mentioned above: Metasploit.”