In this unit, we begin to discuss some security tools, such as password crackers, disassemblers, packet sniffers, etc. We will discuss many of these tools in the next section of the course, which covers networks. You will also use these tools much more extensively in your ethical hacking and penetration testing courses.
In this discussion, consider the use of these tools on your own networks. Should IT professionals in an organization be using these tools? How would you feel if your IT group were considering banning these tools on its network, with disciplinary ramifications? Is this a good idea, or are there good reasons for IT professionals to have these tools? What about non-IT employees?
I support the use of these tools by a very small number of experienced members of the IT team at an organization. This would be contingent on their having very clearly defined rules of engagement for using these tools to find vulnerabilities, and very clear definitions of where any investigation is to stop and how to document findings.
I would completely oppose these tools being used by non-IT employees. I cannot see the benefit of allowing them to use something with this much power, especially if they aren't formally trained on the tools.
I agree that the security team should be allowed to use these tools, but that their use should be strongly controlled. Only a very select set of users should be allowed to use them. They should only be used to test the defences of the company, and there should be strict rules about when they can be used. There should also be required approvals before they can be used, and how they will be used should be well documented. After they are used, what they were used for and the results of the tests should be well documented as well.
I also agree that anyone outside the very select group of IT security personnel should not have access to these tools. Even members of IT not on the security team should not be able to use them. There is no reason anyone outside of the security team should need to use these tools. Their use also comes with considerable risk, and people outside of the security team using them brings much more risk.
I think these tools should only be used when permission is specifically granted to use them. For the most part, if you're using these tools for educational purposes, you should point them at systems you own. The first thing we learned in the intro to ethical hacking course is to only use tools on machines you own or machines that you have been granted written permission to use them on. I think regular use of these tools should be prohibited in an organization. If a variety of people are using tools against a network or system without any policies or procedures governing these tests, then there are too many risks. However, there should be periodic penetration tests where experienced professionals probe the system with permission from the necessary authorities. I think that these tools serve a legitimate, non-malicious function and that it is important to have professionals who specialize in these tools, but due to the nefarious potential of the tools, they need to be strictly managed to ensure they are only being used for good. Non-IT employees might benefit from being exposed to these tools, but the associated risks are significant, so I would avoid allowing them any access.
I believe that these tools are essential in vulnerability testing of your organization. These tools ultimately protect against outsiders getting data that people would not want disclosed to the public. Not every IT professional, however, should have access to these tools; only ones who know how to use them wisely should have access. These tools could reveal vulnerabilities that you want to keep private, and thus if outside IT organizations were to have access to them, it could lead to knowledge that you do not want in other people's hands.
I believe that organizations should continue to allow IT security professionals to use these security tools because they are necessary to identify weaknesses in the system. Tools such as Nessus can help an organization identify common vulnerabilities and exposures and provide ways to help the organization fix them. Without these tools available to the internal IT group, pen testing and vulnerability scanning would need to be outsourced, usually at a premium. Outsourced services can return vulnerabilities that could be easily fixed and managed internally. Policy should be in place that addresses who can use the tools, what they can use them for, and appropriate levels of scanning that will not disrupt business operations. These tools should not be used by employees who are not qualified or required to use them. Doing so would lead to improper use and may cause business disruption to critical systems or may destroy critical data.
These tools, when in the proper hands, can improve the strength of security on your network. It can't hurt to have an engineer trained in pen testing techniques working with these tools inside your network. These tools should not, however, be made readily available to the rest of your IT staff or to non-IT staff. They can cause harm if not used properly.
I agree with everyone who has commented thus far. These tools are critical to helping a security team or audit team conduct penetration testing to ensure that the network is secure. As stated above, they should only be used by the security team, and only with the permission of the company. No employees should use these tools without notifying the company. If it is found that an employee uses tools on the network without permission, it is justifiable to discipline the employee. We have used these tools in prior classes, such as introduction to ethical hacking, and learned that running tools like Wireshark or Nmap commands should only be done with the permission of your company, especially if you are scanning active servers, etc. If there are employees capable of conducting penetration tests, then these tools should be used.
Nmap is a really great tool for all kinds of passive/active scanning activities. I use it regularly to scan for open ports and services without interrupting any services. For example, if I scan just for server availability and response time, I would need an authorization for this type of information gathering. However, for more verbose scanning I would definitely need authorization from the Change Advisory Board at our company and a scheduled date/time accordingly.
I have mixed feelings about banning security tools on the network for the IT group, with disciplinary ramifications.
The security team in an IT company, which owns this trustworthiness, should be the only ones allowed to own and run such tools, and then only with appropriate permissions.
When you grant permission to carry out a penetration test, there is also an agreement between the client and the tester to maintain confidentiality of all the results obtained through the test.
If any general IT team member is allowed to use such tools, then he can run a vulnerability scanner, find vulnerabilities in the network, and even make them public. So there should be strict monitoring and rules for general IT employees to prevent installation of any security tools. The rules should include strict disciplinary action if any employee is found using such tools.
There are many security tools that are very beneficial for security professionals, including:
– Wireshark for sniffing network data and detailed protocol and packet analysis
– Ettercap for MITM attacks
– Kismet for detailed wireless scans and vulnerability analysis
– Cain and Abel for password cracking / recovery
– Metasploit for vulnerability exploitation
All these tools can be used in pen testing activities by IT security professionals, but they can also be dangerous in the hands of non-IT users. IT professionals in an organization should always be allowed to use these tools in order to perform vulnerability scans and test the network's level of security protection as part of normal security job activities. However, in order to make sure that the tools are used only by authorized IT professionals, the company should have security policies and technical controls that address the following:
– what tools are allowed
– what activities should be conducted with those tools
– what systems are allowed to be tested
– who is authorized
– which machines are allowed to have these tools installed
– which switch ports are allowed to capture/mirror traffic
– what SIEM is in use to monitor and alert on abnormal activity in network flows and traffic types
Non-IT personnel should never be allowed to install and use these tools in order to avoid security violations, network bandwidth saturation, unexpected traffic flow interruptions, and other downtimes that can be caused by non-IT users.
Non-IT personnel might not understand the results of a scan and may not know how to interpret them either. Scans can be performed from both outside and inside the network. Outside scanning gives an idea of which ports should be closed or what vulnerabilities are exposed. Inside scanning gives an idea of the vulnerabilities of devices such as servers, routers, switches, etc. I think these tools can be used with care by IT persons.
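The last bullet of the control list above (a SIEM that alerts on abnormal traffic) is the one control that can actually catch someone running a scanner without approval. As an added example that is not part of any post in this thread, here is a minimal version of such a rule in Python: it walks per-flow records (timestamp, source, destination, destination port), keeps a sliding 60-second window per source/destination pair, and fires when one source touches 20 or more distinct ports on one host inside that window. Sources on an allowlist of approved scanner hosts (the "who is authorized" and "which machines" bullets) are still reported, but at informational severity, so authorized tests leave an audit trail while unauthorized ones escalate. The hosts, the threshold and the flow records are all constructed for the example, not taken from any real network.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical allowlist: the one host the security team is approved to scan from.
AUTHORIZED_SCANNERS = {"10.1.5.20"}


def make_sample_flows():
    """Constructed flow records (timestamp, src, dst, dst_port); not real logs."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    flows = []
    # Approved scanner host sweeps 25 ports on one server in 25 seconds.
    for i in range(25):
        flows.append((base + timedelta(seconds=i), "10.1.5.20", "10.1.8.10", 1 + i))
    # An ordinary workstation does the same sweep against another server.
    for i in range(25):
        flows.append((base + timedelta(seconds=30 + i), "10.1.9.77", "10.1.8.11", 1 + i))
    # Normal user traffic: a few ports spread over several minutes.
    for i, port in enumerate([80, 443, 445, 53, 443]):
        flows.append((base + timedelta(minutes=i), "10.1.9.78", "10.1.8.11", port))
    return flows


def detect_port_scans(flows, authorized_scanners, threshold=20,
                      window=timedelta(seconds=60)):
    """Return one alert per (src, dst) pair whose distinct destination ports
    reach `threshold` within any sliding `window`.

    Severity is "info" for allowlisted scanner hosts (expected, but logged)
    and "high" for any other source.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst)].append((ts, port))

    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        recent = deque()          # (ts, port) events inside the current window
        port_counts = Counter()   # distinct ports currently inside the window
        fired = False
        for ts, port in events:
            recent.append((ts, port))
            port_counts[port] += 1
            # Expire events older than the window from the left.
            while recent and ts - recent[0][0] > window:
                old_ts, old_port = recent.popleft()
                port_counts[old_port] -= 1
                if port_counts[old_port] == 0:
                    del port_counts[old_port]
            if not fired and len(port_counts) >= threshold:
                fired = True  # one alert per pair, raised the moment it trips
                alerts.append({
                    "src": src,
                    "dst": dst,
                    "distinct_ports": len(port_counts),
                    "window_start": recent[0][0],
                    "window_end": ts,
                    "severity": "info" if src in authorized_scanners else "high",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(make_sample_flows(), AUTHORIZED_SCANNERS):
        print(f"[{alert['severity']:>4}] {alert['src']} -> {alert['dst']}: "
              f"{alert['distinct_ports']} ports between "
              f"{alert['window_start']:%H:%M:%S} and {alert['window_end']:%H:%M:%S}")
```

On the constructed data this produces two alerts: an informational one for the approved scanner and a high-severity one for the workstation, while the user doing normal browsing never trips the rule. A real deployment would feed the same logic from NetFlow/IPFIX or firewall logs and tune the threshold and window to the environment; the allowlist is what turns "scanning happened" into "unapproved scanning happened".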
I feel IT personnel in my organization should use password crackers. This helps in hardening the systems and closing any loopholes or backdoors. It's best they do all the penetration testing to see if the systems are "hackable". Passwords are the most widely used form of authentication throughout the world, so it's important to see if your password policy is effective through testing. For instance, if you can replay a cookie, session ID, a Kerberos ticket, an authenticated session, or other resource that authenticates the user after the password authentication process, you can access the password-protected resource without ever knowing the password. These are important tests to carry out, even just to test your infrastructure.
I believe non-IT professionals should be allowed access to these tools just to see how far they can go. If your system is secure, then a lay person should not be able to penetrate it. If a lay person can, then your setup has some serious problems and you need to immediately get back to the drawing board.
The danger with professionals is that they can do testing in a controlled environment and miss out on a lot of real-life situations. The difference with the lay person is that they would work in the real world and so would encounter actual issues or loopholes, if any, at some point.
BAD IDEA. If tools were banned from IT or anyone else in the company, I would be searching for a new company to work for. That said, I encourage any ethical IT or non-IT professional to learn any new tool that is being used to help figure out problems or make their lives easier and more efficient. The ramification of not being able to use a tool is like taking your car to the mechanic and telling them not to put a tool on the car and fix it. Applications, networks or servers don't always tell the entire story of what the problem is, and it's needed to display what was on the network at that particular time. The only time I think it's a bad idea for non-IT professionals to have Wireshark is because they will see a red line in the capture, for example a retransmission, and they want to blame the network, when in fact they did not follow the packets and see that it was retransmitted and continued on its communication .25 ms later. I don't get too upset, because they are only trying to figure out a problem and need an explanation.
I think even IT professionals who need these tools should apply for permission to use them. With internal access, it is much easier to hack than it is for external people. There should be a control administrator who can choose to approve or deny the use of these tools in a company. Also, a specific time schedule and signatures must be required. It will help us to know when and who used what tools. Non-IT employees should not use these tools unless they have special situations. Then they need to write reports to the administrator, and he/she can decide if they have to use these tools themselves.
I think IT professionals in an organization should be authorized to use these security tools, but segregation of duties, background checks, appropriate training and ethical guidelines are also necessary for them. These security tools are usually used by security professionals to protect and recover systems, data and networks, and to detect vulnerabilities and attacks. Without these tools, they can hardly complete their work. However, these tools also give them a great deal of power over system authorization. This could be dangerous, in that they can even authorize themselves and cause internal hacking. For example, password crackers can be used to help a user recover a forgotten password and check for easily crackable passwords, while they can also be used to gain unauthorized access to a system. Another example is a packet sniffer, which can be used to analyze network problems and detect network intrusion attempts by intercepting and logging traffic over networks, but it can also be used to spy on network users' traffic and collect personal information or passwords in the same way. It is obvious that there should be restrictions on what security professionals can do, and thus enforcement of restriction policies and segregation of duties is necessary. In addition, all security professionals should have background checks before employment. Training and education are also needed to make them aware of their liabilities and responsibilities. An organization should develop thorough ethical guidelines or policies and require security personnel to sign them. In addition, non-IT employees should not be able to access these security tools, to avoid possible internal hacking, either intentional or unintentional. Non-IT employees may accidentally cause damage to systems or the network if they are given access to these tools.
I feel that IT professionals should definitely be allowed access to these tools, as well as non-IT professionals, although I know there may be some ramifications if such an individual were in fact able to do harm to the system. As Mushima alluded to, your system should be hardened to the point that no lay person with access to these tools should be able to affect your system. If they can, further hardening measures should be taken, because your system security is faulty. Also, proper IDS and IPS systems should be able to detect any unauthorized access, and the proper authorities should be alerted. Hopefully, the company culture makes it so that if any employee discovers a loophole, they would alert the proper authorities. I would rather have a loyal employee discover the vulnerability than a malicious outsider.