In this unit, we begin to discuss some security tools, such as password crackers, disassemblers, packet sniffers, etc. We will discuss many of these tools in the next section of the course, which covers networks. You will also use these tools much more extensively in your ethical hacking and penetration testing courses.
In this discussion, consider the use of these tools on your own networks. Should IT professionals in an organization be using these tools? What would be your feelings if your IT group was considering the banning of these tools on their network, with disciplinary ramifications? Is this a good idea, or are there good reasons for IT professionals to have these tools? What about non-IT employees?
Ahmed A. Alkaysi says
It really depends on the job of the individual. I don’t see why an Application Developer or a Database Administrator would require access to these tools, so they should be banned from using them. However, if you are part of the pen testing or cyber security team, you would most likely need access to one of these tools to do your job. In general, these tools should be banned unless clearance has been provided and there is a business objective that requires them.
Non-IT employees should never have access to these tools, at all. There is simply no reason why they should. What does an Accountant or Business Analyst need these tools for? While certain jobs within IT might need the ability to use some of the features the tools provide, non-IT professionals wouldn’t and shouldn’t ever need it.
Neil Y. Rushi says
You’re absolutely right Ahmed – those who are in the company handling the cyber security roles should have access to the tools. I can only see a software developer having access to them if the software was made in-house or is a combination of off-the-shelf and in-house development. But if they had nothing to do with it, they shouldn’t touch it. Non-IT employees shouldn’t be exposed to the tools.
Jason A Lindsley says
Ahmed, I agree with your comment that this should be based on job function. Another key requirement that we learn about in Ethical Hacking and Penetration Testing is the requirement for written permission. Even those that are trained and experienced with using these tools (e.g. packet sniffers and password crackers) should formally obtain written permission on a clearly defined scope and objective before using these tools, especially in a production environment. If used inappropriately, these tools could result in disruption of IT systems or inappropriate disclosure of information.
Ronghui Zhan says
I agree with this. By doing this, we know who uses what. We have records. When bad things happen, we know what’s going on.
Younes Khantouri says
Ahmed,
These tools are tested and certified, so using them won’t be a big issue. However, not every IT employee should be able to use these tools, nor should employees who do not belong to the IT department. In other words, restrictions on using these tools should be applied depending on people’s roles, after a discussion.
Fred Zajac says
The decision to allow certain penetration testing and vulnerability scanning tools should be properly discussed prior to deployment, and each tool should be assigned to a utility owner. The utility owner will be the only authorized administrator, who would assign other users.
I believe the decision to allow these tools is based on the job description of the individual. In my experience, a technology professional will pitch the business case of an application to the C-level executives. If the business calls for specific tools to mitigate the risks from a high-level threat, it may be a good idea to have these tools available to those who are authorized to use them.
Donald Hoxhaj says
Hi Fred,
I absolutely agree with you that security tool implementation or withdrawal needs to be discussed with employees and those at the user level before making a decision. Most organizations try to force decisions or changes on employees without their consent. Nevertheless, as you mentioned, as long as the situation demands it and specific tools are required to mitigate certain risks, both IT and non-IT employees should be required to have adequate knowledge about their use and implementation.
Oby Okereke says
Personally, I would find it rather worrisome should non-IT employees have access to these security tools in a workplace. Security tools such as password crackers, disassemblers, packet sniffers, etc., should be part of the arsenal of a cyber security professional. They should be approved by management prior to their adoption in the workplace. Overall, organization policies should trump any business reasons for these tools to be used in the environment, to avoid any subsequent abuse even in the hands of trusted IT professionals whose job descriptions approve the use of such tools.
Donald Hoxhaj says
If the organizational requirement and the job role demand that one use these tools for either data protection or operational security, then one should definitely use them. It absolutely depends on the need of the hour and the revenue leakage in times of a security lapse. In my view, if any organization or IT group decides to ban these tools, I think it would make a big disaster out of it. Unless an organization has planned well, it is fine. If not, then it would end up making security compromises for which the employees would be blamed in the end for lapses. It is important that management discusses well in advance the impact of banning these tools on business operations. Network vulnerability is huge and the rate of security breaches has been steadily increasing. The importance of these tools, I feel, would be much more appreciated by an IT professional than by a non-IT employee. However, as long as these tools protect personal or organizational data, even non-IT employees should be trained on them and allowed to use them on their systems.
Younes Khantouri says
Donald,
Organizations should define the tools that are supposed to be used for monitoring and maintaining the security level of the IT resources. It has a lot to do with whether the job role demands the use of these tools.
Shi Yu Dong says
It truly relies on the activity of the person. I don’t perceive any reason why an Application Developer or a Database Administrator would expect access to these devices, so they ought to be restricted from them. In any case, in the event that you are a piece of the pen testing or digital security group, you would in all likelihood require access to one of these devices to carry out your activity. All in all, these instruments ought to be prohibited unless a freedom has been given and there is a business target that requires them.
Non-IT workers ought to never approach these instruments, by any stretch of the imagination. There is essentially no reason why they should. What does an Accountant or Business Analyst need these devices for? While certain occupations inside IT may require the capacity to utilize a portion of the highlights the apparatuses give, non-IT experts wouldn’t and shouldn’t ever require it.
Younes Khantouri says
Security Tools:
I do believe that in so many cases companies define the tools that are supposed to be used for monitoring and maintaining the security level of the IT resources. It has a lot to do with whether the job role demands the use of these tools. In my opinion, organizations should use anything to protect IT resources, including such testing tools. The biggest question at this point will be: how much can these tools reflect the organization’s security?
In so many cases, especially if these tools are tested and certified, using them won’t be a big issue. However, not every IT employee should be able to use these tools, nor should employees who do not belong to the IT department. In other words, restrictions on using these tools should be applied depending on people’s roles, after a discussion.
Fraser G says
Should IT professionals in an organization be using these tools? What would be your feelings if your IT group was considering the banning of these tools on their network, with disciplinary ramifications? Is this a good idea, or are there good reasons for IT professionals to have these tools? What about non-IT employees?
Employees should be using whatever tools are necessary to make their network more secure. At the end of the day, a tool is a computer program, it has no inherent intent or morality. Many tools that are considered “hacker” tools aren’t available under a vendor labeled product (although that seems to be changing).
Banning these tools is a bad idea; it shows you don’t trust your employees and gives them a handicap. Using the tools should require explicit permission (that has been recorded) as well as some sort of sign-off from a boss / leader. Training should be given, if possible and needed. It’s a very fine line between having a set of useful but potentially dangerous tools and arming your employees without them knowing what they are doing. Striking a balance is difficult but important – bad actors will use whatever tools they have to infiltrate your network and you shouldn’t limit yourself when preparing.
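The recorded, scoped, signed-off permission that Jason and Fraser describe above (written permission on a defined scope before a packet sniffer or password cracker is run, plus a record of who used what) can be expressed as an authorization check with an audit trail. The following is an added example, not code from the original thread or any course material; the roles, tool categories, user names, IP ranges and authorization records in it are constructed assumptions for illustration only.

```python
"""
Role-based, scoped authorization for dual-use security tools (packet
sniffers, password crackers, disassemblers) with an audit trail.
Added example; every role, user, tool name and network below is a
constructed assumption, not an organization's real policy or data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress

# Hypothetical role -> tool-category allowlist (assumption). A role that is
# absent here, e.g. a non-IT role, is allowed no tools at all.
ROLE_ALLOWLIST = {
    "security": {"packet_sniffer", "password_cracker", "disassembler"},
    "network_engineer": {"packet_sniffer"},
    "developer": set(),
    "dba": set(),
}


@dataclass(frozen=True)
class Authorization:
    """A written permission: one user, one tool, a target scope, a time window
    and a sign-off. An empty approved_by means the paperwork is not signed."""
    user: str
    tool: str
    scope: tuple            # CIDR strings the engagement may touch
    not_before: datetime
    not_after: datetime
    approved_by: str


@dataclass(frozen=True)
class ToolUseRequest:
    """A request to point a tool at a single IPv4/IPv6 address at a given time."""
    user: str
    role: str
    tool: str
    target: str             # IP address literal (hostnames are not resolved here)
    when: datetime


def in_scope(target, scope):
    """True if the target address falls inside any CIDR of the authorized scope."""
    addr = ipaddress.ip_address(target)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in scope)


def authorize(req, authorizations, audit):
    """Decide whether the request may proceed. Returns (allowed, reason) and
    appends one record per decision to `audit`, so there is always a trace of
    who asked to use what, against which target, and why it was (dis)allowed."""
    reason = None
    if req.tool not in ROLE_ALLOWLIST.get(req.role, set()):
        reason = f"role {req.role!r} is not permitted to use {req.tool}"
    else:
        matching = [a for a in authorizations
                    if a.user == req.user and a.tool == req.tool]
        if not matching:
            reason = "no written authorization on record"
        for a in matching:
            if not a.approved_by:
                reason = "authorization lacks sign-off"
            elif not (a.not_before <= req.when <= a.not_after):
                reason = "authorization window not open or already expired"
            elif not in_scope(req.target, a.scope):
                reason = f"target {req.target} is outside authorized scope {a.scope}"
            else:
                reason = None       # this record fully covers the request
                break
    allowed = reason is None
    audit.append({"user": req.user, "role": req.role, "tool": req.tool,
                  "target": req.target, "when": req.when.isoformat(),
                  "allowed": allowed, "reason": reason or "ok"})
    return allowed, reason or "ok"


def demo():
    """Run a few constructed requests through the check; returns (results, audit)."""
    utc = timezone.utc
    now = datetime(2024, 3, 1, 10, 0, tzinfo=utc)
    window = (datetime(2024, 3, 1, tzinfo=utc), datetime(2024, 3, 2, tzinfo=utc))
    authorizations = [
        Authorization("alice", "packet_sniffer", ("10.0.5.0/24",), *window, "cso"),
        Authorization("bob", "password_cracker", ("10.0.9.0/24",), *window, ""),
    ]
    requests = [
        ToolUseRequest("alice", "security", "packet_sniffer", "10.0.5.17", now),
        ToolUseRequest("alice", "security", "packet_sniffer", "10.0.6.17", now),
        ToolUseRequest("bob", "security", "password_cracker", "10.0.9.3", now),
        ToolUseRequest("carol", "developer", "packet_sniffer", "10.0.5.17", now),
        ToolUseRequest("dave", "accounting", "disassembler", "10.0.5.17", now),
    ]
    audit = []
    results = [authorize(r, authorizations, audit) for r in requests]
    return results, audit


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The role check runs first so that a non-IT or non-security role is refused even if someone has filed paperwork for them; the written record is then checked for sign-off, validity window and scope in that order, and the audit list captures every refusal reason, which is what makes "we know who uses what" possible after the fact.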
Brent Hladik says
In this discussion, consider the use of these tools on your own networks. Should IT professionals in an organization be using these tools?
Password crackers, no; packet sniffers, potentially. Personally I feel it is unethical for companies to use password crackers, as that violates personal privacy. The only reason this would be acceptable to use is if there were absolute facts that someone had committed a crime against the company and IT security needed to verify whether any information was stolen from their system or something. Packet sniffers would potentially be used for the same reason.
What would be your feelings if your IT group was considering the banning of these tools on their network, with disciplinary ramifications?
I think it would be a good thing to do as it would make me feel safer knowing that there wouldn’t be others potentially trying to break into my system.
Is this a good idea, or are there good reasons for IT professionals to have these tools?
Mainly a good idea, as I mentioned before, for forensic reasons: if a company needed to verify what was stored on someone’s computer when there was any reasonable doubt as to whether a person was committing a crime or not.
What about non-IT employees?
I would feel the same, as I would think they would be more dangerous using these tools, since they would be playing with the tools more, potentially causing more damage.
Ryan P Boyce says
Personally, I would not be comfortable with my organization using password crackers in the environment. I think a good motto for anyone in IT security is, “Don’t trust anyone”. Even if there are policies in place that restrict their use to only certain areas or somehow require admins to avoid cracking employee passwords, I would still not be comfortable. For packet sniffers, I would not be as concerned as I would be with password crackers. I’m sure somewhere in my employer’s network, packet sniffers are employed. The justification here is that encrypted data within the packet is still encrypted upon inspection.
Sachin Shah says
Non-IT employees should have no access to these tools. I am a developer and not in security, but I have actually worked with vendors to address connectivity issues. I was able to download Wireshark and packet sniffer tools. I work with vendors who have VPN accounts, and we send data via HTTPS, TCP/IP and FTP. Having these tools at my disposal lets us know which side is rejecting the connection. I do not feel everyone in IT should have use of these tools, but certain members could benefit from them.