October 2007

Why Good Security Testing Tools Matter

The right security testing tool can mean the difference between identifying security vulnerabilities before they become a problem or simply discovering problems after they occur.

Kevin Beaver, CISSP
Principle Logic LLC

When it comes to identifying vulnerabilities and minimizing security risks, traditional techniques such as security audits may not be up to the task. Malicious outsiders and rogue employees don't stop at, "Yes, laptop encryption is in place," "Yes, strong passwords are being used," or "Yes, a no wireless policy exists." These individuals are looking beyond these basic controls, which are often not implemented correctly. They also know that policies are minimally enforced at best in many organizations. As a result, internal auditors need to extend their testing several steps further to validate that problems exist and determine how these vulnerabilities can be exploited. This means auditors must take the lead and work like hackers and rogue employees do, think like they do, and — most important — use good tools like they do.


Like chemists, carpenters, and doctors, internal auditors need to use the right tool for the right job if they are going to stay ahead of the curve. This is because the tools of a professional are often different from those of a novice. For instance, the tools used by a biochemist are far more precise than those used by a middle school student taking a chemistry course. The same is true for professional internal auditors focused on IT security: Knowing the right tool for the job and how to use it can distinguish a professional auditor from someone who is dabbling in IT security. In fact, the quality of the tools used for performing security assessments will directly impact the number of vulnerabilities discovered and the overall success of the testing activity. However, auditors should not rely on tools alone to detect all security vulnerabilities to corporate assets. Auditors need to rely on experience and technical knowledge to root out the less-than-obvious vulnerabilities.

Selecting the wrong tool can also be an expensive venture, and that holds for freeware and open source tools as well: although auditors and organizations may not lose money directly, the time lost getting the software installed and then producing a final report can be substantial. Furthermore, auditors need to consider how the test will be conducted. Often, manual testing alone is too time consuming, limited, and difficult. Finding tools that fit the auditor's testing style and the characteristics of the company's IT network can be just as hard. The good news is that many of the newer security tools — even the free or inexpensive ones — are full of value. Auditors simply have to know what to look for and how to find them.


The uniqueness of IT environments from organization to organization makes a "one-size-fits-all" approach to security impossible. Because every network and business environment is different, it is difficult to recommend specific security testing tools. However, many software programs can be classified according to the phases of widely recognized ethical hacking methodologies:

  1. Reconnaissance tools, which enable auditors to see what can be discovered about the organization and its network assets by using the tool from the Internet or inside the corporate network. Reconnaissance tools are typically freeware and open source, including Internet search engines such as Google. For instance, auditors can use www.whois.net to obtain Internet domain information or perform a Google search to find sensitive files stored on Web servers.
  2. Enumeration tools, which allow users to glean more detailed information from specific hosts on the corporate network — such as workstations, servers, Web applications, databases, and network infrastructure systems — by finding storage-related systems or live hosts and the services they are running. Most enumeration tools are freeware or open source. Typically, system enumeration capabilities are built into vulnerability scanners, so auditors may be able to skip this type of tool for all but the most niche technologies (e.g., a storage system) that need to be tested.
  3. Vulnerability scanning tools, which root out specific weaknesses in corporate hosts, applications, databases, and source code, such as identifying operating system weaknesses, scanning for Web application flaws, or listing database misconfigurations. There are freeware, open source, and commercial vulnerability scanning tools on the market, but the commercial ones are the easiest to use and are better able to detect the most current vulnerabilities with the smallest amount of false positives (i.e., vulnerabilities that are incorrectly reported).
  4. Exploitation tools, which enable auditors to take the final step in security testing by identifying which of the discovered vulnerabilities can actually be exploited. There are commercial and open source (e.g., Metasploit) exploitation tools, with the open source ones often as valuable as the commercial ones and less expensive. Metasploit, for example, can be used to exploit a missing patch on a server and obtain full administrator-level and command-prompt access to the system.

An important point to keep in mind is that during each of the ethical hacking phases (i.e., reconnaissance, enumeration, vulnerability scanning, and exploitation), general tools that can support any live system with an Internet protocol (IP) address are sufficient. However, auditors also may need technology-specific tools to find issues in niche and newer technologies. Specific tools needed include those for wireless networks, Web applications, databases, storage systems, Voice over IP, and software source code. The goal is for auditors to use these tools with a malicious mindset when looking for security vulnerabilities that originate outside or inside the company's IT network.


Traits of a Good Security Tool

When selecting a security testing tool or recommending the purchase of one, internal auditors should pay attention to the following traits:

  • The amount of time needed to set up and use the tool.
  • The tool's ease of use.
  • The application's reporting features.
  • The availability of a demo or trial version.
  • The vendor's reputation and level of customer support available.

Just like any tool used in life, there are good and bad security testing applications. The key to finding the right tool is to know what to look for. Perhaps the most important attribute of a good security testing tool is its ease of use. The last thing auditors should do is spend time setting up and running a tool only to troubleshoot it constantly. If the software is not relatively simple to use, auditors should determine whether or not the tool is worth using. Most likely auditors will opt not to use the tool, given the existence of user-friendly tools that can perform complex types of security testing.

Another attribute to look for in a security tool is its broad reporting features. In today's world of big governance, auditors have to keep solid records to properly document their work. In the context of security assessments, this means having documentation to back up an action. By and large, most tools have at least some form of rudimentary reporting feature. Hence, auditors should look for tools that have pre-canned report templates for colorful executive summaries and that include the technical details needed for remediation reports. These templates will help to take the pain out of the testing process — especially toward the end of the project when it takes time to generate detailed reports. It's important to point out that not all tools will have reporting features. In this case, a screen shot of the findings may be enough.
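As an added example (not from the article), the following Python cross-checks vulnerability scanner output against the exploitation phase and a patch inventory before it goes into the report, so that confirmed findings, likely false positives, and items still needing manual verification are separated for the executive summary and the remediation details described above. Hosts, patch identifiers, and tool names are constructed placeholders.

```python
"""Cross-check scanner findings against other evidence before they go into the report.

Added example, not from the article. Hosts and patch IDs are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    phase: str          # reconnaissance | enumeration | vulnerability scanning | exploitation
    host: str
    patch_id: str       # placeholder identifier as reported by the scanner
    severity: str
    status: str = "unverified"
    note: str = ""


# Constructed inputs: raw scanner output, the patch inventory, and the exploitation log.
SCAN = [
    Finding("vulnerability scanning", "10.0.0.5", "PATCH-A", "critical"),
    Finding("vulnerability scanning", "10.0.0.9", "PATCH-B", "high"),
    Finding("vulnerability scanning", "10.0.0.9", "PATCH-C", "medium"),
]
INVENTORY = {"10.0.0.5": set(), "10.0.0.9": {"PATCH-B"}}   # patches the inventory says are installed
EXPLOITED = {("10.0.0.5", "PATCH-A")}                       # (host, patch) pairs confirmed in the exploitation phase


def validate(scan, inventory, exploited):
    """Tag each scanner finding: confirmed by exploitation, contradicted by inventory, or needs a manual check."""
    out = []
    for f in scan:
        g = Finding(f.phase, f.host, f.patch_id, f.severity)
        if (f.host, f.patch_id) in exploited:
            g.status, g.note = "confirmed", "exploited during testing"
        elif f.patch_id in inventory.get(f.host, set()):
            g.status, g.note = "likely false positive", "inventory shows patch installed; verify by hand"
        else:
            g.status, g.note = "needs manual verification", "no corroborating evidence"
        out.append(g)
    return out


def summary(validated):
    """Executive-level counts per status, plus the technical lines a remediation report needs."""
    counts = {}
    for f in validated:
        counts[f.status] = counts.get(f.status, 0) + 1
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    details = [f"[{f.severity.upper()}] {f.host} {f.patch_id}: {f.status} ({f.note})"
               for f in sorted(validated, key=lambda f: (order[f.severity], f.host))
               if f.status != "likely false positive"]   # suspected false positives are held back for review
    return counts, details
```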

Finally, when evaluating commercial tools, as well as freeware and open source applications to an extent, auditors need to make sure the tool's developer or vendor is easy to work with. Companies and auditors should not invest time and money on a tool that doesn't have a reasonable level of support or good customer service.


Whether auditors are doing the actual work or want to make sure their IT and security staff are using what's best for the organization, good security testing tools do make a difference. Remember: There is no single best tool — auditors might need to use a combination of freeware, open source, and commercial products. Either way, the auditor and the organization may have to spend some money to be able to perform the audit as effectively as possible.

Furthermore, when auditors spend a relatively small amount of time conducting research — that is, asking tool vendors questions to make sure their solution is a good fit or trying the tools before buying them — they will be able to obtain the information needed to select the tool that best meets the organization's audit needs. In addition, when a good tool is selected, the auditor will know it — amazingly, he or she will be able to minimize the time and effort needed to install the tool, run tests, and report results. Most important, auditors will be able to maximize the number of vulnerabilities discovered to help reduce the risks associated with their organization's information systems. In the long run, the time spent researching a good security testing tool will add up to considerable business value that an auditor or organization can't afford to overlook.

Kevin Beaver, CISSP, is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic LLC. He has nearly two decades of experience in IT and specializes in performing information security assessments on compliance and risk management. Beaver has authored and co-authored seven books on information security, including Hacking for Dummies, Hacking Wireless Networks for Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance. He's also the creator of the Security on Wheels information security audio books.

