Transcript of Session #E9: Using Free Tools to Assess and Audit Your Wi-Fi Network
MIS Training Institute © Lisa Phifer and Diana Kelley
© 2011 Lisa Phifer and Diana Kelley

Session #E9
Using Free Tools to Assess and Audit Your Wi-Fi Network
April 21, 2011, 11:30am – 12:45pm
Lisa Phifer, Core Competence, Inc; Diana Kelley, SecurityCurve
[email protected]@securitycurve.com

AGENDA
– Business Justification for Wi-Fi Vulnerability Assessment?
– The Wi-Fi VA Lifecycle: Plan > Scan > Validate > Remediate
– Building a Wi-Fi VA Toolkit
  • Create your “kit”
  • Buy or download tools
  • Define and automate tasks
– Lessons Learned
Business Justification for Wi-Fi VA
– Situational Awareness
  • Understand where exposures exist
  • Create plan to address risks
– Cost Savings
  • Remediate during other scheduled maintenance
– Audit Readiness
  • HIPAA: protect PHI transmitted electronically over open networks
  • PCI-DSS (including Wireless) Guidelines
  • DoD 8100.2: 4.2 and 4.3 “No Fly” Zones

Wi-Fi VA In-House, Outsource or Both?
Outsource
– 3rd party assessor: conducts on-site testing
– External scanning company: conducts remote scans
PROs
– Don’t need in-house expertise
– No hardware/software costs for testing
CONs
– Costly, esp. for on-site testing
– NB: External scanning not a replacement for on-site testing

Wi-Fi VA In-House, Outsource or Both?
In-house
– Perform assessments using internal resources
PROs
– May cost less
– Increased control over the process
CONs
– Requires in-house expertise
– Cost of tools/software can increase cost
Use best-of-both combination of approaches
– In-house for repeated, routine checks
– Outsource for periodic external validation

Strategy for Vulnerability Assessment
– Identify assets and resources
– Determine relative values
– Enumerate and validate threats and vulnerabilities
– Manage risk
  • Accept
  • Mitigate or Eliminate
  • “Transfer”
Wi-Fi VA Lifecycle

Define the Course of Action
– Scope
  • What systems will be covered?
  • What diagnostics will be run?
  • What reports will be generated?
– Background
  • RF floorplans (AP mounts, SSIDs, coverage areas)
  • Network maps (subnets/VLANs, controller/AP IP/MACs)
  • Intended device settings, security policies

Define the Course of Action
– Equipment
  • Required software and hardware
– Personnel
  • Assign roles
  • Define responsibilities
– Reporting and Response
  • What kinds of reports are required?
  • Who will review reports?
  • What is the response plan?

See What’s Out There
– Scan for vulns & exposures
  • Throughout your airspace
  • From the wired network
– What to Look For
  • Rogues
  • Data Leaks
  • Misconfigured Devices
  • Availability and Coverage Gaps
Demos in just a few minutes...

Trust but Verify
– Reports from scanning tools
  • Review scans: eliminate false positives, note accepted/known exposures
  • Confirm vulns and exposures (this is often a manual task)
  • Revise reports with verified information
– Prioritize
  • Assess vulns and impacts
  • Generate priority lists

Responsive Action
– Create remediation plan
  • Baseline from priority lists
  • Determine action: Mitigate, Remediate, Accept, Defer or Transfer**
  • Verify success: Did the mitigation/remediation take effect? Is it working as expected?

Wi-Fi VA Lifecycle Example
*CDE = Cardholder Data Environment

Building a Wi-Fi VA Toolkit
An iterative 3-step process:
1. Create your “kit”
2. Buy or download tools
3. Define and automate tasks
1. Create your “kit”
– Smartphones or Tablets: for initial surveys, quick tests
– Laptops or Netbooks: for everything else
– 802.11 NIC(s): chipset matters!
– Antennas: omni + directional
– GPS receiver: for multi-site/outdoor VA

Choose operating system(s)
– Tools now emerging for iOS, Android, Symbian
  • Some require jailbreak / root
– Tools for Windows XP/Vista/7 are limited
  • Many require RFMON mode (e.g., AirPcap)
– For broadest tool selection, choose Linux
  • (Dual) boot your favorite distro from HDD
  • Boot from Live CD / DVD / USB stick
  • Run VM image (not a great choice for Wi-Fi)
  • Start here: http://www.securitydistro.com

Choose NIC(s)
– Match NIC vendor/model/version to tool-supported chipsets and drivers
– Some lists to consult...
  • Wireless NICs with Linux device drivers: http://linuxwireless.org/en/users/Drivers
  • Windows MONMODE NIC = AirPcap Nx: http://www.cacetech.com/products/airpcap.html
  • BackTrack4 compatible NICs: http://www.backtrack-linux.org/wiki/index.php/Wireless_Drivers
  • Aircrack-ng compatible NICs: http://www.aircrack-ng.org/doku.php?id=compatibility_drivers
  • MadWifi compatible NICs: http://madwifi-project.org/wiki/Compatibility
2. Buy a commercial toolkit
http://www.immunityinc.com

2. Or roll your own...
– Start by downloading a free security distro
  • Create your own bootable USB
  • Add / update tools as needed
  • Remember: Purchase $ < Lifetime Use $
– In the rest of this preso, we discuss
  • Freely available Wi-Fi tools for
  • Common over-the-air VA tasks
– Should be combined with
  • Wired-side / upper-layer VA tools
  • Remote VA services (scanners, crackers)
  • Commercial tools justified by risk/effort

Tools to Listen for Surprises
– Airgrab (MacOS): http://www.airgrab.com
– Cloud Stumbler (Java, Android): http://meraki.com/tools/stumbler/
– HandyWi (Symbian): http://www.handywi.com/
– Heatmapper (Win32 XP/Vista/7): http://www.ekahau.com/
– InSSIDer (Win64): http://www.metageek.net/
– Wifi Analyzer (Android): http://a.farproc.com/wifi-analyzer
– WiFiFoFum (iOS, WinMo, Android): http://www.aspecto-software.com
Scan: 2.4 GHz band, 5 GHz band, 20 & 40 MHz channels
Looking for: rogue SSIDs, evil twin APs, ad hoc clients, co-channel use, RF interference, coverage gaps
Many tools included with Linux security distros!

Windows Example - InSSIDer
Windows Example - Heatmapper

iOS Example - WiFiFoFum

Android Example – Wifi Analyzer

Tools to Spot Policy Violations
– Kismet (Linux, OS X, Win with RFMON): http://www.kismetwireless.net
– Airodump-ng (Linux, Win with RFMON): http://www.aircrack-ng.org
– Android-Arts Packet Sniffer (Android): http://sites.google.com/site/androidarts/
– Pirni (iOS – jailbroken): http://code.google.com/p/pirni-derv/
– Wireshark (Linux, OS X, Win): http://www.wireshark.org/
Monitor/Capture: Auth Chs, Auth APs, Live Clients
Looking for non-compliant: SSIDs, rates, opts, modes, vendors, encryption, authentication, QoS priorities, apps used, relationships, locations

Linux Example – Airodump-ng
To scan all channels: airodump-ng mon0
To capture on one channel: airodump-ng --channel # --bssid # --write pcap mon0
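The policy check the slides describe (compare what airodump-ng hears against the intended device settings collected in the planning step), as an added example that is not part of the presentation. It assumes the CSV layout airodump-ng writes alongside a --write capture (an access-point table, a blank line, then a station table); the capture rows, BSSIDs, inventory and policy are constructed sample data.

```python
"""Check an airodump-ng CSV export against the intended AP settings.

Added example, not part of the original presentation. Assumes the CSV
layout airodump-ng writes with --write (AP table, blank line, station
table); every row, BSSID and inventory entry below is constructed.
"""
import csv
import io

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2011-04-21 11:30:00, 2011-04-21 11:45:00,  6,  54, WPA2, CCMP, MGT, -40, 120, 0,   0.  0.  0.  0,   7, CorpNet,
00:11:22:33:44:02, 2011-04-21 11:30:00, 2011-04-21 11:45:00, 11,  54, WPA2, CCMP, PSK, -55,  98, 0,   0.  0.  0.  0,   7, CorpNet,
AA:BB:CC:DD:EE:01, 2011-04-21 11:31:00, 2011-04-21 11:44:00,  6,  54, OPN ,     ,    , -62,  40, 0,   0.  0.  0.  0,   7, CorpNet,
AA:BB:CC:DD:EE:02, 2011-04-21 11:32:00, 2011-04-21 11:44:00,  1,  54, WEP , WEP ,    , -70,  33, 0,   0.  0.  0.  0,   5, Guest,
AA:BB:CC:DD:EE:03, 2011-04-21 11:33:00, 2011-04-21 11:44:00,  6,  54, WPA2, CCMP, PSK, -80,  12, 0,   0.  0.  0.  0,   9, Neighbour,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
12:34:56:78:9A:BC, 2011-04-21 11:35:00, 2011-04-21 11:44:00, -50, 200, 00:11:22:33:44:01, CorpNet
"""

# Intended device settings (constructed): the APs you mounted, from the
# RF floorplan and network map gathered while defining the course of action.
INVENTORY = {
    "00:11:22:33:44:01": {"essid": "CorpNet", "channel": 6},
    "00:11:22:33:44:02": {"essid": "CorpNet", "channel": 11},
}
CORPORATE_ESSIDS = {"CorpNet"}
# Security policy (constructed): WPA2/CCMP with 802.1X (MGT) only, no PSK.
POLICY = {"privacy": {"WPA2"}, "cipher": {"CCMP"}, "auth": {"MGT"}}
RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}


def parse_ap_table(text):
    """Return the access-point rows of an airodump-ng CSV as dicts.

    The file holds two tables separated by a blank line; only the first
    (APs) is needed here, so the station table is dropped."""
    ap_part = text.split("\n\n", 1)[0]
    rows = list(csv.reader(io.StringIO(ap_part)))
    header = [h.strip() for h in rows[0]]
    aps = []
    for row in rows[1:]:
        if len(row) < len(header):          # skip blank or truncated lines
            continue
        rec = {k: v.strip() for k, v in zip(header, row)}
        aps.append({"bssid": rec["BSSID"].upper(), "channel": int(rec["channel"]),
                    "privacy": rec["Privacy"], "cipher": rec["Cipher"],
                    "auth": rec["Authentication"], "essid": rec["ESSID"]})
    return aps


def audit(aps, inventory, corporate_essids, policy):
    """Compare heard APs with the intended inventory and security policy.
    Returns (severity, bssid, essid, issue) tuples, highest severity first."""
    findings, heard = [], set()
    for ap in aps:
        heard.add(ap["bssid"])
        tag = (ap["bssid"], ap["essid"])
        expected = inventory.get(ap["bssid"])
        if expected is None:                # not one of ours
            if ap["essid"] in corporate_essids:
                findings.append(("high", *tag, "unapproved BSSID advertising a corporate SSID (rogue or evil twin)"))
            elif ap["privacy"] in ("OPN", "WEP"):
                findings.append(("medium", *tag, f"unknown AP with weak or no encryption ({ap['privacy']}); check whether it sits on your wire"))
            else:
                findings.append(("info", *tag, "unknown AP, probably a neighbour; confirm and record as accepted"))
            continue
        if ap["essid"] != expected["essid"]:
            findings.append(("medium", *tag, f"SSID differs from intended {expected['essid']!r}"))
        if ap["channel"] != expected["channel"]:
            findings.append(("low", *tag, f"channel {ap['channel']} differs from intended {expected['channel']}"))
        for field in ("privacy", "cipher", "auth"):
            if ap[field] not in policy[field]:
                findings.append(("high", *tag, f"non-compliant {field} {ap[field]!r}, policy allows {sorted(policy[field])}"))
    for bssid, expected in inventory.items():   # intended APs that never beaconed
        if bssid not in heard:
            findings.append(("low", bssid, expected["essid"], "intended AP not heard: coverage gap or AP down?"))
    findings.sort(key=lambda f: RANK[f[0]])
    return findings


def audit_sample():
    return audit(parse_ap_table(SAMPLE_CSV), INVENTORY, CORPORATE_ESSIDS, POLICY)


if __name__ == "__main__":
    for sev, bssid, essid, issue in audit_sample():
        print(f"[{sev:6}] {bssid} {essid!r:12} {issue}")
```

On the constructed capture this reports one intended AP running PSK instead of 802.1X, an unknown BSSID beaconing the corporate SSID, an unknown WEP network, and a neighbour for the accepted list; each still needs the manual confirmation step from the "Trust but Verify" slide before it goes into a report.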
Smartphone Examples
Pirni for iOS; Sniffer for Android

Windows Example – Wireshark
Without RFMON: captures only (decrypted) data frames, i.e., broadcasts and packets addressed to the tester
With RFMON: captures all 802.11 frames – Management, Control & Data
Analyze Beacons (above), WLAN Stats (at right)
Using AirPcap NX

Tools to Verify Network Security
– Nmap, Zenmap: http://nmap.org/
– LANScan (iOS): http://www.nutectools.com/
– Network Discovery (Android): http://rorist.github.com/
– Security Auditor's Research Assistant: http://www-arc.com/sara/
– Nessus: http://www.nessus.org/nessus/
– AP Hopper: http://aphopper.sourceforge.net/
– Wicrawl: http://midnightresearch.com/
– EAPeak: EAPeak-v0.0.4_BH_Europe.tar.bz2
Scan & assess: APs, controllers, gateways, switches
Looking for: reachable NWs, exposed services, default logins, weak PWs, missing patches, config errors, missing ACLs, poor segmentation

iOS Example – LAN Scan

Android Example – Network Discovery

Python Example - EAPeak
To analyze traffic: eapeak -f pcap
Tools to Find Client Vulnerabilities
– WiFiDEnum: http://labs.arubanetworks.com
– WiFish Finder: http://www.airtightnetworks.com/
– Karma: http://trailofbits.com/karma/, http://www.digininja.org/jasager/
– Aircrack-ng suite: http://www.aircrack-ng.org
– coWPAtty: http://www.willhackforsushi.com/
– Thomas Roth’s CCS: http://stacksmashing.net/cloud-cracking-suite/
Scan & assess: Wi-Fi clients
Looking for: buggy drivers, open/hotspot probed SSIDs, “Allow Any” PNL, weak PSKs
Plus the usual... missing PFWs, missing VPNs, open shares

Example - WiFiDEnum

Example – WiFish Finder
From defcon-17-md_sohail_ahmad-wi-fish.pdf

Example – Aircrack-ng on Windows

Example – Aircrack-ng on Linux, assisted by aireplay-ng

Example – Airdrop-ng
Repeatedly deauthenticates all or some clients (based on specified rules) to force reauthentications
Tools to Validate Wi-Fi Defenses
– MDK3: http://homepages.tu-darmstadt.de/~p_larbig/wlan/
– Airpwn: http://airpwn.sourceforge.net/
– Wifizoo: http://community.corest.com/~hochoa/
– Metasploit (+ KARMA = Karmetasploit): http://www.metasploit.com/, http://www.offensive-security.com/metasploit-unleashed/Karmetasploit_Configuration
– Ubitack: http://code.google.com/p/ubitack/
Assess: controllers, WIPS
By sending: deauths, floods, exploits, spoofed sources, injected packets, fuzzing

Example – MDK3

Example - Karmetasploit
Create AP that responds to all probes; create tap interface for Karma to use
msfconsole -r karma.rc
Uses Metasploit to run fake servers for HTTP, HTTPS, POP, FTP, SMTP, etc.

Karmetasploit browser exploit
Karmetasploit FTP, POP login caps

3. Define and automate tasks
– VA tasks must be
  • Defined unambiguously
  • Performed repeatedly
  • With reliable results
– Scripts can be your friend
  • Automate prerequisites
  • Run tests in the same order
  • Repeat tests to eliminate anomalies and average variable results
  • Save results to named folders/files
  • Record context (timestamp, site ID)
Steps: Define > Validate > Automate > Refine
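A small task runner that does what the "Scripts can be your friend" bullets ask for (prerequisite checks, fixed test order, repetition with averaging, results filed under site ID and timestamp), as an added example that is not part of the presentation. Tasks are plain Python callables so it runs offline; the two demo tasks return constructed sample values where a real kit would wrap tool invocations such as airodump-ng or nmap with subprocess, and the site ID and folder layout are this script's own assumptions.

```python
"""Run a defined sequence of VA tasks, repeat them, and file the results.

Added example, not from the presentation. Each task is a callable so the
script runs offline; the demo tasks below return constructed values where
a real kit would wrap tool runs (airodump-ng, nmap, ...) via subprocess.
"""
import json
import statistics
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def run_plan(site_id, tasks, repeats, root, prerequisites=(), now=None):
    """Execute `tasks`, an ordered list of (name, callable), `repeats` times
    in the same order on every pass, after each prerequisite returns True.
    Raw outputs go to root/<site_id>/<timestamp>/ as one file per task per
    pass, plus manifest.json with the context and averaged results.
    Returns (run_dir, summary)."""
    for check in prerequisites:                 # automate prerequisites
        if not check():
            raise RuntimeError(f"prerequisite failed: {check.__name__}")
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y%m%dT%H%M%SZ")
    run_dir = Path(root) / site_id / stamp      # named folder: site + time
    run_dir.mkdir(parents=True)
    results = {name: [] for name, _ in tasks}
    for n in range(1, repeats + 1):
        for name, fn in tasks:                  # same order on every pass
            value = fn()
            results[name].append(value)
            (run_dir / f"{name}_run{n}.txt").write_text(f"{value}\n")
    summary = {}
    for name, values in results.items():
        if all(isinstance(v, (int, float)) for v in values):
            summary[name] = {"mean": statistics.mean(values),   # average variable results
                             "min": min(values), "max": max(values),
                             "samples": len(values)}
        else:                                   # non-numeric output: keep raw list
            summary[name] = {"samples": values}
    manifest = {"site_id": site_id, "timestamp": stamp, "repeats": repeats,
                "task_order": [name for name, _ in tasks], "summary": summary}
    (run_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return run_dir, summary


def monitor_interface_present():
    """Stand-in prerequisite; a real kit would check that mon0 exists."""
    return True


def demo(root=None):
    """Constructed plan: an AP count and three RSSI readings of one corporate AP,
    run at a fixed timestamp so the folder name is predictable."""
    root = root or tempfile.mkdtemp()
    readings = iter([-61, -58, -63])            # constructed dBm samples
    tasks = [("ap_count", lambda: 5),
             ("corp_ap_rssi", lambda: next(readings))]
    fixed_time = datetime(2011, 4, 21, 11, 30, tzinfo=timezone.utc)
    return run_plan("site-042", tasks, 3, root,
                    prerequisites=[monitor_interface_present], now=fixed_time)


if __name__ == "__main__":
    run_dir, summary = demo()
    print(run_dir)
    print(json.dumps(summary, indent=2))
```

Because every pass writes its raw output before anything is averaged, an anomalous reading can still be inspected later, and the manifest ties the numbers to the site, time and task order they came from.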
Frameworks can help to understand which tools are good for which tasks and test sequencing
http://wirelessdefence.org/Contents/Wireless%20Pen%20Test%20Framework_001.html

Lessons Learned
– Tools are only part of the overall solution
  • Scanners help show where the exposures/problems are
  • Still need to have a remediation plan to ensure exposures are addressed
– Free vs. Commercial tools and services
  • Free software + cost of learning curve + time spent running manual tests
  • Commercial + lower personnel/time cost + 3rd party expertise

Lessons Learned
– Aggregate findings
  • Normalize results from different tools
  • Eliminate overlaps
– Keep trending information to
  • Spot changes over time
  • Resolve repeat false positives
  • Measure improvement
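An added example, not part of the presentation, covering both the "Trust but Verify" slide (accepted/known exposures and repeat false positives taken out before prioritising) and the aggregation and trending points above: findings from two tools with different field names and severity scales are normalised into one vocabulary, overlaps collapsed, documented accepted exposures suppressed, and the result diffed against the previous run. The two input formats, the mapping tables, the BSSIDs and the previous-run data are all constructed stand-ins for whatever your scanners actually emit.

```python
"""Aggregate Wi-Fi VA findings from several tools and trend them across runs.

Added example, not from the presentation. Input formats, BSSIDs, mapping
tables and the previous run are constructed; the per-tool adapters and
ISSUE_MAP are what you would edit for your own toolkit.
"""

# Constructed output of tool 1 (over-the-air audit): word severities.
TOOL1_RUN = [
    {"bssid": "aa:bb:cc:dd:ee:01", "essid": "CorpNet", "issue": "evil twin", "severity": "high"},
    {"bssid": "aa:bb:cc:dd:ee:02", "essid": "Guest", "issue": "open encryption", "severity": "medium"},
]
# Constructed output of tool 2 (wired-side scanner): other field names, numeric 1-4 scale.
TOOL2_RUN = [
    {"mac": "AA:BB:CC:DD:EE:02", "alert": "OPEN_AP", "sev": 2},
    {"mac": "AA:BB:CC:DD:EE:04", "alert": "DEFAULT_CREDS", "sev": 4},
]
# Constructed: what was still open after the previous verified run.
PREVIOUS_RUN = {("AA:BB:CC:DD:EE:01", "rogue-ap"), ("AA:BB:CC:DD:EE:03", "weak-psk")}
# Constructed: accepted exposures / resolved false positives, with the reason on record.
ACCEPTED = {("AA:BB:CC:DD:EE:02", "open-encryption"): "guest SSID, open by policy (reviewed 2011-04)"}

SEVERITY_WORDS = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ISSUE_MAP = {  # per-tool issue names -> one shared vocabulary
    "tool1": {"evil twin": "rogue-ap", "open encryption": "open-encryption"},
    "tool2": {"OPEN_AP": "open-encryption", "DEFAULT_CREDS": "default-login"},
}


def from_tool1(rec):
    return rec["bssid"], rec["issue"], SEVERITY_WORDS[rec["severity"]]


def from_tool2(rec):
    return rec["mac"], rec["alert"], rec["sev"]


ADAPTERS = {"tool1": from_tool1, "tool2": from_tool2}


def normalize(tool, records):
    """Translate one tool's records into (bssid, issue, severity, tool) tuples."""
    adapter, out = ADAPTERS[tool], []
    for rec in records:
        bssid, raw_issue, sev = adapter(rec)
        issue = ISSUE_MAP[tool].get(raw_issue, raw_issue.lower())
        out.append((bssid.upper(), issue, sev, tool))
    return out


def aggregate(*normalized):
    """Merge findings from several tools: one entry per (bssid, issue) pair,
    keeping the highest severity and remembering which tools reported it."""
    merged = {}
    for findings in normalized:
        for bssid, issue, sev, tool in findings:
            entry = merged.setdefault((bssid, issue), {"severity": 0, "tools": set()})
            entry["severity"] = max(entry["severity"], sev)
            entry["tools"].add(tool)
    return merged


def apply_accepted(merged, accepted):
    """Split merged findings into still-open ones and documented accepted exposures."""
    open_, suppressed = {}, {}
    for key, entry in merged.items():
        (suppressed if key in accepted else open_)[key] = entry
    return open_, suppressed


def trend(previous_keys, current_keys):
    """Classify findings as new, resolved or persisting relative to the last run."""
    previous, current = set(previous_keys), set(current_keys)
    return {"new": current - previous, "resolved": previous - current,
            "persisting": current & previous}


def run_demo():
    merged = aggregate(normalize("tool1", TOOL1_RUN), normalize("tool2", TOOL2_RUN))
    open_findings, suppressed = apply_accepted(merged, ACCEPTED)
    return merged, open_findings, suppressed, trend(PREVIOUS_RUN, open_findings)


if __name__ == "__main__":
    merged, open_findings, suppressed, delta = run_demo()
    for key, entry in sorted(open_findings.items(), key=lambda kv: -kv[1]["severity"]):
        print(f"sev {entry['severity']} {key[0]} {key[1]:16} seen by {sorted(entry['tools'])}")
    for key, entry in suppressed.items():
        print(f"accepted   {key[0]} {key[1]:16} {ACCEPTED[key]}")
    print({k: sorted(v) for k, v in delta.items()})
```

The open-network finding that both tools raised collapses to a single entry attributed to both, then drops out as an accepted exposure, so the priority list only carries what still needs action; the "resolved" and "persisting" sets are the raw material for measuring improvement between runs.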