Defensive Wall 4: Summary
Vendors sell software and hardware with vulnerabilities baked in. Your own programmers and system administrators also make mistakes. That means every user organization has the never-ending task of finding the bad code and fixing or replacing it, and of finding misconfigured systems and reconfiguring them.
Defensive Wall 4: Eliminating Security Vulnerabilities
4.1 Network Discovery Tools
Active discovery tools scan the network and/or analyze network traffic to determine which hosts are live. A second class of tool passively watches the network, continuously finding and characterizing every host that is active. Both can reveal new devices that have appeared and existing hosts that are running vulnerable or infected software.
Compliance Mandates: PCI DSS 11.2, SOX A13.3, GLBA 16 CFR Part 314.4(c), HIPAA 164.308(a)(8), FISMA RA-5
Tools:
Tenable Network Security: Passive Vulnerability Scanner
Sourcefire RNA
Solarwinds: LANsurveyor
Nmap (free)
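Passive discovery as described above, as an added example that is not the code of any product listed here: a small Python ARP listener that parses raw Ethernet/ARP frames, builds a live host table from what hosts announce about themselves, and diffs it against an asset register. The frames, MAC addresses, IPs and the baseline register are all constructed test data, and a real deployment would read frames from a SPAN port or a pcap instead of building them in memory. Beyond simply listing hosts, the diff flags three things a practitioner wants from a passive scanner: hardware not in the register, a known host that has moved IP, and one IP claimed by two MACs (a duplicate address or ARP spoofing).

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpEvent:
    sender_mac: str
    sender_ip: str
    opcode: int


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_frame(sender_mac: str, sender_ip: str, target_ip: str,
                    opcode: int = ARP_REQUEST) -> bytes:
    """Build an Ethernet II + ARP (IPv4 over Ethernet) frame. Used only to
    construct test traffic for this example."""
    smac = bytes(int(x, 16) for x in sender_mac.split(":"))
    sip = bytes(int(x) for x in sender_ip.split("."))
    tip = bytes(int(x) for x in target_ip.split("."))
    dst = b"\xff" * 6 if opcode == ARP_REQUEST else b"\x00" * 6
    eth = dst + smac + struct.pack("!H", ETH_TYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + smac + sip + b"\x00" * 6 + tip)
    return eth + arp


def parse_arp_frame(frame: bytes) -> Optional[ArpEvent]:
    """Return who is announcing itself in an ARP frame, or None for
    non-ARP or malformed frames (14-byte Ethernet header + 28-byte ARP)."""
    if len(frame) < 42:
        return None
    (eth_type,) = struct.unpack("!H", frame[12:14])
    if eth_type != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpEvent(_mac(frame[22:28]), _ip(frame[28:32]), oper)


def build_inventory(frames) -> Dict[str, Set[str]]:
    """mac -> set of IPs that MAC has claimed. A sender IP of 0.0.0.0 is an
    ARP probe (RFC 5227) and says nothing about the host's address."""
    seen: Dict[str, Set[str]] = {}
    for f in frames:
        ev = parse_arp_frame(f)
        if ev is None or ev.sender_ip == "0.0.0.0":
            continue
        seen.setdefault(ev.sender_mac, set()).add(ev.sender_ip)
    return seen


def diff_against_baseline(observed: Dict[str, Set[str]],
                          baseline: Dict[str, str]) -> Dict[str, List]:
    """Compare the passively built table with the asset register (mac -> ip)."""
    findings: Dict[str, List] = {"new_hosts": [], "ip_changed": [], "ip_conflict": []}
    for mac, ips in sorted(observed.items()):
        if mac not in baseline:
            findings["new_hosts"].append((mac, sorted(ips)))
        elif baseline[mac] not in ips:
            findings["ip_changed"].append((mac, baseline[mac], sorted(ips)))
    claimants: Dict[str, Set[str]] = {}
    for mac, ips in observed.items():
        for ip in ips:
            claimants.setdefault(ip, set()).add(mac)
    for ip, macs in sorted(claimants.items()):
        if len(macs) > 1:  # two MACs answering for one IP
            findings["ip_conflict"].append((ip, sorted(macs)))
    return findings


# Constructed asset register and traffic (not real hosts).
BASELINE = {"00:11:22:33:44:01": "10.0.0.10", "00:11:22:33:44:02": "10.0.0.11"}
SAMPLE_FRAMES = [
    build_arp_frame("00:11:22:33:44:01", "10.0.0.10", "10.0.0.1"),
    build_arp_frame("00:11:22:33:44:02", "10.0.0.21", "10.0.0.1", ARP_REPLY),  # moved IP
    build_arp_frame("aa:bb:cc:dd:ee:ff", "10.0.0.50", "10.0.0.1"),             # unknown device
    build_arp_frame("aa:bb:cc:dd:ee:ff", "10.0.0.10", "10.0.0.1", ARP_REPLY),  # also claims .10
    build_arp_frame("00:11:22:33:44:03", "0.0.0.0", "10.0.0.12"),              # probe, ignored
    b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + b"\x00" * 40,                    # IPv4, not ARP
]


def demo() -> Dict[str, List]:
    return diff_against_baseline(build_inventory(SAMPLE_FRAMES), BASELINE)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

Reading only ARP keeps the listener silent on the wire, which is the point of the passive class of tool; an active scanner like Nmap would instead send probes and get the same host list faster but visibly.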
4.2 Vulnerability Management
These tools discover vulnerabilities and track the organization's progress in eliminating the vulnerabilities that are found.
Compliance Mandates: PCI DSS 11.2, 6.6, SOX A13.3, GLBA 16 CFR Part 314.4(c), HIPAA 164.308(a)(8), FISMA RA-5, SI-2, ISO 27001/27002 12.6, 15.2.2
Tools:
Tenable Network Security Nessus
Sourcefire RNA
McAfee Foundstone Foundscan
nCircle IP360
SAINT Scanner
Rapid 7 Nexpose
QualysGuard
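The "monitor progress" half of vulnerability management, as an added Python example that is not code from any of the scanners listed above. It folds successive scan exports into a finding lifecycle (first seen, still open, fixed, reopened) and reports what is overdue against a remediation deadline per severity. The scan records, host names, finding IDs and the SLA table are constructed assumptions; a real tool would load the records from the scanner's CSV or XML export. The one caveat it deliberately handles is that a host absent from a scan (offline, excluded, or blocked) has not been fixed, it has simply not been checked, so findings are closed only for hosts the scan actually covered.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional, Set, Tuple

# Assumed remediation policy (days after first detection); not taken from any
# mandate cited on this page.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

Key = Tuple[str, str]  # (host, finding_id)


@dataclass
class Finding:
    host: str
    finding_id: str
    severity: str
    first_seen: date
    last_seen: date
    closed: Optional[date] = None
    reopened: int = 0

    @property
    def deadline(self) -> date:
        # The clock starts at first detection and keeps running across a reopen.
        return self.first_seen + timedelta(days=SLA_DAYS[self.severity])


def ingest_scan(state: Dict[Key, Finding],
                scan_results: Iterable[Tuple[str, str, str]],
                scanned_hosts: Set[str], scan_date: date) -> Dict[Key, Finding]:
    """Fold one scan export (host, finding_id, severity) into the tracking state."""
    present: Set[Key] = set()
    for host, fid, sev in scan_results:
        key = (host, fid)
        present.add(key)
        f = state.get(key)
        if f is None:
            state[key] = Finding(host, fid, sev, scan_date, scan_date)
            continue
        f.last_seen = scan_date
        if f.closed is not None:  # it came back: a regression, not a new finding
            f.closed = None
            f.reopened += 1
    for key, f in state.items():
        # Close only on hosts this scan covered; an unscanned host is unknown, not fixed.
        if f.closed is None and key not in present and f.host in scanned_hosts:
            f.closed = scan_date
    return state


def remediation_report(state: Dict[Key, Finding], today: date) -> dict:
    open_ = [f for f in state.values() if f.closed is None]
    overdue = sorted((f for f in open_ if today > f.deadline),
                     key=lambda f: (f.deadline, f.host, f.finding_id))
    return {
        "open": len(open_),
        "fixed": sum(1 for f in state.values() if f.closed is not None),
        "overdue": [(f.host, f.finding_id, (today - f.deadline).days) for f in overdue],
        "reopened": [(f.host, f.finding_id) for f in state.values() if f.reopened],
    }


# Constructed scan exports; finding IDs are placeholders, not real advisories.
SCAN_1 = [("web01", "F-101", "critical"), ("web01", "F-102", "medium"),
          ("db01", "F-201", "high"), ("db01", "F-202", "high")]
SCAN_2 = [("web01", "F-102", "medium"), ("web01", "F-103", "low")]   # db01 was offline
SCAN_3 = [("web01", "F-101", "critical"), ("web01", "F-102", "medium"),
          ("web01", "F-103", "low"), ("db01", "F-202", "high")]


def demo() -> dict:
    state: Dict[Key, Finding] = {}
    ingest_scan(state, SCAN_1, {"web01", "db01"}, date(2024, 1, 1))
    ingest_scan(state, SCAN_2, {"web01"}, date(2024, 1, 20))
    ingest_scan(state, SCAN_3, {"web01", "db01"}, date(2024, 2, 5))
    return remediation_report(state, date(2024, 2, 10))


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

In the constructed run, db01's two findings survive the scan it was absent from, F-201 is closed only once db01 is scanned again without it, and F-101 on web01 is reported as reopened with its original deadline rather than as a fresh finding with a fresh clock.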
4.3 Penetration Testing and Ethical Hacking
Automated penetration testing tools chain multiple stages of attack to more closely simulate the techniques used by skilled attackers. They go further than simple vulnerability scanning: they can find more complex vulnerabilities and confirm that a reported weakness is actually exploitable rather than only flagging it.
Compliance Mandates: PCI DSS 11.3, SOX A13.3, GLBA 16 CFR Part 314.4(c), HIPAA 164.308(a)(8), FISMA RA-5, SI-2, ISO 27001/27002 12.6, 15.2.2
Tools:
Core Security Core IMPACT
Metasploit (free)
SAINT Corporation SAINT Exploit
4.4 Patch and Security Configuration Management and Compliance
To reduce exposure to attacks, known vulnerabilities should be fixed as quickly and as efficiently as possible. Patch management systems automatically deliver and install the correct patches; security configuration management systems automatically eliminate configuration weaknesses from weak passwords to unnecessary services.
Compliance Mandates: PCI DSS 2.2, 6.1, 6.3.1, SOX A13.3, DS9, HIPAA 164.308(a)(1), 164.310(b) and (c), FISMA CA-7, CM-1, CM-2, CM-3, CM-4, CM-6, CP-10, PL-3, SA-4, SA-10, SI-2, ISO 27001/27002 10.4.2, 10.10.1, 12.4.1, 12.5.3, 12.5.2, 12.6.1
Tools:
Configuresoft Enterprise Configuration Manager (ECM)
BigFix Unified Platform
Microsoft SMS and WSUS (free)
Shavlik Security Suite
HP Business Services Automation solutions
BMC Configuration Automation
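The configuration-weakness side of this wall, as an added Python example that is not code from any product listed above: an audit of an OpenSSH sshd_config against a hardening baseline, with the weak file and the corrected file side by side. The sample config and the baseline values are constructed assumptions (the baseline is a common hardening set, not a mandate quoted on this page). Two details that trip up naive checkers are handled on purpose: sshd uses the first value it sees for a keyword, so a compliant-looking duplicate lower in the file does not fix anything; and directives under a Match block apply only to the matched users, so they do not satisfy a global requirement and any global fix must be inserted before the first Match line.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed hardening baseline: directive -> required value.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed sshd_config for this example, not a real host's file.
SAMPLE_SSHD_CONFIG = """\
# constructed example config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 6
# this later duplicate does not take effect: sshd keeps the first value
PermitRootLogin no
# settings inside Match apply only to the matched users
Match User backup
    PasswordAuthentication no
"""


def _split_directive(line: str) -> Optional[Tuple[str, str]]:
    """(keyword, value) for an active directive line, else None. sshd accepts
    'Keyword value' and 'Keyword=value'; keywords are case-insensitive."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = re.match(r"^([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*)$", stripped)
    return (m.group(1).lower(), m.group(2).strip()) if m else None


def parse_global_directives(text: str) -> Dict[str, str]:
    """First value wins; parsing stops at the first Match block."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        d = _split_directive(line)
        if d is None:
            continue
        key, value = d
        if key == "match":
            break
        found.setdefault(key, value)
    return found


def audit(text: str, baseline: Dict[str, str]) -> List[Tuple[str, str, Optional[str]]]:
    """(directive, required, actual) for every global setting that is wrong
    or not set explicitly (actual None: the compiled-in default applies)."""
    found = parse_global_directives(text)
    findings = []
    for directive, required in baseline.items():
        actual = found.get(directive.lower())
        if actual is None or actual.lower() != required.lower():
            findings.append((directive, required, actual))
    return findings


def harden(text: str, baseline: Dict[str, str]) -> str:
    """Rewrite the file: fix the first global occurrence of each baseline
    directive, comment out later global duplicates, and add missing
    directives before the first Match (or at the end if there is none)."""
    required = {k.lower(): (k, v) for k, v in baseline.items()}
    out: List[str] = []
    seen = set()
    in_match = False

    def missing() -> List[str]:
        return [f"{name} {val}" for key, (name, val) in required.items() if key not in seen]

    for line in text.splitlines():
        d = _split_directive(line)
        if d is None or in_match:
            out.append(line)
            continue
        key, _ = d
        if key == "match":
            out.extend(missing())  # global lines must precede the first Match
            in_match = True
            out.append(line)
        elif key in required and key in seen:
            out.append(f"#{line.strip()}  # disabled by audit: sshd uses the first value")
        elif key in required:
            name, val = required[key]
            out.append(f"{name} {val}")
            seen.add(key)
        else:
            out.append(line)
    if not in_match:
        out.extend(missing())
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG, BASELINE):
        print("weak:", finding)
    print(harden(SAMPLE_SSHD_CONFIG, BASELINE))
```

Run against the constructed file, the audit reports the root login, password authentication, X11 forwarding (unset) and MaxAuthTries deviations; the PasswordAuthentication line under Match is correctly not counted as a fix. Auditing the hardened output returns no findings, which is the check a configuration management system should make after every push rather than trusting that the push succeeded.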