You can't secure what you don't acknowledge.SM

Tuesday, August 19, 2014

CommView for WiFi - a great option for wireless network analysis

Several years ago I wrote about the neat WEP/WPA recovery tools offered as part of TamoSoft's wireless network analyzer called CommView for WiFi. Well, those tools are no longer available but CommView for WiFi is as relevant as ever. I've been using it for years. It seems that it hasn't changed a ton other than some UI and packet analysis enhancements - probably just oversights on my part since I don't use it every day.

I've featured CommView for WiFi in my book Hacking For Dummies but wanted to tell you about it here as well. It's an enterprise-ready tool by itself but when you add on the remote agent and TamoGraph Site Survey, it's everything you'll likely need in terms of wireless network analysis, monitoring, as well as site surveying for new wireless deployments and troubleshooting.

The following are screenshots showing CommView for WiFi's main interface and its packet generator tool:


CommView for WiFi also has tab called Latest IP Connections that's really neat. In order to protect the infected, I chose not to show this, however, in the few minutes I had the tool loaded to write this blog post, CommView for WiFi detected outbound communication sessions with several interesting hosts including one in Russia. Yet another reason to get control of BYOD and mobile security!

I see that CommView for WiFi's reviews aren't stellar over at CNET but I think that's because of the junk adware wrapper code that CNET includes with its downloads. No worries, just download it directly from TamoSoft and you should be good to go. Michael Berg at TamoSoft is continually updating the program and is very responsive when questions arise.

Yet another great "you get what you pay for" network/security tool.

Monday, August 18, 2014

A resource to help with PCI DSS 3.0's penetration testing methodology requirements

PCI DSS has been getting a lot of buzz lately and the latest version 3.0 will continue gaining momentum until the many small and medium-sized businesses get their arms around the new requirements. Of particular interest is the updated requirement 11.3 (below) which is much more prescriptive on how to find the actual security flaws that matter.

I've always believe that you can't secure what you don't acknowledge...PCI DSS 3.0 now mandates a formal methodology for security testing that:

• Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
• Includes coverage for the entire CDE perimeter and critical systems
• Testing from both inside and outside the network
• Includes testing to validate any segmentation and scope-reduction controls
• Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
• Defines network-layer penetration tests to include components that support network functions as well as operating systems
• Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
• Specifies retention of penetration testing results and remediation activities results.


These updates are no doubt an evolution of the realization that many people were simply performing basic vulnerability scans of network hosts or hiring fly-by-night "pen-testers" to seek out one or two easy wins in the cardholder data environment rather than performing a more in-depth security assessment that looks at everything that matters.

I suspect many people (especially those working in SMBs with limited resources) will migrate towards the NIST standard similar to how many people have jumped on the "cybersecurity" bandwagon. There's also the resourceful Open Source Security Testing Methodology Manual (OSSTMM) that's been around quite some time.

The important thing you need to know is that none of these standards will be a best-fit, end all be all solution for your organization. Similar to exercise and diet programs for individuals and strategic corporate plans for businesses, every person/organization has their own unique needs when it comes to information security testing. The interesting thing to be in many of these standards, and just general popular belief, is that open source tools are all you need to perform an effective security assessment. I've said time and again, in all but a handful of scenarios, you're going to get what you pay for with your security testing tools. Outside of the awesome Metasploit tool and a few mostly forgettable others I've used over the years, I've yet to find any open source tool that works a fraction as well as the commercial alternatives.

With PCI DSS 3.0, or whatever requirement, your information security test tools and methodologies will absolutely define your testing outcomes and ultimately your business risks. Before going down yet another confusing path in the name of security and compliance, everything you need to know to get started - and darn near master - your penetration testing is outlined in my book Hacking For Dummies...I hope this helps and best of luck: