We all probably know the feeling of not having the right tools for the job. I’ll fess up: I’ve tried in desperation to remove a screw with a knife blade or clean a shirt stain with dish soap more than once.
If you’ve been in a similar position, you know exactly what I’m talking about. Having the right tool for the job makes a hard job easy — and conversely, the lack thereof can make simple jobs hard. Risk management tools can be the same way.
Strong Security Needs the Right Tools
In security, sometimes the path to acquiring the right tool can be challenging; there might not be budget, there might be competing priorities or maybe there’s nobody with time and inclination to support it. Whatever the reason, sometimes there are things we want to do, but we just can’t get started because we don’t have the right tools for the job.
Risk management (as anyone who has ever tried to do it in the field can attest) can be challenging to do well, particularly when we’re strapped for time, budget or resources. There are excellent tools out there but — let’s be honest — asking executives to allocate budget to a risk management tool when they’re already inundated with demands for direct business-facing tools can make for a tough sell, especially when it’s hard to articulate a clear ROI.
When this happens, we have three options: do nothing; make do with what we already have or what we can pull off manually; or get creative. Hidden in that third option is a wealth of possibilities. Just as many of the best technical security tools are open-source, free and ripe for the taking, there are also a number of free and open-source tools that can help with risk management efforts.
Five Helpful Risk Management Tools
Below, I’ve outlined a few of these tools. I’ll warn you in advance that these are not the only tools; there are literally hundreds of fantastic resources out there that can help you conduct risk management. However, I’ve selected these tools in particular because they have zero licensing costs, can be picked up rapidly, require minimal support once set up and can be decommissioned just as quickly with minimal impact.
That last part is important. Maybe you’re thinking long term and you want to keep your options open and move to a commercial risk management product once you get budget. If that’s the case, using something in the short term that doesn’t lock you in is advantageous. With that in mind, the tools below just might be what you’re looking for to give your risk management efforts an immediate shot in the arm.
1. Asset Inventory
One of the hardest parts of a risk management project can be keeping track of what devices, services, applications and other assets you have fielded already. If you don’t know what you have out there, how can you systematically evaluate the impact of a given vulnerability? If you don’t know what devices support certain business activities, how can you evaluate disruption or extent of compromise in the event of an incident? Short story: You can’t.
So if you don’t already have a tool to assist in keeping that asset inventory current, you might consider some free and open-source options in this arena. For example, SpiceWorks might be an option; while it’s not open-source, it is free.
If you prefer an open-source alternative, GLPI (GNU GPL v2) might be a fit. If you need to automate discovery, you might look at something like OCS Inventory NG, which can feed data into either platform to help you gather data about what you have out there.
2. Risk Tracking
Believe it or not, there are free tools you can use to help track risks and mitigations, visualize risks by severity, create reports and complete other logistical legwork items.
Tools such as SimpleRisk can help you get started. It’s worth noting that the extras you might want for enterprise use aren’t free, but included in the core bundle are many useful features that can get your program well underway.
3. Threat Analysis
Analyzing the universe of threats that exists and assessing the risks to your organization that might arise as a result of it can be challenging. Having a tool that helps automate and streamline the process can be very helpful.
The Practical Threat Analysis (PTA) tool can help you create a threat model, systematically evaluate threats and impacts, and build a risk register based on the work you do. Sure, the interface is a bit dated and the most recent update was from a few years back (2013), but it’s free to use and can help simplify the launch of a program.
4. Vulnerability Information
Sometimes there’s just no substitute for a vulnerability scan in determining what technical vulnerabilities exist in a given environment. While there are a number of great commercial tools out there, tried-and-true free scanners such as OpenVAS for host scanning or Vega for application scanning are useful tools to have in your arsenal.
5. Continuous Monitoring
As a practical matter, the ongoing monitoring of the environment is an important part of a holistic risk management process. Why? Because unexpected changes or downtime are both potentially symptomatic of a risk coming to pass — and also something that could impact the risk environment itself (for example, if a control, countermeasure or mitigation stops functioning appropriately).
Consequently, continuous monitoring of the environment can tie directly back to your ongoing risk monitoring. In this regard, tools such as Nagios or Icinga 2 can be both valuable and beneficial.
As I mentioned before, these are not the only tools out there. There is a ton of value that free and open-source software can bring to the table for a security practitioner — and the risk management portion of the work we do is no exception. These tools might help scratch an itch that you have in your risk management efforts.