We all probably know the feeling of not having the right tools for the job. I’ll fess up: I’ve tried in desperation to remove a screw with a knife blade or clean a shirt stain with dish soap more than once.

If you’ve been in a similar position, you know exactly what I’m talking about. Having the right tool for the job makes a hard job easy — and conversely, the lack thereof can make simple jobs hard. Risk management tools can be the same way.

Strong Security Needs the Right Tools

In security, sometimes the path to acquiring the right tool can be challenging; there might not be budget, there might be competing priorities or maybe there’s nobody with time and inclination to support it. Whatever the reason, sometimes there are things we want to do, but we just can’t get started because we don’t have the right tools for the job.

Risk management (as anyone who has ever tried to do it in the field can attest) can be challenging to do well, particularly when we’re strapped for time, budget or resources. There are excellent tools out there but — let’s be honest — asking executives to allocate budget to a risk management tool when they’re already inundated with demands for direct business-facing tools can make for a tough sell, especially when it’s hard to articulate a clear ROI.

When this happens, we have three options: do nothing; make do with what we already have or what we can manage manually; or get creative. Hidden in that third option is a wealth of possibilities. Just as many of the best technical security tools are free and open-source, there are a number of free and open-source tools that can help with risk management efforts.

Five Helpful Risk Management Tools

Below, I’ve outlined a few of these tools. I’ll warn you in advance that these are not the only tools; there are hundreds of fantastic resources out there that can help you conduct risk management. However, I’ve selected these tools in particular because they have zero licensing costs, can be picked up rapidly, require minimal support once set up and can be decommissioned just as quickly with minimal impact.

That last part is important. Maybe you’re thinking long term and you want to keep your options open and move to a commercial risk management product once you get budget. If that’s the case, using something in the short term that doesn’t lock you in is advantageous. With that in mind, the tools below just might be what you’re looking for to give your risk management efforts an immediate shot in the arm.

1. Inventorying

One of the hardest parts of a risk management project can be keeping track of what devices, services, applications and other assets you have fielded already. If you don’t know what you have out there, how can you systematically evaluate the impact of a given vulnerability? If you don’t know what devices support certain business activities, how can you evaluate disruption or extent of compromise in the event of an incident? Short story: You can’t.

So if you don’t already have a tool to assist in keeping that asset inventory current, you might consider some free and open-source options in this arena. For example, Spiceworks might be an option; while it’s not open-source, it is free.

If you prefer an open-source alternative, GLPI (GNU GPL v2) might be a fit. If you need to automate discovery rather than maintain the inventory by hand, you might look at something like OCS Inventory NG, which can feed data into either platform to help you gather data about what you have out there. Whichever you choose, record which business services each asset supports; an inventory that lists hosts but not what they are for can’t answer the impact question above.

2. Risk Tracking

Believe it or not, there are free tools you can use to track risks and mitigations, visualize risks by severity, create reports and complete the other logistical legwork a program needs.

Tools such as SimpleRisk can help you get started. It’s worth noting that the extras you might want for enterprise use aren’t free, but included in the core bundle are many useful features that can get your program well underway.
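The two sections above make one argument: you can only score and track a risk once you can tie a finding to the assets it affects and the business services those assets support. The following added example (my own illustration, not code from the article, SimpleRisk, GLPI or OCS Inventory NG) joins a constructed asset inventory with a constructed list of scanner findings, scores each resulting risk on the common likelihood x impact matrix, and reports which services are exposed. All hosts, services and finding identifiers are made-up sample data, and the severity thresholds are this example's assumption.

```python
"""Added example: a minimal risk register built from an asset inventory
and a list of vulnerability findings.  Not from the article or any tool
it names; inventory, findings and thresholds are constructed sample data."""

from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed inventory, the shape of data an inventory tool would hold:
# installed software per host plus the business services the host supports.
INVENTORY = [
    {"host": "web01", "software": {"nginx": "1.18"}, "services": ["storefront"]},
    {"host": "db01", "software": {"postgresql": "12"}, "services": ["storefront", "billing"]},
    {"host": "mail01", "software": {"postfix": "3.4"}, "services": ["billing"]},
]

# Constructed findings, e.g. exported from a scanner.  Likelihood and impact
# are the assessor's 1..5 ratings; the IDs are placeholders, not advisories.
FINDINGS = [
    {"id": "FINDING-001", "software": "postgresql", "likelihood": 3, "impact": 5},
    {"id": "FINDING-002", "software": "nginx", "likelihood": 4, "impact": 3},
    {"id": "FINDING-003", "software": "openssl", "likelihood": 5, "impact": 5},
]


@dataclass
class Risk:
    finding: str
    hosts: List[str]
    services: List[str]
    likelihood: int
    impact: int
    mitigation: str = ""
    residual_likelihood: Optional[int] = None  # set once a mitigation is in place

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        lk = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        return lk * self.impact


def build_register(inventory, findings) -> List[Risk]:
    """Turn findings into risks, keeping only those that touch a fielded asset."""
    register = []
    for f in findings:
        hosts = [a["host"] for a in inventory if f["software"] in a["software"]]
        if not hosts:
            continue  # nothing in the inventory runs this software: no exposure
        services = sorted({s for a in inventory if a["host"] in hosts for s in a["services"]})
        register.append(Risk(f["id"], hosts, services, f["likelihood"], f["impact"]))
    register.sort(key=lambda r: r.score, reverse=True)  # highest score first
    return register


def severity(score: int) -> str:
    # Buckets for the 1..25 matrix; the cut-offs are this example's assumption.
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def service_exposure(register: List[Risk]) -> Dict[str, int]:
    """Highest current risk score touching each business service."""
    exposure: Dict[str, int] = {}
    for r in register:
        for s in r.services:
            exposure[s] = max(exposure.get(s, 0), r.score)
    return exposure


def report(register: List[Risk]) -> str:
    lines = []
    for r in register:
        lines.append(
            f"{r.finding}: {severity(r.score)} ({r.score}, residual {r.residual_score}) "
            f"hosts={r.hosts} services={r.services} mitigation={r.mitigation or '-'}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    reg = build_register(INVENTORY, FINDINGS)
    # Record a mitigation and the likelihood that remains once it is in place.
    reg[0].mitigation = "restrict db01 port 5432 to the application subnet"
    reg[0].residual_likelihood = 1
    print(report(reg))
    print("service exposure:", service_exposure(reg))
```

The point of `residual_likelihood` is that a register should show both the inherent score and what remains after a mitigation; a tool such as SimpleRisk tracks exactly that pair. The finding for software nobody runs is dropped rather than scored, which is the inventory doing its job.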

3. Threat Analysis

Analyzing the universe of threats that exists and assessing the risks to your organization that might arise as a result of it can be challenging. Having a tool that helps automate and streamline the process can be very helpful.

The Practical Threat Analysis (PTA) tool can help you create a threat model, systematically evaluate threats and impacts, and build a risk register based on the work you do. Sure, the interface is a bit dated and the most recent update was from a few years back (2013), but it’s free to use and can help simplify the launch of a program.

4. Vulnerability Information

Sometimes there’s just no substitute for a vulnerability scan in determining what technical vulnerabilities exist in a given environment. While there are a number of great commercial tools out there, tried-and-true free scanners such as OpenVAS for host scanning or Vega for application scanning are useful to have in your arsenal. Two practical notes: scan only systems you are authorized to test, and schedule scans of production systems carefully, since an aggressive scan can itself cause the disruption you are trying to assess.

5. Monitoring

As a practical matter, the ongoing monitoring of the environment is an important part of a holistic risk management process. Why? Because unexpected changes or downtime are both potentially symptomatic of a risk coming to pass — and also something that could impact the risk environment itself (for example, if a control, countermeasure or mitigation stops functioning appropriately).

Consequently, continuous monitoring of the environment ties directly back to your ongoing risk monitoring. In this regard, tools such as Nagios or Icinga 2 are valuable: beyond checking that hosts are up, they can run custom checks that verify a control is still in place and alert when it isn’t.
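The paragraph above notes that a control silently stopping is itself a change in the risk environment. The following added example (my own, not code from the article, Nagios or Icinga) is a check plugin that verifies one hardening control, that sshd does not accept password logins, so that its reversal shows up in the monitoring dashboard instead of at the next audit. It follows the plugin contract Nagios and Icinga 2 share: exit status 0, 1, 2 or 3 for OK, WARNING, CRITICAL or UNKNOWN, with a one-line status on stdout. The choice of directive and the default config path are this example's assumptions; the config snippets in the usage are constructed.

```python
"""Added example: a Nagios/Icinga-style check plugin that verifies a
hardening control (sshd PasswordAuthentication) is still in effect.
Not from the article or either monitoring project."""

import re
import sys

# Exit codes defined by the Nagios plugin contract, also used by Icinga 2.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATUS = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}


def effective_value(config_text: str, directive: str):
    """Return the value sshd would apply for a global directive, or None.

    sshd uses the first occurrence of each keyword and ignores later ones.
    Directives after a 'Match' line apply only conditionally, so the global
    section ends at the first Match.  Comments and blank lines are skipped.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match"):
            break
        m = re.match(r"(\S+)\s+(.+)", line)
        if m and m.group(1).lower() == directive.lower():
            return m.group(2).strip()
    return None


def check_password_auth(config_text: str):
    """Evaluate the control; returns (exit_code, message)."""
    value = effective_value(config_text, "PasswordAuthentication")
    if value is None:
        # sshd defaults PasswordAuthentication to yes, so absence means the
        # control is not in place, not merely unknown.
        return CRITICAL, "PasswordAuthentication not set (sshd default is yes)"
    if value.lower() == "no":
        return OK, "PasswordAuthentication no"
    return CRITICAL, f"PasswordAuthentication {value}"


def run(path: str = "/etc/ssh/sshd_config"):
    """Read the live config; an unreadable file is UNKNOWN, not OK."""
    try:
        with open(path, encoding="utf-8") as f:
            text = f.read()
    except OSError as exc:
        return UNKNOWN, f"cannot read {path}: {exc}"
    return check_password_auth(text)


if __name__ == "__main__":
    code, msg = run(sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config")
    print(f"SSHD_PASSWORD_AUTH {STATUS[code]} - {msg}")
    sys.exit(code)
```

Two design choices matter for monitoring a control rather than a service. An unreadable config is reported as UNKNOWN rather than OK, because a check that cannot see the control must not vouch for it. And the check reads the config the way sshd does (first value wins, Match blocks excluded), so a second `PasswordAuthentication yes` appended later in the file, which sshd would ignore, does not raise a false alarm, while a missing directive, which sshd treats as yes, does. Register the script as a command in Nagios or Icinga 2 and run it through the remote-execution mechanism you already use for other host checks.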

As I mentioned before, these are not the only tools out there. There is a ton of value that free and open-source software can bring to the table for a security practitioner — and the risk management portion of the work we do is no exception. These tools might help scratch an itch that you have in your risk management efforts.