I’ve seen several recent posts about the many free and open source tools available in the security community. These tools are incredibly important, but they are often aimed at people who already have some experience with them. That is a challenge for small businesses or nonprofits that may not have the resources or staff to put those tools into practice.
If you’re a small business or nonprofit, this article is for you. There are a ton of free services that can provide real value today, even if you are the only IT person in the company and you don’t have any security experience.
1. Shadowserver
The Shadowserver Foundation was created in 2004 as a nonprofit to help with security reporting and investigation. One of the free services Shadowserver offers is a report for network owners that lists the vulnerable services running on your network, so that you can remove them or replace them with more secure options. This is a really easy way for organizations that don’t have their own scanning tools to prevent an incident before it happens.
To sign up, go to https://www.shadowserver.org/what-we-do/network-reporting/get-reports/. You’ll need to provide some detailed information, and the Shadowserver team will first verify that you actually own the network.
2. CISA Alerts
How do you know when the next big cybersecurity incident is about to happen? The US Cybersecurity and Infrastructure Security Agency was created in 2018 to improve cybersecurity protections across both federal and state agencies, in addition to helping secure elections. The agency also publishes alerts when major threats to the nation’s cybersecurity are discovered. To sign up for these alerts, visit https://www.cisa.gov/uscert/ncas/alerts and scroll to the bottom of the page, where you can enter your email to receive alerts, tips, and other guidance. Many state or industry Information Security Advisory Councils also offer alerts when software vulnerabilities are discovered.
3. Have I Been Pwned
OK, I know this sounds like a weird service, but I promise it’s legit. Individuals can go to this website, enter their email address, and learn whether it has appeared in any data breach going back more than 10 years. You can also sign up your whole company to be notified when any of your organization’s email addresses turn up in a breach. When that happens, you can educate the affected users or proactively require them to change their passwords. To sign up, go to https://haveibeenpwned.com/DomainSearch; you’ll have to prove you own the domain first.
4. VirusTotal
One of the most frequent questions I get from users is whether a file attachment or website link is malicious. VirusTotal.com has the answers. Just upload the file or submit the link you’d like to check, and VirusTotal will compare your sample against the databases of 80 different security vendors. The service is provided for free by Google subsidiary Chronicle. Keep in mind that uploaded files are shared with those vendors, so don’t upload documents that contain confidential data.
5. OpenDNS
One of the most common bad guy tactics today is to use Domain Generation Algorithms to create large numbers of DNS names for their command and control networks. OpenDNS, now owned by Cisco, offers a free resolver that blocks them. All you need to do is point your current DNS at the OpenDNS servers (208.67.222.222 and 208.67.220.220) and they will automatically block malicious command and control domains. Cisco also offers paid versions of this service with additional capabilities and reporting for larger organizations. For more info, visit https://www.opendns.com/home-internet-security/. Note, however, that there are some privacy implications in sending DNS queries to Cisco, so keep that in mind if you have use cases where privacy is a priority.
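The lookups a DGA-driven implant produces are also easy to spot in your own resolver logs. The following is an added example, not OpenDNS’s logic and not from the original post: a small heuristic that scores the registrable label of each query in a constructed log for length, entropy and vowel ratio, then lists clients that repeat such lookups. The log format and thresholds are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample resolver log lines (not from the page): timestamp, client, qtype, name.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 A www.example.com
2024-05-01T10:00:02Z 10.0.0.12 A cybersecurityawareness.org
2024-05-01T10:00:03Z 10.0.0.31 A xk3jq9vt2plz8ryw.com
2024-05-01T10:00:04Z 10.0.0.31 A q7hb2mz0lvx4ntcd.net
2024-05-01T10:00:05Z 10.0.0.31 A 9g2vwk5xzrt1hb7c.org
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def entropy(s: str) -> float:
    """Shannon entropy in bits per character of a label."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registrable_label(name: str) -> str:
    """Label directly under the TLD, e.g. 'example' for www.example.com.
    Simplification: multi-part public suffixes such as co.uk would need a suffix list."""
    parts = name.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(label: str, min_len: int = 12, min_entropy: float = 3.0,
                    max_vowel_ratio: float = 0.2) -> bool:
    """Heuristic (assumed thresholds): long, high-entropy, vowel-poor labels are typical DGA output."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return entropy(label) >= min_entropy and vowel_ratio < max_vowel_ratio

def flagged_queries(log_text: str):
    """Return (client, name) pairs whose registrable label looks algorithmically generated."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crashing on them
        _ts, client, _qtype, name = m.groups()
        if looks_generated(registrable_label(name)):
            hits.append((client, name))
    return hits

def suspicious_clients(log_text: str, threshold: int = 3) -> dict:
    """Clients with at least `threshold` generated-looking lookups: candidates for C2 beaconing."""
    counts = Counter(client for client, _name in flagged_queries(log_text))
    return {c: n for c, n in counts.items() if n >= threshold}
```

Run it over a day of resolver logs and review the clients it returns; a handful of odd-looking lookups from one host is worth a closer look even when the resolver already blocked them.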
6. Certificate search
One of the most common ways that bad guys research corporate networks is to look at the certificates an organization has created. I recommend using a certificate naming convention that doesn’t give away what software you’re using. Knowing what certificates you have can also help you find services you might not have been aware of. No sign-up is required; you can search just like Google.
7. Shodan
Shodan is a bit like Google in that it’s a search engine, except Shodan was designed to detect and monitor vulnerable devices on your network that are reachable from the internet. You can search by domain name or IP address at Shodan.io. There are paid versions of the service if you intend to use it more frequently.
8. CISA vulnerability scan
In addition to the alerts above, CISA also offers free vulnerability scans for federal, state, local, tribal and territorial governments, and for any organization that has been deemed “critical infrastructure”. There are lots of great vulnerability scanning tools out there, but if you can’t afford one or don’t know where to start, this is a great first step. To get started, all you need to do is send an email to [email protected] with the subject line “Requesting Cyber Hygiene Services”.
9. Google reCAPTCHA
Does your website have a form? If so, you’ve probably gotten zillions of fake submissions. Google offers its reCAPTCHA service for free up to 1 million assessments per month, and charges for the enterprise versions. Note, however, that there are some privacy implications in sharing web traffic information with Google, so keep that in mind if you have use cases where privacy is a priority.
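reCAPTCHA only stops scripted submissions if your server verifies each token; the widget on the page by itself proves nothing. The function below is an added example (not Google’s code and not from the original post) that posts the token to the siteverify endpoint and checks the reply’s success, hostname and, for v3, action and score; the hostname, action and score threshold are assumptions, and the transport is injectable so the logic can be exercised offline.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Optional, Tuple

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

def _post_form(url: str, fields: dict) -> dict:
    """Default transport: POST form fields to Google and decode the JSON reply."""
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=body, timeout=10) as resp:
        return json.load(resp)

def verify_recaptcha(token: str, secret: str, expected_hostname: str,
                     expected_action: Optional[str] = None, min_score: float = 0.5,
                     remote_ip: Optional[str] = None,
                     post: Callable[[str, dict], dict] = _post_form) -> Tuple[bool, str]:
    """Server-side check of a reCAPTCHA token. Returns (accepted, reason).

    The backend must send the token to siteverify and check the reply; a form that
    trusts the client-side widget alone is still open to scripted submissions.
    `post` is injectable so the decision logic can be tested without network access.
    """
    if not token:
        return False, "missing token"
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        reply = post(SITEVERIFY_URL, fields)
    except Exception as exc:  # network or JSON failure: fail closed, never fail open
        return False, f"siteverify unreachable: {exc}"
    if not reply.get("success"):
        # Tokens are single-use; a replayed one comes back as timeout-or-duplicate.
        return False, "rejected: " + ",".join(reply.get("error-codes") or ["unknown"])
    # A valid token solved on a different site (or lifted from elsewhere) fails here.
    if reply.get("hostname") != expected_hostname:
        return False, f"hostname mismatch: {reply.get('hostname')!r}"
    # v3 replies carry a score and the action name the client claimed.
    if expected_action is not None and reply.get("action") != expected_action:
        return False, f"action mismatch: {reply.get('action')!r}"
    if "score" in reply and reply["score"] < min_score:
        return False, f"low score: {reply['score']}"
    return True, "ok"
```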
10. Dorkbot
If you’re a university, state or local government, or nonprofit, you should look into Dorkbot, a free service from the University of Texas at Austin. Dorkbot is probably my favorite name for any security service. It helps you identify web pages that are vulnerable to SQL injection, XSS, or other OWASP Top 10 vulnerabilities. To sign up, visit https://security.utexas.edu/dorkbot
Bonus – Well Aware free cybersecurity personality test
We think that one of the biggest things missing from security awareness programs is helping people believe that they can make a difference when it comes to cybersecurity. When you discover which of the 20 cybersecurity personality types you are, you can focus on building the cybersecurity habits that are most impactful for you. Our free cybersecurity personality test requires that you share your email address. You can take it at https://wellawaresecurity.com/cyber-personality-test/.