Disabling Command line Utilities like NETSTAT...



  • Just wondering what the forum might think about the need to disable NETSTAT utility. I know that by using this tool you can figure out a lot of information about networks, possibly leaving them vulnerable to attack.
    My question is does this Util need to be disabled, and if done, does this limit any internal assessments we might run against the network?
    Again, thanks for the help.
    JL



  • Hi JL - While there’s nothing specifically within SOX 404, I would suggest that using Network vulnerability assessment and penetration testing (a.k.a., Pen tests) are a GOOD THING. However, I qualify this in saying that only authorized, trained, and fully approved security personnel should be using these tools.
    Personally I used to perform Pen testing on a quarterly basis for a former company, (as I worked a decade or so in IT security). It is a best practice to test your network, Internet, client, router, and other security controls (including even social engineering tests with the Help Desk to see if passwords might be reset).
    In essence each quarter, I would become ‘Harry the Hacker’ (lol) 😉 🙂 … I had lots of formal training and numerous commercial tools (e.g., Bindview, KSA, RealSecure, SolarIP Winds, NetTools, FTP testing tools, LophtCrack, etc). It’s very important to always let Admins know when you test and to only run tools that analyze and won’t cause harm to your existing IT security.
    More importantly, I always found something that needed improvement. Our security even improved on a measured basis, as we cut weak passwords in half in about an 18 month period. Companies can start with Pen tests with an external consulting firm. Hopefully over time, one of the senior security professionals can start testing and adding more tests as they learn each quarter.

    While Pen Testing falls more into the ITGC area, it can also be helpful in affirming good levels of IT security controls are present for SOX 404 compliancy (esp. with the SOX external auditor). For example, if there are any vulnerabilities on the Financial servers or Internet applications, it’s highly important to solve them, whether it’s directly related to SOX or not.



  • I wholeheartedly agree with Harry’s response.
    I’ve been involved in several penetration tests myself (going back to when Bindview was a DOS tool :oops: ) and it is an extremely useful technique that almost always finds something useful.
    It does need to be well managed and use of the tools does need to be properly controlled. I’ve certainly had situations where the utility or tool would be installed, tests run in the presence of an administrator and then the tool uninstalled - so to your initial question it should, perhaps, be disabled except specifically when it needs to be run.



  • What? You are all pen testers here? Denis, Harry… We should rename the forum - what about ‘Hackers that make more money as compliance experts’?
    Well err… me too… during my previous life (before meeting the attorneys and becoming an expert witness - do you know that my first SOX presentations were for the court and for attorneys? - ) … I have been Certified Information Systems Security Professional (CISSP), Steganography Investigator, Internet Security Systems (ISS) Certified in Internet Scanner, Database Scanner and System Scanner, Checkpoint Certified Security Administrator (CCSA), Microsoft Certified System Engineer certified in Windows NT and Windows 2000 (MCSE), Microsoft Certified Trainer (MCT)…
    What? netstat -a… connections and listening ports… listening and established connections…
    Netstat… the great challenge in computer forensics experts… humiliated in the court of law…
    You are the computer forensics investigator you have two options… if you just unplug, you may lose information… if you give a netstat -a you find something valuable… but you touch original evidence (the suspect’s PC) and you will have problems in the court…
    Netstat… I like this command so much and it is so useful… don’t lose this functionality… and don’t document anything about it. [Auditing Standard No 5, Top-Down approach… no high risk.]
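The `netstat -a` view mentioned above (listening ports versus established connections) is also the view a defender uses to answer JL’s original question from the other direction: the utility itself reveals nothing an attacker cannot learn by probing the host, so the control worth documenting is the set of services actually listening. The script below is an added example, not code from any poster in this thread. It parses `netstat -an` style output (a constructed sample is embedded so it runs offline; in practice you would pipe the live command in), separates listeners from established sessions, flags listeners bound to wildcard addresses, and diffs them against an approved baseline. The baseline values are assumptions for the sample.

```shell
#!/bin/sh
# Added example: summarise netstat -an output for a listening-service baseline check.
# SAMPLE_NETSTAT is a constructed sample; real use: netstat -an | listening_sockets
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.99:51234         ESTABLISHED
tcp        0      0 10.0.0.5:443            10.0.0.77:40112         ESTABLISHED
tcp6       0      0 :::8080                 :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# Print "proto local-address" for each listening socket read from stdin.
# TCP rows carry an explicit LISTEN state; UDP rows have no state column, so a
# UDP row whose foreign address is a wildcard (*:*, 0.0.0.0:*) counts as listening.
listening_sockets() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { print $1, $4 }
         $1 ~ /^udp/ && $5 ~ /\*$/      { print $1, $4 }'
}

# Count ESTABLISHED connections: the "who is talking to this box right now" view
# that the forensics post above is worried about losing by pulling the plug.
established_count() {
    awk '$6 == "ESTABLISHED" { n++ } END { print n + 0 }'
}

# Listeners bound to a wildcard address (0.0.0.0, ::, *) accept traffic on every
# interface; loopback-only binds such as 127.0.0.1:3306 are left out.
exposed_listeners() {
    listening_sockets | awk '$2 ~ /^(0\.0\.0\.0|::|\*):/ { print }'
}

# Diff exposed listeners against an approved "proto:port" baseline (argument 1,
# space separated) and print anything not on it. Baseline below is assumed.
APPROVED_BASELINE='tcp:22 tcp6:8080'
unexpected_listeners() {
    exposed_listeners | awk -v approved="$1" '
        BEGIN { n = split(approved, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { port = $2; sub(/.*:/, "", port); key = $1 ":" port
          if (!(key in ok)) print $1, $2 }'
}

# Usage with the constructed sample: reports the NTP listener that is not in the baseline.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$APPROVED_BASELINE"
```

Run quarterly alongside the scans the other posters describe, the output of `unexpected_listeners` is the artifact to keep: it records which services were reachable, which is a more useful control record than whether `netstat` was installed.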



  • Better that it’s us than the Chaos Computer Club :lol:



  • Networking is a subject I know little about but you might check into disabling ICMP echo which does not allow systems to get the address from pinging a server, I believe this would also render a netstat against the system useless. Just something to dig up. I know this is a standard security feature in many UNIX shops.



  • Guess who else used to be a CISA … 🙂
    Looks like former IT geeks have a greater propensity to use internet forums than the purely financial guys …



  • Looks like former IT geeks have a greater propensity to use internet forums than the purely financial guys …
    True - An Internet search on my name might show more of a current than former status as an IT ‘geek’ 😉 🙂
    I’m a member of several technical and business forums, as they provide a valuable resource. They help solve day-to-day problems (as users practically share good solutions).
    They are also my #1 source of continuing education. Over the past couple of years of involvement here, I’m much more versed on SOX IT and corporate requirements as a result of reading from the many experts who share here on a regular basis 🙂

