0x0e.org | pentesting perspective

braindump on pentesting, QA, metasploit, constant learning


Security Reputation Monitoring


A financial-sector client recently contacted me about tools and techniques for security and reputation monitoring. Their web site had just been scraped and re-hosted under a lookalike domain. It was apparently a simple identity-theft attack aimed at arbitrary users rather than at the company itself, but it scared them nonetheless.

Wanting to prevent, or at least minimize, the risk of this sort of thing, they needed some simple reputation and keyword monitoring tools, so we came up with a few right away:

  • Google Alerts – The best place to do basic reputation and keyword monitoring. You can set up RSS feeds or instant/daily/weekly emails that fire when a newly indexed page contains the keyword. One caveat: an alert only fires once Google has indexed the page, so a cloned site can be live for days before you hear about it this way.
  • Twitter Search – Monitor any time a keyword is mentioned on Twitter. Also very useful.
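As an added example (not code from the original post), here is a small script that reads an alert feed in the Atom shape that Google Alerts feeds take and flags result domains that look like yours, which is exactly the situation the client above ran into. The feed content, the domains and titles in it, the example company domain examplebank.com and the edit-distance threshold of 2 are all assumptions made for illustration.

```python
"""Flag lookalike domains in an alert feed.

Added example, not from the original post. SAMPLE_FEED is constructed to
resemble an Atom feed (the shape Google Alerts feeds take); every domain and
title in it is made up for illustration.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed sample feed. A real run would fetch the feed URL that Google
# Alerts hands you when you pick "Feed" as the delivery method.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Google Alert - examplebank</title>
  <entry>
    <title>ExampleBank online banking login</title>
    <link href="https://www.examp1ebank.com/login"/>
  </entry>
  <entry>
    <title>Example Bank quarterly results</title>
    <link href="https://news.example.org/story/examplebank-q2"/>
  </entry>
  <entry>
    <title>examplebank-secure-login.net - sign in</title>
    <link href="http://examplebank-secure-login.net/"/>
  </entry>
  <entry>
    <title>Branch hours</title>
    <link href="https://www.examplebank.com/hours"/>
  </entry>
</feed>
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Crude second-level label: 'www.foo.com' -> 'foo'. Good enough here;
    a real tool would consult the public suffix list for things like .co.uk."""
    labels = host.lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_host(host: str, own_domain: str, max_edits: int = 2) -> str:
    """'own' for your domain and its subdomains, 'lookalike' for hosts whose
    main label is within max_edits of your brand or that embed the brand
    outright, 'other' for everything else. A short brand (say three letters)
    needs a smaller max_edits or this over-matches."""
    host, own_domain = host.lower(), own_domain.lower()
    if host == own_domain or host.endswith("." + own_domain):
        return "own"
    brand = registrable_label(own_domain)
    if brand in host or edit_distance(registrable_label(host), brand) <= max_edits:
        return "lookalike"
    return "other"


def lookalikes(feed_xml: str, own_domain: str):
    """Return (host, entry title) for every feed entry hosted on a lookalike domain."""
    hits = []
    for entry in ET.fromstring(feed_xml).iter(ATOM + "entry"):
        link = entry.find(ATOM + "link")
        if link is None:
            continue
        host = urlparse(link.get("href", "")).hostname or ""
        if classify_host(host, own_domain) == "lookalike":
            hits.append((host, entry.findtext(ATOM + "title", default="")))
    return hits


if __name__ == "__main__":
    for host, title in lookalikes(SAMPLE_FEED, "examplebank.com"):
        print(f"LOOKALIKE {host}: {title}")
```

Run against the constructed feed this reports examp1ebank.com (one character off) and examplebank-secure-login.net (brand embedded in a longer name) and stays quiet about the legitimate news story and your own subdomain. The edit-distance check is the part worth tuning: it catches typosquats, but with a short brand name it will also match unrelated domains, so lower max_edits or add an allow-list of known partners.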

You’ll want to pick some keywords to monitor. Other folks have talked specifically about what keywords you should be monitoring. It’s also a good idea to monitor your own website for those keywords using Google’s advanced search operators (inurl: and site:):

  • inurl:KEYWORD
  • inurl:COMPANY.COM KEYWORD
  • site:COMPANY.COM KEYWORD

Then we started thinking about monitoring for more direct IT security issues, and the first thing that came to mind was Google dorks: you should be watching your own domain so that none show up within it. You can do that by setting up Google Alerts such as:

  • site:COMPANY.COM “ORA-00921”
  • site:COMPANY.COM “ODBC”
  • (and so on for the rest of the GHDB. One alert per query does not scale to the whole database, so prioritize the error-message and file-exposure signatures that apply to your stack. There are also tools that automate running the GHDB against a domain, such as MRL’s SEAT or cDc’s Goolag.)
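The two alert lists above (the site:/inurl: keyword searches and the GHDB-style error-string searches) can be generated from one signature table, and the same table lets you check your own pages for those strings before a search engine indexes them. The script below is an added example, not code from the original post: the signature list is a tiny illustrative subset in the style of GHDB entries (ORA-00921 and ODBC come from the post, the other two are additions I chose), the page bodies are constructed HTML standing in for a crawl of your own site, and company.com stands in for the post’s COMPANY.COM placeholder.

```python
"""Dork self-check: build site: alerts from a signature list and scan your
own pages for the same strings before Google indexes them.

Added example, not from the original post. SIGNATURES is a tiny illustrative
subset in the style of GHDB entries (ORA-00921 and ODBC are the two strings
from the post; the other two are additions chosen for illustration), and
SAMPLE_PAGES is constructed HTML standing in for a crawl of your own site.
"""
import re

# name -> string to look for. Keep names stable: they are the keys you diff
# from one run to the next.
SIGNATURES = {
    "oracle_error": "ORA-00921",             # from the post
    "odbc_error": "ODBC",                    # from the post
    "php_mysql_warning": "Warning: mysql_",  # illustrative addition
    "dir_listing": "Index of /",             # illustrative addition
}


def alert_queries(domain: str, signatures=SIGNATURES):
    """One site: query per signature, ready to paste into Google Alerts."""
    return [f'site:{domain} "{sig}"' for sig in signatures.values()]


# Constructed sample crawl: URL -> response body. company.com matches the
# COMPANY.COM placeholder used in the post.
SAMPLE_PAGES = {
    "https://www.company.com/": "<html><body>Welcome</body></html>",
    "https://www.company.com/search?q=%27":
        "<pre>ORA-00921: unexpected end of SQL command</pre>",
    "https://www.company.com/report.asp":
        "Microsoft OLE DB Provider for ODBC Drivers error '80040e14'",
    "https://www.company.com/backup/": "<title>Index of /backup</title>",
}


def scan_pages(pages, signatures=SIGNATURES):
    """Return {url: [signature names]} for pages containing a signature.
    Case-sensitive and anchored at a word boundary, which cuts noise a bit;
    short signatures such as ODBC will still hit legitimate documentation
    pages, so treat hits as a review queue, not an incident."""
    findings = {}
    for url, body in pages.items():
        hits = [name for name, sig in signatures.items()
                if re.search(r"(?<!\w)" + re.escape(sig), body)]
        if hits:
            findings[url] = hits
    return findings


def new_findings(baseline, current):
    """Signatures present now that were not in the baseline, per URL, so a
    scheduled run reports regressions instead of the same backlog each day."""
    delta = {}
    for url, hits in current.items():
        fresh = sorted(set(hits) - set(baseline.get(url, ())))
        if fresh:
            delta[url] = fresh
    return delta


if __name__ == "__main__":
    for q in alert_queries("company.com"):
        print(q)
    baseline = {"https://www.company.com/backup/": ["dir_listing"]}  # known, being fixed
    for url, names in new_findings(baseline, scan_pages(SAMPLE_PAGES)).items():
        print(f"NEW {url}: {', '.join(names)}")
```

The point of the baseline diff is that monitoring is only useful if it tells you what changed: the first run will list every legacy error page you already know about, and from then on you only want to see the new ones. Feed scan_pages from whatever crawler you already run against your own site; the alert queries cover the pages Google has found that your crawler has not.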

You’ll definitely want analytics on your website, and you should monitor where your users are coming from. Referrer data gives you a running list of sites that link to you, and a scraped copy of your site often hotlinks your real images, stylesheets or login forms, so the clone can show up in your own referrer logs before any search engine indexes it. There are definitely some IRC channels and forums it would be handy to keep an eye on as well. We’ll save that for the commercial version of this article 😉

Thinking a bit more in depth about what classes of things you’d want to monitor, I came up with a few:

  1. Direct conversation about your company, brand, people, or reputation. (twitter, google alerts)
  2. Disclosure of vulnerability within your company’s software (XSSed, GHDB searches)
  3. Disclosure of vulnerabilities in critical (debatable) software your company is running. (the Full-Disclosure list, vendor advisories)
  4. Current threat levels / What sort of attacks are other companies seeing? (isc.sans.org, mailing lists)

Thoughts? Other sources which should be monitored?


Written by jcran

August 4, 2009 at 3:03 PM
