0x0e.org | pentesting perspective

braindump on pentesting, QA, metasploit, constant learning

Security Reputation Monitoring


Recently I had a financial-sector client contact me regarding tools and techniques for security and reputation monitoring. The client had recently had their web site scraped and placed under a similar domain. It was apparently a simple identity theft attack (on arbitrary users), but it scared them nonetheless.

Wanting to prevent or minimize the risk of this type of thing, they were in need of some simple reputation and keyword monitoring tools, so we came up with a few immediately:

  • Google Alerts – The best place to do basic reputation and keyword monitoring. You can set up RSS feeds or daily/weekly/instant emails that will alert you when a new page is indexed containing the keyword.
  • Twitter Search – Monitor any time a keyword is mentioned on Twitter. Also very useful.

You’ll want to pick some keywords to monitor. Other folks have talked specifically about what keywords you should be monitoring. It’s also a good idea to monitor your own website for those specific keywords with Google’s power search operators (inurl: and site:):

  • inurl:KEYWORD
  • inurl:COMPANY.COM KEYWORD
  • site:COMPANY.COM KEYWORD

Then we started thinking about monitoring for more direct IT security issues. Several things came to mind immediately.

You should also be monitoring your domain to ensure you don’t have any Google dorks showing up within it. You can do that by setting up Google Alerts such as:

  • site:COMPANY.COM “ORA-00921”
  • site:COMPANY.COM “ODBC”
  • (so on and so forth for the entire GHDB – Note that there are tools out there that help with this, such as MRL’s SEAT, or cdc’s Goolag)
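A complementary check, as an added example that is not part of the original post: the same signature strings can be matched against your own pages' responses, so a leaked database error is caught before a search engine indexes it. The page bodies and URLs below are constructed samples, and the function names are hypothetical.

```python
import re
from html import unescape

# Signatures taken from the alert list above; extend with further GHDB strings.
SIGNATURES = ["ORA-00921", "ODBC"]

def alert_queries(domain, signatures=SIGNATURES):
    """Build the site:-scoped alert queries in the form the post uses."""
    return [f'site:{domain} "{sig}"' for sig in signatures]

def visible_text(html):
    """Approximate what gets indexed: drop scripts, styles and tags."""
    html = re.sub(r"(?is)<(script|style)\b.*?</\1\s*>", " ", html)
    text = re.sub(r"(?s)<[^>]+>", " ", html)
    return re.sub(r"\s+", " ", unescape(text)).strip()

def scan_pages(pages, signatures=SIGNATURES, context=30):
    """Return (url, signature, snippet) for each signature visible on a page."""
    findings = []
    for url, body in sorted(pages.items()):
        text = visible_text(body)
        for sig in signatures:
            # Whole-token match so ORA-009210 does not count as ORA-00921.
            pattern = r"(?<![A-Za-z0-9])" + re.escape(sig) + r"(?![A-Za-z0-9])"
            m = re.search(pattern, text)
            if m:
                start = max(0, m.start() - context)
                findings.append((url, sig, text[start:m.end() + context]))
    return findings

# Constructed sample responses for the placeholder domain COMPANY.COM.
SAMPLE_PAGES = {
    "https://COMPANY.COM/products?id=12":
        "<html><body><h1>Error</h1><p>ORA-00921: unexpected end of SQL command</p></body></html>",
    "https://COMPANY.COM/report":
        "<p>[Microsoft][ODBC SQL Server Driver] Login failed</p>",
    "https://COMPANY.COM/about":
        "<html><script>var x='ODBC';</script><p>About us. ORA-009210 is not a match.</p></html>",
}

if __name__ == "__main__":
    for query in alert_queries("COMPANY.COM"):
        print("alert:", query)
    for url, sig, snippet in scan_pages(SAMPLE_PAGES):
        print(f"LEAK {sig} at {url}: ...{snippet}...")
```

Feed it the bodies from your own crawl or QA run; any finding is a page to fix and a query worth keeping as a standing alert.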

You’ll definitely want to get analytics on your website and monitor where your users are coming from. This will provide additional lists of sites that are linking to you. There are definitely some IRC channels and forums it would be handy to keep an eye on. We’ll save that for the commercial version of this article 😉

Thinking a bit more in-depth about what classes of things you’d want to monitor, I come up with a couple of classes:

  1. Direct conversation about your company, brand, people, or reputation. (Twitter, Google Alerts)
  2. Disclosure of vulnerabilities within your company’s software. (XSSed, GHDB searches)
  3. Disclosure of vulnerabilities within critical (debatable) software your company is running. (Full Disclosure, various vendors)
  4. Current threat levels / What sort of attacks are other companies seeing? (isc.sans.org, mailing lists)

Thoughts? Other sources which should be monitored?

Written by jcran

August 4, 2009 at 3:03 PM

Posted in Uncategorized

4 Responses

  1. I’d also recommend Yahoo! Pipes (why aren’t you using this more often? We keep talking about it ;]) You could set up multiple searches and have them run there, aggregating the results.

    Zach

    August 4, 2009 at 3:50 PM

  2. @zach – most definitely. actually meant to include that, so thanks for the heads up. aggregation of the feeds would be very easy using something like pipes.

    jcran

    August 4, 2009 at 4:02 PM

  3. Or, you know…we could always work together on something like that. *cough*

    Zach

    August 4, 2009 at 6:28 PM

  4. […] article on setting up some automated reputation monitoring activities. Security Reputation Monitoring << HexEsec | a pentester’s view Tags: ( reputation […]

