Cybersecurity can be super expensive for SME’s as the IT skills needed require professionals with many years of experience, intensive training and certifications, and very often pricey software, tools and subscriptions.
The quandary is that companies can’t afford not to do more for cybersecurity, as the increase in cyber attacks such as ransomware, data breaches and more tear across the business landscape worldwide. Cybersecurity can no longer be an afterthought for SME’s - they must get it right today.
What’s a company to do? Well, some expenditure is unavoidable, but like in many areas of IT open source solutions if selected wisely can be a big money saver. Trained cybersecurity professionals are still needed, but many of the tools we detail below can help small businesses bridge the gap between not paying enough attention to cybersecurity and employing sufficient security for their risk profiles.
Here we list the top open source categories and solutions:
Every company should start by conducting a cybersecurity risk assessment to ensure awareness of all their valuable assets, both physical and digital, local and in the cloud. From there they should initially and regularly scan all their assets and networks for vulnerabilities to achieve a clear awareness of their current status.
Commercial tools like Nessus and Qualys are often the industry go-tos, but since scanning is such an important activity there are many open source options as well, many specialized for certain tasks or asset types. Our list here is just touching on some main ones satisfying most environment’s needs. For many more can check a collection at OWASP: https://owasp.org/www-community/Vulnerability_Scanning_Tools :
OpenSCAP - https://www.open-scap.org/ - Security Content Automation Protocol (SCAP) is a U.S. standard maintained by the National Institute of Standards and Technology (NIST). The project is a collection of open source tools for conducting vulnerability assessments and implementing the standards.
Wapiti - https://wapiti.sourceforge.io/ - Wapiti works as a "black-box" vulnerability scanner, that means it won't study the source code of web applications but will work like a fuzzer, scanning the pages of the deployed web application, extracting links and forms and attacking the scripts, sending payloads and looking for error messages, special strings or abnormal behaviors.
Nikto - https://cirt.net/nikto2 - Web server scanner which performs comprehensive tests against web servers for multiple items, including dangerous files/programs, checks for outdated versions and configuration issues.
w3af - http://w3af.org/ - w3af is a web application attack and audit framework that helps secure web applications by finding and exploiting all web application vulnerabilities.
Vulnerability Reporting and Management
You found the vulnerabilities, now you need to track and manage them over time to ensure remediations are put into place:
Dradis - https://dradisframework.com/ce/ - Security project framework for collaboration and reporting. Combines the output of 19+ different security scanning tools, manual findings, and notes to generate consistent reports
These two are indispensable in the assessment and monitoring of your networks and assets:
Nmap - https://nmap.org/ - The go-to utility for network discovery and security auditing. It’s useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. If you want a graphical user interface instead of using the command line can use their Zenmap: https://nmap.org/zenmap/
WireShark - https://www.wireshark.org/ - The go-to network protocol analyzer. It lets you see what’s happening on your network, capture the packets live and conduct deep inspection of hundreds of protocols affording you a full view and interaction with your network environment.
Keep your servers, networks and web apps secure!
pfSense - https://www.pfsense.org/ - One of the most popular, and can be thought of as more than just a firewall as it’s extended to also do network address translation, load balancing, routing, VPN connections, dynamic DNS, DHCP and more. There are paid tiers but the base software is quite extensible with advanced features.
OPNsense - https://opnsense.org/ - A branch of pfSense and m0n0wall, is a firewall with similar features, can even add on a web application firewall, and some intrusion detection and prevention.
IPFire - https://www.ipfire.org/ - Open source firewall, intrusion protection system, network segmentation, VPN connections and more.
Intrusion Detection and Prevention Systems (IDS and IPS)
These utilities are super useful! :-)
Zeek - https://zeek.org/ - A well regarded and often used IDS-like sensor that sits on hardware or software devices to observe and log network traffic for use in a SIEM, for example.
Snort - https://www.snort.org/ - Detects and acts on real-time malicious network activity using the Community Ruleset (paid subscribers get a ruleset by Cisco Talos) for an active IPS solution. Also sniffs and log packets for network traffic debugging.
Suricata - https://suricata.io/ - Top alternative to Snort, is an open source threat detection engine, combining intrusion detection, prevention, network security monitoring and PCAP processing, it works to identify, stop, and assess attacks.
OSSEC - https://www.ossec.net/ - A host-based IDS with log monitoring, SIEM features, file integrity checking, rootkit detection and more.
Kismet - https://www.kismetwireless.net/ - A wireless network and device detector, sniffer and listed here as useful as a wireless intrusion detection system.
Sguil - http://bammv.github.io/sguil/index.html - Boasts a GUI that provides access to real time events, session data, and raw packet captures. Sguil facilitates the practice of network security monitoring and event driven analysis.
Anti-Virus / Anti-malware
Anti-virus and anti-malware is more often handled by subscription services, many of which have free versions available, so those are barely in the scope of this article, and we’ll just refer you to a collection of free versions of commercial ones here: https://www.pcmag.com/picks/the-best-free-antivirus-protection and for open source we’ll just mention:
ClamAV - https://www.clamav.net/ - Open source antivirus engine for detecting trojans, viruses, malware & other malicious threats. ClamAV includes a multi-threaded scanner daemon, command line utilities for on demand file scanning and automatic signature updates. Can be used in a variety of situations including email scanning, web scanning, and endpoint security.
Cloud Service Security
The use of cloud computing and storage is a boon for businesses enabling greater resources without adding too much complexity and managerial overhead, but it’s also simultaneously spread out companies attack surfaces and risk profiles. These open source tools can help check them for vulnerabilities:
Scout Suite - https://github.com/nccgroup/ScoutSuite - An open source security-auditing tool enabling security assessments of AWS, Azure, Google Cloud, Alibaba Cloud and Oracle Cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas, misconfigurations and more.
Prowler - https://github.com/toniblyx/prowler - auditing tool for Amazon Web Services (AWS) that is used to evaluate cloud infrastructure against AWS benchmarks, GDPR compliance and HIPAA compliance. It can perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
A SIEM helps bring all your logs into one place for centralized monitoring, alerts and analysis. The SIEM will help correlate events across your devices and network to achieve a comprehensive view.
ELK or Elastic Stack - https://www.elastic.co/what-is/elk-stack - "ELK" is the acronym for three open source projects: Elasticsearch, Logstash, and Kibana. Elasticsearch is a search and analytics engine. Logstash is a server‑side data processing pipeline that ingests data from multiple sources simultaneously, transforms it, and then sends it to a "stash" like Elasticsearch. Kibana lets users visualize data with charts and graphs in Elasticsearch. Like many software in our article here, there are paid solutions beyond the base open source solution and that’s certainly the case here as well, with the paid versions having confusingly similar names, so you gotta pick between them carefully.
Alien Vault and OSSIM (AT&T Cybersecurity) - https://cybersecurity.att.com/products/ossim - Can integrate other open source tools such as Snort IDS and OpenVAS vulnerability scanner, and provide an integrated web administrative tool to manage the whole security environment.
In lieu of “perfect coding” and configuration of your website or web application, adding a web application firewall (WAF) can help add an extra layer of protection to help achieve “defense in depth” in case one or another safeguard fails.
ModSecurity - https://github.com/SpiderLabs/ModSecurity - ModSecurity is an open source, cross platform WAF engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. Consider including the OWASP Core Rule Set (CRS).
Shadow Daemon - https://shadowd.zecure.org/overview/introduction/ - Shadow Daemon is a collection of tools to detect, record, and block attacks on web applications. Shadow Daemon intercepts requests and filters out malicious parameters. It is a modular system that separates web application, analysis, and interface to increase security, flexibility, and expandability.
Multi-tool Distribution Suites:
These suites include many of them aforementioned tools within them and much more, and are key starting points for many cybersecurity professionals’ work:
Kali Linux - https://www.kali.org/ - The go-to suite for vulnerability scanning, penetration testing and all related tools mostly from the “offensive” side perspective.
Security Onion - https://securityonionsolutions.com/software - A granddaddy in this space, it’s like the Kali Linux distribution but for the defensive side. Includes Elasticsearch, Logstash, Kibana, Suricata, Zeek, Wazuh, Stenographer, TheHive, Cortex, CyberChef, NetworkMiner, and many other security tools. Security Onion can help cover your SIEM, IDS and similar needs.
This is a tricky recommendation, as your passwords are so important and valuable long-term that you don’t want to skimp to save a little money here risking anything could go wrong. These open source password managers are definitely worth a look, though:
Bitwarden - https://bitwarden.com/ - We’re big fans of Bitwarden. They have the free open source tier for personal and small 2 person teams, and reasonably priced paid versions to be able to use at a business.
Quick Online Website Security Scanners
Your company surely has a website in its digital realm and these online scanners are good for a quick glance at your website’s security status. They are cursory and only surface layer, though, and shouldn’t replace more in depth vulnerability scanning, but they are surely very helpful.
At SEIRIM Cybersecurity in Shanghai we're putting together a free online cybersecurity training series. When complete we'll make a big presentation for it, but until then here is a sample entry focused on Phishing - training users how to detect, not fall victim to, and what to do in case of phishing attacks:
Keep in mind that many of these solutions actually expand out from their category to do a little more than just what they're mainly known for.
While it’s possible to use open source tools for many of your security software needs, in many cases the open source options require much more hands-on configuring and debugging as they may lack the ease of use of more polished commercial offerings.
A dedicated IT person can make them worth well with some extra time in most cases. In some categories, like Kali Linux for offensive side tools, for example, the open source tool is actually the preferred industry choice and not a compromise..