Common freeware concerns
Some enterprises worry that freeware tools, which tend to be open source, are somehow more likely to have flaws that bad guys can exploit. However, freeware often receives more scrutiny from researchers since it is often easier to review; tools can be easily downloaded and researchers aren't subjected to the often lengthy and cumbersome procurement process that's required to review some commercial products. This means that serious security flaws are often worked out earlier in the freeware product life cycle than its commercial counterparts. And, since only certain people can gain access to commercial software during the development phase, a major exploitable flaw may go unnoticed for quite some time. This means when an actual attacker finds ways to exploit the flaw, things can get very ugly very quickly, as illustrated by some of the vulnerabilities in intrusion prevention systems and backup products in the past two years.
Another common concern about freeware is the lack of vendor support. This is a significant issue, and one that has to be carefully managed. While some freeware tools have active user groups and Web sites, where ideas and solutions are exchanged by users and developers alike, others are foisted on the world by a single developer who then moves onto other affairs, with little or no support for such "abandonware." Information security practitioners should strive to use tools that have community support. Alternatively, some managed security services providers and other vendors will provide support services for free products (for a charge, of course).
Another often-cited concern is that no one is legally liable if the tool causes problems. This argument is centered on the premise that an enterprise could sue the vendor who sold it flawed commercial software. Unfortunately, the license agreements of commercial software almost always absolve the vendors from liability for any damage caused by their tools, even when the vendor is at fault. Therefore, legal claims in the commercial market are often just as limited as they are in the free software market.
And without debating whether freeware tools are cheaper than commercial tools, cost is certainly an issue to consider. In the end, the price of software is usually dwarfed by the costs associated with running and supporting it, whether the actual software is free or commercial. When such costs are pulled together for comparison, often, the price of free and commercial tools comes remarkably close.
The benefits of freeware
Still not convinced? Then focus on these two factors:
- Freeware tools are often better than their commercial counterparts, and some even offer features that aren't commercially available yet.
- Organizations no longer have to rely on glossy vendor brochures that promise miracle cures for the latest information security dilemmas, as many freeware tools often come with a "try-before-you-buy" opportunity, meaning you can test a given function in a free tool to see how it applies to your environment and operations, and then decide whether that functionality is important to you, with no direct software cost. If it proves desirable, you can opt to continue relying on the free tool, or purchase a commercial product that provides a similar function.
So, with the promise of useful features and try-before-you buy capabilities, and the often neutralized economic, support, and liability issues, which free tools should you look at for your enterprise? There are a bunch that I've seen small, medium and large enterprises use with good results, including some of following:
While not every enterprise will want to run each of these tools and adapt processes around them, they should at least be considered; don't rule them out simply because they are free. I recommend giving in-house infosec pros the ability to use freeware tools where they make sense.
About the author: This was first published in December 2006
Ed Skoudis is a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions relating to information security threats.
This was first published in December 2006