Cybersecurity on a Shoestring Budget

Michael Salihoglu | 10/15/2025

Tight budgets are a reality. This curated list of free cybersecurity resources and tools can help security teams build maturity despite constrained resources.

October is Cybersecurity Awareness Month, sponsored by the Cybersecurity and Infrastructure Security Agency and the National Cybersecurity Alliance. This annual initiative, now in its 22nd year, focuses on helping organizations and the public to enhance their awareness of cybersecurity, reduce risk, and address cyberthreats. In this article, a Crowe cybersecurity specialist presents free resources cybersecurity teams can use to augment their organizations’ programs and strengthen their security postures.

No budget? No problem. These free tools and resources can help your cybersecurity team close gaps and strengthen your security posture.  

Managing cybersecurity responsibilities can be overwhelming, particularly when organizational budgets are tight or resources are limited. However, many organizations have faced and addressed similar cybersecurity challenges, and the security community has long embraced the principles of free and open-source software. Industry leaders have carried forward this ethos by sharing their solutions openly, while some vendors have released limited or conditional versions of proprietary tools to support smaller organizations.

Following is a selection of tools and strategies that can help security teams with tight budgets and constrained resources address common challenges across key cybersecurity domains.


Cybersecurity governance and management

If starting from square one, the Cybersecurity and Infrastructure Security Agency (CISA) offers many high-level checklists and guides, namely the CISA Cybersecurity Performance Goals Checklist and the CISA Cyber Essentials Starter Kit. Although slightly dated, they’re a solid first step in triaging major control areas. For small businesses, the Federal Communications Commission created the Small Biz Cyber Planner 2.0, and the Global Cyber Alliance offers a Cybersecurity Toolkit for Small Business.

For a guiding cybersecurity philosophy or framework, the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) is a popular and robust one to choose, as is the Center for Internet Technology’s (CIS) Critical Security Controls®. Alternatively, to combine multiple frameworks, some organizations choose to create a combined control framework. Whichever route a security team chooses, CISA’s Cybersecurity Evaluation Tool can help evaluate an environment against a choice of frameworks, including the NIST CSF and the Payment Card Industry’s Data Security Standard.

Whether starting from scratch, making updates, or just looking for a comparison to best practices, the SANS Institute provides free cybersecurity policy templates to help keep organizations running smoothly and securely.

To drill down into specifics, CIS can help with general hardening benchmarks for specific technologies, including cloud services, network devices, endpoint operating systems, mobile devices, browsers, databases, virtualization, and web infrastructure. To evaluate the most common existing technologies, CIS offers the Configuration Assessment Tool Lite. A paid version can support all the different technologies as well as the Defense Information Systems Agency Security Technical Implementation Guides, another great hardening standards resource that can be accessed for free.

An open-source governance, risk, and compliance tool named CISO Assistant can help track open initiatives, findings, risk management, and more. The tool also has an expansive list of compliance frameworks that it supports and a paid upgrade if support is needed.

Lastly, a great addition to any cybersecurity program is tabletop exercises. They provide a safe simulation of adverse events and allow organizations to put their processes to the test and practice their response. Coming up with realistic scenarios and preparing the materials can be difficult. However, CISA has already put together tabletop exercise packages with built-in scenarios that in-house teams can use to perform their own exercises.

Vulnerability management

A critical element of establishing and maintaining a good cybersecurity posture is keeping technology up to date via a robust vulnerability management program. This program is typically supported by an enterprise vulnerability scanner that can interrogate assets on the network and identify missing patches or misconfigurations. If such a tool is cost prohibitive, a common option is to use the less user-friendly Greenbone OpenVAS and combine it with CISA’s known-exploited vulnerabilities catalog as the key information source for high-risk vulnerabilities to look for. Other open-source vulnerability scanners that can fit the bill include Nuclei and Tsunami.
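One way to apply the known-exploited vulnerabilities (KEV) catalog to scanner output, as an added example that is not from the original article: findings whose CVEs appear in the catalog are ranked ahead of everything else, regardless of CVSS score. The KEV field names (`cveID`, `dueDate`, `knownRansomwareCampaignUse`) follow CISA's JSON feed; the findings layout, hosts, dates, and placeholder CVE IDs are constructed assumptions.

```python
import json

# Constructed sample in the layout of CISA's KEV JSON feed (placeholder CVE IDs).
KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dueDate": "2025-01-15",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "dueDate": "2025-03-01",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Constructed scanner findings; this layout is an assumption, not a real
# OpenVAS export format. Map your scanner's report columns onto it.
FINDINGS = [
    {"host": "10.0.0.5", "cves": ["CVE-0000-0001", "CVE-0000-0009"], "cvss": 7.5},
    {"host": "10.0.0.7", "cves": ["CVE-0000-0009"], "cvss": 9.8},
    {"host": "10.0.0.8", "cves": ["cve-0000-0002"], "cvss": 5.3},
    {"host": "10.0.0.9", "cves": [], "cvss": 4.0},
]

def load_kev(text):
    """Index KEV entries by upper-cased CVE ID for case-insensitive lookup."""
    return {e["cveID"].upper(): e for e in json.loads(text)["vulnerabilities"]}

def prioritize(findings, kev):
    """Rank KEV-listed findings first (ransomware-linked, then earliest
    due date), and fall back to CVSS only for findings not in the catalog."""
    ranked = []
    for f in findings:
        hits = [kev[c.upper()] for c in f["cves"] if c.upper() in kev]
        ranked.append({
            **f,
            "kev": sorted(h["cveID"] for h in hits),
            "ransomware": any(
                h.get("knownRansomwareCampaignUse") == "Known" for h in hits),
            # ISO dates sort correctly as strings; sentinel pushes non-KEV last.
            "kev_due": min((h["dueDate"] for h in hits), default="9999-12-31"),
        })
    ranked.sort(key=lambda r: (not r["kev"], not r["ransomware"],
                               r["kev_due"], -r["cvss"]))
    return ranked

if __name__ == "__main__":
    for r in prioritize(FINDINGS, load_kev(KEV_JSON)):
        print(r["host"], r["cvss"], r["kev"] or "-", r["kev_due"])
```

In the constructed data, the CVSS 5.3 finding on a KEV-listed CVE outranks the CVSS 9.8 finding that is not in the catalog, which is the triage behavior the catalog is meant to drive.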

Once the scans are complete, managing the identified vulnerabilities can become a monumental task for underresourced organizations. Several open-source vulnerability management and reporting tools can assist with that: one referenced by the SANS Institute is VulnWhisperer, and another is Faraday. Setting up these platforms can assist with the triage, assignment, and, ultimately, remediation of the vulnerabilities in an environment.

One important prerequisite to vulnerability management is asset management. An organization can’t protect its technology assets if it doesn’t know what assets it has and where they are. Basic network scanners like Zenmap can help with asset discovery, but more autonomous and advanced network discovery and asset management tools, such as runZero, offer a free tier for small organizations and can prove invaluable.

One last note for small businesses is that CISA offers enrollment in its Cyber Hygiene services program to assist in vulnerability identification and management.

Protecting web services and applications

Any internet-facing services represent a large risk to organizations because they are typically accessible to the entire internet by design. Anyone who has stood up a webserver and looked at the logs knows that, almost immediately, the web service is hit with internet background radiation, or seemingly random web traffic including reconnaissance bots and malicious attempts to compromise the service. Thus, it’s important to constantly evaluate these web services and applications and manage their vulnerabilities, too.

To start, Qualys offers some free services to check up on encryption levels, certificate health, and basic web vulnerabilities. Several tools can scan websites to test for vulnerabilities, including Zap, Nikto, Wapiti, WhatWeb, Sitadel, w3af, and afrog, among others. For application programming interfaces (APIs) specifically, free tools include GraphQL, Pynt, VulnAPI, and WuppieFuzz, and Grype is a Unix-focused scanner with software bill of materials abilities.

For free, basic protection against distributed denial of service attacks and other unwanted bot traffic, Cloudflare offers a free plan with easy setup for websites and APIs. For small and medium-sized businesses, Cloudflare also offers Secure Access Service Edge technology, which provides a zero-trust approach to network access and can replace virtual private network (VPN) technologies.

Lastly, some services can perform free external network reporting for certain organizations that could be worth signing up for to get alerts when they find vulnerable web infrastructure.

Logging and detections

Organizations should harden their defenses to keep their sensitive information away from threat actors while also recognizing that no system is entirely immune to breaches. Developing and enhancing logging and detection activities is a critical step in enhancing cybersecurity maturity.

To help, CISA developed a Logging Made Easy solution that packages multiple components, including Wazuh and Elastic SIEM. Other open-source network security monitoring tools include Security Onion, UTMStack, and Zeek, which overlap in functionality with intrusion detection or prevention systems, such as Snort and Clear NDR®. Specific network traffic analysis tools can come in handy, too, including RITA and CISA’s Malcolm.

Once detections are in place, the next step is to evaluate their effectiveness. Organizations can test their detections with open-source tools that simulate threat actors, such as Atomic Red Team, Stratus Red Team, and Metta, and by using the MITRE ATT&CK® framework alongside Caldera. By confirming that they can detect common threat actor tradecraft and identifying any gaps in those detections, organizations can speed up the time to detection for real incidents.

Another strategy that helps catch threat actors is the use of decoy technologies. By using free tools, such as CanaryTokens and DejaVu, detection teams can deploy these pieces of digital bait to try and ensnare threat actors who have found a way to access an organization’s infrastructure.

Endpoint protection

Because users make mistakes, protecting endpoints is a clear priority. Most modern operating systems come with some sort of endpoint protection; however, going beyond stopping malware and integrating with a logging and monitoring solution helps close the gap on endpoint security. Microsoft Defender™, which ships with modern Microsoft Windows™ operating systems, has this functionality; however, other endpoint detection and response (EDR) and extended detection and response (XDR) solutions can help as well. Wazuh, as mentioned earlier, is an open-source EDR and XDR solution, as is OpenEDR. WHIDS can sit alongside EDR agents and uses Sysmon from the Microsoft Sysinternals™ tool set to collect information about system health and feed that additional information to a monitoring solution.

One powerful yet underutilized feature on Windows systems is Microsoft AppLocker™, which provides application control by only allowing users to run code from preapproved applications. For those who have trouble with its deployment, DenyLocker inverts the model and allows a less effective but easier-to-manage approach by simply providing lists of disallowed applications.

What about Unix-based systems? Several of the EDR agents discussed here support Unix systems, but Lynis is a focused tool that can evaluate Unix endpoint security and configurations. Additionally, AIDE as well as OSSEC offer more continual integrity and security monitoring.

At the browser level, it is possible to harden browser deployments, but an easy win is to install browser extensions that block unwanted ads and scripts and also protect privacy, such as uBlock Origin and Adblock Plus.

To secure user traffic, configuring a public domain name system (DNS) resolver that can refuse to resolve known-malicious sites is fairly straightforward by using Cloudflare’s 1.1.1.1 (and 1.1.1.2), Quad9, or ControlD. To go a step further, Cloudflare also offers a free WARP service that operates as a VPN to secure users’ traffic no matter how they connect to the internet.

Finally, to deal with user passwords, updating configuration requirements to enforce long, strong passwords as well as multifactor authentication is generally supported by most authentication providers. Several free password managers, including Bitwarden, KeePassXC, and Proton Pass, can help users and IT administrators set good passwords.

Windows Active Directory

Most organizations use some form of Windows infrastructure, typically supported by Windows Active Directory (AD). AD provides identity services and configuration capabilities and is therefore a huge target for threat actors. The open-source BloodHound Community Edition is a huge help in identifying attack paths that adversaries might take to compromise the Windows infrastructure and take over an organization’s environment. It’s a little less easy to run than the paid version, but helpful add-ons such as FalconHound and BlueHound can expand its capabilities. Other free tools that help identify and close AD gaps are Purple Knight, Forest Druid, and PingCastle.

Once the main misconfigurations are identified and fixed, another area that’s received scrutiny in recent years is AD’s Certificate Services. This optional but often-enabled feature offers an alternate form of authenticating that can allow adversaries to bypass passwords altogether and still take over user accounts and critical AD infrastructure. Luckily, the researchers who first identified and disclosed the flaws support a free tool called PSPKIAudit to identify and help remediate the certificate misconfigurations.

Another common area of exploitation in Windows environments is network shares. Often, sensitive information is mistakenly left in shared folders and not restricted to only those who need to access it. Worse, shares with excessive access can be used as proliferation points for ransomware attacks. Luckily, open-source tools such as shareenum can identify promiscuous share permissions, and MANSPIDER and Snaffler can identify rogue sensitive files and information.

Cloud hardening

Migrations to the cloud hopefully include thorough security planning, but sometimes the focus on rapid deployment results in cybersecurity becoming a low priority. As such, organizations might be running cloud infrastructure with misconfigurations that could have high impact if exploited.

Fortunately, several tools can help identify common cloud misconfigurations and provide guidance for hardening, including ScubaGear, Prowler, CloudSploit, and ScoutSuite, which can evaluate many different cloud providers. For an Amazon Web Services™-specific review, CloudGPT can help. For Microsoft Azure™ and Microsoft Entra™ ID, PowerZure and ROADtools can be of assistance. Lastly, the Threatmapper scanner can assist with securing cloud development pipelines.

Industry perspective

While performing our research to identify the free and open-source tools and resources cybersecurity stakeholders might find helpful, we reached out to some industry specialists for their perspective. Some challenged the assumption that resource-constrained teams want more software to implement. For any of these tools and resources, organizations need people and time to get them implemented and working correctly. From their perspective, the real cost-saver is AI.

They explained that providing AI with enough context on the problem to be solved and feeding it the right data allows users to ask better questions about how to move forward. The more transparent and detailed the prompt, the more useful and aligned the AI’s output can be. Using AI as a thought partner instead of a thought leader helps teams generate ideas and refine direction and maintains valuable human input.

Following are examples of how cybersecurity teams can effectively use AI:

  • Describing issues with current security tooling and asking for detailed troubleshooting steps as well as configuration enhancements
  • Describing tedious repeatable processes and requesting code solutions to automate those tasks
  • Providing cybersecurity initiatives and asking the AI to summarize a business case to share with the executive team
  • Providing contracts and amendments and asking the AI to summarize and flag any pertinent contract sections on IT and security
  • Providing network diagrams and configurations and asking the AI to recommend network architecture design and additional controls

AI is a transformational tool, and since cybersecurity adversaries are already using it, it’s only logical that cybersecurity teams do the same to stay ahead.

No budget, no problem

Being put in a position to support an organization’s cybersecurity program with limited budget and resources is never easy. However, by taking advantage of free, community-built tools and resources, security teams can still shore up cybersecurity gaps and continue to build their maturity. Furthermore, by leaning into AI and using it strategically, underresourced cybersecurity teams can force-multiply and get more done with less.

Microsoft, AppLocker, Azure, Microsoft Entra, Microsoft Defender, Sysinternals, and Windows are trademarks of the Microsoft group of companies.
