Diagnostic Tools (security of)

Overview
Diagnostic tools include the network diagnostic, monitoring and scanning tools used to diagnose or troubleshoot applications, systems or networks so as to ensure the confidentiality, integrity and/or availability of critical applications or systems. Because many diagnostic utilities have powerful functionality that could expose vulnerabilities on the network or system, they should be carefully controlled and limited to authorized personnel, in accordance with their job responsibilities.

Guidelines
Diagnostic or "utility" software should be carefully controlled and monitored for misuse. For example, system scanning or debugging software should not be included in production system configurations, since it could be misused to expose sensitive information to unauthorized individuals (e.g. vulnerabilities on the network, insecure credentials, etc.). System configurations should typically remove such utilities from the standard build and install them only when needed. When utilities are used in production, their use should be authorized beforehand and carefully monitored. Additionally, scanning utilities should be limited to authorized personnel (e.g. the security or operations group) as part of their job responsibilities. If such scanning is needed for troubleshooting in production, it should be authorized and documented as part of the change management process to ensure the confidentiality, integrity and availability of information. Additional measures can include integrity checking software to detect unauthorized installation or modification of sensitive utilities.
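The two controls above (remove scanning and debugging utilities from the standard production build; pin the sensitive utilities that remain to an approved baseline with integrity checking) can be checked mechanically. The following is an added example written for this page, not code from the page or from any particular product: it audits a manifest of installed executables (path to SHA-256) against a denied-utility list and a hash baseline. The utility names, paths and file contents are constructed sample data, and the denied list is a hypothetical starting point that an organization would tailor to its own standard build.

```python
"""Audit a production build manifest against a diagnostic-tool policy.

Added example (not from the original page). All sample paths, contents and
hashes are constructed for illustration.
"""
import hashlib
import os

# Utilities the policy says should not ship in the standard production build.
# Hypothetical list; the real one comes from the organization's build standard.
DENIED_UTILITIES = {"nmap", "tcpdump", "strace", "gdb", "nc"}


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of a byte string (used for both baseline and manifest)."""
    return hashlib.sha256(data).hexdigest()


def manifest_from_dirs(dirs):
    """Build a real manifest {path: sha256} by hashing executables in dirs.

    Symlinks are not followed, so a link to a denied tool is not hashed twice,
    but note it will also not appear under the link's name.
    """
    manifest = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for entry in os.scandir(d):
            if entry.is_file(follow_symlinks=False) and os.access(entry.path, os.X_OK):
                with open(entry.path, "rb") as f:
                    manifest[entry.path] = sha256_bytes(f.read())
    return manifest


def audit(manifest, denied, baseline):
    """Compare an installed-executable manifest with policy.

    manifest: {path: sha256 of the installed file}
    denied:   set of basenames that must not be present in production
    baseline: {path: approved sha256} for sensitive utilities that are allowed
    Returns a list of (severity, path, message) findings.
    """
    findings = []
    # Control 1: denied diagnostic utilities must be absent from the build.
    for path, _digest in manifest.items():
        if os.path.basename(path) in denied:
            findings.append(("high", path,
                             "denied diagnostic utility present in production build"))
    # Control 2: permitted sensitive utilities must match the approved baseline.
    for path, expected in baseline.items():
        actual = manifest.get(path)
        if actual is None:
            findings.append(("medium", path,
                             "baselined utility missing; file removed or baseline stale"))
        elif actual != expected:
            findings.append(("high", path,
                             "baselined utility hash differs from approved build"))
    return findings


# Constructed sample host: contents stand in for binaries.
SAMPLE_FILES = {
    "/usr/bin/ss": b"ss-binary-v1",                  # allowed, matches baseline
    "/usr/sbin/tcpdump": b"tcpdump-binary",          # denied in production
    "/usr/bin/strace": b"strace-binary",             # denied in production
    "/usr/local/bin/healthcheck": b"healthcheck-v2", # allowed, but drifted
}
SAMPLE_MANIFEST = {p: sha256_bytes(c) for p, c in SAMPLE_FILES.items()}

# Constructed baseline recorded when the build was approved.
SAMPLE_BASELINE = {
    "/usr/bin/ss": sha256_bytes(b"ss-binary-v1"),
    "/usr/local/bin/healthcheck": sha256_bytes(b"healthcheck-v1"),
    "/usr/bin/lsof": sha256_bytes(b"lsof-binary"),   # baselined, no longer installed
}


def run_sample_audit():
    """Run the audit over the constructed sample; returns the findings list."""
    return audit(SAMPLE_MANIFEST, DENIED_UTILITIES, SAMPLE_BASELINE)


if __name__ == "__main__":
    for severity, path, message in run_sample_audit():
        print(f"[{severity}] {path}: {message}")
```

On a real host, replace the sample manifest with `manifest_from_dirs(["/usr/bin", "/usr/sbin", "/usr/local/bin"])` and store the baseline outside the host (for example with the change record that approved the build), since a baseline kept on the audited system can be altered along with the utilities it is meant to protect.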