2 Days Left to Save $400 on SANS Baltimore 2015

Reading Room

More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,340 original computer security white papers in 88 different categories.

SURVEY: What Are Their Vulnerabilities? A SANS Continuous Monitoring Survey. Sharing your insights Enters You in a $400 Amazon Gift Card Drawing! https://www.surveymonkey.com/r/2015SANSSurveyVM_CM

Latest 25 Papers Added to the Reading Room

  • An Introduction to Linux-based malware Masters
    by Matthew Koch - July 23, 2015 in Malicious Code

    Abstract Although rarely making news headlines Linux malware is a growing problem. As a result, Linux systems are left in an insecure state with minimal defenses against malware. This becomes increasingly problematic with the growth of networkable embedded devices often referred to as the Internet of Things (IoT). This paper will discuss attack vectors for Linux malware, analyze several pieces of malware and describe defensive capabilities.

  • Incident Tracking In The Enterprise by Justin Hall - July 20, 2015 in Incident Handling

    Some organizations employ Computer Security Incident Response Teams (CSIRTs) to investigate and respond to security incidents. They often find these investigations to be poorly executed, time consuming, and ultimately ineffective at discovering the root cause of a breach. Unfortunately, this is not usually due to the skill of the investigators, but rather due to the tools and processes they use to manage the investigations. This paper describes the use of purpose built case management software, integrated into the incident response process, to track these investigations. CSIRTs that take an organized, formal tracking approach will collaborate better and find their investigations to be more complete and useful to risk managers.

  • Two-Factor Authentication (2FA) using OpenOTP by Colin Gordon - July 17, 2015 in Authentication

    This guide is for security-aware individuals who wish to learn the theory behind user- based two-factor (or multifactor) authentication systems, also known as 2FA. Here we will discuss how 2FA systems work, and how to implement 2FA into a small, virtualized environment for testing purposes. By implementing 2FA, the hope is to enhance the cyber toolkit for administrators who wish to help mitigate the effects of user password theft by cyber intrusion. By following the steps outlined here, the reader should be able to comfortably configure a user account already existing in a Microsoft® Active Directory® (AD) environment to use the Google Authenticator application on his/her smartphone to authenticate with AD username and password+token for remote VPN access.

  • Leveraging the Federal Public Trust Clearance Model in State Government Personnel Security Programs Masters
    by Joseph C. Impinna - July 17, 2015 in Best Practices

    Security clearances are a requirement when working with classified information at the federal level. In recent years, incidents involving unauthorized disclosures of highly sensitive classified information have brought the security clearance adjudication process under scrutiny. These incidents have reinforced the principle that a personnel security program that properly vets individuals is critical to any organization that wishes to protect its data. Although the effects of an incident at the state level may be narrower in scope than at the federal level, the need to safeguard sensitive information is the same. The national security clearance model is used at many state agencies that work with the Department of Defense and other federal entities. However, an agency that does not access national security data still has a responsibility to uphold public trust. For these organizations, the background check processes can vary greatly from state to state or even between agencies. An effective personnel security program is much more than simply granting access to protected information through a public trust clearance. To achieve the assurance implied with a clearance, other components must be included. While a direct implementation of the federal model may not be feasible, using just a few concepts to design a system tailored to the state level would significantly improve the security posture of the issuing agency.

  • Psychology and the hacker - Psychological Incident Handling by Sean Atkinson - July 9, 2015 in Incident Handling

    The understanding of the processes, techniques and skills of hackers or cyber-criminals can be ascertained through the practical application of forensic psychology techniques and behavioral analysis. The actions and methods used within an attack, through the monitoring of logs and forensic discovery, will contribute to a profile of the person/persons behind the intrusion. This information will be a new vector in determining infiltration techniques, if the actions leave a persistent threat (backdoor) or if it is a one-time smash and grab. If applied correctly, the detective controls can shorten avenues of determining risk and threats, as well as the magnitude of investigation required based upon the behavioral profile. Incident handling is based on the detection, response and resolution of security incidents. Given a new understanding of the person/persons behind such an incident, the process will be a preliminary part of the incident handling process. Using the methods of behavioral analysis, it creates a new dimension of understanding to the malicious activity and network analysis of what occurred in the environment.

  • A Concise Guide to Various Australian Laws Related to Privacy and Cybersecurity Domains Masters
    by Babu Veerappa Srinivas - July 6, 2015 in Legal Issues

    There are many laws in Australia related to privacy and cyber security domains. In this paper, the author intends to collate the current laws related to privacy and cyber security domains so that interested readers could get relevant information specific to Australia in one concise document. Additionally, there are no industry specific acts or regulations like HIPAA, SOX or GLBA. Because of this, some organizations do not know their obligations in relation to these laws. This paper presents research on the current applicable cyber security related laws, Acts and regulations published by the Federal and State Governments, established relationship with other applicable Acts, performed a gap assessment and identified relevant industry frameworks that can be adopted as best practices. For ease of future research, the source of these current artefacts and database are cited for throughout the document. Disclaimer: Contents of this document must not be construed as legal advice. Readers are encouraged to seek legal advice prior to consideration.

  • A Framework for Assessing 20 Critical Controls Using ISO 15504 and COBIT 5 Process Assessment Model (PAM) Masters
    by Muzamil Riffat - July 6, 2015 in Auditing & Assessment

    The 20 critical controls, maintained by the Council on CyberSecurity, present a prioritized road map for organizations to enhance their information security posture. However, an initial review that serves as a "baseline" must first be performed to know the current information security posture and to ascertain the effort required to implement the critical controls. Furthermore, assessments or audits should be performed periodically to gauge the continual improvement in information security as well as to what extent the critical controls have been implemented. This paper presents a unified and repeatable framework that could be used for the initial gap analysis as well as to measure the continual enhancements in implementation of the critical controls. The concepts presented in this paper draw heavily from the contents contained in "ISO/IEC 15504 Information technology - Process assessment" standard and COBIT5 Process Assessment Model (PAM). The information presented in ISO 15504 and COBIT 5 PAM is adapted for the assessment of critical controls. A unified approach in assessing the implementation status of each critical control as well as the sub-controls is presented based on an incremental measuring scale. The other peripheral elements of the assessment such as the details of assessment process (planning, initiation, fieldwork reporting), assessor qualifications, and competency are also detailed out resulting in a comprehensive framework for assessing the 20 critical controls.

  • Securing Single Points of Compromise (SPoC) Masters
    by David Belangia - June 30, 2015 in Best Practices

    Securing the Single Points of Compromise that provide central services to the institutions environment is paramount to success when trying to protect the business. (Fisk, 2014) Time Based Security mandates protection (erecting and ensuring effective controls) that last longer than the time to detect and react to a compromise. When enterprise protections fail, providing additional layered controls for these central services provides more time to detect and react. While guidance is readily available for securing the individual critical asset, protecting these assets as a group is not often discussed. Using best business practices to protect these resources as individual assets while leveraging holistic defenses for the group increases the opportunity to maximize protection time, allowing detection and reaction time for the SPoCs that is commensurate with the inherent risk of these centralized services

  • Tactical Data Diodes in Industrial Automation and Control Systems by Austin Scott - June 30, 2015 in Firewalls & Perimeter Protection

    In recent years, there has been an increased interest in the use of Data Diodes (also known as unidirectional gateways) within Industrial Automation and Control System (IACS) networks. As a result, there has been a substantial amount of confusion around where and how best to use this effective barrier technology. Although not a direct replacement for Firewalls, Data Diodes are well suited for specific tasks within IACS networks such as data replication, system state monitoring, remote backup management and patch management. This paper demystifies the use of Data Diodes within the IACS domain by detailing the process and challenges of building a simple Data Diode and applying it an IACS network.

  • BYOD: Do You Know Where Your Backups Are Stored? Masters
    by Marsha Miller - June 30, 2015 in Mobile Security

    Ever striving to reduce costs, companies in increasing numbers are testing Bring Your Own Device (BYOD) as a mobile solution. Although security has become a hot topic, ensuring the protection of confidential information during synchronization of a mobile device to a personal storage location may be overlooked. This paper will touch on elements of how and where data is stored on a mobile Apple and Android device, the default backup solutions, a few legal aspects to consider, and some security solutions offered by AirWatch and Good.

  • Accessing the inaccessible: Incident investigation in a world of embedded devices Masters
    by Eric Jodoin - June 24, 2015 in Internet of Things

    There are currently an estimated 4.9 billion embedded systems distributed worldwide. By 2020, that number is expected to have grown to 25 billion. Embedded systems can be found virtually everywhere, ranging from consumer products such as Smart TVs, Blu-ray players, fridges, thermostats, smart phones, and many more household devices. They are also ubiquitous in businesses where they are found in alarm systems, climate control systems, and most networking equipment such as routers, managed switches, IP cameras, multi-function printers, etc. Unfortunately, recent events have taught us these devices can also be vulnerable to malware and hackers. Therefore, it is highly likely that one of these devices may become a key source of evidence in an incident investigation. This paper introduces the reader to embedded systems technology. Using a Blu-ray player embedded system as an example; it demonstrates the process to connect to and then access data through the serial console to collect evidence from an embedded system non-volatile memory.

  • The State of Security in Control Systems Today Analyst Paper
    by Derek Harp and Bengt Gregory-Brown - June 24, 2015 

    By reading this report, ICS professionals will gain insight into the challenges facing peers, as well the approaches being employed to reduce the risk of cyberattack.

  • Six Steps to Stronger Security for SMBs Analyst Paper
    by Eric Cole, PhD - June 23, 2015 in Security Awareness

    An Analyst Program whitepaper by Dr. Eric Cole. It describes a six-step approach that small and medium-size businesses can use as a template for enhancing their overall security posture.

  • Security Spending and Preparedness in the Financial Sector: A SANS Survey Analyst Paper
    by Jaikumar Vijayan - June 23, 2015 

    Financial services organizations are being breached too often. Find out how the threat landscape and the tools to secure data are changing in the 2015 SANS Financial Services Survey.

  • eAUDIT: Designing a generic tool to review entitlements Masters
    by Francois Begin - June 22, 2015 in Information Assurance, Auditing & Assessment, Best Practices, Case Studies, Compliance, HIPAA, Legal Issues, Security Policy Issues, Risk Management, Standards, System Administration, Tools

    In a perfect world, identity and access management would be handled in a fully automated way.

  • Case Study: Critical Controls that Sony Should Have Implemented by Gabriel Sanchez - June 22, 2015 in Case Studies

    What would soon characterize one of the worst hacks in recent history began when screenwriter Evan Goldberg and actor Seth Rogen joked about making a comedy about assassinating the leader of North Korea, Kim Jong-un.

  • Enabling Big Data by Removing Security and Compliance Barriers Analyst Paper
    by Barbara Filkins - June 17, 2015 

    The rewards that big data can bring are widely recognized: scientific insight, competitive intelligence and improved fraud detection, as well as the benefits derived from sophisticated analyses of vast sets of transactional and behavioral data.

  • Using windows crash dumps for remote incident identification by Zong Fu Chua - June 16, 2015 in Forensics

    With the proliferation of defense mechanisms built into Windows Operating System,, such as ASLR, DEP, and SEHOP, it is getting more difficult for malware to successfully exploit it.

  • Conquering Network Security Challenges in Distributed Enterprises Analyst Paper
    by John Pescatore - June 11, 2015 

    Enterprises continue to have difficulties detecting, blocking and responding to threats.

  • The Perfect ICS Storm by Glenn Aydell - June 8, 2015 in Industrial Control Systems, Internet of Things

    As manufacturing Industrial Control System (ICS) architectural designs have evolved from isolated and proprietary systems with physical separation to a layered architecture using more standard IT components to the latest trend of Industrial Internet of Things (IIoT); so too have the challenges associated with securing these environments.

  • Applying Lessons Learned for the Next Generation Vulnerability Management System Masters
    by John Dittmer - June 8, 2015 in Threats/Vulnerabilities

    The objective of this paper is to recommendations for improving a vulnerability management system in development.

  • New Critical Security Controls Guidelines for SSL/TLS Management Analyst Paper
    by Barbara Filkins - June 4, 2015 

    Security flaws like Heartbleed, POODLE, BEAST and a series of high-profile certificate thefts and misappropriations have shaken public confidence in "secure" SSL/TLS certificates. It is possible for organizations to safeguard themselves and retain most of the benefits of using the web's most common authentication system, however, as long as they're rigorous about setting and enforcing the right policies on who do trust among many questionable nodes in the global network of trust.

  • Practical Attack Detection, Analysis, and Response using Big Data, Semantics, and Kill Chains within the OODA Loop Masters
    by Brian Nafziger - June 3, 2015 in Information Warfare

    The traditional approach to using toolsets is to treat them as independent entities detect an event on a device with one tool, analyze the event and device with a second tool, and finally respond against the device with a third tool. The independent detection, analysis, and response processes are traditionally static, slow, and disjointed.

  • Improving Detection, Prevention and Response with Security Maturity Modeling Analyst Paper
    by Byron Acohido - May 29, 2015 in Security Modeling

    An Analyst Program whitepaper written by Byron Acohido. It discusses various security maturity models and how organizations can use them to improve their defense posture while reducing the time needed to respond to incidents and contain the damage.

  • Integration of Network Conversation Metadata with Asset and Configuration Management Databases by William Yeatman - May 26, 2015 in Best Practices

    As an alternative the loss of access to plaintext IP payloads in an increasingly encrypted and privacy conscious world, network layer security analysis requires a shift of attention to examination and characterization of the packet and network conversation meta- information derived from packet header information. These characteristics can be incorporated into and treated as an integral part of asset and configuration management baselines. Changes detected in the expected endpoints, frequency, duration, and packet sizes can be flagged for review and subsequent response or adjustment to the baseline.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

Masters - This paper was created by a SANS Technology Institute student as part of their Master's curriculum.