More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,250 original computer security white papers in 83 different categories.
Latest 25 Papers Added to the Reading Room
Let's face it, you are probably compromised. What next?
by Jonathan Thyer - December 15, 2014 in Forensics
Over the past several years, the information technology industry has dramatically shifted from a desktop-workstation-centric, corporate-owned computing asset model to a model of performing business processing tasks from anywhere with any capable device. This is evident in the dramatic increase in tablet and smartphone use by organizational employees, and in the demand of employees to be able to use their own devices to manage daily business tasks.
Energy and Utilities Defense Response based on 2014 Attack Pattern
by Adi Sitnica - December 11, 2014 in SCADA
A false sense of security and management's failure to understand the value of cyber security are just a few of the reasons why the Energy and Utilities industry lags behind in elevating cyber security to a status on par with, or higher than, physical security.
New Threats Drive Improved Practices: State of Cybersecurity in Health Care Organizations
by Barbara Filkins - December 9, 2014
- Associated Webcasts: SANS 2nd Survey on the State of Information Security in Health Care Institutions: Part 1; SANS 2nd Survey on the State of Information Security in Health Care Institutions: Part 2
- Sponsored By: Qualys; Tenable Network Security; Cigital, Inc.; FireEye; CloudPassage; Trend Micro Inc.; RiskIQ
See the results of the 2014 SANS Health Care Cybersecurity survey.
Evidence Collection From Social Media Sites
by Keil Hubert - December 2, 2014 in Legal Issues
Original content written and posted by an individual to a social media site may identify or substantiate an employee's misconduct, whether their own or misconduct by a fellow employee. Capturing evidence from social media sites can significantly support the evidence gathered from other sources (e.g., text messages, e-mails, etc.) in the construction of an event timeline. Proper capture, handling, and presentation of evidence from social media sites will help the investigator explain what happened to upper management, to legal, and to law enforcement agencies.
Auditing Using Vulnerability Tools to Identify Today's Threats to Business Performance
by Carlos Vazquez - December 2, 2014 in Auditing & Assessment
A properly implemented vulnerability management program represents a key element in an organization's information security program by providing a business oriented approach to risk mitigation. This program provides a way to assess the potential business impact and probability of threats and risks to an organization's information infrastructure before those events occur.
Security Skills Assessment and Training: The Critical Security Control that can make or break all others
by Paul Hershberger - December 2, 2014 in Management & Leadership
Across the security community, 2013 has been noted as the year of the breach. Symantec reported 8 breaches with more than 10M identities exposed per breach, representing a 700% increase from the year prior (Symantec Corporation, 2014). The year was filled with salacious headlines pulling readers into the latest exploits of cyber crime and espionage rings.
Faster than a speeding bullet: Geolocation data and account misuse
by Tim Collyer - December 1, 2014 in Logging Technology and Techniques
Today's global economy and mobile workforce have a large impact on modern network security, elevating the importance of a "defense in depth" approach. Geolocation information has become an important element to monitor as part of such a layered defense. Incorporating geolocation information into network security programs does not necessarily require additional expenditure if the appropriate resources (such as a SIEM) are already in place. By tracking the geographic location for account logins, it is possible to discover anomalies by calculating the distance between two logins from the same account.
Securing Personal and Mobile Device Use with Next-Gen Network Access Controls
by Deb Radcliff, executive editor - November 24, 2014 in Network Access Control
- Associated Webcasts: Securing Personal and Mobile Device Use with Next-Gen Network Access Controls
- Sponsored By: ForeScout Technologies
An updated SANS Analyst Program whitepaper. It covers the essentials of applying NAC to secure guest networking, as well as leveraging NAC for BYOD (Bring Your Own Device) and CYOD (Choose Your Own Device) situations and ensuring endpoint compliance with network policy.
Point of Sale Systems and Security: Executive Summary
by Wes Whitteker - November 20, 2014 in Intrusion Prevention, Threats/Vulnerabilities
- Sponsored By: Bit9 + Carbon Black
The last year has seen scores of point of sale (POS) systems compromised by bad actors. In many cases, these environments were PCI-DSS compliant at the time of compromise. Executives seeking to protect their organizations and POS systems from compromise need to look beyond PCI-DSS and adopt a proactive "offense must inform defense" approach to POS security.
Agile defensive perimiters: forming the security test regression pack
by Michael Hendrik Matthee - November 20, 2014 in Securing Code
A common approach is that software delivery is realized through a set of sequential deliverables in a phased and systematic manner. The software process model of the IEEE attempts to bring order to the delivery process by identifying a set of universal artefacts and activities in software construction (Gustafson, Melton, Chen, Baker, & Bieman, 1988).
Cyberspace: America's New Battleground
by Maxwell Chi - November 20, 2014 in Information Warfare
In 2010, Nick Percoco, head of the cyber security team at IT security service provider TrustWave Holdings Inc., was called out to the headquarters of a leading U.S. defense contractor to investigate some anomalies (Taylor, 2011). The anomalies seemed innocent at first. A few employees had reported peculiar behavior by their PCs when they clicked on an innocuous-looking email attachment they had received.
Implementing a Shibboleth SSO Infrastructure
by Rich Graves - November 17, 2014 in Authentication
Secure authentication and authorization across organizational boundaries is a hard problem. Consider an academic publisher that wishes to make scientific journals available to currently enrolled students, but not staff, faculty, or alumni, at universities that have paid a site license fee. Students could register with a site-specific username and password - though such credentials are likely to be shared or forgotten, diminishing security and increasing user frustration and support burden.
Rate my nuke: Bringing the nuclear power plant control room to iPad
by Mikko Niemel - November 14, 2014 in SCADA
Industrial Control Systems monitor and control industrial processes that exist in the physical world and, by design, are isolated from public networks. However, the prevailing use case, connectivity, and integration of mobile devices in the workplace have impacted the industrial environment. These isolated control system networks are now under pressure from market demand to become Internet-accessible. Therefore, a security architecture for mobile device usage in the industrial environment must be designed with security controls and proper certificate-based authentication.
Securing DNS to Thwart Advanced Targeted Attacks and Reduce Data Breaches
by John Pescatore - November 12, 2014
- Associated Webcasts: Protecting DNS: Securing Your Internet Address Book
Internet traffic is severely affected when critical DNS services are not reliable or are compromised by cyber attacks. However, DNS services can be secured with the right configuration and deployment of appropriate solutions.
Password Security-- Thirty-Five Years Later
by George Khalil - November 12, 2014 in Security Basics
Computer historians trace the first use of a computer password back to Massachusetts Institute of Technology in the 1960s (McMillan, 2012). MIT's time-sharing computer, called Compatible Time-Sharing System (CTSS), was designed to accommodate multiple users on many terminals.
Secure Design with Exploit Infusion
by Wen Chinn Yew - November 11, 2014 in Application and Database Security
In the age of a highly digitally connected world, the ever-increasing security threat has prompted many initiatives to address it. One important area is to build security into software development.
Be Ready for a Breach with Intelligent Response
by James Tarala - November 5, 2014
- Associated Webcasts: Be Ready for a Breach with Intelligent Response
- Sponsored By: McAfee, a division of Intel Security
By preparing a careful plan and resilient response infrastructure before an attack, organizations can limit both data loss and the reactive, post-incident expenses. The result: greatly reduced impact and costs associated with events.
That's where the Data is! Why Break into the Office of Personnel Management Systems - Because That Is Where the Sensitive Information for Important People Is Maintained!
by David Belangia - November 4, 2014 in Best Practices
To obtain the most complete information about American personnel who have security clearance, an adversary would clearly be interested in compromising the information being collected by the Office of Personnel Management (OPM). The aggregation of information about an individual and their life history is collected and maintained by this organization and available in one place.
Application White-listing with Bit9 Parity
by Mike Weeks - October 29, 2014 in Case Studies, Commercial Software
Antivirus is a requirement for a host of compliance standards and is championed as a critical component of any security baseline (PCI-DSS 3.0-5.1). A recent Google News search for "Cyber Security Breaches" returns 16,700 results.
Data Center Server Security Survey 2014
by Jacob Williams - October 29, 2014
- Associated Webcasts: Data Center Server Security: A SANS Survey
- Sponsored By: IBM; McAfee, a division of Intel Security
Learn how organizations are tackling the difficult problem of data center security, explore their best practices and consider improvements needed for data centers to meet compliance demands while reducing overall risk and management complexity.
The Best Defenses Against Zero-day Exploits for Various-sized Organizations
by David Hammarberg - October 27, 2014 in Best Practices
Zero-day exploits are vulnerabilities that have yet to be publicly disclosed. These exploits are usually the most difficult to defend against because data is generally only available for analysis after the attack has completed its course. These vulnerabilities are highly sought after by cyber criminals, governments, and software vendors who will pay high prices for access to the exploit (Bilge & Dumitras, 2012).
The Spy with a License to Kill
by Matthew Hosburgh - October 24, 2014 in SCADA
The opening scene of GoldenEye underscores the skills and precision of James Bond, 007. Years of experience and training make impossible missions look routine. These skills alone would not allow 007 to succeed; rather, a calculated plan that targeted the vulnerabilities in the Archangel Chemical Weapons Facility coupled with 007's skills provided for a successful mission.
Detect, Investigate, Scrutinize and Contain with Rapid7 UserInsight
by Jerry Shenk - October 23, 2014 in Security Awareness
- Associated Webcasts: Detecting Risky Activity "Wherever" Before It Becomes A Problem
- Sponsored By: Rapid7 Inc.
A review of Rapid7 UserInsight by SANS senior analyst Jerry Shenk. It discusses a tool that highlights user credential misuse while tracking endpoint system details that would be valuable to an incident response team.
Reducing the Catch: Fighting Spear-Phishing in a Large Organization
by Joel Anderson - October 20, 2014 in Forensics
The phishing problem isn't new. Over 150 years ago, Charles Dickens wrote a passionate and witty letter about fraudsters of his day who, like Nigerian 419 scammers today, preyed upon the generosity and gullibility of well-meaning folk. The differences in our time are those of scale and scope, as the perpetrators have taken on seven-league boots and covered continents with their shameless appeals.
Intelligence-Driven Incident Response with YARA
by Ricardo Dias - October 20, 2014 in Forensics
The concept of threat intelligence is gaining momentum in the cyber-security arena. As targeted attacks increase in number and sophistication, organizations are beginning to develop and integrate the concept of threat intelligence into their cyber-defensive strategies. By doing so, organizations are taking the next step forward to respond to cyber-attacks. Recent threat reports reveal promising results.
All papers are copyrighted. No re-posting or distribution of papers is permitted.