6 Days Left to Save $200 on Automotive Cybersecurity Summit 2017

Reading Room

SANS eNewsletters

Receive the latest security threats, vulnerabilities, and news with expert commentary

How are you responding to incidents and attacks? What solutions work best? Share your experiences in our 2017 SANS Incident Response Survey and enter to win a $400 gift card.https://www.surveymonkey.com/r/2017SANSIRSurvey

ICS security: SANS needs your input on attacks and threats and how you're preventing and mitigating them in the industrial control systems environments. Share your experiences and enter to win a $400 Amazon gift card! https://www.surveymonkey.com/r/2017SANSICSSurvey

More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,650 original computer security white papers in 102 different categories.

Latest 25 Papers Added to the Reading Room

  • Cyber Security Trends: Aiming Ahead of the Target to Increase Security in 2017 Analyst Paper
    by John Pescatore - March 20, 2017 in Cloud Computing, Data Protection

    Attackers are always changing their methods, but some cybersecurity trends are clear--and identifying these trends will help security professionals plan for addressing these issues in the coming year. Attacks will continue, and many will be successful. While security professionals should try to prevent a breach, it's far more critical to uncover breaches quickly and mitigate damage. Another significant trend for 2017: expanding current security measures to better protect data in the cloud and to address the security shortcomings of the Internet of Things. Even while fighting daily security fires, security managers can expect boards of directors to show more interest in their efforts. Board members are keenly aware that breaches can be high-profile catastrophes for companies, and they are also concerned that the organizations they oversee are in compliance with new and more stringent regulations. This whitepaper covers the latest and best security hygiene and common success patterns that will best keep your organization off the "Worst Breaches of 2017" lists.


  • Tracking Online Counterfeiters by Emilio Casbas - March 16, 2017 in Intrusion Detection

    The counterfeiting market makes-up a vast global business where the impact of fraudulent activity is hard to quantify. Counterfeiting is a global issue which has become more complex as black market activities moved to internet. The online counterfeiters create thousands of websites with different approaches as part of their strategy to lure unsuspected shoppers. This paper presents their most common tactics and its relation with the "Black market commoditization". It will show its resilience against takedown efforts and it will provide some guidance about how to detect them. With the knowledge acquired, a new kind of threat intelligence feed could be generated. This information might be integrated into existing security technologies such as either proxies, Intrusion Detection Systems (IDSs) or Security Information and Event Management systems (SIEMs). The ultimate goal is to shed light on this increasing fraud vector so new detection capabilities can be deployed into existing services thus protecting users from unsafe sites.


  • Securing DNS Against Emerging Threats: A Hybrid Approach Analyst Paper
    by John Pescatore - March 16, 2017 in DNS Issues

    This paper looks at the impact of mobility and new attack vectors on DNS-related risk and outlines use cases for securing DNS services more effectively. It also examines the use of a hybrid model of on-premises and cloud-based services to improve the security posture of organizations.


  • Auto-Nuke It from Orbit: A Framework for Critical Security Control Automation STI Graduate Student Research
    by Jeremiah Hainly - March 15, 2017 in Automation, Incident Handling, Free and Open Source Software

    Over 83% of security teams report that the use of automation in security needs to increase within the next three years (Algosec, 2016). With automation becoming a reality for a growing number of companies, there will also be an increased demand for open-sourced scripts to get started. This paper will provide a framework for prioritizing and developing security automation and will demonstrate this process by creating a script to automate a common information security response procedure - the reimaging of an infected endpoint. The primary function of the script will be to access the application program interface (API) of various enterprise software solutions to speed up the manual tasks involved in performing a reimage.


  • Detection of Backdating the System Clock in Windows by Xiaoxi Fan - March 15, 2017 in Forensics

    In the digital forensic industry, evidence concerning date and time is a fundamental part of many investigations. As one of the most commonly used anti-forensic approaches, system backdating has appeared in more and more investigations. Since the system clock can be set back manually, it is important for investigators to identify the reliability of date and time so as to make further decision. However, there is no simple way to tell whether the system clock has been backdated or tampered especially when it was subsequently reset to the correct time. There are a variety of artifacts to detect the behavior of backdating the system clock. If the investigator needs to prove the hypothesis that "the system clock has not been backdated," he or she must examine multiple artifacts for corroboration.


  • Cyber Threat Intelligence Uses, Successes and Failures: The SANS 2017 CTI Survey Analyst Paper
    by Dave Shackleford - March 14, 2017 in Threats/Vulnerabilities

    Respondents' biggest challenges to effective implementation of cyber threat intelligence (CTI) are lack of trained staff, funding, time to implement new processes, and technical capability to integrate CTI, as well as limited management support. Those challenges indicate a need for more training and easier, more intuitive tools and processes to support the use of CTI in today's networks. These and other trends and best practices are covered in this report.


  • Cloud Security Monitoring STI Graduate Student Research
    by Balaji Balakrishnan - March 13, 2017 in Cloud Computing

    This paper discusses how to apply security log monitoring capabilities for Amazon Web Services (AWS) Infrastructure as a Service(IaaS) cloud environments. It will provide an overview of AWS CloudTrail and CloudWatch Logs, which can be stored and mined for suspicious events. Security teams implementing AWS solutions will benefit from applying security monitoring techniques to prevent unauthorized access and data loss. Splunk will be used to ingest all AWS CloudTrail and CloudWatch Logs. Machine learning models are used to identify the suspicious activities in the AWS cloud infrastructure. The audience for this paper are the security teams trying to implement AWS security monitoring.


  • Preparing for Compliance with the General Data Protection Regulation (GDPR) A Technology Guide for Security Practitioners Analyst Paper
    by Benjamin Wright - March 7, 2017 in Data Protection, Legal Issues

    The General Data Protection Regulation (GDPR) is the latest data security legislation in the European Union. When it goes into effect, it can apply widely to various organizations, including those without a physical presence in the European Union. What does this complex regulation mean and what does your organization need to do to comply? This paper explains these as well as how to identify a Data Protection Officer and what this person needs to know to be effective. It also provides a checklist for compliance with concise, practical information your organization can begin using now.


  • In-Depth Look at Tuckman's Ladder and Subsequent Works as a Tool for Managing a Project Team STI Graduate Student Research
    by Aron Warren - March 1, 2017 in Best Practices, Management & Leadership

    Bruce Tuckman's 1965 research on modeling group development, titled "Developmental Sequence in Small Groups," laid out a framework consisting of four stages a group will transition between while members interact with each other: forming, storming, norming, and performing. This paper will describe in detail the original Tuckman model as well as derivative research in group development models. Traditional and virtual team environments will both be addressed to assist IT project managers in understanding how a team evolves over time with a goal of achieving a successful project outcome.


  • Medical Data Sharing: Establishing Trust in Health Information Exchange STI Graduate Student Research
    by Barbara Filkins - March 1, 2017 in HIPAA, Legal Issues

    Health information exchange (HIE) "allows doctors, nurses, pharmacists, other health care providers and patients to appropriately access and securely share a patient's vital medical information electronically--improving the speed, quality, safety and cost of patient care" (HealthIT.gov, 2014). The greatest gain in the use of HIE is the ability to achieve interoperability across providers that, except for the care of a given patient, are unrelated. But, by its very nature, HIE also raises concern around the protection and integrity of shared, sensitive data. Trust is a major barrier to interoperability.


  • Next-Gen Endpoint Risks and Protections: A SANS Survey Analyst Paper
    by G. W. Ray Davidson, PhD - February 27, 2017 in Clients and Endpoints

    Results of this survey suggest that we may need to broaden the definition of an endpoint to include users, as the two most common forms of attack reported are directed at users. Lack of adequate patching programs also results in endpoint compromises, despite reported centralized endpoint management. Results also point to the need for improved detection, response, automation of remediation processes.


  • Migration to Office 365, a Case Study on Security and Administration in the Non-profit Sector by Richard Snow - February 27, 2017 in Microsoft Windows

    A non-profit serves a mixed community of staff and volunteers. Its email archiving and spam filter services were going to reach the end of life in January 2017. Generous charity pricing for Office 365 from Microsoft was an incentive to move away from the existing hosted Exchange platform. The company needed to develop a strategy for migration to Microsoft Office 365. It had to upgrade Microsoft Office software as well as migrate email. How could it accomplish the transition as well as maintain or improve security?


  • Tor Browser Artifacts in Windows 10 STI Graduate Student Research
    by Aron Warren - February 24, 2017 in Forensics

    The Tor network is a popular, encrypted, worldwide, anonymizing virtual network in existence since 2002 and is used by all facets of society such as privacy advocates, journalists, governments, and criminals. This paper will provide a forensic analysis of the Tor Browser version 5 client on a Windows 10 host for an individual or group interested in remnants left by the software. This paper will utilize various free and commercial tools to provide a detailed analysis of filesystem artifacts as well as a comparison between pre- and post- connection to the Tor network using memory analysis.


  • OS X as a Forensic Platform STI Graduate Student Research
    by David M. Martin - February 22, 2017 in Mac/Apple Issues, Forensics

    The Apple Macintosh and its OS X operating system have seen increasing adoption by technical professionals, including digital forensic analysts. Forensic software support for OS X remains less mature than that of Windows or Linux. While many Linux forensic tools will work on OS X, instructions for how to configure the tool in OS X are often missing or confusing. OS X also lacks an integrated package management system for command line tools. Python, which serves as the basis for many open-source forensic tools, can be difficult to maintain and easy to misconfigure on OS X. Due to these challenges, many OS X users choose to run their forensic tools from Windows or Linux virtual machines. While this can be an effective and expedient solution, those users miss out on the much of the power of the Macintosh platform. This research will examine the process of configuring a native OS X forensic environment that includes many open-source forensic tools, including Bulk Extractor, Plaso, Rekall, Sleuthkit, Volatility, and Yara. This process includes choosing the correct hardware and software, configuring it properly, and overcoming some of the unique challenges of the OS X environment. A series of performance tests will help determine the optimal hardware and software configuration and examine the performance impact of virtualization options.


  • DevSecOps Transformation: The New DNA of Agile Business Analyst Paper
    by Dave Shackleford - February 21, 2017 in Security Trends, Threats/Vulnerabilities

    This is an additional resource that accompanies the analyst paper, "The DevSecOps Approach to Securing Your Code and Your Cloud". To view the paper please click this link.


  • Indicators of Compromise TeslaCrypt Malware STI Graduate Student Research
    by Kevin Kelly - February 16, 2017 in Security Awareness, Best Practices

    Malware has become a growing concern in a society of interconnected devices and realtime communications. This paper will show how to analyze live ransomware malware samples, how malware processes locally, over time and within the network. Analyzing live ransomware gives a unique three-dimensional perspective, visually locating crucial signatures and behaviors efficiently. In lieu of reverse engineering or parsing the malware executable’s infrastructure, live analysis provides a simpler method to root out indicators. Ransomware touches just about every file and many of the registry keys. Analysis can be done, but it needs to be focused. The analysis of malware capabilities from different datasets, including process monitoring, flow data, registry key changes, and network traffic will yield indicators of compromise. These indicators will be collected using various open source tools such as Sysinternals suite, Fiddler, Wireshark, and Snort, to name a few. Malware indicators of compromise will be collected to produce defensive countermeasures against unwanted advanced adversary activity on a network. A virtual appliance platform with simulated production Windows 8 O/S will be created, infected and processed to collect indicators to be used to secure enterprise systems. Different tools will leverage datasets to gather indicators, view malware on multiple layers, contain compromised hosts and prevent future infections.


  • PLC Device Security - Tailoring needs by Wen Chinn Yew - February 15, 2017 in Threats/Vulnerabilities

    Programmable Logic Controller (PLC) is widely used in many industries. With increasing concern and interest in the security of these controllers and their impact to the industries, there is a growing trend to integrate security directly into them. It is not realistic or wise to have a one size fit all solution. This paper presents focus areas and requirements suited for various classes of PLCs in the market. It looks at the threats and vulnerabilities faced by them and current security solutions adopted. The paper then recommends how PLC vendors should have different but extensible security solutions applied across various classes of controllers in their product portfolio.


  • Impediments to Adoption of Two-factor Authentication by Home End-Users STI Graduate Student Research
    by Preston Ackerman - February 10, 2017 in Authentication

    Cyber criminals have proven to be both capable and motivated to profit from compromised personal information. The FBI has reported that victims have suffered over $3 billion in losses through compromise of email accounts alone (IC3 2016). One security measure which has been demonstrated to be effective against many of these attacks is two-factor authentication (2FA). The FBI, the Department of Homeland Security US Computer Emergency Readiness Team (US-CERT), and the internationally recognized security training and awareness organization, the SANS Institute, all strongly recommend the use of two-factor authentication. Nevertheless, adoption rates of 2FA are low.


  • Obfuscation and Polymorphism in Interpreted Code by Kristopher L. Russo - February 10, 2017 in Active Defense, Forensics, Malicious Code

    Malware research has operated primarily in a reactive state to date but will need to become more proactive to bring malware time to detection rates down to acceptable levels. Challenging researchers to begin creating their own code that defeats traditional malware detection will help bring about this change. This paper demonstrates a sample code framework that is easily and dynamically expanded on. It shows that it is possible for malware researchers to proactively mock up new threats and analyze them to test and improve malware mitigation systems. The code sample documented within demonstrates that modern malware mitigation systems are not robust enough to prevent even the most basic of threats. A significant amount of difficult to detect malware that is in circulation today is evidence of this deficiency. This paper is designed to demonstrate how malware researchers can approach this problem in a way that partners researchers with vendors in a way that follows code development from ideation through design to implementation and ultimately on to identification and mitigation.


  • The DevSecOps Approach to Securing Your Code and Your Cloud Analyst Paper
    by Dave Shackleford - February 7, 2017 in Security Trends, Threats/Vulnerabilities

    DevSecOps, at heart, is about collaboration. More specifically, it is continual collaboration between information security, application development and IT operations teams. Having all three teams immersed in all development and deployment activities makes it easier for information security teams to integrate controls into the deployment pipeline without causing delays or creating issues by implementing security controls after systems are already running. Despite the potential benefits, getting started with DevSecOps will likely require some cultural changes and considerable planning, especially when automating the configuration and security of assets in the cloud. To help the shift toward a more collaborative culture, security teams need to integrate with the developers who are promoting code to cloud-based applications to show they can bring quality conditions to bear on any production code push without slowing the process. Security teams should also work with QA and development to define the key qualifiers and parameters that need to be met before any code can be promoted. This paper also has an additional resource titled, "DevSecOps Transformation: The New DNA of Agile Business". The resource can be accessed by clicking this link.


  • Moving Toward Better Security Testing of Software for Financial Services Analyst Paper
    by Steve Kosten - February 7, 2017 in Application and Database Security

    The financial services industry (FSI) maintains high-value assets and typically operates in a very complex environment. Applications of all types--web applications, mobile applications, internal web services and so forth--are being developed quickly in response to market pressures by developers with limited security training and with relatively immature processes to support secure application development. This combination presents a juicy target for attackers, and data shows that the FSI continues to be a top target. Attempts to introduce security into the application life cycle frequently face challenges such as a lack of available application security expertise, concerns about costs for tooling, and a fear among product owners that security processes might impede the development cycle and slow their response to market conditions. This paper explores why the applications are being targeted, what is motivating the attackers and what some inhibitors of application security are. Most important, this paper specifies some best practices for developing a secure development life cycle to safeguard applications in the FSI.


  • Dissect the Phish to Hunt Infections STI Graduate Student Research
    by Seth Polley - February 3, 2017 in Security Awareness

    Internal defense is a perilous problem facing many organizations today. The sole reliance on external defenses is all too common, leaving the internal organization largely unprotected. The times when internal defense is actually considered, how many think beyond the fallible antivirus (AV) or immature data loss prevention (DLP) solutions? Considering the rise of phishing emails and other social engineering campaigns, there is a significantly increased risk that an organization’s current external and internal defenses will fail to prevent compromises. How would a cyber security team detect an attacker establishing a foothold within the center of the organization or undetectable malware being downloaded internally if a user were to fall for a phishing attempt?


  • Forensication Education: Towards a Digital Forensics Instructional Framework STI Graduate Student Research
    by J. Richard “Rick” Kiper - February 3, 2017 in Best Practices, Forensics, Training

    The field of digital forensics is a diverse and fast-paced branch of cyber investigations. Unfortunately, common efforts to train individuals in this area have been inconsistent and ineffective, as curriculum managers attempt to plug in off-the-shelf courses without an overall educational strategy. The aim of this study is to identify the most effective instructional design features for a future entry-level digital forensics course. To achieve this goal, an expert panel of digital forensics professionals was assembled to identify and prioritize the features, which included general learning outcomes, specific learning goals, instructional delivery formats, instructor characteristics, and assessment strategies. Data was collected from participants using validated group consensus methods such as Delphi and cumulative voting. The product of this effort was the Digital Forensics Framework for Instruction Design (DFFID), a comprehensive digital forensics instructional framework meant to guide the development of future digital forensics curricula.


  • From Security Perspective, the Quickest Way to Assess Your Web Application by Mohammed Alduhaymi - February 3, 2017 in Web Application Security

    The aim of this paper is to explain how to assess web applications with a fast, easy and effective method. A framework has been created as a Chrome Extension to solve two problems. 1. The first problem is when the IT team wants to know the security posture of their web application, but they did not have the budget/time to hire a penetration tester. Therefore, they can use this framework "WPSecAnalyzer Chrome Extension" to check their web application scores from a security perspective without having a deep knowledge of penetration testing. 2. The second problem is when the penetration tester wants to do the reconnaissance phase, he will use many tools, which will consume his time/effort. Consequently, to reduce the time/effort consumed he can use "WPSecAnalyzer Extension" to check many issues/vulnerabilities from one place with an efficient and effective method. The Chrome Extension which is called "WPSecAnalyzer" checks and verifies eleven issues/vulnerabilities on any website the end user visits, and provides him with a report based on the findings. The report will have the score of the website, as well as a list of the findings based on eleven issues/vulnerabilities.


  • Cyber Insurance Conundrum: Using CIS Critical Security Controls for Underwriting Cyber Risk STI Graduate Student Research
    by Oleg Bogomolniy - February 1, 2017 in Legal Issues

    There has been a number of insurance industry- related research done to define new cyber security frameworks to help insurers underwrite cyber risk. This research includes copula-based actuarial models for pricing cyber insurance based on the number of computers; using peaks-over-threshold method (from extreme value theory) to identifying "cyber risks of daily life"; using Principal-Agent model (from microeconomic theory); creating methodology for common cyber risk categorization; modeling cyber risk based on operational risk, and more. However, there has been little to no input or research into cyber insurance related topics from cyber security experts. The purpose of this exploratory study is to propose the integration of a risk framework for underwriting cyber risk. This paper will analyze how CIS Critical Security Controls, along with its accompanying quantified metrics, benchmarking, and auditing tools can be used as a rating mechanism for determining the cybersecurity posture of insured organizations. Furthermore, such mechanism can be perpetually used for either self-assessments by insured organizations, or by independent qualified security assessors.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.