Take 10% Off More Than 30 OnDemand and vLive Online Courses Now

Reading Room

More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,340 original computer security white papers in 88 different categories.

SURVEY: What Are Their Vulnerabilities? A SANS Continuous Monitoring Survey. Sharing your insights Enters You in a $400 Amazon Gift Card Drawing! https://www.surveymonkey.com/r/2015SANSSurveyVM_CM

Latest 25 Papers Added to the Reading Room

  • PKI Trust Models: Whom do you trust? Masters
    by Blaine Hein - July 28, 2015 in Encryption & VPNs

    There has been a substantial amount of attention in the media recently regarding Public Key Infrastructures (PKI). Most often, secure web server exploits and signed malware have generated this attention and have led to the erosion of trust in PKI. Despite this negative media attention, there has been very little detailed discussion of the topic of PKI Trust proliferation and control. PKI is an integral part of our daily lives even though, for the most part, we never notice it. Europe is several years ahead of North America in the ubiquitous deployment of PKI to its citizens, but North America has begun to catch up. This paper covers four major areas including the definition of trust and trust models, implementation of trust, auditing of trust, and managing trust. The paper provides proof of concept tools to allow administrators to understand their current level of PKI trust and techniques manage trust.

  • Coding For Incident Response: Solving the Language Dilemma Masters
    by Shelly Giesbrecht - July 28, 2015 in Forensics, Incident Handling, Scripting Tips, Tools

    Incident responders frequently are faced with the reality of "doing more with less" due to budget or manpower deficits. The ability to write scripts from scratch or modify the code of others to solve a problem or find data in a data "haystack" are necessary skills in a responder's personal toolkit. The question for IR practitioners is what language should they learn that will be the most useful in their work? In this paper, we will examine several coding languages used in writing tools and scripts used for incident response including Perl, Python, C#, PowerShell and Go. In addition, we will discuss why one language may be more helpful than another depending on the use-case, and look at examples of code for each language.

  • Beyond the Point of Sale: Six Steps to Stronger Retail Security Analyst Paper
    by Robert L. Scheier - July 28, 2015 in Security Awareness

    A whitepaper by Robert Scheier. It addresses the complex nature of IT in the retail environment and outlines a six-step process for enhancing security of small shopkeepers as well as big-box chains.

  • An Introduction to Linux-based malware Masters
    by Matthew Koch - July 23, 2015 in Malicious Code

    Abstract Although rarely making news headlines Linux malware is a growing problem. As a result, Linux systems are left in an insecure state with minimal defenses against malware. This becomes increasingly problematic with the growth of networkable embedded devices often referred to as the Internet of Things (IoT). This paper will discuss attack vectors for Linux malware, analyze several pieces of malware and describe defensive capabilities.

  • Incident Tracking In The Enterprise by Justin Hall - July 20, 2015 in Incident Handling

    Some organizations employ Computer Security Incident Response Teams (CSIRTs) to investigate and respond to security incidents. They often find these investigations to be poorly executed, time consuming, and ultimately ineffective at discovering the root cause of a breach. Unfortunately, this is not usually due to the skill of the investigators, but rather due to the tools and processes they use to manage the investigations. This paper describes the use of purpose built case management software, integrated into the incident response process, to track these investigations. CSIRTs that take an organized, formal tracking approach will collaborate better and find their investigations to be more complete and useful to risk managers.

  • Two-Factor Authentication (2FA) using OpenOTP by Colin Gordon - July 17, 2015 in Authentication

    This guide is for security-aware individuals who wish to learn the theory behind user- based two-factor (or multifactor) authentication systems, also known as 2FA. Here we will discuss how 2FA systems work, and how to implement 2FA into a small, virtualized environment for testing purposes. By implementing 2FA, the hope is to enhance the cyber toolkit for administrators who wish to help mitigate the effects of user password theft by cyber intrusion. By following the steps outlined here, the reader should be able to comfortably configure a user account already existing in a Microsoft® Active Directory® (AD) environment to use the Google Authenticator application on his/her smartphone to authenticate with AD username and password+token for remote VPN access.

  • Leveraging the Federal Public Trust Clearance Model in State Government Personnel Security Programs Masters
    by Joseph C. Impinna - July 17, 2015 in Best Practices

    Security clearances are a requirement when working with classified information at the federal level. In recent years, incidents involving unauthorized disclosures of highly sensitive classified information have brought the security clearance adjudication process under scrutiny. These incidents have reinforced the principle that a personnel security program that properly vets individuals is critical to any organization that wishes to protect its data. Although the effects of an incident at the state level may be narrower in scope than at the federal level, the need to safeguard sensitive information is the same. The national security clearance model is used at many state agencies that work with the Department of Defense and other federal entities. However, an agency that does not access national security data still has a responsibility to uphold public trust. For these organizations, the background check processes can vary greatly from state to state or even between agencies. An effective personnel security program is much more than simply granting access to protected information through a public trust clearance. To achieve the assurance implied with a clearance, other components must be included. While a direct implementation of the federal model may not be feasible, using just a few concepts to design a system tailored to the state level would significantly improve the security posture of the issuing agency.

  • Psychology and the hacker - Psychological Incident Handling by Sean Atkinson - July 9, 2015 in Incident Handling

    The understanding of the processes, techniques and skills of hackers or cyber-criminals can be ascertained through the practical application of forensic psychology techniques and behavioral analysis. The actions and methods used within an attack, through the monitoring of logs and forensic discovery, will contribute to a profile of the person/persons behind the intrusion. This information will be a new vector in determining infiltration techniques, if the actions leave a persistent threat (backdoor) or if it is a one-time smash and grab. If applied correctly, the detective controls can shorten avenues of determining risk and threats, as well as the magnitude of investigation required based upon the behavioral profile. Incident handling is based on the detection, response and resolution of security incidents. Given a new understanding of the person/persons behind such an incident, the process will be a preliminary part of the incident handling process. Using the methods of behavioral analysis, it creates a new dimension of understanding to the malicious activity and network analysis of what occurred in the environment.

  • A Concise Guide to Various Australian Laws Related to Privacy and Cybersecurity Domains Masters
    by Babu Veerappa Srinivas - July 6, 2015 in Legal Issues

    There are many laws in Australia related to privacy and cyber security domains. In this paper, the author intends to collate the current laws related to privacy and cyber security domains so that interested readers could get relevant information specific to Australia in one concise document. Additionally, there are no industry specific acts or regulations like HIPAA, SOX or GLBA. Because of this, some organizations do not know their obligations in relation to these laws. This paper presents research on the current applicable cyber security related laws, Acts and regulations published by the Federal and State Governments, established relationship with other applicable Acts, performed a gap assessment and identified relevant industry frameworks that can be adopted as best practices. For ease of future research, the source of these current artefacts and database are cited for throughout the document. Disclaimer: Contents of this document must not be construed as legal advice. Readers are encouraged to seek legal advice prior to consideration.

  • A Framework for Assessing 20 Critical Controls Using ISO 15504 and COBIT 5 Process Assessment Model (PAM) Masters
    by Muzamil Riffat - July 6, 2015 in Auditing & Assessment

    The 20 critical controls, maintained by the Council on CyberSecurity, present a prioritized road map for organizations to enhance their information security posture. However, an initial review that serves as a "baseline" must first be performed to know the current information security posture and to ascertain the effort required to implement the critical controls. Furthermore, assessments or audits should be performed periodically to gauge the continual improvement in information security as well as to what extent the critical controls have been implemented. This paper presents a unified and repeatable framework that could be used for the initial gap analysis as well as to measure the continual enhancements in implementation of the critical controls. The concepts presented in this paper draw heavily from the contents contained in "ISO/IEC 15504 Information technology - Process assessment" standard and COBIT5 Process Assessment Model (PAM). The information presented in ISO 15504 and COBIT 5 PAM is adapted for the assessment of critical controls. A unified approach in assessing the implementation status of each critical control as well as the sub-controls is presented based on an incremental measuring scale. The other peripheral elements of the assessment such as the details of assessment process (planning, initiation, fieldwork reporting), assessor qualifications, and competency are also detailed out resulting in a comprehensive framework for assessing the 20 critical controls.

  • Securing Single Points of Compromise (SPoC) Masters
    by David Belangia - June 30, 2015 in Best Practices

    Securing the Single Points of Compromise that provide central services to the institutions environment is paramount to success when trying to protect the business. (Fisk, 2014) Time Based Security mandates protection (erecting and ensuring effective controls) that last longer than the time to detect and react to a compromise. When enterprise protections fail, providing additional layered controls for these central services provides more time to detect and react. While guidance is readily available for securing the individual critical asset, protecting these assets as a group is not often discussed. Using best business practices to protect these resources as individual assets while leveraging holistic defenses for the group increases the opportunity to maximize protection time, allowing detection and reaction time for the SPoCs that is commensurate with the inherent risk of these centralized services

  • Tactical Data Diodes in Industrial Automation and Control Systems by Austin Scott - June 30, 2015 in Firewalls & Perimeter Protection

    In recent years, there has been an increased interest in the use of Data Diodes (also known as unidirectional gateways) within Industrial Automation and Control System (IACS) networks. As a result, there has been a substantial amount of confusion around where and how best to use this effective barrier technology. Although not a direct replacement for Firewalls, Data Diodes are well suited for specific tasks within IACS networks such as data replication, system state monitoring, remote backup management and patch management. This paper demystifies the use of Data Diodes within the IACS domain by detailing the process and challenges of building a simple Data Diode and applying it an IACS network.

  • BYOD: Do You Know Where Your Backups Are Stored? Masters
    by Marsha Miller - June 30, 2015 in Mobile Security

    Ever striving to reduce costs, companies in increasing numbers are testing Bring Your Own Device (BYOD) as a mobile solution. Although security has become a hot topic, ensuring the protection of confidential information during synchronization of a mobile device to a personal storage location may be overlooked. This paper will touch on elements of how and where data is stored on a mobile Apple and Android device, the default backup solutions, a few legal aspects to consider, and some security solutions offered by AirWatch and Good.

  • Accessing the inaccessible: Incident investigation in a world of embedded devices Masters
    by Eric Jodoin - June 24, 2015 in Internet of Things

    There are currently an estimated 4.9 billion embedded systems distributed worldwide. By 2020, that number is expected to have grown to 25 billion. Embedded systems can be found virtually everywhere, ranging from consumer products such as Smart TVs, Blu-ray players, fridges, thermostats, smart phones, and many more household devices. They are also ubiquitous in businesses where they are found in alarm systems, climate control systems, and most networking equipment such as routers, managed switches, IP cameras, multi-function printers, etc. Unfortunately, recent events have taught us these devices can also be vulnerable to malware and hackers. Therefore, it is highly likely that one of these devices may become a key source of evidence in an incident investigation. This paper introduces the reader to embedded systems technology. Using a Blu-ray player embedded system as an example; it demonstrates the process to connect to and then access data through the serial console to collect evidence from an embedded system non-volatile memory.

  • The State of Security in Control Systems Today Analyst Paper
    by Derek Harp and Bengt Gregory-Brown - June 24, 2015 

    By reading this report, ICS professionals will gain insight into the challenges facing peers, as well the approaches being employed to reduce the risk of cyberattack.

  • Six Steps to Stronger Security for SMBs Analyst Paper
    by Eric Cole, PhD - June 23, 2015 in Security Awareness

    An Analyst Program whitepaper by Dr. Eric Cole. It describes a six-step approach that small and medium-size businesses can use as a template for enhancing their overall security posture.

  • Security Spending and Preparedness in the Financial Sector: A SANS Survey Analyst Paper
    by Jaikumar Vijayan - June 23, 2015 

    Financial services organizations are being breached too often. Find out how the threat landscape and the tools to secure data are changing in the 2015 SANS Financial Services Survey.

  • eAUDIT: Designing a generic tool to review entitlements Masters
    by Francois Begin - June 22, 2015 in Information Assurance, Auditing & Assessment, Best Practices, Case Studies, Compliance, HIPAA, Legal Issues, Security Policy Issues, Risk Management, Standards, System Administration, Tools

    In a perfect world, identity and access management would be handled in a fully automated way.

  • Case Study: Critical Controls that Sony Should Have Implemented by Gabriel Sanchez - June 22, 2015 in Case Studies

    What would soon characterize one of the worst hacks in recent history began when screenwriter Evan Goldberg and actor Seth Rogen joked about making a comedy about assassinating the leader of North Korea, Kim Jong-un.

  • Enabling Big Data by Removing Security and Compliance Barriers Analyst Paper
    by Barbara Filkins - June 17, 2015 

    The rewards that big data can bring are widely recognized: scientific insight, competitive intelligence and improved fraud detection, as well as the benefits derived from sophisticated analyses of vast sets of transactional and behavioral data.

  • Using windows crash dumps for remote incident identification by Zong Fu Chua - June 16, 2015 in Forensics

    With the proliferation of defense mechanisms built into Windows Operating System,, such as ASLR, DEP, and SEHOP, it is getting more difficult for malware to successfully exploit it.

  • Conquering Network Security Challenges in Distributed Enterprises Analyst Paper
    by John Pescatore - June 11, 2015 

    Enterprises continue to have difficulties detecting, blocking and responding to threats.

  • The Perfect ICS Storm by Glenn Aydell - June 8, 2015 in Industrial Control Systems, Internet of Things

    As manufacturing Industrial Control System (ICS) architectural designs have evolved from isolated and proprietary systems with physical separation to a layered architecture using more standard IT components to the latest trend of Industrial Internet of Things (IIoT); so too have the challenges associated with securing these environments.

  • Applying Lessons Learned for the Next Generation Vulnerability Management System Masters
    by John Dittmer - June 8, 2015 in Threats/Vulnerabilities

    The objective of this paper is to recommendations for improving a vulnerability management system in development.

  • New Critical Security Controls Guidelines for SSL/TLS Management Analyst Paper
    by Barbara Filkins - June 4, 2015 

    Security flaws like Heartbleed, POODLE, BEAST and a series of high-profile certificate thefts and misappropriations have shaken public confidence in "secure" SSL/TLS certificates. It is possible for organizations to safeguard themselves and retain most of the benefits of using the web's most common authentication system, however, as long as they're rigorous about setting and enforcing the right policies on who do trust among many questionable nodes in the global network of trust.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

Masters - This paper was created by a SANS Technology Institute student as part of their Master's curriculum.