SANS Information Security Reading Room
http://www.sans.org/reading-room/
Last 25 Computer Security Papers added to the Reading Room

Data Center Server Security Survey 2014
https://www.sans.org/reading-room/whitepapers/analyst/data-center-server-security-survey-2014-35567
Learn how organizations are tackling the difficult problem of data center security, explore their best practices and consider improvements needed for data centers to meet compliance demands while reducing overall risk and management complexity.
Wed, 29 Oct 2014 00:00:00 +0000

Application White-listing with Bit9 Parity
https://www.sans.org/reading-room/whitepapers/commerical/application-white-listing-bit9-parity-35572
Antivirus is a requirement for a host of compliance standards and is championed to be a critical component for any security baseline (PCI-DSS 3.0-5.1). A recent Google search for "Cyber Security Breaches" in Google News shows 16,700 results in Google News.
Wed, 29 Oct 2014 00:00:00 +0000

The Best Defenses Against Zero-day Exploits for Various-sized Organizations
https://www.sans.org/reading-room/whitepapers/bestprac/defenses-zero-day-exploits-various-sized-organizations-35562
Zero-day exploits are vulnerabilities that have yet to be publicly disclosed. These exploits are usually the most difficult to defend against because data is generally only available for analysis after the attack has completed its course. These vulnerabilities are highly sought after by cyber criminals, governments, and software vendors who will pay high prices for access to the exploit (Bilge & Dumitras, 2012).
Mon, 27 Oct 2014 00:00:00 +0000

The Spy with a License to Kill
https://www.sans.org/reading-room/whitepapers/scada/spy-license-kill-35557
The opening scene of GoldenEye underscores the skills and precision of James Bond, 007. Years of experience and training make impossible missions look routine. These skills alone would not allow 007 to succeed; rather, a calculated plan that targeted the vulnerabilities in the Archangel Chemical Weapons Facility coupled with 007's skills provided for a successful mission.
Fri, 24 Oct 2014 00:00:00 +0000

Detect, Investigate, Scrutinize and Contain with Rapid7 UserInsight
https://www.sans.org/reading-room/whitepapers/awareness/detect-investigate-scrutinize-rapid7-userinsight-35552
A review of Rapid7 UserInsight by SANS senior analyst Jerry Shenk. It discusses a tool that highlights user credential misuse while tracking endpoint system details that would be valuable to an incident response team.
Thu, 23 Oct 2014 00:00:00 +0000

Intelligence-Driven Incident Response with YARA
https://www.sans.org/reading-room/whitepapers/forensics/intelligence-driven-incident-response-yara-35542
The concept of threat intelligence is gaining momentum in the cyber-security arena. As targeted attacks increase in number and sophistication, organizations are beginning to develop and integrate the concept of threat intelligence into their cyber-defensive strategies. By doing so, organizations are taking the next step forward to respond to cyber-attacks. Recent threat reports reveal promising results.
Mon, 20 Oct 2014 00:00:00 +0000

Reducing the Catch: Fighting Spear-Phishing in a Large Organization
https://www.sans.org/reading-room/whitepapers/forensics/reducing-catch-fighting-spear-phishing-large-organization-35547
The phishing problem isn't new. Over 150 years ago, Charles Dickens wrote a passionate and witty letter about fraudsters of his day who, like Nigerian 419 scammers today, preyed upon the generosity and gullibility of well-meaning folk. The differences in our time are those of scale and scope, as the perpetrators have taken on seven league boots and covered continents with their shameless appeals.
Mon, 20 Oct 2014 00:00:00 +0000

Breaches Happen: Be Prepared
https://www.sans.org/reading-room/whitepapers/riskmanagement/breaches-happen-prepared-35527
A whitepaper by SANS Analyst and Senior Instructor Stephen Northcutt. It describes how improved malware reporting and gateway monitoring, combined with security intelligence from both internal and external resources, helps organizations meet the requirements of frameworks such as the Critical Security Controls.
Tue, 14 Oct 2014 00:00:00 +0000

An Analysis of Meterpreter during Post-Exploitation
https://www.sans.org/reading-room/whitepapers/forensics/analysis-meterpreter-post-exploitation-35537
Much has been written about using the Metasploit Framework to gain access to systems, utilizing exploits, and the post-exploitation modules. What has received less attention is how they work, what they actually do on the system and how it can be detected. That is the focus of this research paper.
Tue, 14 Oct 2014 00:00:00 +0000

Forensicator FATE - From Artisan To Engineer
https://www.sans.org/reading-room/whitepapers/forensics/forensicator-fate-artisan-engineer-35522
The SANS Investigative Forensic Toolkit (SIFT) is an awesome set of (free!) tools for the forensics professional. Using these tools effectively, however, can be overwhelming, especially in the case of a large complex case such as an APT intrusion.
Mon, 13 Oct 2014 00:00:00 +0000

Finding the Advanced Persistent Adversary
https://www.sans.org/reading-room/whitepapers/hackers/finding-advanced-persistent-adversary-35512
The Advanced Persistent Threat was born long before the days of computers. However, the security industry has brought more emphasis to this "scare-word". Its first real use as the term APT came from the US Air Force in 2006 due to the sole fact that nation state and government backed espionage turned to significantly more advanced attacks.
Fri, 10 Oct 2014 00:00:00 +0000

Hardening Retail Security
https://www.sans.org/reading-room/whitepapers/analyst/hardening-retail-security-35517
Read this article and learn what IT security staff in the retail industry say about their security budgets, behavioral baselining, and endpoint forensics practices.
Fri, 10 Oct 2014 00:00:00 +0000

Analytics and Intelligence Survey 2014
https://www.sans.org/reading-room/whitepapers/analyst/analytics-intelligence-survey-2014-35507
This paper explores the use of analytics and intelligence today and exposes the impediments to successful implementation.
Wed, 08 Oct 2014 00:00:00 +0000

Security Operations Centre (SOC) in a Utility Organization
https://www.sans.org/reading-room/whitepapers/scada/security-operations-centre-soc-utility-organization-35502
Cyber security threats are increasing manifold, irrespective of the size of an organization. This is evident after reviewing many industry reports such as Verizon 2014 Data Breach Investigation Report (Verizon, 2014), Trustwave 2014 Global Security Report (Trustwave, 2014) and Symantec Internet Security Threat Report 2014 (Symantec, 2014).
Tue, 07 Oct 2014 00:00:00 +0000

Ninth Log Management Survey Report
https://www.sans.org/reading-room/whitepapers/analyst/ninth-log-management-survey-report-35497
Using the results of the 2014 Log Management Survey, this paper identifies strengths and weaknesses in log management systems and practices, and provides advice for improving visibility across systems with proper log collection, normalization and analysis.
Fri, 03 Oct 2014 00:00:00 +0000

Data Charging Bypass: How your IDS can help.
https://www.sans.org/reading-room/whitepapers/mobile/data-charging-bypass-ids-help-35482
The recent increase in the number of smart devices, the introduction of high speed mobile connections (4G/LTE), as well as the hype in social networking has all led to the dramatic increase in mobile Internet traffic.
Thu, 02 Oct 2014 00:00:00 +0000

A Practical Big Data Kill Chain Framework
https://www.sans.org/reading-room/whitepapers/warfare/practical-big-data-kill-chain-framework-35487
Traditional toolsets using atomic syntactic-based detection methods have slowly lost the ability, in and of themselves, to detect and respond to today's well-planned, multi-phased, multi-asset, and multi-day attacks, thereby leaving a gap in detecting these attacks.
Thu, 02 Oct 2014 00:00:00 +0000

Creating a Threat Profile for Your Organization
https://www.sans.org/reading-room/whitepapers/threats/creating-threat-profile-organization-35492
Developing a detailed threat profile provides organizations with a clear illustration of the threats that they face, and enables them to implement a proactive incident management program that focuses on the threat component of risk. Organizations are facing new types of advanced persistent threat (APT) scenarios that existing risk management programs are not able to evaluate completely and incident management programs are not able to defend against. This paper provides information about how to expand existing risk management models to better illustrate APTs and provides a framework on how to gather threat related information so that detailed threat profiles that include APTs can be developed for organizations.
Thu, 02 Oct 2014 00:00:00 +0000

Next Generation Firewalls and Employee Privacy in the Global Enterprise
https://www.sans.org/reading-room/whitepapers/monitoring/generation-firewalls-employee-privacy-global-enterprise-35467
An obligation to protect company resources is something nearly every organization tries to instill in their staff.
Tue, 30 Sep 2014 00:00:00 +0000

Validating Security Configurations and Detecting Backdoors in New Network Devices
https://www.sans.org/reading-room/whitepapers/networkdevs/validating-security-configurations-detecting-backdoors-network-devices-35472
With the discovery of admin (root level) backdoors in network devices of Barracuda in January last year, it once again has become apparent that internet-facing network devices are vulnerable to unauthorized remote access (Goodin, Secret backdoors found in firewall, VPN gear from Barracuda Networks, 2013).
Tue, 30 Sep 2014 00:00:00 +0000

A Guide on How to Find Cardholder Data without Automated Tools for PCI Assessors
https://www.sans.org/reading-room/whitepapers/auditing/guide-find-cardholder-data-automated-tools-pci-assessors-35477
The PCI Data Security Standard requires organizations to determine the scope of their compliance obligation accurately. A critical aspect of PCI DSS scope definition is identifying all the locations where cardholder data is stored. During the course of an assessment, PCI Assessors must validate that the perceived compliance scope is in fact accurately defined and documented. Automated discovery tools, while effective at finding cardholder data, sometimes are not an option due to the negative impact they may have in a production environment. In this paper, the author discusses audit techniques and tips on how to find cardholder data without using automated tools.
Tue, 30 Sep 2014 00:00:00 +0000

Home Field Advantage - Using Indicators of Compromise to Hunt down the Advanced Persistent Threat
https://www.sans.org/reading-room/whitepapers/detection/home-field-advantage-indicators-compromise-hunt-down-advanced-persistent-threat-35462
Current cyber defense strategies focus on building a wall around the network and "digging in". Behind this cyber version of the Maginot Line, network defenders attempt to block adversary intrusions in any way possible.
Thu, 25 Sep 2014 00:00:00 +0000

Modeling Security Investments With Monte Carlo Simulations
https://www.sans.org/reading-room/whitepapers/dlp/modeling-security-investments-monte-carlo-simulations-35457
Technical leaders and architects are frequently the interface from sponsors and management into projects.
Wed, 24 Sep 2014 00:00:00 +0000

A Qradar Log Source Extension Walkthrough
https://www.sans.org/reading-room/whitepapers/logging/qradar-log-source-extension-walkthrough-35452
The acronym SIEM refers to "Security Information and Event Management". Due to the many and varied functions provided, a concise definition is elusive.
Mon, 22 Sep 2014 00:00:00 +0000

Security Visibility in the Enterprise
https://www.sans.org/reading-room/whitepapers/projectmanagement/security-visibility-enterprise-35442
A large (Fortune 100) company decided to improve its corporate "security visibility." Through this effort they intended to move from simply meeting regulatory and compliance requirements toward a more mature model capable of focusing on specific areas of risk.
Fri, 19 Sep 2014 00:00:00 +0000