SANS Information Security Reading Room
http://www.sans.org/reading-room/
Last 25 Computer Security Papers added to the Reading Room

Tunneling, Pivoting, and Web Application Penetration Testing
https://www.sans.org/reading-room/whitepapers/testing/tunneling-pivoting-web-application-penetration-testing-36117
Mon, 03 Aug 2015 00:00:00 +0000
When conducting a web application penetration test there are times when you want to be able to pivot through a system to which you have gained access, to other systems, in order to continue testing. There are many channels that can be used as avenues for pivoting. This paper examines five commonly used channels for pivoting: Netcat relays, SSH local port forwarding, SSH dynamic port forwarding (SOCKS proxy), Meterpreter sessions, and Ncat HTTP proxy; within the context of using them with key tools in the penetration tester's arsenal, including Nmap, the Burp Suite, w3af, Nikto, Iceweasel, and Metasploit.

PKI Trust Models: Whom do you trust?
https://www.sans.org/reading-room/whitepapers/vpns/pki-trust-models-trust-36112
Tue, 28 Jul 2015 00:00:00 +0000
There has been a substantial amount of attention in the media recently regarding Public Key Infrastructures (PKI). Most often, secure web server exploits and signed malware have generated this attention and have led to the erosion of trust in PKI. Despite this negative media attention, there has been very little detailed discussion of the topic of PKI trust proliferation and control. PKI is an integral part of our daily lives even though, for the most part, we never notice it. Europe is several years ahead of North America in the ubiquitous deployment of PKI to its citizens, but North America has begun to catch up. This paper covers four major areas: the definition of trust and trust models, implementation of trust, auditing of trust, and managing trust. The paper provides proof-of-concept tools to allow administrators to understand their current level of PKI trust and techniques to manage trust.

Coding For Incident Response: Solving the Language Dilemma
https://www.sans.org/reading-room/whitepapers/tools/coding-incident-response-solving-language-dilemma-36107
Tue, 28 Jul 2015 00:00:00 +0000
Incident responders frequently are faced with the reality of "doing more with less" due to budget or manpower deficits. The ability to write scripts from scratch or modify the code of others to solve a problem or find data in a data "haystack" is a necessary skill in a responder's personal toolkit. The question for IR practitioners is which language they should learn that will be the most useful in their work. In this paper, we will examine several coding languages used in writing tools and scripts for incident response, including Perl, Python, C#, PowerShell and Go. In addition, we will discuss why one language may be more helpful than another depending on the use case, and look at examples of code for each language.

Beyond the Point of Sale: Six Steps to Stronger Retail Security
https://www.sans.org/reading-room/whitepapers/awareness/point-sale-steps-stronger-retail-security-36102
Tue, 28 Jul 2015 00:00:00 +0000
A whitepaper by Robert Scheier. It addresses the complex nature of IT in the retail environment and outlines a six-step process for enhancing the security of small shopkeepers as well as big-box chains.

An Introduction to Linux-based malware
https://www.sans.org/reading-room/whitepapers/malicious/introduction-linux-based-malware-36097
Thu, 23 Jul 2015 00:00:00 +0000
Although rarely making news headlines, Linux malware is a growing problem. As a result, Linux systems are left in an insecure state with minimal defenses against malware. This becomes increasingly problematic with the growth of networkable embedded devices, often referred to as the "Internet of Things" (IoT). This paper will discuss attack vectors for Linux malware, analyze several pieces of malware and describe defensive capabilities.

Incident Tracking In The Enterprise
https://www.sans.org/reading-room/whitepapers/incident/incident-tracking-enterprise-36092
Mon, 20 Jul 2015 00:00:00 +0000
Some organizations employ Computer Security Incident Response Teams (CSIRTs) to investigate and respond to security incidents. They often find these investigations to be poorly executed, time consuming, and ultimately ineffective at discovering the root cause of a breach. Unfortunately, this is not usually due to the skill of the investigators, but rather due to the tools and processes they use to manage the investigations. This paper describes the use of purpose-built case management software, integrated into the incident response process, to track these investigations. CSIRTs that take an organized, formal tracking approach will collaborate better and find their investigations to be more complete and useful to risk managers.

Two-Factor Authentication (2FA) using OpenOTP
https://www.sans.org/reading-room/whitepapers/authentication/two-factor-authentication-2fa-openotp-36087
Fri, 17 Jul 2015 00:00:00 +0000
This guide is for security-aware individuals who wish to learn the theory behind user-based two-factor (or multifactor) authentication systems, also known as "2FA". Here we will discuss how 2FA systems work, and how to implement 2FA in a small, virtualized environment for testing purposes. By implementing 2FA, the hope is to enhance the cyber toolkit for administrators who wish to help mitigate the effects of user password theft by cyber intrusion. By following the steps outlined here, the reader should be able to comfortably configure a user account already existing in a Microsoft Active Directory (AD) environment to use the Google Authenticator application on his/her smartphone to authenticate with AD username and password+token for remote VPN access.

Leveraging the Federal Public Trust Clearance Model in State Government Personnel Security Programs
https://www.sans.org/reading-room/whitepapers/bestprac/leveraging-federal-public-trust-clearance-model-state-government-personnel-security-programs-36082
Fri, 17 Jul 2015 00:00:00 +0000
Security clearances are a requirement when working with classified information at the federal level. In recent years, incidents involving unauthorized disclosures of highly sensitive classified information have brought the security clearance adjudication process under scrutiny. These incidents have reinforced the principle that a personnel security program that properly vets individuals is critical to any organization that wishes to protect its data. Although the effects of an incident at the state level may be narrower in scope than at the federal level, the need to safeguard sensitive information is the same. The national security clearance model is used at many state agencies that work with the Department of Defense and other federal entities. However, an agency that does not access national security data still has a responsibility to uphold public trust. For these organizations, the background check processes can vary greatly from state to state or even between agencies. An effective personnel security program is much more than simply granting access to protected information through a public trust clearance. To achieve the assurance implied by a clearance, other components must be included. While a direct implementation of the federal model may not be feasible, using just a few concepts to design a system tailored to the state level would significantly improve the security posture of the issuing agency.

Psychology and the hacker - Psychological Incident Handling
https://www.sans.org/reading-room/whitepapers/incident/psychology-hacker-psychological-incident-handling-36077
Thu, 09 Jul 2015 00:00:00 +0000
The understanding of the processes, techniques and skills of hackers or cyber-criminals can be ascertained through the practical application of forensic psychology techniques and behavioral analysis. The actions and methods used within an attack, through the monitoring of logs and forensic discovery, will contribute to a profile of the person or persons behind the intrusion. This information will be a new vector in determining infiltration techniques, whether the actions leave a persistent threat (backdoor) or whether it is a one-time "smash and grab". If applied correctly, the detective controls can shorten avenues of determining risk and threats, as well as the magnitude of investigation required, based upon the behavioral profile. Incident handling is based on the detection, response and resolution of security incidents. Given a new understanding of the person or persons behind such an incident, the process will be a preliminary part of the incident handling process. Using the methods of behavioral analysis creates a new dimension of understanding of the malicious activity and of the network analysis of what occurred in the environment.

A Concise Guide to Various Australian Laws Related to Privacy and Cybersecurity Domains
https://www.sans.org/reading-room/whitepapers/legal/concise-guide-australian-laws-related-privacy-cybersecurity-domains-36072
Mon, 06 Jul 2015 00:00:00 +0000
There are many laws in Australia related to the privacy and cyber security domains. In this paper, the author intends to collate the current laws related to the privacy and cyber security domains so that interested readers can get relevant information specific to Australia in one concise document. Additionally, there are no industry-specific acts or regulations like HIPAA, SOX or GLBA. Because of this, some organizations do not know their obligations in relation to these laws. This paper presents research on the current applicable cyber security related laws, Acts and regulations published by the Federal and State Governments, establishes relationships with other applicable Acts, performs a gap assessment and identifies relevant industry frameworks that can be adopted as best practices. For ease of future research, the sources of these current artefacts and databases are cited throughout the document. Disclaimer: Contents of this document must not be construed as legal advice. Readers are encouraged to seek legal advice prior to consideration.

A Framework for Assessing 20 Critical Controls Using ISO 15504 and COBIT 5 Process Assessment Model (PAM)
https://www.sans.org/reading-room/whitepapers/auditing/framework-assessing-20-critical-controls-iso-15504-cobit-5-process-assessment-model-36067
Mon, 06 Jul 2015 00:00:00 +0000
The 20 critical controls, maintained by the Council on CyberSecurity, present a prioritized road map for organizations to enhance their information security posture. However, an initial review that serves as a "baseline" must first be performed to know the current information security posture and to ascertain the effort required to implement the critical controls. Furthermore, assessments or audits should be performed periodically to gauge the continual improvement in information security as well as the extent to which the critical controls have been implemented. This paper presents a unified and repeatable framework that can be used for the initial gap analysis as well as to measure the continual enhancements in implementation of the critical controls. The concepts presented in this paper draw heavily from the "ISO/IEC 15504 Information technology - Process assessment" standard and the COBIT 5 Process Assessment Model (PAM). The information presented in ISO 15504 and COBIT 5 PAM is adapted for the assessment of critical controls. A unified approach to assessing the implementation status of each critical control as well as the sub-controls is presented, based on an incremental measuring scale. The other peripheral elements of the assessment, such as the details of the assessment process (planning, initiation, fieldwork, reporting), assessor qualifications, and competency, are also detailed, resulting in a comprehensive framework for assessing the 20 critical controls.

Securing Single Points of Compromise (SPoC)
https://www.sans.org/reading-room/whitepapers/bestprac/securing-single-points-compromise-spoc-36062
Tue, 30 Jun 2015 00:00:00 +0000
Securing the Single Points of Compromise that provide central services to the institution's environment is paramount to success when trying to protect the business. (Fisk, 2014) Time Based Security mandates protection (erecting and ensuring effective controls) that lasts longer than the time to detect and react to a compromise. When enterprise protections fail, providing additional layered controls for these central services provides more time to detect and react. While guidance is readily available for securing the individual critical asset, protecting these assets as a group is not often discussed. Using best business practices to protect these resources as individual assets while leveraging holistic defenses for the group increases the opportunity to maximize protection time, allowing detection and reaction time for the SPoCs that is commensurate with the inherent risk of these centralized services.

Tactical Data Diodes in Industrial Automation and Control Systems
https://www.sans.org/reading-room/whitepapers/firewalls/tactical-data-diodes-industrial-automation-control-systems-36057
Tue, 30 Jun 2015 00:00:00 +0000
In recent years, there has been an increased interest in the use of Data Diodes (also known as unidirectional gateways) within Industrial Automation and Control System (IACS) networks. As a result, there has been a substantial amount of confusion around where and how best to use this effective barrier technology. Although not a direct replacement for firewalls, Data Diodes are well suited for specific tasks within IACS networks such as data replication, system state monitoring, remote backup management and patch management. This paper demystifies the use of Data Diodes within the IACS domain by detailing the process and challenges of building a simple Data Diode and applying it to an IACS network.

BYOD: Do You Know Where Your Backups Are Stored?
https://www.sans.org/reading-room/whitepapers/mobile/byod-backups-stored-36047
Tue, 30 Jun 2015 00:00:00 +0000
Ever striving to reduce costs, companies in increasing numbers are testing Bring Your Own Device (BYOD) as a mobile solution. Although security has become a hot topic, ensuring the protection of confidential information during synchronization of a mobile device to a personal storage location may be overlooked. This paper will touch on elements of how and where data is stored on Apple and Android mobile devices, the default backup solutions, a few legal aspects to consider, and some security solutions offered by AirWatch and Good.

Accessing the inaccessible: Incident investigation in a world of embedded devices
https://www.sans.org/reading-room/whitepapers/internet/accessing-inaccessible-incident-investigation-world-embedded-devices-36052
Wed, 24 Jun 2015 00:00:00 +0000
There are currently an estimated 4.9 billion embedded systems distributed worldwide. By 2020, that number is expected to have grown to 25 billion. Embedded systems can be found virtually everywhere, ranging across consumer products such as Smart TVs, Blu-ray players, fridges, thermostats, smart phones, and many more household devices. They are also ubiquitous in businesses, where they are found in alarm systems, climate control systems, and most networking equipment such as routers, managed switches, IP cameras, multi-function printers, etc. Unfortunately, recent events have taught us these devices can also be vulnerable to malware and hackers. Therefore, it is highly likely that one of these devices may become a key source of evidence in an incident investigation. This paper introduces the reader to embedded systems technology. Using a Blu-ray player embedded system as an example, it demonstrates the process to connect to and then access data through the serial console to collect evidence from an embedded system's non-volatile memory.

The State of Security in Control Systems Today
https://www.sans.org/reading-room/whitepapers/analyst/state-security-control-systems-today-36042
Wed, 24 Jun 2015 00:00:00 +0000
By reading this report, ICS professionals will gain insight into the challenges facing peers, as well as the approaches being employed to reduce the risk of cyberattack.

Six Steps to Stronger Security for SMBs
https://www.sans.org/reading-room/whitepapers/analyst/steps-stronger-security-smbs-36037
Tue, 23 Jun 2015 00:00:00 +0000
An Analyst Program whitepaper by Dr. Eric Cole. It describes a six-step approach that small and medium-size businesses can use as a template for enhancing their overall security posture.

Security Spending and Preparedness in the Financial Sector: A SANS Survey
https://www.sans.org/reading-room/whitepapers/analyst/security-spending-preparedness-financial-sector-survey-36032
Tue, 23 Jun 2015 00:00:00 +0000
Financial services organizations are being breached too often. Find out how the threat landscape and the tools to secure data are changing in the 2015 SANS Financial Services Survey.

eAUDIT: Designing a generic tool to review entitlements
https://www.sans.org/reading-room/whitepapers/riskmanagement/eaudit-designing-generic-tool-review-entitlements-36027
Mon, 22 Jun 2015 00:00:00 +0000
In a perfect world, identity and access management would be handled in a fully automated way.

Case Study: Critical Controls that Sony Should Have Implemented
https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-sony-implemented-36022
Mon, 22 Jun 2015 00:00:00 +0000
What would soon characterize one of the worst hacks in recent history began when screenwriter Evan Goldberg and actor Seth Rogen joked about making a comedy about assassinating the leader of North Korea, Kim Jong-un.

Enabling Big Data by Removing Security and Compliance Barriers
https://www.sans.org/reading-room/whitepapers/analyst/enabling-big-data-removing-security-compliance-barriers-36017
Wed, 17 Jun 2015 00:00:00 +0000
The rewards that big data can bring are widely recognized: scientific insight, competitive intelligence and improved fraud detection, as well as the benefits derived from sophisticated analyses of vast sets of transactional and behavioral data.

Using windows crash dumps for remote incident identification
https://www.sans.org/reading-room/whitepapers/forensics/windows-crash-dumps-remote-incident-identification-36012
Tue, 16 Jun 2015 00:00:00 +0000
With the proliferation of defense mechanisms built into the Windows operating system, such as ASLR, DEP, and SEHOP, it is getting more difficult for malware to successfully exploit it.

Conquering Network Security Challenges in Distributed Enterprises
https://www.sans.org/reading-room/whitepapers/analyst/conquering-network-security-challenges-distributed-enterprises-36007
Thu, 11 Jun 2015 00:00:00 +0000
Enterprises continue to have difficulties detecting, blocking and responding to threats.

The Perfect ICS Storm
https://www.sans.org/reading-room/whitepapers/internet/perfect-ics-storm-36002
Mon, 08 Jun 2015 00:00:00 +0000
As manufacturing Industrial Control System (ICS) architectural designs have evolved from isolated and proprietary systems with physical separation, to a layered architecture using more standard IT components, to the latest "trend" of the Industrial Internet of Things (IIoT), so too have the challenges associated with securing these environments.

Applying Lessons Learned for the Next Generation Vulnerability Management System
https://www.sans.org/reading-room/whitepapers/threats/applying-lessons-learned-generation-vulnerability-management-system-35997
Mon, 08 Jun 2015 00:00:00 +0000
The objective of this paper is to make recommendations for improving a vulnerability management system in development.