Reading Room

Information Assurance

Featuring 9 Papers as of October 3, 2012

  • Recovering Security in Program Management by Howard Thomas - October 3, 2012 

    Few Information Security (InfoSec) professionals get the opportunity to build a program from the ground up. Whether brought in to maintain, enhance, or fix an existing environment, most inherit a security situation not of their own making.

  • Defense in Depth: An Impractical Strategy for a Cyber World by Prescott Small - February 20, 2012 

    Defense in Depth was developed to defend kinetic or real-world military or strategic assets by creating layers of defense that compel the attacker to expend a large amount of resources, while straining supply lines.

  • Reducing Organizational Risk Through Virtual Patching (Masters) by Joseph Faust - January 11, 2011

    Software patching for IT Departments across the organizational landscape has always been an integral part of maintaining functional, usable and stable software. Historically the traditional patch cycle has been focused on fixing or resolving issues which affect functionality. In recent years, with the advancement of more sophisticated and targeted threats which are occurring in quicker cycles, this focus is dramatically changing (Risk Assessment Cisco, n.d.; Executive Office of The United States, 2005). Corporations and Government now have a greater understanding of potential losses and expenses incurred by not maintaining application security and are moving towards an increased focus on patching and security (Epstein, Grow & Tschang, 2008). With organizations' reputations, consumer confidence and corporate secrets at risk, corporations and government are recognizing the need to shift and address vulnerabilities at a much faster pace than they historically have done so (Chan, 2004). Over roughly the last ten years, the length of time between the documentation of a given vulnerability in a piece of software and the development of an actual exploit that can take advantage of the weakness in the application, has decreased tremendously. According to Andrew Jaquith, senior analyst at Yankee Group, the average time between vulnerability discovery and the release of exploit code is less than one week (Shrinking time from, 2006). It has also been identified that 99% of intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available ("Risk reduction and.," 2010). Clearly these statistics alone can prove daunting for many businesses trying to keep pace and maintain proper defenses against the bad guys.

  • About Face: Defending Your Organization Against Penetration Testing Teams (Masters) by Terrence OConnor - December 6, 2010

    In the following paper, we outline several methods for obscuring your network from attack during an external penetration test. Understanding how a penetration testing team performs a test and the tools in their arsenal is essential to defense. The penetration testing cycle is covered in the next section. Following that, we discuss defeating recon and enumeration efforts, how to exhaust the penetration testing team's time and effort, how to properly scrub outbound and inbound traffic, and finally, we present some obscure methods for preventing a successful penetration test.

  • Determining the Role of the IA/Security Engineer by Brian Dutcher - October 14, 2010 

    What is your view of the role performed by an IA/Security Engineer? Is it focused on securing the network perimeter through the operations of the firewall, virtual private networks (VPNs), intrusion detection system/intrusion prevention system (IDS/IPS), network access control (NAC), data loss prevention (DLP) and enterprise anti-virus solutions? Is it the network specialist responsible for the secure design of the local area network (LAN), virtual LAN (VLAN), wide area network (WAN) and all endpoints? Is it the systems designer or operator responsible for the security of all clients and servers? Is it a software developer specializing in developing and hardening custom applications? Is the IA/Security Engineer someone who is an expert in all these areas? Is the IA/Security Engineer a specialized single technology (i.e. Cisco) expert, or is the position technologically agnostic, working at a higher level where specific detailed technology is irrelevant in the bigger scheme of things?

  • The Many Issues of a Human Review Downgrader by Jon Johnson - May 5, 2005 

    The government and military have always dealt with this problem. They have created information domains, which are various labels denoting the level of sensitivity of data such as top secret (TS) and unclassified [1].

  • Security Issues When Data Traverses Information Domains: Do Guards Effectively Address the Problem? by Charles Maney - July 25, 2004 

    The sharing of information has become an integral part of our society. Because of this, it has become increasingly important to protect that information as well as the resources that facilitate the information exchange.

  • Mixing Technology and Business: The Roles and Responsibilities of the Chief Information Security Officer by Matthew Cho - May 23, 2003 

    This research paper describes the roles and responsibilities of the Chief Information Security Officer and the importance of these roles and responsibilities to public and private organizations worldwide. In addition, this paper explains the return on investment and the importance and how it relates to the Chief Information Security Officer.

  • Building an Information Assurance Framework for a Small Defense Agency by Janet Haase - April 8, 2002 

    This paper attempts to glean best practices from many sources to define the steps we must take to implement and manage an Information Assurance Framework.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

Masters - This paper was created by a SANS Technology Institute student as part of their Master's curriculum.