Reading Room

Auditing & Assessment

Featuring 83 Papers as of July 14, 2016


  • Using Information Security as an Auditing Tool by Adi Sitnica - July 14, 2016 

    As cyber-attacks are gaining visibility within mainstream media, what once was knowledge for information security expertise is now a concern of everyday individuals. With solutions and information readily available, where does one start in the pursuit of information security? The understanding of the organization's system and network infrastructure is required, but what type of approach can be taken? Investigation leads to using information security as an auditing tool to analyze and report on an organization's strengths, weaknesses and needs. As a result, the organization inherently gains visualization of the current posture, its gaps and a method for continuous remediation.

  • A Framework for Assessing 20 Critical Controls Using ISO 15504 and COBIT 5 Process Assessment Model (PAM) Masters
    by Muzamil Riffat - July 6, 2015 

    The 20 critical controls, maintained by the Council on CyberSecurity, present a prioritized road map for organizations to enhance their information security posture. However, an initial review that serves as a "baseline" must first be performed to know the current information security posture and to ascertain the effort required to implement the critical controls. Furthermore, assessments or audits should be performed periodically to gauge the continual improvement in information security as well as to what extent the critical controls have been implemented. This paper presents a unified and repeatable framework that could be used for the initial gap analysis as well as to measure the continual enhancements in implementation of the critical controls. The concepts presented in this paper draw heavily from the contents contained in "ISO/IEC 15504 Information technology - Process assessment" standard and COBIT5 Process Assessment Model (PAM). The information presented in ISO 15504 and COBIT 5 PAM is adapted for the assessment of critical controls. A unified approach in assessing the implementation status of each critical control as well as the sub-controls is presented based on an incremental measuring scale. The other peripheral elements of the assessment such as the details of assessment process (planning, initiation, fieldwork reporting), assessor qualifications, and competency are also detailed out resulting in a comprehensive framework for assessing the 20 critical controls.

  • eAUDIT: Designing a generic tool to review entitlements Masters
    by Francois Begin - June 22, 2015 

    In a perfect world, identity and access management would be handled in a fully automated way.

  • Is It Patched Or Is It Not? by Jason Simsay - April 23, 2015 

    Patch management tools may produce conflicting results.

  • Palo Alto Firewall Security Configuration Benchmark Masters
    by Ryan Firth - February 20, 2015 

    This security configuration benchmark was created and tested against Palo Alto Networks' PAN-OS 6.1 software.

  • Auditing Using Vulnerability Tools to Identify Today's Threats to Business Performance by Carlos Vazquez - December 2, 2014 

    A properly implemented vulnerability management program represents a key element in an organization's information security program by providing a business oriented approach to risk mitigation. This program provides a way to assess the potential business impact and probability of threats and risks to an organization's information infrastructure before those events occur.

  • A Guide on How to Find Cardholder Data without Automated Tools for PCI Assessors Masters
    by Christian Moldes - September 30, 2014 

    The PCI Data Security Standard requires organizations to determine the scope of their compliance obligation accurately. A critical aspect of PCI DSS scope definition is identifying all the locations where cardholder data is stored. During the course of an assessment, PCI Assessors must validate that the perceived compliance scope is in fact accurately defined and documented. Automated discovery tools, while effective to find cardholder data, sometimes are not an option due to the negative impact they may have in a production environment. In this paper, the author discusses audit techniques and tips on how to find cardholder data without using automated tools.

  • Critical Security Controls: From Adoption to Implementation Analyst Paper
    by James Tarala - September 18, 2014 

    This SANS survey report explores how widely the CSCs are being adopted, as well as what challenges adopters are facing in terms of implementation of the controls and what they are looking for to improve their implementation practices.

  • Continuous Diagnostics and Mitigation : Making it Work Analyst Paper
    by John Pescatore - August 6, 2014 

    Security professionals in federal, state and local agencies face many unique challenges in protecting critical systems and information. The CDM program has tremendous potential for both increasing the security levels at those agencies and reducing the cost of demonstrating compliance. However, to be successful, the program must address the following: lack of awareness, low inspector general awareness and lack of information on how to use the program. For use of the program to result in better security, additional staffing and skills are needed, as are success stories to guide organizations attempting to implement CDM.

  • Understanding what Service Organizations are trying to SSAE Masters
    by Michael Hoehl - January 14, 2014 

    Today, many companies are choosing to perform common business functions like Finance, Human Resources, Legal, Sales, and Procurement with the use of information systems that reside remotely at a vendor.

  • Methodology for Firewall Reviews for PCI Compliance by K. Warren - April 17, 2013 

    The focus of the firewall review methodology described in this document is on ensuring ongoing compliance with PCI DSS rather than compliance at a point in time such as when the PCI assessor is coming.

  • Oracle Audit Vault Analyst Paper
    by Tanya Baccam - March 4, 2012 

    Review of Oracle Audit Vault, which provides database log centralization, management, alerting and reporting across multiple databases.

  • Auditing Windows Environments (keywords: PowerShell XML output, windows security, ossams) by Cody Dumont - February 7, 2012 

    A security professional often performs security assessments for customers and will use many tools to collect data. Each tool stores data in a separate format; this requires the assessor to develop a proprietary automated process or use a manual process to correlate all the data.

  • Auditing ASP.NET applications for PCI DSS compliance by Christian Moldes - February 7, 2012 

    This paper intends to provide specific guidance on how to audit ASP.NET applications and validate that they meet PCI DSS requirements. It does not intend to provide guidance on how to conduct penetration tests on ASP.NET applications, identify secure coding vulnerabilities, or remediate ASP.NET vulnerabilities.

  • Base64 Can Get You Pwned by Kevin Fiscus - September 12, 2011 

    Helix Pharmaceuticals is worried about security. In the cutthroat world of multi-billion dollar pharmaceutical companies, industrial espionage is a significant concern. In addition, political and social activists continually attempt to disrupt business as retribution for perceived injustices.

  • Scoping Security Assessments - A Project Management Approach by Ahmed Abdel-Aziz - June 7, 2011 

    Security assessments can mean different things to different people. This paper will explore what a security assessment is, why it should be done, and how it is different than a security audit.

  • Wireless Networks and the Windows Registry - Just where has your computer been? Masters
    by Jonathan Risto - May 6, 2011 

    The Windows Registry stores all of the information that is needed by the host operating system. This database contains all of the configurations, settings and options that are both created initially by the operating system, as well as user configuring settings and installed software.

  • Auditing for Policy Compliance with QualysGuard and CIS Benchmarks by Stewart James - February 18, 2011 

    In today's information security world, most enterprises are either already moving toward or seriously considering moving toward compliance with any number of a variety of security standards that represent best practice (SANS, 2010a). There is always a risk that the efforts to gain compliance with an external body fade after the initial audit is performed. Ongoing reporting and measuring is required to ensure consistent compliance. Once an initial audit is completed, it is possible for people to focus on other areas of their business; unless there are follow-up audits to ensure ongoing compliance, it is quite possible for some items to fall out of compliance. Continual measurement and reporting will aid in raising awareness of any areas that may need addressing.

  • A Real-Time Approach to Continuous Monitoring Analyst Paper
    by James Tarala - February 12, 2011 

    The paper identifies the components of a comprehensive CM program and how organizations can use this approach to decrease risk and improve efficiency.

  • How to Choose a Qualified Security Assessor Analyst Paper
    by Dave Shackleford - November 9, 2010 

    An overview of new guidance for Qualified Security Assessors as a result of the new Payment Card Industry Data Security Standard (PCI DSS v2.0).

  • Successful SIEM and Log Management Strategies for Audit and Compliance by David Swift - November 9, 2010 

    While there are any number of compliance regulations (SOX, GLBA, PCI, FISMA, NERC, HIPAA... see Appendix E for an overview and links to regulations), and auditors follow various frameworks (COSO, COBIT, ITIL... see Appendix F for an overview and reference links), there are a few common core elements to success.

  • Choosing corporate level instant messaging system and implementing audit controls by Mikko Niemelä - September 14, 2010 

    An instant messaging system (IM) is a type of communications service over the Internet that enables users to exchange messages and presence status. Instant messaging systems are split into two groups: public instant messaging systems and corporate-grade instant messaging systems. The most popular public systems are AOL Instant Messenger, ICQ, MSN Messenger, and Yahoo! Instant Messenger. Corporate-grade leaders are Microsoft Office Live Communications, IBM Lotus Sametime, Skype for business and Jabber. (Amman, Mohammad; van Oorschot, P.C, 2005)

  • Outsourced Information Technology Environment Audit by Navaratnasingam Arunanthy - April 27, 2010 

    Outsourcing was hyped in the mid 90s as one way to reduce IT cost, as well as to gain expertise for better business operations. Today some or many of the information technology activities in many organizations are outsourced. IT outsourcing occurs when an organization contracts a service provider to perform an IT function instead of performing the function itself. The service provider could be a third party or another division or subsidiary of a single corporate entity. Increasingly, organizations are looking offshore for the means to minimize IT service costs and related taxes. (CICA, 2003) Outsourced environments are complex and highly integrated with organizations and operations. As complexity increases, managing relationships with service providers becomes challenging. A survey performed by the IT Governance Institute indicates that problems with outsourcers increased from 74 Compound Problem Index (CPI) in 2005 to 127 CPI in 2007. The CPI is the result of multiplying the outcomes from the several questions about the IT-related problems experienced by the 749 respondents. (ITGI, 2008)

  • Effective Use Case Modeling for Security Information & Event Management by Daniel Frye - March 10, 2010 

    With today's technology there exist many methods to subvert an information system which could compromise the confidentiality, integrity, or availability of the resource. Due to the abstract nature of modern computing, the only way to be reliably alerted of a system compromise is by reviewing the system's actions at both the host and network layers and then correlating those two layers to develop a thorough view into the system's actions. In most instances, the computer user often has no indication of the existence of the malicious software and therefore cannot be relied upon to determine if their system is indeed compromised.

  • One Admin's Documentation is their Hacker's Pentest Masters
    by Rob VandenBrink - March 8, 2010 

    This paper describes the background, design and specifics of an automated, script-based documentation system for IT infrastructure called IT-DOCS. We begin with a short background on scripting, outlining common motives for scripting: simplifying common, repetitive operations, facilitating repeatability for benchmarks and audits, and serving training and education purposes. It is felt that the IT-DOCS project fills all three of these goals.

  • Analyzing Enterprise PKI Deployments by Walter Goulet - February 25, 2010 

    PKI deployments can provide many security services and benefits to enterprises. However, unless the PKI is deployed and operated in accordance with security best practices, the security benefits will not be realized, as attackers can take advantage of weaknesses in the deployment to forge certificates, gain access to the infrastructure and so on.

  • Simple Windows Batch Scripting for Intrusion Discovery Masters
    by Tim Proffitt - September 29, 2009 

    Common free tools and automatic batch scripting that can be used to identify an intrusion on a Windows operating system.

  • IT Audit for the Virtual Environment Analyst Paper
    by J. Michael Butler, Rob Vandenbrink - September 6, 2009 

    This paper will help IT managers and auditors come together and understand the virtualization process and the new risk and audit areas this technology presents.

  • Top Virtualization Security Mistakes (and How to Avoid Them) Analyst Paper
    by Jim D. Hietala - August 9, 2009 

    This paper explores practical security issues that can arise when virtualization technologies are deployed without proper planning and controls and offers advice on how to avoid making mistakes in critical areas of deployment and management.

  • Post Acquisition Audit in 30 Days Masters
    by Brad Ruppert - May 4, 2009 

    This paper will discuss the steps required to develop a high level risk-based post acquisition IT audit and means of conducting the audit in less than 30 days.

  • Auditing Nokia Firewall by Richard Sokal - June 18, 2008 

    The subjects of this Audit are Nokia IP530 Appliances running Checkpoint Firewall software. The Nokia/Checkpoint firewalls serve as components of the security architecture that protects EastCoast Enterprises corporate information assets from both external and internal threats.

  • Creating a Comprehensive Vulnerability Assessment Program for a Large Company Using QualysGuard Masters
    by Tim Proffitt - March 31, 2008 

    With today's global marketplace, companies cannot afford to tarnish their reputation with a public security incident. Corporations can suffer major financial losses if a security incident is encountered in the business. The fear of revenue loss should motivate companies to begin taking proactive measures against vulnerabilities in their infrastructure. The concept of vulnerability assessment is a critical process that should be followed in any organization as a way to identify, assess and respond to new vulnerabilities before those vulnerabilities become a threat.

  • The SANS Database Audit and Compliance Survey Analyst Paper
    by Barbara Filkins - February 9, 2008 

    The 2007 Database Audit and Compliance survey demonstrates need for methods and tools to monitor compliance with regulations and protect sensitive information in databases.

  • Auditing a Corporate Log Server by Roger Meyer - February 1, 2008 

    This paper details an audit of a corporate log server. The goal of the audit is to measure if implemented security controls are adequate on the server and to validate the configuration, since prevention is always better than cure.

  • WiFi with BackTrack by Antonio Merola - December 24, 2007 

    The idea behind this paper is to help auditors (especially those not familiar with Linux) with wireless issues; it is a real hassle getting wireless to work, either simply joining a network as a legitimate client or conducting a wireless audit, along with the plethora of tools available to wireless PenTesters. Before you eventually "go off", after days gone by looking here and there, have a look at this guide; I do really hope you master Wi-Fi with BackTrack after this reading.

  • Certification and Accreditation: A madmans dilemma - Controls by Robert Edwards - November 5, 2007 

  • NSS Vs NDS by Robert Edwards - November 5, 2007 

  • A Taxonomy of Information Systems Audits, Assessments and Reviews Masters
    by Craig Wright - June 20, 2007 

    The paper will cover the types, history and basis for each type of service. The paper statistically compares the strengths and weaknesses of each and sets out a scientifically repeatable foundation for the deterministic nomenclature used in the industry.

  • VPNScan: Extending the Audit and Compliance Perimeter Masters
    by Rob VandenBrink - February 12, 2007 

    This paper outlines specifically how VPNSCAN was built, with policy and implementation issues found in various customer environments.

  • Aligning an information risk management approach to BS 7799-3:2005 by Ken Biery - November 13, 2006 

    This paper discusses the need and importance of information risk management in terms of business and organizational priorities.

  • A Guide to Security Metrics by Shirley Payne - June 26, 2006 

    This guide provides a definition of security metrics, explains their value, discusses the difficulties in generating them, and suggests a methodology for building a security metrics program.

  • An Introduction to Information System Risk Management by Steve Elky - June 6, 2006 

    Key elements of information security risk, offering insight into risk assessment methodologies.

  • A Practical Guide to Auditing an ASP by Johanna Ollinger - May 17, 2005 

    Auditing an Application Service Provider (ASP) can be a difficult and arduous task for the auditor and auditee alike. Since ASPs service such a wide variety of businesses there may be several regulations that an ASP may be audited against.

  • Sarbanes-Oxley Information Technology Compliance Audit by Dan Seider - May 17, 2005 

    This paper provides a basic review of the background literature (i.e. extensive but not exhaustive) and develops a process model so that a professional IT Auditor may readily appreciate the subtleties of the Sarbanes Oxley audit process.

  • B.A.S.E. - A Security Assessment Methodology by Gregory Braunton - May 5, 2005 

    At a fundamental level, much like a chain, the Internet is a collection of organizations' business networks inter-linked that form the digital infrastructure of the world. This infrastructure forms a global information grid that harnesses the potential (good and bad) for any node to access any other node worldwide.

  • Information Systems Security Architecture: A Novel Approach to Layered Protection by George Farah - January 22, 2005 

    The purpose of this paper is to demonstrate how to develop an information systems security architecture in a complex environment with few security measures in place. The case study illustrated will provide the reader with a set of guidelines that can be used to develop security architecture components that allow for scalable and secure IT infrastructure.

  • The Application Audit Process - A Guide for Information Security Professionals by Robert Hein - January 22, 2005 

    This paper is meant to be a guide for IT professionals whose applications are audited, either by an internal or external IS audit. It provides a basic understanding of the IS Audit process.

  • Information Systems Security Architecture A Novel Approach to Layered Protection by George Farah - January 19, 2005 

    The purpose of this paper is to demonstrate how to develop an information systems security architecture in a complex environment with few security measures in place. The case study illustrated will provide the reader with a set of guidelines that can be used to develop security architecture components that allow for scalable and secure IT infrastructure.

  • Using Vulnerability Assessment Tools To Develop an OCTAVE Risk Profile by Andrew Storms - March 25, 2004 

    Threats to information technology are ever increasing and many organizations are spending much money and time in attempting to fix security problems. Before one can think about remediation, assets worth protecting and knowing what to protect those assets from must be defined.

  • Red Teaming: The Art of Ethical Hacking by Christopher Peake - December 13, 2003 

    This paper justifies the need for Red Teaming which is a process designed to detect network and system vulnerabilities and test security by taking an attacker-like approach to system/network/data access, to provide an accurate situational awareness for network/system security.

  • Wireless Network Audits using Open Source tools by Edouard Lafargue - October 31, 2003 

    The intention of this paper is to show that Open Source tools are particularly well-suited for doing WiFi surveys, and will detail a practical setup and the capabilities it offers.

  • Auditing-In-Depth For Solaris by Jeff Pike - October 31, 2003 

    The goal of this paper is to provide an effective and simple method for in-depth auditing and hardening of Solaris.

  • Data-Centric Quantitative Computer Security Risk Assessment by Brett Berger - September 26, 2003 

    In this paper a quantitative risk assessment strategy is outlined with brief discussions of threat, risk categories and data classification.

  • Network- and Host-Based Vulnerability Assessments: An Introduction to a Cost Effective and Easy to Use Strategy. by Ragi Guirguis - September 8, 2003 

    The purpose of this research was to investigate a convenient, efficient, and cost-effective method for conducting vulnerability assessments.

  • The Institutional Need for Comprehensive Auditing Strategies by Steward Milus - August 8, 2003 

    This paper examines the challenges in today's regulatory environment for financial institutions (primarily from the large institution's perspective, since they undergo the greatest scrutiny) and makes the argument that a high level, comprehensive auditing strategy is needed to allow organizations to respond effectively.

  • Security Auditing: A Continuous Process by Pam Page - August 8, 2003 

    This paper will help you determine how to successfully configure your W2K file and print server, monitor your server, have an action plan and be prepared for a successful security audit on that server. Although this audit will center on W2K servers, the same principles can be applied to other server audits.

  • Strategies for Improving Vulnerability Assessment Effectiveness in Large Organizations by Robert Huber - June 3, 2003 

    This paper will detail how to reduce the impact of the vulnerability assessment program in your organization, how to provide actionable items to those responsible for performing the work, how to effectively reduce high risk, and how to provide senior management with metrics that show actual risk reduction.

  • Security Program Management and Risk by Archie Andrews - June 2, 2003 

    This paper argues for building a security management program on a foundation of business risk assessment and risk management. It defines and explains risk, risk assessment, risk management and relates business risk management to security risk management.

  • Conducting an electronic information risk assessment for Gramm-Leach-Bliley Act compliance. Masters
    by Kevin Bong - May 30, 2003 

    The process involves listing each technology and vendor service and categorizing these systems based on the data they process or store.

  • Application Of The Nsa Infosec Assessment Methodology by Kathryn Cross - May 23, 2003 

    This paper will look at the structure of the NSA INFOSEC Assessment Methodology and provide an example of the use of the IAM for a fictitious firm, GIAC International Schools, Inc.

  • Security Assessment Guidelines for Financial Institutions by Karen Nelson - May 8, 2003 

    This paper will discuss the five information security assessment processes, identified by the Federal Financial Institutions Examination Council (FFIEC) and other financial regulators, as core components of a financial institution information security program, especially in fulfilling the Gramm-Leach-Bliley Act (GLBA), and relevant to other, similar requirements.

  • Information Classification - Who, Why and How by Sue Fowler - March 23, 2003 

    This paper will clarify who should be determining appropriate company protection needs.

  • Case Study - TruSecure Security Certification by David Vos - March 5, 2003 

    This paper describes the security certification process conducted by TruSecure Security Corporation on a company called K-Co; a fictitious name used to protect the innocence of the financial firm used in this case study.

  • Quantitative Risk Analysis Step-By-Step by Ding Tan - December 23, 2002 

    In this paper, the use of a centralized data table containing reference data and estimating techniques for some of the key variables for determining risks and losses will help to present a stronger case for security improvement to management.

  • How-To Make Linux System Auditing a Little Easier by Paul Santos - September 15, 2002 

    A discussion of various programs and utilities that can be used to audit your Linux system and how to put them all together in one script to make daily system auditing a little easier.

  • Evaluating Untrusted Software In a Controlled Environment by Jeff Reava - June 20, 2002 

    To address the key business concern of "is this software safe to download and use?", a lightweight filtering methodology is proposed that will yield a reasonably reliable answer with a very modest resource and time investment.

  • Proactive Vulnerability Assessments with Nessus by Jason Mitchell - April 26, 2002 

    A discussion of vulnerability scanning in general, what Nessus is all about, how to begin scanning your network, and finally why a vulnerability scanner is an essential component of an effective security model.

  • A Qualitative Risk Analysis and Management Tool - CRAMM by Zeki Yazar - April 11, 2002 

    This paper explains basic components of risk analysis and management processes and mentions different methodologies and approaches, with a thorough look at CRAMM.

  • Conducting a Security Audit of an Oracle Database by Egil Andresen - March 8, 2002 

    Auditing access controls to Oracle databases.

  • Seeking Security: The New Paradigm for Government Agencies by Stephan Chapman - March 1, 2002 

    This guide is divided into five comprehensive activities to be used by "Any-Agency" IT operations personnel to begin to eliminate the security vulnerabilities associated with IT assets.

  • Defining a Risk Assessment Process for Federal Security Personnel by Kathleen Federico - January 26, 2002 

    One goal of this paper is to provide general guidance on security resources for federal information system security officers within a federal agency.

  • An Overview of Threat and Risk Assessment by James Bayne - January 22, 2002 

    The purpose of this document is to provide an overview of the process involved in performing a threat and risk assessment.

  • Auditing Inside the Enterprise via Port Scanning & Related Tools by Bob Konigsberg - January 18, 2002 

    A number of commercial, freeware, demo, and open source tools to maintain and verify the state of all systems on a network are described, along with how best to use those tools to identify problems.

  • Distributed Scan Model for Enterprise-Wide Network Vulnerability Assessment by Alexander Lopyrev - November 27, 2001 

    New 3rd generation scanning tools implement a client/server solution with centralized console to manage remote scanning agents, making it easy to conduct scans on a regular basis and quickly report vulnerabilities.

  • Port Scanning Techniques and the Defense Against Them by Roger Christopher - October 5, 2001 

    A discussion on port scanning and how to limit the exposure of open ports to authorized users as well as deny access to the closed ports.

  • Conducting a Penetration Test on an Organization by Chan Wai - October 4, 2001 

    A methodology for executing penetration testing.

  • System Identification for Vulnerability Assessment by Michael Harris - September 19, 2001 

    A description of one company's journey using existing software utilities to identify the hardware and software that places their network at risk.

  • Footprinting: What Is It, Who Should Do It, and Why? by James McGreevy - August 31, 2001 

    There are many devices available to the hacker to footprint your company's network: use these tools to find the weaknesses before they do.

  • A Perspective on Threats in the Risk Analysis Process by Arthur Nichols - August 31, 2001 

    A close look at one of the initial steps in Risk Analysis, Threat Analysis, demonstrating why it is important in successfully identifying key assets.

  • Footprint Your Intranet by Bob Brown - August 30, 2001 

    Software tools are available to help maintain a current knowledge of an organization's intranet, a network "footprint".

  • The Art of Reconnaissance - Simple Techniques by Sai Bhamidipati - August 18, 2001 

    After reading myriad articles on Internet security and hacking, the author is convinced that every security conscious computer professional must learn the ways of the hacker.

  • Application Security, Information Assurance's Neglected Stepchild - A Blueprint for Risk Assessment by Ted Mina - July 26, 2001 

    In this paper we will focus on how to properly assess the security of application software.

  • Information System Security Evaluation Team: Security Insurance? by Bruce Swartz - July 21, 2001 

    This document proposes an idea that can help certain organizations (those with multiple geographically dispersed entities) establish and maintain a relatively high degree of security and reduce the risk of disruption of business operations.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

Masters - This paper was created by a SANS Technology Institute student as part of their Master's curriculum.