Auditing & Assessment
Featuring 70 Papers as of April 18, 2013
-
Methodology for Firewall Reviews for PCI Compliance
K. Warren - April 18, 2013
The focus of the firewall review methodology described in this document is on ensuring ongoing compliance with PCI DSS rather than compliance at a point in time such as when the PCI assessor is coming.
-
Auditing ASP.NET applications for PCI DSS compliance
Christian Moldes - February 7, 2012
This paper intends to provide specific guidance on how to audit ASP.NET applications and validate that they meet PCI DSS requirements. It does not intend to provide guidance on how to conduct penetration tests on ASP.NET applications, identify secure coding vulnerabilities, or remediate ASP.NET vulnerabilities.
-
Auditing Windows Environments (tags: PowerShell XML output, windows security, ossams)
Cody Dumont - February 7, 2012
A security professional often performs security assessments for customers and will use many tools to collect data. Each tool stores data in a separate format; this requires the assessor to develop a proprietary automated process or use a manual process to correlate all the data.
-
Base64 Can Get You Pwned
Kevin Fiscus - September 12, 2011
Helix Pharmaceuticals is worried about security. In the cutthroat world of multi-billion dollar pharmaceutical companies, industrial espionage is a significant concern. In addition, political and social activists continually attempt to disrupt business as retribution for perceived injustices.
-
Scoping Security Assessments - A Project Management Approach
Ahmed Abdel-Aziz - June 7, 2011
Security assessments can mean different things to different people. This paper will explore what a security assessment is, why it should be done, and how it is different than a security audit.
-
Wireless Networks and the Windows Registry - Just where has your computer been?
Jonathan Risto - May 6, 2011
The Windows Registry stores all of the information that is needed by the host operating system. This database contains all of the configurations, settings and options that are created initially by the operating system, as well as user-configured settings and installed software.
-
Auditing for Policy Compliance with QualysGuard and CIS Benchmarks
Stewart James - February 18, 2011
In today's information security world, most enterprises are either already moving toward or seriously considering moving toward compliance with any number of a variety of security standards that represent best practice (SANS, 2010a). There is always a risk that the efforts to gain compliance with an external body fade after the initial audit is performed. Ongoing reporting and measuring is required to ensure consistent compliance. Once an initial audit is completed, it is possible for people to focus on other areas of their business; unless there are follow-up audits to ensure ongoing compliance, it is quite possible for some items to fall out of compliance. Continual measurement and reporting will aid in raising awareness of any areas that may need addressing.
-
Successful SIEM and Log Management Strategies for Audit and Compliance
David Swift - November 9, 2010
While there are any number of compliance regulations (SOX, GLBA, PCI, FISMA, NERC, HIPAA... see Appendix E for an overview and links to regulations), and auditors follow various frameworks (COSO, COBIT, ITIL... see Appendix F for an overview and reference links), there are a few common core elements to success.
-
Choosing corporate level instant messaging system and implementing audit controls
Mikko Niemelä - September 14, 2010
An instant messaging system (IM) is a type of communications service over the Internet that enables users to exchange messages and presence status. Instant messaging systems are split into two groups: public instant messaging systems and corporate-grade instant messaging systems. The most popular public systems are AOL Instant Messenger, ICQ, MSN Messenger, and Yahoo! Instant Messenger. Corporate-grade leaders are Microsoft Office Live Communications, IBM Lotus Sametime, Skype for business and Jabber (Amman, Mohammad; van Oorschot, P.C., 2005).
-
Outsourced Information Technology Environment Audit
Navaratnasingam Arunanthy - April 27, 2010
Outsourcing was hyped in the mid-90s as one way to reduce IT cost, as well as to gain expertise for better business operations. Today some or many of the information technology activities in many organizations are outsourced. IT outsourcing occurs when an organization contracts a service provider to perform an IT function instead of performing the function itself. The service provider could be a third party or another division or subsidiary of a single corporate entity. Increasingly, organizations are looking offshore for the means to minimize IT service costs and related taxes (CICA, 2003). Outsourced environments are complex and highly integrated with organizations and operations. As complexity increases, managing relationships with service providers becomes challenging. A survey performed by the IT Governance Institute indicates that problems with outsourcers increased from 74 on the Compound Problem Index (CPI) in 2005 to 127 CPI in 2007. The CPI is the result of multiplying the outcomes from the several questions about the IT-related problems experienced by the 749 respondents (ITGI, 2008).
-
Effective Use Case Modeling for Security Information & Event Management
Daniel Frye - March 10, 2010
With today's technology there exist many methods to subvert an information system which could compromise the confidentiality, integrity, or availability of the resource. Due to the abstract nature of modern computing, the only way to be reliably alerted of a system compromise is by reviewing the system's actions at both the host and network layers and then correlating those two layers to develop a thorough view into the system's actions. In most instances, the computer user has no indication of the existence of the malicious software and therefore cannot be relied upon to determine if their system is indeed compromised.
-
One Admin's Documentation is their Hacker's Pentest
Rob VandenBrink - March 8, 2010
This paper describes the background, design and specifics of an automated, script-based documentation system for IT infrastructure called IT-DOCS. We begin with a short background on scripting, outlining the common motives for it: simplifying common, repetitive operations, facilitating repeatability for benchmarks and audits, and supporting training and education. It is felt that the IT-DOCS project fills all three of these goals.
-
Analyzing Enterprise PKI Deployments
Walter Goulet - February 26, 2010
PKI deployments can provide many security services and benefits to enterprises. However, unless the PKI is deployed and operated in accordance with security best practices, the security benefits will not be realized, as attackers can take advantage of weaknesses in the deployment to forge certificates, gain access to the infrastructure and so on.
-
Simple Windows Batch Scripting for Intrusion Discovery
Tim Proffitt - September 29, 2009
Common free tools and automatic batch scripting that can be used to identify an intrusion on a Windows operating system.
-
Post Acquisition Audit in 30 Days
Brad Ruppert - May 4, 2009
This paper will discuss the steps required to develop a high level risk-based post acquisition IT audit and means of conducting the audit in less than 30 days.
-
Auditing Nokia Firewall
Richard Sokal - June 18, 2008
The subjects of this Audit are Nokia IP530 Appliances running Checkpoint Firewall software. The Nokia/Checkpoint firewalls serve as components of the security architecture that protects EastCoast Enterprises corporate information assets from both external and internal threats.
-
Creating a Comprehensive Vulnerability Assessment Program for a Large Company Using QualysGuard
Tim Proffitt - March 31, 2008
With today's global marketplace, companies cannot afford to tarnish their reputation with a public security incident. Corporations can suffer major financial losses if a security incident is encountered in the business. The fear of revenue loss should motivate companies to begin taking proactive measures against vulnerabilities in their infrastructure. Vulnerability assessment is a critical process that should be followed in any organization as a way to identify, assess and respond to new vulnerabilities before those vulnerabilities become a threat.
-
Auditing a Corporate Log Server
Roger Meyer - February 1, 2008
This paper details an audit of a corporate log server. The goal of the audit is to measure if implemented security controls are adequate on the server and to validate the configuration, since prevention is always better than cure.
-
WiFi with BackTrack
Antonio Merola - December 24, 2007
The idea behind this paper is to help auditors (especially those not familiar with Linux) with wireless issues; it is a real hassle getting wireless to work, either simply joining a network as a legitimate client or conducting a wireless audit, along with the plethora of tools available to wireless PenTesters. Before you eventually "go off", after days gone by looking here and there, have a look at this guide; I do really hope you master Wi-Fi with BackTrack after this reading.
-
NSS Vs NDS
Robert Edwards - November 5, 2007
-
Certification and Accreditation: A madman's dilemma - Costs
Robert Edwards - November 5, 2007
-
Certification and Accreditation: A madman's dilemma - Controls
Robert Edwards - November 5, 2007
-
Certification and Accreditation for Dummies
Robert Edwards - November 5, 2007
-
Certification and Accreditation (C&A) Vs System Development Life Cycle Management (SDLC)
Robert Edwards - November 5, 2007
Article published by ISACA in ONLINE Journal dated 1 June 2007.
-
A Taxonomy of Information Systems Audits, Assessments and Reviews
Craig Wright - June 20, 2007
The paper will cover the types, history and basis for each type of service. The paper statistically compares the strengths and weaknesses of each and sets out a scientifically repeatable foundation for the deterministic nomenclature used in the industry.
-
VPNScan: Extending the Audit and Compliance Perimeter
Rob VandenBrink - February 12, 2007
This paper outlines specifically how VPNSCAN was built, with policy and implementation issues found in various customer environments.
-
A Guide to Security Metrics
Shirley Payne - January 18, 2007
This guide provides a definition of security metrics, explains their value, discusses the difficulties in generating them, and suggests a methodology for building a security metrics program.
-
Aligning an information risk management approach to BS 7799-3:2005
Ken Biery - November 13, 2006
This paper discusses the need and importance of information risk management in terms of business and organizational priorities.
-
An Introduction to Information System Risk Management
Steve Elky - June 6, 2006
Key elements of information security risk, offering insight into risk assessment methodologies.
-
A Practical Guide to Auditing an ASP
Johanna Ollinger - May 17, 2005
Auditing an Application Service Provider (ASP) can be a difficult and arduous task for the auditor and auditee alike. Since ASPs service such a wide variety of businesses there may be several regulations that an ASP may be audited against.
-
Sarbanes-Oxley Information Technology Compliance Audit
Dan Seider - May 17, 2005
This paper provides a basic review of the background literature (i.e. extensive but not exhaustive) and develops a process model so that a professional IT Auditor may readily appreciate the subtleties of the Sarbanes Oxley audit process.
-
B.A.S.E. - A Security Assessment Methodology
Gregory Braunton - May 5, 2005
At a fundamental level, much like a chain, the Internet is a collection of organizations' business networks inter-linked that form the digital infrastructure of the world. This infrastructure forms a global information grid that harnesses the potential (good and bad) for any node to access any other node worldwide.
-
Information Systems Security Architecture: A Novel Approach to Layered Protection
George Farah - January 22, 2005
The purpose of this paper is to demonstrate how to develop an information systems security architecture in a complex environment with few security measures in place. The case study illustrated will provide the reader with a set of guidelines that can be used to develop security architecture components that allow for scalable and secure IT infrastructure.
-
The Application Audit Process - A Guide for Information Security Professionals
Robert Hein - January 22, 2005
This paper is meant to be a guide for IT professionals whose applications are audited, either by an internal or external IS audit. It provides a basic understanding of the IS Audit process.
-
Information Systems Security Architecture A Novel Approach to Layered Protection
George Farah - January 19, 2005
The purpose of this paper is to demonstrate how to develop an information systems security architecture in a complex environment with few security measures in place. The case study illustrated will provide the reader with a set of guidelines that can be used to develop security architecture components that allow for scalable and secure IT infrastructure.
-
Using Vulnerability Assessment Tools To Develop an OCTAVE Risk Profile
Andrew Storms - March 25, 2004
Threats to information technology are ever increasing and many organizations are spending much money and time in attempting to fix security problems. Before one can think about remediation, assets worth protecting and knowing what to protect those assets from must be defined.
-
Red Teaming: The Art of Ethical Hacking
Christopher Peake - December 13, 2003
This paper justifies the need for Red Teaming which is a process designed to detect network and system vulnerabilities and test security by taking an attacker-like approach to system/network/data access, to provide an accurate situational awareness for network/system security.
-
Application of the NSA INFOSEC Assessment Methodology
Kathryn Cross - October 31, 2003
This paper will look at the structure of the NSA INFOSEC Assessment Methodology and provide an example of the use of the IAM for a fictitious firm, GIAC International Schools, Inc.
-
Conducting an electronic information risk assessment for Gramm-Leach-Bliley Act compliance.
Kevin Bong - October 31, 2003
The process involves listing each technology and vendor service and categorizing these systems based on the data they process or store.
-
Security Program Management and Risk
Archie Andrews - October 31, 2003
This paper argues for building a security management program on a foundation of business risk assessment and risk management. It defines and explains risk, risk assessment, risk management and relates business risk management to security risk management.
-
Strategies for Improving Vulnerability Assessment Effectiveness in Large Organizations
Robert Huber - October 31, 2003
This paper will detail how to reduce the impact of the vulnerability assessment program in your organization, how to provide actionable items to those responsible for performing the work, how to effectively reduce high risk, and how to provide senior management with metrics that show actual risk reduction.
-
Application Security, Information Assurance's Neglected Stepchild - A Blueprint for Risk Assessment
Ted Mina - October 31, 2003
In this paper we will focus on how to properly assess the security of application software.
-
Information System Security Evaluation Team: Security Insurance?
Bruce Swartz - October 31, 2003
This document proposes an idea that can help certain organizations (those with multiple geographically dispersed entities) establish and maintain a relatively high degree of security and reduce the risk of disruption of business operations.
-
The Art of Reconnaissance - Simple Techniques
Sai Bhamidipati - October 31, 2003
After reading myriad articles on Internet security and hacking, the author is convinced that every security conscious computer professional must learn the ways of the hacker.
-
Footprint Your Intranet
Bob Brown - October 31, 2003
Software tools are available to help maintain a current knowledge of an organization's intranet, a network "footprint".
-
Footprinting: What Is It, Who Should Do It, and Why?
James McGreevy - October 31, 2003
There are many devices available to the hacker to footprint your company's network: use these tools to find the weaknesses before they do.
-
A Perspective on Threats in the Risk Analysis Process
Arthur Nichols - October 31, 2003
A close look at one of the initial steps in Risk Analysis, Threat Analysis, demonstrating why it is important in successfully identifying key assets.
-
System Identification for Vulnerability Assessment
Michael Harris - October 31, 2003
A description of one company's journey using existing software utilities to identify the hardware and software that places their network at risk.
-
Conducting a Penetration Test on an Organization
Chan Wai - October 31, 2003
A methodology for executing penetration testing.
-
Port Scanning Techniques and the Defense Against Them
Roger Christopher - October 31, 2003
A discussion on port scanning and how to limit the exposure of open ports to authorized users as well as deny access to the closed ports.
-
Distributed Scan Model for Enterprise-Wide Network Vulnerability Assessment
Alexander Lopyrev - October 31, 2003
New third-generation scanning tools implement a client/server solution with a centralized console to manage remote scanning agents, making it easy to conduct scans on a regular basis and quickly report vulnerabilities.
-
Auditing Inside the Enterprise via Port Scanning & Related Tools
Bob Konigsberg - October 31, 2003
A number of commercial, freeware, demo, and open source tools to maintain and verify the state of all systems on a network are described, along with how best to use those tools to identify problems.
-
An Overview of Threat and Risk Assessment
James Bayne - October 31, 2003
The purpose of this document is to provide an overview of the process involved in performing a threat and risk assessment.
-
Seeking Security: The New Paradigm for Government Agencies
Stephan Chapman - October 31, 2003
This guide is divided into five comprehensive activities to be used by "Any-Agency" IT operations personnel to begin to eliminate the security vulnerabilities associated with IT assets.
-
Case Study - TruSecure Security Certification
David Vos - October 31, 2003
This paper describes the security certification process conducted by TruSecure Security Corporation on a company called K-Co; a fictitious name used to protect the innocence of the financial firm used in this case study.
-
Proactive Vulnerability Assessments with Nessus
Jason Mitchell - October 31, 2003
A discussion of vulnerability scanning in general, what Nessus is all about, how to begin scanning your network, and finally why a vulnerability scanner is an essential component of an effective security model.
-
Information Classification - Who, Why and How
Sue Fowler - October 31, 2003
This paper will clarify who should be determining appropriate company protection needs.
-
Evaluating Untrusted Software In a Controlled Environment
Jeff Reava - October 31, 2003
To address the key business concern of "is this software safe to download and use?", a lightweight filtering methodology is proposed that will yield a reasonably reliable answer with a very modest resource and time investment.
-
How-To Make Linux System Auditing a Little Easier
Paul Santos - October 31, 2003
A discussion of various programs and utilities that can be used to audit your Linux system and how to put them all together in one script to make daily system auditing a little easier.
-
Quantitative Risk Analysis Step-By-Step
Ding Tan - October 31, 2003
In this paper, the use of a centralized data table containing reference data and estimating techniques for some of the key variables for determining risks and losses will help to present a stronger case for security improvement to management.
-
A Qualitative Risk Analysis and Management Tool - CRAMM
Zeki Yazar - October 31, 2003
This paper explains basic components of risk analysis and management processes and mentions different methodologies and approaches, with a thorough look at CRAMM.
-
The Institutional Need for Comprehensive Auditing Strategies
Steward Milus - October 31, 2003
This paper examines the challenges in today's regulatory environment for financial institutions (primarily from the large institution's perspective, since they undergo the greatest scrutiny) and makes the argument that a high level, comprehensive auditing strategy is needed to allow organizations to respond effectively.
-
Security Auditing: A Continuous Process
Pam Page - October 31, 2003
This paper will help you determine how to successfully configure your W2K file and print server, monitor your server, have an action plan and be prepared for a successful security audit on that server. Although this audit will center on W2K servers, the same principles can be applied to other server audits.
-
Network- and Host-Based Vulnerability Assessments: An Introduction to a Cost Effective and Easy to Use Strategy.
Ragi Guirguis - October 31, 2003
The purpose of this research was to investigate a convenient, efficient, and cost-effective method for conducting vulnerability assessments.
-
Data-Centric Quantitative Computer Security Risk Assessment
Brett Berger - October 31, 2003
In this paper a quantitative risk assessment strategy is outlined with brief discussions of threat, risk categories and data classification.
-
Wireless Network Audits using Open Source tools
Edouard Lafargue - October 31, 2003
The intention of this paper is to show that Open Source tools are particularly well-suited for doing WiFi surveys, and will detail a practical setup and the capabilities it offers.
-
Auditing-In-Depth For Solaris
Jeff Pike - October 31, 2003
The goal of this paper is to provide an effective and simple method for in-depth auditing and hardening of Solaris.
-
Security Assessment Guidelines for Financial Institutions
Karen Nelson - October 31, 2003
This paper will discuss the five information security assessment processes, identified by the Federal Financial Institutions Examination Council (FFIEC) and other financial regulators, as core components of a financial institution information security program, especially in fulfilling the Gramm-Leach-Bliley Act (GLBA), and relevant to other, similar requirements.
-
Conducting a Security Audit of an Oracle Database
Egil Andresen - March 8, 2002
Auditing access controls to Oracle databases.
-
Defining a Risk Assessment Process for Federal Security Personnel
Kathleen Federico - January 26, 2002
One goal of this paper is to provide general guidance on security resources for federal information system security officers within a federal agency.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.
All papers are copyrighted. No re-posting or distribution of papers is permitted.
