Featuring 64 Papers as of January 20, 2016
Implementing Least Privilege in an SMB
by Tim Ashford - January 20, 2016
To better understand the problem at hand, it is perhaps best to look at how SMBs got to where they are today, in terms of privileged account access at the desktop.
Two-Factor Authentication (2FA) using OpenOTP
by Colin Gordon - July 17, 2015
This guide is for security-aware individuals who wish to learn the theory behind user- based two-factor (or multifactor) authentication systems, also known as 2FA. Here we will discuss how 2FA systems work, and how to implement 2FA into a small, virtualized environment for testing purposes. By implementing 2FA, the hope is to enhance the cyber toolkit for administrators who wish to help mitigate the effects of user password theft by cyber intrusion. By following the steps outlined here, the reader should be able to comfortably configure a user account already existing in a Microsoft® Active Directory® (AD) environment to use the Google Authenticator application on his/her smartphone to authenticate with AD username and password+token for remote VPN access.
Implementing a Shibboleth SSO Infrastructure
by Rich Graves - November 17, 2014
Secure authentication and authorization across organizational boundaries is a hard problem. Consider an academic publisher that wishes to make scientific journals available to currently enrolled students, but not staff, faculty, or alumni, at universities that have paid a site license fee. Students could register with a site-specific username and password - though such credentials are likely to be shared or forgotten, diminishing security and increasing user frustration and support burden.
Beyond the cookie: Using network traffic characteristics to enhance confidence in user identity
by Courtney Imbert - August 19, 2014
Throughout history, authenticating to a computer system was simple: the user provided credentials, the system checked the credentials against a trusted source, and the system permitted or denied access to a protected resource.
Implementing IEEE 802.1x for Wired Networks
by Johan Loos - March 14, 2014
Most companies do not have an extra of security layer in place when client computers are connecting to a wired network.
An Architecture for Implementing Enterprise Multifactor Authentication with Open Source Tools
by Tom Webb - January 2, 2014
We are all familiar with how password authentication works as we log into dozens of systems each day to check email or view bank account balance.
The Dangers of Weak Hashes
by Kelly Brown - November 20, 2013
In June of 2012 a hacker posted more than 8 million passwords to the internet belonging to LinkedIn and eHarmony (Goodin, 2012).
SSL/TLS: What's Under the Hood
by Sally Vandeven - August 19, 2013
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are both protocols used for the encryption of network data.
Daisy Chain Authentication
by Courtney Imbert - August 8, 2013
"Daisy chain authentication", a term originally coined by Wired writer Mat Honan, is defined as an attacker using normal but alternative authentication methods to break into an account, building upon public or previously compromised data to gain access to other accounts.
SANS Institute Product Review: Self-Service Provisioning Made Simple: A Review of Oracle Identity Manager 11g R2
by Dave Shackleford - October 22, 2012
- Sponsored By: Oracle
Review of Oracle Identity Manager (OIM) 11g R2, an enterprise IAM product that offers end users a personalized experience through a friendly interface, while managing workflow approvals and executing changes at both the user and administrator levels.
SANS Institute Product Review: Demystifying External Authorization: Oracle Entitlements Server Product Review
by Tanya Baccam - April 20, 2012
- Sponsored By: Oracle
Product review of Oracle Entitlements Server (OES) -- a solution that provides flexibility in access control allowing for dynamic changes, understands multiple systems and applies complex rules in a flexible manner.
Adding Enterprise Access Management to Identity Management
by J. Michael Butler - October 4, 2011
- Sponsored By: FoxT
This paper discusses the difference between IDM and EAM and explains how these two enterprise functions can work together for better control of access to operating systems, applications and related data.
Kerberos Token Size and DoS
by Joshua Sprenger - July 25, 2011
Kerberos has been the default authentication protocol for Windows since XP/2000. Although the protocol enjoys many benefits over its predecessors, it does have some weaknesses. One unintended weakness of Kerberos is the ability of the Kerberos token size to grow to the point where Denial of Service (DoS) issues arise. This is especially prevalent in large enterprises where during the 10 years that Kerberos has been the primary Windows protocol, some users have found their accounts to be members of several hundred groups. The result of this scenario includes inability to use important company resources such as Exchange Servers and the ability to authenticate to web sites. Additionally, this weakness can be used maliciously to cause widespread DoS throughout an enterprise.
Extending Role Based Access Control
by J. Michael Butler - April 29, 2011
- Sponsored By: FoxT
This paper discusses advantages and disadvantages of RBAC, along with options to consider when planning to extend RBAC to allow for centralization and standardization in a heterogeneous environment of multiple, diverse operating systems.
Smart Strategies for Securing Extranet Access
by Dave Shackleford - March 1, 2010
- Sponsored By: Oracle
This paper discusses how to use risk-based authentication and entitlement management to enforce authentication security and achieve granular authorization using centralized role-based policies.
Two-Factor Authentication: Can You Choose the Right One?
by Emilio Valente - May 1, 2009
The focus of this paper is enterprise solutions for two-factor authentication.
OS and Application Fingerprinting Techniques
by Jon Mark Allen - October 22, 2008
This paper will attempt to describe what application and operating system (OS) fingerprinting are and discuss techniques and methods used by three of the most popular fingerprinting applications: nmap, Xprobe2, and p0f.
Simple Formula for Strong Passwords (SFSP) Tutorial
by Bernie Thomas - May 17, 2005
The practice of using passwords for user authentication exposes organizations' and individual users' data to disclosure alteration and/or destruction. However, a large portion of the security issues that make this true can be satisfactorily addressed using a simple method that I would like to introduce as the Simple Formula for Strong Passwords (SFSP) [Note 1].
Installing a Secure Network DHCP Registration System
by Pam Fournier - May 5, 2005
One limitation of DHCP is that there is no accountability for IP address usage. NetReg is a Network DHCP Registration System which provides a means of linking user information to MAC and IP addresses on the network.
Secure implementation of Enterprise single sign-on product in an organization
by Ravikanth Ponnapalli - January 18, 2005
Single Sign-On is a very important component of the security architecture of an organization. In IT, it is generally believed that it is expensive to deploy an enterprise Single Sign-On solution that is secure and scalable. However, there is a growing awareness in IT management about the advantages of implementation of enterprise Single Sign-On.
An Exploration of Voice Biometrics
by Lisa Myers - July 25, 2004
Biometrics is, in the simplest definition, something you are. It is a physical characteristic unique to each individual. Using biometrics to identify individuals is a practice as old as ancient Egypt. Today, it is becoming more and more popular to use biometrics to identify people and authenticate them for access to secure areas and systems.
Single Sign On Concepts & Protocols
by Sandeep Sandhu - March 25, 2004
This paper describes the characteristics and concepts of a few important protocols and technologies that have been used for implementing authentication and single sign-on (SSO) mechanisms for computer networks.
Dont Blink:Iris Recognition for Biometric Identification
by Mary Dunker - March 8, 2004
This paper explores the origins of iris recognition, how it works, how it stacks up against other forms of biometric identification and what is required to perform the identification.
Biometrics: An In Depth Examination
by Kyle Cherry - March 2, 2004
The purpose of this paper is to give the reader a good foundational understanding of biometric security systems. The intent is not to make the reader an expert in any one system.
Convergence of Logical and Physical Security
by Yahya Mehdizadeh - January 11, 2004
This paper will demonstrate that the convergence of logical and physical security brings significant benefits, specifically identifying areas where the two can interconnect to the greatest positive effect, and also recommends practical steps to take in this direction.
Preventing the fraudulent use of Internet DSL accesses by dial-up accounts: a network authentication issue.
by Bruno Germain - October 31, 2003
This document provides details of a typical deployment between DSL providers and ISPs in order to highlight the areas of vulnerability of the model.
Strengthening Authentication with Biometric Technology
by Tricia Olsson - October 10, 2003
This paper looks at the danger and cost of identity theft, uncover the problem with current authentication practices, demonstrate how a biometric solution can be used to provide stronger authentication, and look at the added benefit of using multiple factor authentication practices.
Considerations For Implementing Single Sign-On Within The Enterprise
by Russell Hobbs - October 6, 2003
The goal of this paper is to provide insight into many important areas that should be considered before implementing an enterprise SSO system.
Common issues in PKI implementations - climbing the "Slope of Enlightenment"
by Angela Keith - September 8, 2003
This paper is an attempt to go beyond the many conceptual papers published about Public Key Infrastructure (PKI) and look at the actual problems experienced when implementing it.
Biometric Scanning Technologies: Finger, Facial and Retinal Scanning
by Edmund Spinella - August 22, 2003
This paper discusses several Biometric scan technologies: finger-scan, facialscan and retinal-scan.
Passwords are DEAD! (Long live passwords?)
by David Beverstock - August 8, 2003
Following a brief history and definition of passwords, this paper will show three properties of passwords that render passwords risky or unsuitable for use.
L is for Login
by Carolee Rand - August 8, 2003
This paper will look at login commands, authentication mechanisms, passwords and password management programs used in several UNIX platforms, highlighting aspects of Solaris 8 and Red Hat Linux (RH) 7.3.
Identity Protection and Smart Card Adoption in America
by Stephen Irwin - July 14, 2003
This paper will address smart card technology as a viable alternative to present financial and identity standards, and why it will be woven into the American identity fabric over the next decade.
It's All About Authentication
by Douglas Graham - June 3, 2003
This paper categorizes and then simplifies some of the core fundamentals of electronic security controls and mechanisms and concludes that authentication is the single most important aspect in information security.
by Kevin Kaufman - June 3, 2003
Information security magazines of all nature are publishing more and more articles about identity management and improved access control measures.
Shedding some light on Voice Authentication
by Dualta Currie - April 4, 2003
This paper attempts to explain, in non -technical language, the technologies behind one particular type of biometric authentication, voice authentication.
An Introduction to Identity Management
by Spencer Lee - March 22, 2003
The purpose of this document is to offer a broad overview of current identity management technologies and provide a framework for determining when an identity management system would benefit your company.
Biometrics: Are YOU the Key to Security?
by Patricia Wittich - February 26, 2003
This paper will discuss the concepts behind the emerging biometrics craze along with its efficiency, cost, privacy issues, and success versus failure rate.
In Pursuit of Liberty?
by Randy Mahrt - February 26, 2003
This paper explores the Liberty specification version 1.0 that was released on July 15, 2002.
Iris Recognition: Closer Than We Think?
by Miltiades Leonidou - September 24, 2002
This overview covers the new and emerging biometric technique of Iris Recognition, with focus on image processing and computer vision aspects. Algorithms, systems and their experimental results will be reported.
Combating the Lazy User: An Examination of Various Password Policies and Guidelines
by Sam Wilson - September 16, 2002
This paper demonstrates that many published policies and guidelines will allow for the creation of weak passwords by lazy or inexperienced users. This paper also makes recommendations by which the Security Administrator can improve the strength of the passwords which are created by the users on his system.
Single Sign On Through Password Synchronization
by Nancy Loveland - September 3, 2002
This paper is a case study on a project to provide a Single Sign On (SSO) solution to web based applications that use the mainframe as the data store.
Biometric Selection: Body Parts Online
by Steven Walker - July 26, 2002
The purpose of this paper is to provide information that will assist a biometric implementer evaluate and select biometric technology. The scope of this paper is limited to the selection of biometric technology as an authenticator in a networked environment.
Making Smart Cards Work In the Enterprise
by Brett Lewis - April 4, 2002
The time has come for enterprises to begin considering whether smart cards can be used to improve security in their environments. Smart cards offer a secure and convenient form factor on which employees can carry digital credentials for accessing parking facilities, buildings, computers, and network resources. Indeed, the ability for an employee to carry both physical and logical access credentials can be provided on a single card. Adding to the significance of smart cards, that same card can also be used for employee photo identification, and potentially a multitude of other applications, including encryption, digital signatures, secure storage of employee medical information, and electronic wallet for cafeterias and vending machines. Done right, a single-card solution can provide return on investment in the forms of vastly improved security, reduced need for certain security and IT personnel functions, and customer satisfaction. This paper examines some of the key benefits that can be realized from employing smart cards, and it explains how smart cards can be used to significantly improve both physical and logical security. Additionally, it provides an overview of some strategic infrastructure elements needed to make smart cards work in an enterprise environment, including complimentary technologies, personnel, hardware, software, and perhaps most importantly, policies and procedures.
Biometrics: A Double Edged Sword - Security and Privacy
by Wayne Penny - March 18, 2002
This paper presents an overview of biometrics in general and describes some of the issues related to biometrics vulnerabilities and security, and its other side, the protection of one's privacy. It considers that for biometrics to be publicly accepted, implementations will require cooperation between organizations and individuals, working with developed open standards that meet the demand for security and demonstrate the protection of personal privacy.
Iris Recognition Technology for Improved Authentication
by Penny Khaw - March 7, 2002
Iris recognition technology does provide a good method of authentication to replace the current methods of passwords, token cards or PINs and if used in conjunction with something the user knows in a two-factor authentication system then the authentication becomes even stronger.
Smart Cards: How Secure Are They?
by John Abbott - March 1, 2002
The author looks at the history, types and uses of smart cards and how they may be vulnerable. Since smart cards were never designed to be standalone systems, the author examines some of the applications that have incorporated smart cards into their design to see how they work, looks at the motivation for why they might be threatened, reviews some of the documented attacks, and puts forth a cost/benefit analysis of incorporating smart cards. Finally, there is a determination of how secure smart cards really are.
Web Single Sign-On Meets Business Reality
by Tim Mather - February 18, 2002
This paper discusses some of the real-world operational challenges in getting a Web-only SSO deployed, starting with the impetus for why to deploy SSO; some considerations in vendor selection; operational considerations in a deployment, including challenges with having SSO and load balancing work effectively together; and, some compensating security controls.
Java Smart Cards Are Here To Stay: Benefits And Concerns
by Sonia Otero - February 16, 2002
In this paper, the author describes the extensive security layers involved in Java smart cards, as well as their vulnerabilities. The conclusion is that the benefits seem to outweigh the disadvantages, since certain sectors of society have already accepted the risks.
Build a Web Interface to Allow Users to Change their Passwords (The Web Password Page)
by Mark Holbrook - January 26, 2002
The purpose of this paper is to show you (the System Administrator) how to break free from the mundane task of periodically changing user passwords (in keeping with good security practices from GIAC Security Essentials). This document is designed to show you step-by-step how to build a web page for users to update their passwords on a UNIX or Windows server, easily, securely and without spending too much money on software!
Securing Access: Making Passwords a Legitimate Corporate Defense
by David Sherrod - January 15, 2002
This paper outlines four easy steps to secure access to your systems using strong passwords, even those selected by users.
Biometric Technology Stomps Identity Theft
by Seyoum Zegiorgis - January 7, 2002
This paper discusses the benefits of implementing a biometric technology product--one more tool for safeguarding the information assets and key installations of an organization--the privacy issues associated with the deployment of a BTP
More Than a Pretty Face, Biometrics and SmartCard Tokens
by Gregory Williams - December 24, 2001
This paper will address many of the types of Biometrics available as well as the use of smart card technology.
Authentication and Authorization: The Big Picture with IEEE 802.1X
by Arthur Fisher - December 21, 2001
This paper explores how Auth-x brings authentication and authorization down to a port level, enabling true privilege-based management of network services.
Biometrics and User Authentication
by Michael Zimmerman - December 17, 2001
The purpose of this paper will be to look at the use of biometrics technology to determine how secure it might be in authenticating users, and how the users job function or role would impact the authentication process or protocol. We will also examine personal issues of privacy in the methods used for authentication; the cost of implementing a biometrics authentication system; the efficiency of biometrics authentication; and the potential for false positive or negative recognition of individual users.
A Concept for Universal Identification
by Daniel Williams - December 13, 2001
The goal of this paper is to provide a detailed look at a new perspective for a unified, secure and consolidated form of personal identification. The advanced yet inexpensive technology exists today to step up modern identification to the next level.
Technical Aspect of Implementing/Upgrading SAP Security 4.6
by Mary Sims - November 15, 2001
This paper will discuss the technical aspect of securing the SAP environment and, even more specifically, the details of controlling security for the SAP Release 4.0 and above.
An Overview of Different Authentication Methods and Protocols
by Richard Duncan - October 23, 2001
This overview will generalize several Authentication Methods and Authentication Protocols in hopes of better understanding a few options that are available when designing a security system.
Inadequate Password Policies Can Lead to Problems
by Leonard Hermens - October 10, 2001
This paper explores how, overall, the security administrator's duty is to reasonably ensure the security of the network, and how he/she can do this by setting effective password policies
Password Protection: Is This the Best We Can Do?
by Jason Mortensen - August 20, 2001
This paper explores how a combination of user education, strict password policies, encrypted network traffic, onetime passwords, Public-Key Infrastructure systems, and the use of biometrics, authentication can make computer systems less vulnerable to attacks.
Clear Text Password Risk Assessment Documentation
by Kimberly Rallo - August 16, 2001
This paper will present a risk assessment on sending clear text passwords across an enterprise network.
Overview of S/Key usage with OpenBSD
by Christian Lecompte - July 21, 2001
An evaluation of S/Key usage and integration with the The OpenBSD Operating System.
by Ali Merayyan - July 16, 2001
The author discusses protecting data by denying direct physical access onto a user's computer; that is, protect sensitive data terminals from being used by unauthorized users.
Biometrics: Technology That Gives You a Password You Can't Share
by Yevgeniy Libov - July 9, 2001
This paper examines biometrics technology as a means for making user authentication more secure based on a unique identifier, the fingerprint.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact firstname.lastname@example.org.
All papers are copyrighted. No re-posting or distribution of papers is permitted.