Security Training
Security Certification
Internet Storm Center
Cyber Security Graduate School
Security Awareness Training
Penetration Testing
Industrial Control Systems
Cyber Defense Foundations
IT Audit
Computer Forensics
Software SecuritySecurity Awareness
Featuring 52 Papers as of May 1, 2013
-
Information Risks & Risk Management
John Wurzler - May 1, 2013
In a relatively short period of time, data in the business world has moved from paper files, carbon copies, and filing cabinets to electronic files stored on very powerful computers.
-
Robots.txt
Jim Lehman - May 31, 2012
Every minute of every day the web is searched, indexed and abused by web Robots; also known as Web Wanderers, Crawlers and Spiders.
-
A Process for Continuous Improvement Using Log Analysis
David Swift - October 26, 2011
A great deal of money has been spent by organizations on security technology, with only moderate success. Technology is often installed, but often left untuned and unmonitored. Though vendors have touted self-defending networks (Gleichauf, 2005), and claimed their products are impervious, reality teaches otherwise.
-
Rationally Opting for the Insecure Alternative: Negative Externalities and the Selection of Security Controls
Craig Wright - September 19, 2011
Absolute security does not exist and nor can it be achieved. The statement that a computer is either secure or not is logically falsifiable (Peisert & Bishop, 2007), all systems exhibit a level of insecurity.
-
Scoping Security Assessments - A Project Management Approach
Ahmed Abdel-Aziz - June 7, 2011
Security assessments can mean different things to different people. This paper will explore what a security assessment is, why it should be done, and how it is different than a security audit.
-
Measuring Psychological Variables of Control In Information Security
Josh More - January 12, 2011
Perceived Control is a core construct used in the psychology field that can be considered an aspect of empowerment (Eklund, & Backstrom, 2006). Effectively, it is a measure of how much control people feel that they have, as opposed to the amount of Actual Control that they may have. It is often paired against constructs such as Vicarious Control and Vicarious Perceived Control, which measure the amount of control that outside entities have over the subject. Often, these are variables measured in the psychology/health field. For example, in the world of medicine, when patients report a lack of perceived control over controllable illnesses such as diabetes (Helgeson, & Franzen, 1997), breast cancer (Helgeson, 1992) and heart disease (Helgeson, 1992), they often do more poorly than patients who feel that they have a greater sense of control over their illness. There is also evidence that students with high perceived control do substantially better academically than those with low, though this seems to also link with emotions surrounding the tasks at hand (Ruthig, Perry, Hladkyj, Hall, & Pekrun, 2008). In short, people who are interested in and excited by what they are doing tend to perform better.
-
Which Disney© Princess are YOU?
Joshua Brower - March 18, 2010
Social engineering takes many form; some obvious, some not so obvious. One not so obvious form is that of questionnairesbe it a knock on the door to answer a survey for a census worker, or a harmless quiz found on a social networking site. Depending upon their content, they can serve as a very powerful means of capturing and correlating information for nefarious purposes.
-
Security Concerns in Using Open Source Software for Enterprise Requirements
Sreenivasa Vadalasetty - October 8, 2009
This paper highlights the security concerns of the end users in considering open source software for their enterprise requirements.
-
Prelude as a Hybrid IDS Framework
Curt Yasm - March 24, 2009
In this paper, I will discuss the Open Source Security Information Management (SIM) system known as Prelude.
-
The Importance of Security Awareness Training
Cindy Brodie - January 14, 2009
One of the greatest threats to information security could actually come from within your company or organization. Inside attacks have been noted to be some of the most dangerous since these people are already quite familiar with the infrastructure. It is not always disgruntled workers and corporate spies who are a threat. Often, it is the non-malicious, uninformed employee (CTG, 2008).
- Making Security Awareness Efforts Work for You Rebecca Fowler - May 20, 2008
-
The Controlled Event Framework for Information Asset Security
Chris Cronin - February 20, 2008
This paper proposes a framework for implementing, operating and testing document security controls within an organization. While much security management is meant to prevent people from doing things they ought not do, a framework is meant to help people do what they ought to do. In the case of the Controlled Event Framework for Information Asset Security, people are directed with some specificity on how to handle documents so they do their work effectively and securely.
-
Data Leakage - Threats and Mitigation
Peter Gordon - October 24, 2007
This paper explores data leakage and how it can impact an organization. Because more forms of communication are being utilized within organizations, such as Instant Messaging; VOIP; etc, beyond traditional email, more avenues for data leakage have emerged.
-
Identity Theft
Ian Wolff - July 2, 2007
The research shows that with the help of technology, legislation and general consumer awareness identity thieves can be thwarted.
-
Social Engineering Your Employees to Information Security
Martin Manjak - December 19, 2006
Information security should be part and parcel of a set of internal controls that govern the processes, operations, and transactions that constitute the life of the organization.
-
Vendor-Supplied Backdoor Passwords - A Continuing Vulnerability
Astrid Todd - May 7, 2005
Vendor-supplied passwords embedded in software/hardware continue to be a securing vulnerability. Securing your network against vendor-supplied backdoor passwords is an ongoing process of staying informed through security mailing lists and bulletins, increased scrutiny of software/hardware before purchase, intense review of vendor documentation, application of vendor-supplied patches, and proper handling of default passwords/accounts.
-
Building a Security Policy Framework for a Large, Multi-national Company
Leslie VanCura - May 5, 2005
Information Security is not just technology. It is a process, a policy, and a culture. Our organization had spent millions of dollars on technology to keep the "bad guys" out, but we had spent little time building the foundations of our Information Security Program.
-
The Role of the Security Analyst in the Systems Development Life Cycle
Brad Gray - May 5, 2005
This paper will proceed in a very logical manner to describe how a sequential development life cycle increases in depth as security is applied. Each major portion of the paper will address a phase of the system development lifecycle.
-
A Discussion of Spyware
Patria Leath - January 28, 2005
The insidious nature of spyware combined with the lack of user awareness and spyware's potential for surveillance, data gathering and system hijacking pose a threat to home users and businesses. Commercial interests, the technology industry, consumers and legislators must combine efforts to address this threat.
-
Developing a Security-Awareness Culture - Improving Security Decision Making
Chris Garrett - January 18, 2005
CIOs, managers and staff are faced with ever increasing levels of complexity in managing the security of their organizations and in preventing attacks that are increasingly sophisticated. As individuals we are subjected to enormous amounts of information across broad ranges of subjects, for example, security policies, new technologies, new patches, new threats, new sources of information, the list is endless.
-
Examination of PC security: How we got where we are and how to fix it
Thomas Sprinkmeier - November 30, 2004
This essay explores the reasons for the poor state of PC security that currently exists. This essay focuses on the end users rather than the administrators. Threats and solutions are examined form an end-user's perspective.
-
Moving from Consciousness to Culture: Creating an Environment of Security Awareness
Mary Munley - July 25, 2004
Although the aftermath of September 11th has brought to the forefront the realization that security threats are real, most companies are still far from creating a culture of security awareness within their organizations.
-
Overview of Security Issues Facing Computer Users
Michael Boeckeler - June 9, 2004
Every security safeguard a computer user takes will reduce the number of people skilled enough to break into their computer. After all, there are a finite number of people who have the skill required to break into computer systems.
-
Vendors and External Outsource Providers How Safe is Your Companys Confidential Data
Stan Gucwa - March 9, 2004
Let us assume your business is fairly accomplished in the Risk Assessment evolutionary ladder. Perhaps your company already assesses its network configurations regularly, all the applications in use have been reviewed for stringent security guidelines, maybe the IT team has even classified all your corporate information assets, and the vulnerability assessments are complete.
-
The Many Facets of an Information Security Program
Robert Behm - March 9, 2004
This document is a review of the various programs and processes that should be in place within any organization for the protection of their information assets. The many areas of any organization's security program play key roles in supporting the certification and accreditation (C&A) process of an organization's information assets.
-
System Vulnerability Mitigation
Kevin Vasquez - March 4, 2004
This essay addresses various facets of IT security and offers insight into the different areas that should be considered when attempting to adequately protect a system.
-
Securing Wireless Networks for HIPAA Compliance
Daniel Odorisio - March 3, 2004
The intent of this paper is to discuss wireless networks and why it is useful to organizations, namely healthcare organizations. Once we have established the foundation for why we need wireless, we will cover the vulnerabilities and problems with wireless networks.
-
The Relevance of Quantum Cryptography in Modern Cryptographic Systems
Christoph Guenther - March 3, 2004
This paper explains the basic principles of quantum cryptography and how these principles apply to quantum key distribution. One specific quantum key distribution protocol called is described in detail and compared to traditional (nonquantum) cryptographic systems.
-
Attacks Against The Mechanical Pin Tumbler Lock
Craig Kawaga - March 3, 2004
This paper examines an overview of the common pin tumbler lock and the five methods to exploit them. Pin tumbler locks are found in a vast majority of residential, commercial, government and educational institutions.
-
Distributed Computing: An Unstoppable Brute Force
Michael Hill - March 2, 2004
Distributed computing allows groups to accomplish work that was not feasible before with supercomputers, due to cost or time constraints. Although the primary functions of distributed computing systems is to produce needed processing power to complete complex computations, distributed computing also reaches outside of the processing arena to other areas such as network usage.
-
Creating the effective Security Awareness Program and Demonstration
Fred Hinchcliffe - October 31, 2003
Statistics gathered at the writing of this document indicate there are in excess of 160,000,000 computers that have access to the internet in some way.
-
Awareness, A Never Ending Struggle
Douglas Alred - October 31, 2003
This paper provides examples the importance of computer security awareness training and discusses some key points to any successful awareness program.
-
awareness, quality assurance, security, techniques, implement, sans, white paper
Elizabeth Stanton - October 31, 2003
This paper discusses how quality is the responsibility of the whole organization and security is a part of the totality of quality of a system, implicit in customers' expectations.
-
Developing an Integrated Security Training, Awareness, and Education Program
Courtney Gilbert - October 31, 2003
This essay describes how to successfully implement a comprehensive Security Training, Awareness, and Education program within a federal arena and further illustrates these processes are applicable and utilized in commercial organizations as well by using the Instructional System Design (ISD) process or model.
-
Selling Security To Management
Jeff Hall - October 31, 2003
This document will help you understand how to create presentations that will engage management and will discuss the common presentation pitfalls that befall technology people.
-
Security Awareness Training and Privacy
Michelle Johnston - October 31, 2003
An organization's security policy sets the standard for the way in which critical business information and systems will be protected from both internal and external threats.
-
The Ultimate Defense of Depth: Security Awareness in Your Company
Brian Voss - October 31, 2003
By including the human factor in your security infrastructure via an effective Security Awareness Program, you will be implementing the ultimate defense of depth.
-
Security Awareness Training Quiz - Finding the WEAKEST link!
David Sustaita - October 31, 2003
This paper discusses the need to employ not only an company wide security overview but also put in place a testing mechanism to make sure their employees understand the basics of computer security.
-
Secure This: Organizational Buy-in (A communications approach)
Wendy Ady - October 31, 2003
This paper will discuss the importance and recommend methods for soliciting and securing the organization's executive buy-in using a communications theory perspective.
-
Ghosts in the machine: The who, why, and how of attacks on information security
Cary Barker - October 31, 2003
To provide the best security one, needs to know the enemy: who they are, why they are attacking, and how they attack.
-
The Need for Information Security in Today's Economy
Jeff Tarte - October 31, 2003
The role of Information Security is essential for the protection of consumers, businesses, governments, and the U.S. and World economy from the threats caused by the natural advancement of Information Technology and society as we know it.
-
Community Policing on the Internet
Tim Brown - October 31, 2003
This paper applies the principles of community policing and crime prevention to the Internet and details establishing relationships between law enforcement and potential victims, their individual roles and responsibilities, and some of the problems the relationship may alleviate such as fears a victim may have concerning the reporting of cybercrime.
-
Introduction and Education of Information Security Policies to Employees in My Organization
Harbinder Kaur - October 31, 2003
This paper discusses a regional Information Security Office in Asia Pacific, setup to introduce the Information Security Policies to all Asia Pacific staff and educate them on these policies.
-
Essential Information Security For Corporate Employees
Lloyd Guyot - October 31, 2003
This paper was written to raise security awareness and provide corporate employees with essential security information that emphasizes critical issues surrounding an implementation of security "best practices" throughout an organization.
-
Security Awareness Starts in IT
William Farrar - October 31, 2003
This practical defines the current state of business operations, security design function, introduction policy development, security awareness, and communicates our new found knowledge to the IT security design team.
-
Modeling the Silicon Curtain
John Saunders - October 31, 2003
This paper presents the available range of modeling and simulation capabilities in Information Assurance and establishes some principles for extending these capabilities into the community.
-
Security Awareness: Help the Users Understand
Kenton Smith - October 31, 2003
The purpose of this paper is to give you a guideline that you can use to put on a basic security awareness workshop.
-
License to Surf?
Eddy Vanlerberghe - October 31, 2003
This paper discusses the similarity between car and computer evolutions, used to highlight security shortcomings in today's personal computer usage, as well as hint at possible remedies.
-
Methods and Techniques of Implementing a Security Awareness Program
William Hubbard - October 31, 2003
This paper will illustrate why security awareness is so important and what it is supposed to accomplish.
-
Security Awareness - Implementing an Effective Strategy
Chelsa Russell - October 31, 2003
This paper examines the importance of security awareness, how it supports the fundamental goals of an information security program and provides a recommendation for implementing an effective security awareness strategy.
-
Consumer Labeling for Software Security
Tom Melton - January 27, 2002
There are steps we can take to improve computer security. For corporate computers, the answer is twofold: make security a priority for the organization and get security expertise either by hiring or training.
-
Data Center Physical Security Checklist
Sean Heare - December 1, 2001
This paper presents an informal checklist compiled to ascertain weaknesses in the physical security of the data centers that their organization utilizes.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.
All papers are copyrighted. No re-posting or distribution of papers is permitted.
Masters This paper was created by a SANS Technology Institute student as part of their Master's curriculum.
