Reading Room

Security Basics

Featuring 82 Papers as of June 14, 2013

• • Overview
  • Download
  Web Application Injection Vulnerabilities: A Web App's Security Nemesis? Erik Couture - June 14, 2013

  An ever-increasing number of high profile data breaches have plagued organizations over the past decade.

• • Overview
  • Download
  Surfing the Web Anonymously - The Good and Evil of the Anonymizer Peter Chow - October 8, 2012

  Companies of all sizes spend large amounts of time, resources, and money to ensure that their network resources and Internet connections are not being misused.

• • Overview
  • Download
  Recovering Security in Program Management Howard Thomas - October 3, 2012

  Few Information Security (InfoSec) professionals get the opportunity to build a program from the ground up. Whether brought in to maintain, enhance, or fix an existing environment, most inherit a security situation not of their own making.

• • Overview
  • Download
  Using SNORT® for intrusion detection in MODBUS TCP/IP communications Javier Jimenez Diaz - December 19, 2011

  Not long ago, analog and purpose built communications systems use to be prevalent technologies on industrial plants. It wasnt common to find either interoperability or compatibility among them. In the 70s communication Networking began to be used in Direct Digital Control (Berge Jonas, 2004).

• • Overview
  • Download
  Scoping Security Assessments - A Project Management Approach Ahmed Abdel-Aziz - June 7, 2011

  Security assessments can mean different things to different people. This paper will explore what a security assessment is, why it should be done, and how it is different than a security audit.

• • Overview
  • Download
  Measuring effectiveness in Information Security Controls Manuel Humberto Santander Peláez - July 6, 2010

  The risks in the business environment of companies and international regulations have made companies incorporate as business process the aspect of information security. Like all processes, it needs to get assigned resources and budget to ensure proper implementation. Because the objective of the security process is to minimize exposure to risk it is important to determine the effectiveness of the implemented controls. How do you measure if the security controls in place are effective? How do you justify the budget to augment or improve existing controls? It is important to show the organization that the requested funds will be invested in preventing the issues that can materialize an information risk against any of the core business processes. This paper illustrates how to define indicators to measure the exposure to information risks in the company processes.

• • Overview
  • Download
  Preparing to face new vulnerabilities Jacelyn Faucher - June 25, 2008

  This document illustrates the benefit of being prepared to deal with new vulnerabilities. We don't really know when that's going to happen, but it will. Let's look at a typical scenario: Monday morning, panic is in the air. The boss heard the existence of a big new vulnerability on the radio on his way to work.

• • Overview
  • Download
  Firefox VS Windows Internet Explorer Robert Comella - January 29, 2008

  In my years as an IT professional I can not tell you the number of times I have had a client ask, When you go online, do you use Internet explorer? Are there any other choices? Are they better? In the world of computers, indeed in most professions, it is rare that you can give a straight short answer to any question. Eagerly I answer the first two questions with No and ABSOLUTELY! Unfortunately the last is a little harder to answer and its best short answer is, it depends. That, of curse, begs the question, On what does it depend? and that is what this paper examines.

• • Overview
  • Download
  Computer Security Education The Tool for Today Ian Burke - October 25, 2007

  ecurity education, for a long time, has been seen as a thing reserved for security professionals. The Computer Security Act of 1987 put forward for the National Institute of Standards and Technology to create standards and guides for security awareness and training. This act was the first of a string of legislation that would place mandates around security education for non-security professionals. This trend illustrated newfound awareness in the community and in the world around computer security.

• • Overview
  • Download
  GCFW Practical Assignment Critique Bart Hubbs - March 9, 2005

  The purpose of this practical is to critique a GIAC Certified Firewall Analyst (GCFW) practical to enable implementation in a public healthcare company.

• • Overview
  • Download
  Network Security- A Guide for Small and Mid-sized Businesses Jim Hietala - January 26, 2005

  The objective of this paper is to educate both IT staff and senior management for small-medium sized businesses (SMB's) as to the network security threats that exist. The paper presents a digest of industry best practices for network security, which will hopefully assist SMB's in setting priorities for securing the perimeter of a typical SMB network.

• • Overview
  • Download
  Transmission Media Security Charles Esparza - January 18, 2005

  When studying for any security certification the topic of transmission media is always present, it is one of the many sources of attacks that can be made by exploiting the media that the transmissions are made over. In this paper I will discuss the various types of media commonly used to connect computers into networks and analyze the many vulnerabilities of the different media types.

• • Overview
  • Download
  Introduction to Host Based Cyber Defense Roy Nielsen - January 17, 2005

  There is a lot of attention given in the computer security community to network security. Viruses, trojans, spyware and other malware come from the computer network. IT departments often concentrate on network firewalls, IDS and IPS systems to protect their network.

• • Overview
  • Download
  The State of Patching Windows Rafael Cappas - July 25, 2004

  Patching is something that everyone tells you to do but find people really don't understand it. There was a time, not long ago, when security vulnerabilities became known and finding patches for them were difficult. One had to scour Usenet looking for further information and dig through FTP servers for fixes.

• • Overview
  • Download
  Information Security For Churches and Small Non-Profit Organizations Jay Petel - April 8, 2004

  In today's ever changing, better, faster, cheaper world, connectivity to the Internet for churches and other small non-profit organizations is necessary. But, connectivity brings along with it a risk of vulnerability from the same threats that business and educational organizations face.

• • Overview
  • Download
  The Use and Administration of Shared Accounts David Johnson - December 13, 2003

  This paper will discuss the use and security of shared accounts, and some of associated risks of those uses.

• • Overview
  • Download
  We're Lost, But We're Making Good Time! Benjamin Grubin - October 31, 2003

  Vulnerability scanning and intrusion detection technologies have made a huge on improving the information security profession, with metrics by which to judge the organizations security posture - which fosters a questionable level of safety and false sense of security.

• • Overview
  • Download
  Cyberspace Guardians: A Brief Guide to the Recruitment and Training of Security Personnel Amina Claassen - October 31, 2003

  This paper is an overview of the recruitment and training of entry- and intermediate-level information technology (IT) security staff members (referenced here as "security analysts.")

• • Overview
  • Download
  Keep Current With Little Time Robert Taylor - October 31, 2003

  This paper discusses various ways for security professionals to keep secure networks current with less time.

• • Overview
  • Download
  Managing Desktop Security Amran Munir - October 31, 2003

  This document describes the defense mechanism for security of desktops (including notebooks or laptops) in a network computing environment from the approach of security requirements among users, process of implementing and enforcing security policies and technology within an organization.

• • Overview
  • Download
  Kiosks: The Interactive Media Solution, or is it? Lisa Evans - October 31, 2003

  This paper addresses the topic of kiosks utilizing computers require information systems support and security to protect both the business and the customer.

• • Overview
  • Download
  Enhanced Security During Organizational Transitions Denis Lynch - October 31, 2003

  The purpose of this paper is to provoke discussion concerning the requirements for increased security during a period of transition, the threats faced by an organization as it goes through a period of change, as well as appropriate controls that could be implemented to mitigate the risks.

• • Overview
  • Download
  Keeping the Private Intranet Private Michael Wilson - October 31, 2003

  This paper addresses security problems faced by intranet network administrators, how to control those access points and minimize the risk involved.

• • Overview
  • Download
  Making the HelpDesk a Security Asset Douglas Ridgeway - October 31, 2003

  This paper address potential security risks with helpdesks including social engineering, and various methods to reduce the risk of security incidents against the helpdesk.

• • Overview
  • Download
  Defense In Depth Todd McGuiness - October 31, 2003

  This paper will look at three common scenarios, and likely methods for network attacks, and offer countermeasures to protect against these types of attacks.

• • Overview
  • Download
  Security Architecture Model Component Overview Scott Angelo - October 31, 2003

  A successful security architecture combines a heterogeneous combination of policies and leading practices, technology, and a sound education and awareness program.

• • Overview
  • Download
  Security Considerations for Extranets Karen Korow-Diks - October 31, 2003

  This paper identifies potential risks associated with extranets and the actions that can be taken to mitigate against them.

• • Overview
  • Download
  Information Technology Department Network Security Briefing Thad Nobuhara - October 31, 2003

  This paper discusses the role in protecting the corporate network, and the devices connected to the Internet, including employee personal computing devices.

• • Overview
  • Download
  The Password Web Page Curt Kuper - October 31, 2003

  It is important to pick good passwords and change them often. This paper addresses the benefits and merits of the password web page.

• • Overview
  • Download
  Introducing Security to the Small Business Enterprise Jeff Herbert - October 31, 2003

  This discussion paper outlines the issues and constraints that a SBE faces, the common misconceptions managers have regarding Internet security, and how to introduce security to the Small Business Enterprise.

• • Overview
  • Download
  Security - What is Enough? Victoria England - October 31, 2003

  This paper will look at the various layers of security businesses have on offer to them today, which will aid the security policy and look at why they should deploy them.

• • Overview
  • Download
  The Cyber Security Management System: A Conceptual Mapping John Dexter - October 31, 2003

  This paper looks at the cyber security management process as a complex system of interrelated elements and demonstrates the use of concept mapping techniques to expand our knowledge of the system as a whole, and of policy and technology in particular.

• • Overview
  • Download
  Security Lifecycle - Managing the Threat Mark King - October 31, 2003

  This paper addresses the security elements that make up a lifecycle, categorized into three areas, Prevention, Detection and Response and how they apply to the overall security posture of the organization.

• • Overview
  • Download
  Obtaining Better Results from Distributed Environment Security Programs Rhonda Manter - October 31, 2003

  This paper examines common barriers to achieving desired results from information security programs in mid-to-large-sized corporations.

• • Overview
  • Download
  Protection of Information Assets Odd Nilsen - October 31, 2003

  This paper focuses on the protection of information assets, addressing both physical and logical access exposures and controls.

• • Overview
  • Download
  The Need for a REAL Defensive Information Operations Capability Mark Ruchie - October 31, 2003

  This paper examines the need to significantly overhaul the current concept of protection of information in American business, incorporating the military model, referred as Defensive Information Operations (DIO).

• • Overview
  • Download
  Implementing Defense in Depth at the University Level Michael Runnels - October 31, 2003

  This paper discusses how defense in depth was implemented at a university in the Southwest.

• • Overview
  • Download
  A Certification and Accreditation Plan for Information Systems Security Programs (Evaluating the Eff Brenda Dinges - October 31, 2003

  This paper addresses the need for organizations to implement a comprehensive Information Systems Security Program (ISSP).

• • Overview
  • Download
  Argentina: Preparing for a Security Violation Raymond Hoffman - October 31, 2003

  Regardless of whether a company is Argentine or an international organization with an Argentine presence, this paper addresses the fundamental need to understand the legal situation in Argentina, preparing the once-unprotected network, and knowing how to respond to a security violation.

• • Overview
  • Download
  Change Control Process for Firewalls Paul Maschak - October 31, 2003

  This paper covers the fundamentals of Change Control and Procedures as it applies to the management of Firewalls.

• • Overview
  • Download
  Implementing/Re-Implementing Change Control Policies Derek Milroy - October 31, 2003

  Implementing change control policies should be done with the same basic methodology as a technology implementation, broken down into four steps/phases: Analysis, Design, Implementation, and Follow-up.

• • Overview
  • Download
  Hardening Bastion Hosts Todd Jenkins - October 31, 2003

  This paper discusses some of the benefits to using hardened bastion hosts.

• • Overview
  • Download
  Vulnerability Assessment Susan Cima - October 31, 2003

  The intention of this paper is to provide an overview of the vulnerability assessment process from discovery to baseline standardization, why it's necessary and offer some assistance to those who want to perform a vulnerability assessment but do not know where to start.

• • Overview
  • Download
  How To Secure Your Small To Medium Size Microsoft Based Network: A Generic Case Study Jerry Goodman - October 31, 2003

  This paper explains the basic process of securing a small to medium sized network utilizing some commonly used products and techniques, within a case study format.

• • Overview
  • Download
  Plugging the holes! Your data is leaking OUT! Robert Downey - October 31, 2003

  Data is essential to the development and success of a company and this paper discusses some of the obvious areas where data can leave the company.

• • Overview
  • Download
  Security for Small and New IT Departments: Get Your Big Rocks In First Greg Rolling - October 31, 2003

  This paper will attempt to assist the small/single-person IS department in setting up and maintaining a secure environment while filling the many roles necessary to the company.

• • Overview
  • Download
  I Think Our Internet Connection is Down Raymond Hillen - October 31, 2003

  The following is a "case analysis" of a real incident that was uncovered while trying to assist a small company with a supposed "down" Internet connection.

• • Overview
  • Download
  AS/400 & iSeries: A Comprehensive Guide to Setting System Values to Common Best Practice Securit Matthew Smith - October 31, 2003

  The purpose of this document is to assist anyone configuring or auditing iSeries (formerly known as AS/400) system values.

• • Overview
  • Download
  Espionage and the Insider Steve Kipp - October 31, 2003

  In every instance of espionage, the person involved had access to information. Understanding this, and the fact we have the ability to control access to computer file systems, is critical to protecting information.

• • Overview
  • Download
  Toward Global Security Paul Tremer - October 31, 2003

  By implementing and enforcing strong, multi-layered security policies and processes, constructive progress can and will defeat global threats and malicious activities today and throughout time.

• • Overview
  • Download
  A User's Guide to Security Threats on the Desktop Richard Hagen - October 31, 2003

  This paper is written for non-technical computer users who need to know the security risks of the Internet and how to protect their important digital information.

• • Overview
  • Download
  IT Infrastructure Security-Step by Step Karnail Singh - October 31, 2003

  This paper documents the process and methodology for implementing computer security within corporate networks and describes the various aspects of security through a layered model.

• • Overview
  • Download
  Facilitating the Qualitative Security Assessment: Overview of the Process of Defining and Delivering Mike Kleckner - October 31, 2003

  It is the intent of this paper to provide an overview of how to involve the appropriate decision makers and the solution providers in the delivery of cost-effective security controls for application systems.

• • Overview
  • Download
  Extranets: The Weakest Link & Security Slawomir Marcinkowski - October 31, 2003

  This paper focuses on the management processes needed to secure an extranet.

• • Overview
  • Download
  Users Wary of Microsoft's .NET Jeffrey Hudack - October 31, 2003

  This paper is written for non-technical computer users who need to know the security risks of the Internet and how to protect their important digital information.

• • Overview
  • Download
  Digital Rights Management Overview Austin Russ - October 31, 2003

  This paper presents an overview of DRM issues addressed, standards, technology and service providers, challenges, and guidance for determining if DRM may be applicable to your organization.

• • Overview
  • Download
  Oh Answer, Where Are Thou? or Gee, There's a Lot to Know Jim Sherrill - October 31, 2003

  This paper reviews the complex environment of information security and looks at several elements of security practices.

• • Overview
  • Download
  A "Bag of Tricks" Approach to Proactive Security Mitch Saba - October 31, 2003

  The goal of this paper is to explore the tools, practices and procedures available to System Administrators prior to a security incident that will serve to negate the incident or significantly improve our recovery and forensic positions.

• • Overview
  • Download
  Spyware & Network Security Lester Cheveallier - October 31, 2003

  When dealing with network security, a security professional's first concerns are who is trying to access the network and whether or not to allow access.

• • Overview
  • Download
  Ten Days to Network Security Paul Zocco - October 31, 2003

  This paper will present ten days of effective tasks, with a quick task and long term task each day.

• • Overview
  • Download
  Jekyll & Hyde in the Boardroom David Nixon - October 31, 2003

  Business success or failure can hinge on the business implementation of the Chief Technology Officer and the Chief Security Officer, two key IT management positions, discusses in this paper.

• • Overview
  • Download
  The Weakest Link...This Is Not a Game! Jack Daniels - October 31, 2003

  More employees are using their home computers to do office work and security policy as well as education should address this situation by requiring Personal Firewalls and Anti-Virus software.

• • Overview
  • Download
  Outline for a Successful Security Program Jeff Norem - October 31, 2003

  This paper is meant to give the reader an outline and high level view of security topics to examine when creating a network security program.

• • Overview
  • Download
  Why Small Businesses Need to Secure Their Computers (and How to Do it!) Bruce Diamond - October 31, 2003

  This paper discusses why small businesses need to secure their computers and provides information on how to do it!

• • Overview
  • Download
  The Computer Security Threat to Small and Medium Sized Businesses -A Manager';s Primer Michael Regan - October 31, 2003

  This paper seeks to provide non-technical, easily understood, information for the business executive seeking to capitalize on the benefits provided by Internet access while at the same time protecting his internal network from viruses and hackers.

• • Overview
  • Download
  Information Security Primer Craig Lindner - October 31, 2003

  This document discusses fundamental security concepts and architectures applicable to TCP/IP networks.

• • Overview
  • Download
  Information Security 101: Security for Newbies Frederick Kim - October 31, 2003

  This paper provides a guide and a starting point to get a sense of what information security is all about.

• • Overview
  • Download
  Manage your Security Initiative as a Project Rex Robitschek - October 31, 2003

  This paper has been geared toward project managers who already know the methodology, and is intended to give them tools that are pertinent for obtaining executive buy-in.

• • Overview
  • Download
  Organizational IT Security Theory and Practice: And Never the Twain Shall Meet? John Jenkins - October 31, 2003

  This paper presents an overview of common information technology security practices, demonstrates how and why they can frequently be ineffective, and finishes with suggestions on how we might better equip ourselves to prevent, and recover from unnecessary disruptions in the future.

• • Overview
  • Download
  Implementing a Successful Security Assessment Process Bradley Hart - October 31, 2003

  This paper describes implementing a successful security assessment process.

• • Overview
  • Download
  Securing Network Infrastructure and Switched Networks Richard Wagner - October 31, 2003

  This paper describes how to secure a network infrastructure and switched networks.

• • Overview
  • Download
  Implementing an Information Security Program Kevin Nichols - October 31, 2003

  This paper provides the fundamentals of implementing an Information Security Program.

• • Overview
  • Download
  OK, So I Need Security. Where Do I Start? Lyde Andrews - October 31, 2003

  This paper is not designed to be an end-all solution to your problems, but it can be used to begin identifying and fixing some of the glaring (i.e.. most easily compromised) security holes on your network and then what to do after that.

• • Overview
  • Download
  A Paper on the Promotion of Application Security Awareness Man Yi - October 31, 2003

  Application security is not a new science and the same principals that apply to network security also apply to application security.

• • Overview
  • Download
  Network Security Is Like Eating Crab's Legs - Is the Taste Worth the Effort? Charles Romanus - October 31, 2003

  This paper discusses the balance between network security, network functionality and ease of operation.

• • Overview
  • Download
  Security from Scratch ... How to Achieve It Alan Davies - October 31, 2003

  Since there is no one technology or process that can be implemented in the name of total security, the aim is to develop a defense in depth strategy, as discussed in this paper.

• • Overview
  • Download
  Managing Secure Data Delivery: A Data Roundhouse Model Jim Farmer - October 31, 2003

  The analogy of a traditional roundhouse, where railroad engineers manage and redirect the delivery of millions of tons of payload, reinforces the most important goal in the data delivery process: manage data securely from the start and secure it throughout its delivery all the way to its destination.

• • Overview
  • Download
  Securing a Wide-Open Computer Network Mark Andrich - October 31, 2003

  This paper describes how to Secure a Wide-Open Computer Network.

• • Overview
  • Download
  Basic Self-assessment: Go Hack Yourself Barry Dowell - October 31, 2003

  System administrators must not only be aware of the potential vulnerabilities inherent in their operating system and applications software, and know how to protect the network from these dangers, they must also put themselves in the mind of the attacker to assess network defenses before a successful attack is carried out.

• • Overview
  • Download
  An Instant War, Just Add Chat: The Growth of Instant Messaging Technology Jack Schiller - October 31, 2003

  The purpose of this paper is to provide the reader with a rich synthesis of observations and ideas, encourage the reader to evaluate their current technological environment, and spur one to explore what additional work may need to be done in this security issue.

• • Overview
  • Download
  Software Piracy- A challenge to E-world Sundeep Bhasin - October 31, 2003

  This paper provides insight to the levels of the society to which the menace of piracy has rooted itself, the cost and the impact of "illegal" software to the companies.

• • Overview
  • Download
  The Bugs are Biting Rishona Phillips - August 8, 2003

  This paper will give a general overview of the problems and challenges of software mistakes and how they affect security.

Masters This paper was created by a SANS Technology Institute student as part of their Master's curriculum.