Featuring 84 Papers as of December 4, 2013
Implementing a PC Hardware Configuration (BIOS) Baseline Masters
David Fletcher - December 4, 2013
This paper provides a road map for implementation of the recommended phases identified in NIST SP 800-147, BIOS Protection Guidelines.
Talking Out Both Sides of Your Mouth: Streamlining Communication via Metaphor
Josh More - October 4, 2013
Though we often agree as to what individual words mean, it is often true that complex ideas cannot be adequately described in a reasonable amount of time.
Web Application Injection Vulnerabilities: A Web App's Security Nemesis?
Erik Couture - June 14, 2013
An ever-increasing number of high profile data breaches have plagued organizations over the past decade.
Surfing the Web Anonymously - The Good and Evil of the Anonymizer
Peter Chow - October 8, 2012
Companies of all sizes spend large amounts of time, resources, and money to ensure that their network resources and Internet connections are not being misused.
Recovering Security in Program Management
Howard Thomas - October 3, 2012
Few Information Security (InfoSec) professionals get the opportunity to build a program from the ground up. Whether brought in to maintain, enhance, or fix an existing environment, most inherit a security situation not of their own making.
Using SNORT® for intrusion detection in MODBUS TCP/IP communications
Javier Jimenez Diaz - December 19, 2011
Not long ago, analog and purpose built communications systems use to be prevalent technologies on industrial plants. It wasnt common to find either interoperability or compatibility among them. In the 70s communication Networking began to be used in Direct Digital Control (Berge Jonas, 2004).
Scoping Security Assessments - A Project Management Approach
Ahmed Abdel-Aziz - June 7, 2011
Security assessments can mean different things to different people. This paper will explore what a security assessment is, why it should be done, and how it is different than a security audit.
Measuring effectiveness in Information Security Controls Masters
Manuel Humberto Santander Peláez - July 6, 2010
The risks in the business environment of companies and international regulations have made companies incorporate as business process the aspect of information security. Like all processes, it needs to get assigned resources and budget to ensure proper implementation. Because the objective of the security process is to minimize exposure to risk it is important to determine the effectiveness of the implemented controls. How do you measure if the security controls in place are effective? How do you justify the budget to augment or improve existing controls? It is important to show the organization that the requested funds will be invested in preventing the issues that can materialize an information risk against any of the core business processes. This paper illustrates how to define indicators to measure the exposure to information risks in the company processes.
Preparing to face new vulnerabilities
Jacelyn Faucher - June 25, 2008
This document illustrates the benefit of being prepared to deal with new vulnerabilities. We don't really know when that's going to happen, but it will. Let's look at a typical scenario: Monday morning, panic is in the air. The boss heard the existence of a big new vulnerability on the radio on his way to work.
Firefox VS Windows Internet Explorer Masters
Robert Comella - January 29, 2008
In my years as an IT professional I can not tell you the number of times I have had a client ask, When you go online, do you use Internet explorer? Are there any other choices? Are they better? In the world of computers, indeed in most professions, it is rare that you can give a straight short answer to any question. Eagerly I answer the first two questions with No and ABSOLUTELY! Unfortunately the last is a little harder to answer and its best short answer is, it depends. That, of curse, begs the question, On what does it depend? and that is what this paper examines.
Computer Security Education The Tool for Today
Ian Burke - October 25, 2007
ecurity education, for a long time, has been seen as a thing reserved for security professionals. The Computer Security Act of 1987 put forward for the National Institute of Standards and Technology to create standards and guides for security awareness and training. This act was the first of a string of legislation that would place mandates around security education for non-security professionals. This trend illustrated newfound awareness in the community and in the world around computer security.
GCFW Practical Assignment Critique
Bart Hubbs - March 9, 2005
The purpose of this practical is to critique a GIAC Certified Firewall Analyst (GCFW) practical to enable implementation in a public healthcare company.
Network Security- A Guide for Small and Mid-sized Businesses
Jim Hietala - January 26, 2005
The objective of this paper is to educate both IT staff and senior management for small-medium sized businesses (SMB's) as to the network security threats that exist. The paper presents a digest of industry best practices for network security, which will hopefully assist SMB's in setting priorities for securing the perimeter of a typical SMB network.
Transmission Media Security
Charles Esparza - January 18, 2005
When studying for any security certification the topic of transmission media is always present, it is one of the many sources of attacks that can be made by exploiting the media that the transmissions are made over. In this paper I will discuss the various types of media commonly used to connect computers into networks and analyze the many vulnerabilities of the different media types.
Introduction to Host Based Cyber Defense
Roy Nielsen - January 17, 2005
There is a lot of attention given in the computer security community to network security. Viruses, trojans, spyware and other malware come from the computer network. IT departments often concentrate on network firewalls, IDS and IPS systems to protect their network.
The State of Patching Windows
Rafael Cappas - July 25, 2004
Patching is something that everyone tells you to do but find people really don't understand it. There was a time, not long ago, when security vulnerabilities became known and finding patches for them were difficult. One had to scour Usenet looking for further information and dig through FTP servers for fixes.
Information Security For Churches and Small Non-Profit Organizations
Jay Petel - April 8, 2004
In today's ever changing, better, faster, cheaper world, connectivity to the Internet for churches and other small non-profit organizations is necessary. But, connectivity brings along with it a risk of vulnerability from the same threats that business and educational organizations face.
The Use and Administration of Shared Accounts
David Johnson - December 13, 2003
This paper will discuss the use and security of shared accounts, and some of associated risks of those uses.
We're Lost, But We're Making Good Time!
Benjamin Grubin - October 31, 2003
Vulnerability scanning and intrusion detection technologies have made a huge on improving the information security profession, with metrics by which to judge the organizations security posture - which fosters a questionable level of safety and false sense of security.
Cyberspace Guardians: A Brief Guide to the Recruitment and Training of Security Personnel
Amina Claassen - October 31, 2003
This paper is an overview of the recruitment and training of entry- and intermediate-level information technology (IT) security staff members (referenced here as "security analysts.")
Keep Current With Little Time
Robert Taylor - October 31, 2003
This paper discusses various ways for security professionals to keep secure networks current with less time.
Managing Desktop Security
Amran Munir - October 31, 2003
This document describes the defense mechanism for security of desktops (including notebooks or laptops) in a network computing environment from the approach of security requirements among users, process of implementing and enforcing security policies and technology within an organization.
Kiosks: The Interactive Media Solution, or is it?
Lisa Evans - October 31, 2003
This paper addresses the topic of kiosks utilizing computers require information systems support and security to protect both the business and the customer.
Enhanced Security During Organizational Transitions
Denis Lynch - October 31, 2003
The purpose of this paper is to provoke discussion concerning the requirements for increased security during a period of transition, the threats faced by an organization as it goes through a period of change, as well as appropriate controls that could be implemented to mitigate the risks.
Keeping the Private Intranet Private
Michael Wilson - October 31, 2003
This paper addresses security problems faced by intranet network administrators, how to control those access points and minimize the risk involved.
Making the HelpDesk a Security Asset
Douglas Ridgeway - October 31, 2003
This paper address potential security risks with helpdesks including social engineering, and various methods to reduce the risk of security incidents against the helpdesk.
Defense In Depth
Todd McGuiness - October 31, 2003
This paper will look at three common scenarios, and likely methods for network attacks, and offer countermeasures to protect against these types of attacks.
Security Architecture Model Component Overview
Scott Angelo - October 31, 2003
A successful security architecture combines a heterogeneous combination of policies and leading practices, technology, and a sound education and awareness program.
Security Considerations for Extranets
Karen Korow-Diks - October 31, 2003
This paper identifies potential risks associated with extranets and the actions that can be taken to mitigate against them.
Information Technology Department Network Security Briefing
Thad Nobuhara - October 31, 2003
This paper discusses the role in protecting the corporate network, and the devices connected to the Internet, including employee personal computing devices.
The Password Web Page
Curt Kuper - October 31, 2003
It is important to pick good passwords and change them often. This paper addresses the benefits and merits of the password web page.
Introducing Security to the Small Business Enterprise
Jeff Herbert - October 31, 2003
This discussion paper outlines the issues and constraints that a SBE faces, the common misconceptions managers have regarding Internet security, and how to introduce security to the Small Business Enterprise.
Security - What is Enough?
Victoria England - October 31, 2003
This paper will look at the various layers of security businesses have on offer to them today, which will aid the security policy and look at why they should deploy them.
The Cyber Security Management System: A Conceptual Mapping
John Dexter - October 31, 2003
This paper looks at the cyber security management process as a complex system of interrelated elements and demonstrates the use of concept mapping techniques to expand our knowledge of the system as a whole, and of policy and technology in particular.
Security Lifecycle - Managing the Threat
Mark King - October 31, 2003
This paper addresses the security elements that make up a lifecycle, categorized into three areas, Prevention, Detection and Response and how they apply to the overall security posture of the organization.
Obtaining Better Results from Distributed Environment Security Programs
Rhonda Manter - October 31, 2003
This paper examines common barriers to achieving desired results from information security programs in mid-to-large-sized corporations.
Protection of Information Assets
Odd Nilsen - October 31, 2003
This paper focuses on the protection of information assets, addressing both physical and logical access exposures and controls.
The Need for a REAL Defensive Information Operations Capability
Mark Ruchie - October 31, 2003
This paper examines the need to significantly overhaul the current concept of protection of information in American business, incorporating the military model, referred as Defensive Information Operations (DIO).
Implementing Defense in Depth at the University Level
Michael Runnels - October 31, 2003
This paper discusses how defense in depth was implemented at a university in the Southwest.
A Certification and Accreditation Plan for Information Systems Security Programs (Evaluating the Eff
Brenda Dinges - October 31, 2003
This paper addresses the need for organizations to implement a comprehensive Information Systems Security Program (ISSP).
Argentina: Preparing for a Security Violation
Raymond Hoffman - October 31, 2003
Regardless of whether a company is Argentine or an international organization with an Argentine presence, this paper addresses the fundamental need to understand the legal situation in Argentina, preparing the once-unprotected network, and knowing how to respond to a security violation.
Change Control Process for Firewalls
Paul Maschak - October 31, 2003
This paper covers the fundamentals of Change Control and Procedures as it applies to the management of Firewalls.
Implementing/Re-Implementing Change Control Policies
Derek Milroy - October 31, 2003
Implementing change control policies should be done with the same basic methodology as a technology implementation, broken down into four steps/phases: Analysis, Design, Implementation, and Follow-up.
Hardening Bastion Hosts
Todd Jenkins - October 31, 2003
This paper discusses some of the benefits to using hardened bastion hosts.
Susan Cima - October 31, 2003
The intention of this paper is to provide an overview of the vulnerability assessment process from discovery to baseline standardization, why it's necessary and offer some assistance to those who want to perform a vulnerability assessment but do not know where to start.
How To Secure Your Small To Medium Size Microsoft Based Network: A Generic Case Study
Jerry Goodman - October 31, 2003
This paper explains the basic process of securing a small to medium sized network utilizing some commonly used products and techniques, within a case study format.
Plugging the holes! Your data is leaking OUT!
Robert Downey - October 31, 2003
Data is essential to the development and success of a company and this paper discusses some of the obvious areas where data can leave the company.
Security for Small and New IT Departments: Get Your Big Rocks In First
Greg Rolling - October 31, 2003
This paper will attempt to assist the small/single-person IS department in setting up and maintaining a secure environment while filling the many roles necessary to the company.
I Think Our Internet Connection is Down
Raymond Hillen - October 31, 2003
The following is a "case analysis" of a real incident that was uncovered while trying to assist a small company with a supposed "down" Internet connection.
AS/400 & iSeries: A Comprehensive Guide to Setting System Values to Common Best Practice Securit
Matthew Smith - October 31, 2003
The purpose of this document is to assist anyone configuring or auditing iSeries (formerly known as AS/400) system values.
Espionage and the Insider
Steve Kipp - October 31, 2003
In every instance of espionage, the person involved had access to information. Understanding this, and the fact we have the ability to control access to computer file systems, is critical to protecting information.
Toward Global Security
Paul Tremer - October 31, 2003
By implementing and enforcing strong, multi-layered security policies and processes, constructive progress can and will defeat global threats and malicious activities today and throughout time.
A User's Guide to Security Threats on the Desktop
Richard Hagen - October 31, 2003
This paper is written for non-technical computer users who need to know the security risks of the Internet and how to protect their important digital information.
IT Infrastructure Security-Step by Step
Karnail Singh - October 31, 2003
This paper documents the process and methodology for implementing computer security within corporate networks and describes the various aspects of security through a layered model.
Facilitating the Qualitative Security Assessment: Overview of the Process of Defining and Delivering
Mike Kleckner - October 31, 2003
It is the intent of this paper to provide an overview of how to involve the appropriate decision makers and the solution providers in the delivery of cost-effective security controls for application systems.
Extranets: The Weakest Link & Security
Slawomir Marcinkowski - October 31, 2003
This paper focuses on the management processes needed to secure an extranet.
Users Wary of Microsoft's .NET
Jeffrey Hudack - October 31, 2003
This paper is written for non-technical computer users who need to know the security risks of the Internet and how to protect their important digital information.
Digital Rights Management Overview
Austin Russ - October 31, 2003
This paper presents an overview of DRM issues addressed, standards, technology and service providers, challenges, and guidance for determining if DRM may be applicable to your organization.
Oh Answer, Where Are Thou? or Gee, There's a Lot to Know
Jim Sherrill - October 31, 2003
This paper reviews the complex environment of information security and looks at several elements of security practices.
A "Bag of Tricks" Approach to Proactive Security
Mitch Saba - October 31, 2003
The goal of this paper is to explore the tools, practices and procedures available to System Administrators prior to a security incident that will serve to negate the incident or significantly improve our recovery and forensic positions.
Spyware & Network Security
Lester Cheveallier - October 31, 2003
When dealing with network security, a security professional's first concerns are who is trying to access the network and whether or not to allow access.
Ten Days to Network Security
Paul Zocco - October 31, 2003
This paper will present ten days of effective tasks, with a quick task and long term task each day.
Jekyll & Hyde in the Boardroom
David Nixon - October 31, 2003
Business success or failure can hinge on the business implementation of the Chief Technology Officer and the Chief Security Officer, two key IT management positions, discusses in this paper.
The Weakest Link...This Is Not a Game!
Jack Daniels - October 31, 2003
More employees are using their home computers to do office work and security policy as well as education should address this situation by requiring Personal Firewalls and Anti-Virus software.
Outline for a Successful Security Program
Jeff Norem - October 31, 2003
This paper is meant to give the reader an outline and high level view of security topics to examine when creating a network security program.
Why Small Businesses Need to Secure Their Computers (and How to Do it!)
Bruce Diamond - October 31, 2003
This paper discusses why small businesses need to secure their computers and provides information on how to do it!
The Computer Security Threat to Small and Medium Sized Businesses -A Manager';s Primer
Michael Regan - October 31, 2003
This paper seeks to provide non-technical, easily understood, information for the business executive seeking to capitalize on the benefits provided by Internet access while at the same time protecting his internal network from viruses and hackers.
Information Security Primer
Craig Lindner - October 31, 2003
This document discusses fundamental security concepts and architectures applicable to TCP/IP networks.
Information Security 101: Security for Newbies
Frederick Kim - October 31, 2003
This paper provides a guide and a starting point to get a sense of what information security is all about.
Manage your Security Initiative as a Project
Rex Robitschek - October 31, 2003
This paper has been geared toward project managers who already know the methodology, and is intended to give them tools that are pertinent for obtaining executive buy-in.
Organizational IT Security Theory and Practice: And Never the Twain Shall Meet?
John Jenkins - October 31, 2003
This paper presents an overview of common information technology security practices, demonstrates how and why they can frequently be ineffective, and finishes with suggestions on how we might better equip ourselves to prevent, and recover from unnecessary disruptions in the future.
Implementing a Successful Security Assessment Process
Bradley Hart - October 31, 2003
This paper describes implementing a successful security assessment process.
Securing Network Infrastructure and Switched Networks
Richard Wagner - October 31, 2003
This paper describes how to secure a network infrastructure and switched networks.
Implementing an Information Security Program
Kevin Nichols - October 31, 2003
This paper provides the fundamentals of implementing an Information Security Program.
OK, So I Need Security. Where Do I Start?
Lyde Andrews - October 31, 2003
This paper is not designed to be an end-all solution to your problems, but it can be used to begin identifying and fixing some of the glaring (i.e.. most easily compromised) security holes on your network and then what to do after that.
A Paper on the Promotion of Application Security Awareness
Man Yi - October 31, 2003
Application security is not a new science and the same principals that apply to network security also apply to application security.
Network Security Is Like Eating Crab's Legs - Is the Taste Worth the Effort?
Charles Romanus - October 31, 2003
This paper discusses the balance between network security, network functionality and ease of operation.
Security from Scratch ... How to Achieve It
Alan Davies - October 31, 2003
Since there is no one technology or process that can be implemented in the name of total security, the aim is to develop a defense in depth strategy, as discussed in this paper.
Managing Secure Data Delivery: A Data Roundhouse Model
Jim Farmer - October 31, 2003
The analogy of a traditional roundhouse, where railroad engineers manage and redirect the delivery of millions of tons of payload, reinforces the most important goal in the data delivery process: manage data securely from the start and secure it throughout its delivery all the way to its destination.
Securing a Wide-Open Computer Network
Mark Andrich - October 31, 2003
This paper describes how to Secure a Wide-Open Computer Network.
Basic Self-assessment: Go Hack Yourself
Barry Dowell - October 31, 2003
System administrators must not only be aware of the potential vulnerabilities inherent in their operating system and applications software, and know how to protect the network from these dangers, they must also put themselves in the mind of the attacker to assess network defenses before a successful attack is carried out.
An Instant War, Just Add Chat: The Growth of Instant Messaging Technology
Jack Schiller - October 31, 2003
The purpose of this paper is to provide the reader with a rich synthesis of observations and ideas, encourage the reader to evaluate their current technological environment, and spur one to explore what additional work may need to be done in this security issue.
Software Piracy- A challenge to E-world
Sundeep Bhasin - October 31, 2003
This paper provides insight to the levels of the society to which the menace of piracy has rooted itself, the cost and the impact of "illegal" software to the companies.
The Bugs are Biting
Rishona Phillips - August 8, 2003
This paper will give a general overview of the problems and challenges of software mistakes and how they affect security.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact firstname.lastname@example.org.
All papers are copyrighted. No re-posting or distribution of papers is permitted.