Best Practices
Featuring 54 Papers as of July 19, 2013
-
Practical Cyber Security Training Techniques for New IT Support Employees
Keil Hubert - July 19, 2013
It's ludicrous to expect a brand new, fresh faced employee to be fully productive on his or her first day in the office.
-
Security Best Practices for IT Project Managers
Michelle Pruitt - June 24, 2013
For a project manager, a bad week might go something like this:
-
Corporate vs. Product Security
Philip Watson - June 3, 2013
When people hear "I deal with security" from any employee, the typical thought is that they are defending the enterprise, the web servers, the corporate email, and corporate secrets.
-
Information Risks & Risk Management
John Wurzler - May 1, 2013
In a relatively short period of time, data in the business world has moved from paper files, carbon copies, and filing cabinets to electronic files stored on very powerful computers.
-
Defense in Depth: Employing a Layered Approach for Protecting Federal Government Information Systems
Stacy Jordan - November 27, 2012
When the Internet was invented in the late 1960s to conduct research between specific colleges and the US Department of Defense (DOD), no one envisioned that in the future networks would be connected into a singular global one.
-
Diskless Cluster Computing: Security Benefit of oneSIS and Git
Aron Warren - April 16, 2012
This paper introduces the joining of two software packages, oneSIS and Git. Each package by itself is meant to tackle only a certain class of problem.
-
Securing Blackboard Learn on Linux
David Lyon - December 1, 2011
Blackboard Learn (Bb Learn) is an application suite providing educational technology to facilitate online, web based learning. It is typical to see Bb Learn hosting courses and content. Common add-ons include the Community and Content systems which are licensed separately.
-
Secure Browsing Environment
Robert Sorensen - September 21, 2011
Today's computing environment is fraught with much treachery. It used to be that one could surf the web without any thought of infection or loss of private information. Those times have changed! One might argue that the safest connection to the web is no connection at all. However, this is not feasible in today's social networked world (Powell, 2011). The target has only increased for hackers.
-
Using GUPI to Create A Null Box
Robert Comella - September 15, 2010
When an administrator builds a Linux server, they make many decisions. One of the most difficult is deciding which packages to install. Linux distributions, upon installation, try to pass package selection off as an easy choice. The administrator must simply choose a function from the list and the installation program will automatically install all the necessary software to provide that service. The installation usually works and the resulting machine performs the desired task. Administrators focused only on functionality consider themselves finished and move on to the next task.
-
Writing a Penetration Testing Report
Mansour Alharbi - April 29, 2010
A lot of currently available penetration testing resources lack report writing methodology and approach, which leads to a very big gap in the penetration testing cycle. A report, by definition, is a statement of the results of an investigation or of any matter on which definite information is required (Oxford English Dictionary). A penetration test is useless without something tangible to give to a client or executive officer. A report should detail the outcome of the test and, if you are making recommendations, document the recommendations to secure any high-risk systems (Whitaker & Newman, 2005). Report writing is a crucial part for any service provider, especially IT service/advisory providers. In pen-testing the final result is a report that shows the services provided, the methodology adopted, as well as testing results and recommendations. As one of the project managers at a major electronics firm said, "We don't actually manufacture anything. Most of the time, the tangible products of this department [engineering] are reports." There is an old saying in the consulting business: if you do not document it, it did not happen (Smith, LeBlanc & Lam, 2004).
-
Effective Use Case Modeling for Security Information & Event Management
Daniel Frye - March 10, 2010
With today's technology there exist many methods to subvert an information system which could compromise the confidentiality, integrity, or availability of the resource. Due to the abstract nature of modern computing, the only way to be reliably alerted of a system compromise is by reviewing the system's actions at both the host and network layers and then correlating those two layers to develop a thorough view into the system's actions. In most instances, the computer user has no indication of the existence of the malicious software and therefore cannot be relied upon to determine if their system is indeed compromised.
-
Building Servers as Appliances for Improved Security
Algis Kibirkstis - March 8, 2010
Defense-in-Depth is a term commonly used when describing a layered model for protecting computing environments; by having multiple layers of protection, from the perimeter of the network to each computing system at the core, security-related failures at any single layer should not compromise the confidentiality, integrity or availability of the overall system. In this day and age, simple reliance on firewalls for protection is generally considered to be imprudent (Brining, 2008), for they offer no network-level protection in case of failure, poor configuration, software misbehavior, or unauthorized access attempts posing as legitimate traffic; nor can they offer any protection if communications circumvent the firewall itself.
-
Preventing Incidents with a Hardened Web Browser
Chris Crowley - December 15, 2009
There is substantial industry documentation on web browser security because the web browser is currently a frequently used vector of attack. This paper investigates current literature discussing the threats present in today's environment.
-
Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data
nuBridges, inc - September 29, 2009
Exploring the use of tokenization as a best practice in improving PCI DSS compliance, while at the same time minimizing the cost and complexity of PCI DSS compliance by reducing audit scope.
-
Building a Security Practice within a Mixed Product-R&D and Managed-Service Business
Evan Scheessele - July 27, 2007
Information-rich technology businesses offer their security staff more challenges today than ever. Where business is driven by active technology development and technology is delivered to customers in the form of a managed service, security takes on a scope that impacts the business's fundamentals. This paper addresses the challenges and best practices related to delivering overall security (here referred to as a security practice) within a complex business. The template business examined in this paper hosts both highly complex networked-product R&D and 24/7 outsourced managed services.
-
Sudo for Windows (sudowin)
Andrew Kutz - February 14, 2007
The original Sudo application was designed by Bob Coggeshall and Cliff Spencer in 1980 within the halls of the Department of Computer Science at SUNY/Buffalo. Sudo encourages the principle of least privilege; that is, a user operates with a bare minimum number of privileges on a system until the user requests a higher level of privilege in order to accomplish some task.
-
Beyond the Preoccupation with Certification & Accreditation
Kevin Esser - May 5, 2005
Seeking and achieving formal Certification and Accreditation of systems designed for use within the Department of Defense is a statutory requirement and a necessary part of a system's overall Information Assurance program.
-
Midrange & Mainframe systems for Security Policies compliance control Tool
Pierre Cailloux - February 12, 2005
The goal of this document, within the scope of the practical exam for the GSEC SANS option 2, is to present a solution for a company, in order to be able to manage and apply computing security rules on Mainframe and Midrange systems, as well as Facilities Management systems complying with other security rules specific to customers.
-
Network Security and the SMB
Matthew Hawley - January 28, 2005
Network security is an issue for all businesses. The challenges faced by small-to-medium size businesses (SMBs) are unique and significant.
-
Internal Security in an Engineering Development Environment
Art Homs - January 17, 2005
Organizations that design, develop, test, and support IP based products present unique security challenges in a converged services network. In an ideal scenario, engineering labs where these activities take place are insulated from the corporate environment to prevent interactions that can compromise corporate network confidentiality, integrity, and availability.
-
Patch Management and the Need for Metrics
Ken MacLeod - August 28, 2004
The principal objective of 'Patch Management and the Need for Metrics' is to demonstrate that organisations cannot meaningfully assess their security posture, with reference to their patch status, without the use of appropriate metrics.
-
Host Assessment and Risk Rating
Radhika Vedaraman - August 28, 2004
Corporate websites get defaced; business activities of organizations get crippled; identity stolen; confidential information made public - all because of not securing information and resources, and not taking precautions necessary to protect against attacks.
-
Applied Principles of Defense-in-Depth: A Parent's Perspective
Tom Miles - August 25, 2004
This paper will seek to shift the paradigm of the traditional information security model as it applies to business and employees to a more personal model of home and fami
-
Using Proactive Depth in Defense to Ease Patch Management Problems
David Gadue - August 15, 2004
Information Security experts agree that "Depth in Defense" is a crucial concept in securing information assets for every organization.
-
Computer Security And The Law: What You Can Do To Protect Yourself
Karen Poffenbergen - July 25, 2004
Working as a defense contractor, one knows the importance of security regulations and directives. However, do these regulations really protect our mission critical data?
-
Beyond Patch Management
Dan Shauver - July 25, 2004
Systems maintenance, including operating system and software upgrades and patch management, has long been a major factor in security-related incidents. Application upgrades and patches can be equally necessary to system integrity, yet are equally likely to be ignored.
-
Printing the Paper and Serving the News after a Localized Disaster
John Soltys - June 9, 2004
A case study detailing the implementation of a business continuity plan for a regional newspaper. This study covers the requirements-gathering process, testing, and implementation of a series of plans jointly developed by members of the newsroom, IT, online staff, and operations.
-
The Art of Web Filtering
Robert Alvey - April 8, 2004
Web Filters are designed to improve the security and productivity of a network, but as with anything else, they must be implemented correctly to work properly. In order to ensure a Web Filter is implemented successfully, several factors need to be considered.
-
Keys to Implementing a Successful Security Information Management Solution (or Centralized Security Monitoring)
Michael Martin - January 11, 2004
This paper provides nine keys to implementing a successful SIM solution.
-
Securing the Network in a K-12 Public School Environment
Russell Penner - December 21, 2003
This paper addresses the K-12 public education data network environment which presents special needs and requirements, including privacy (confidentiality), data integrity, and content filtering.
-
Defense-In-Depth Applied to Laptop Security: Ensuring Your Data Remains Your Data
Chris Grant - December 13, 2003
This paper illustrates how to apply a Defense-In-Depth strategy to protect laptop systems.
-
8 Simple Rules For Securing Your Internal Network
Douglas Ford - November 6, 2003
This paper will focus on eight areas that a company can look at to make their internal network just as hard and crunchy on the inside as on the outside.
-
Endusers - A Critical Link in the Chain of Security
Dana Brigham - October 31, 2003
Establishing the security of Information System (IS) resources is an important and major undertaking in any organization.
-
Security in Practice- Reducing the Effort
Leon Pholi - October 31, 2003
This paper covers the ten most vital steps in attempting to achieve a good base level of security, which can then be built upon.
-
Designing a Secure Local Area Network
Daniel Oxenhandler - October 31, 2003
This paper examines some of the issues in designing a secure Local Area Network (LAN) and some of the best practices suggested by security experts.
-
OpenVMS 7.2 Security Essentials
Jeff Leving - October 31, 2003
This paper attempts to build on the foundational article submitted by Steven Bourdon in March 2002 (Bourdon), by providing a security-focused overview of the basic tasks performed when installing a standalone OpenVMS server.
-
Securing an Application: A Paper on Plastic
Joe Rhode - October 31, 2003
This paper discusses the process of integrating a credit card application to the front end of already existing accounting and payments processing applications, the information risk analysis process needed and the action plan to implement the mitigated controls.
-
The Internal Threat to Security Or Users Can Really Mess Things Up
Charles Rhodes - October 31, 2003
This paper describes some of the security measures you can implement which will help ensure the availability of your network despite the users' actions.
-
Pre-Development Security Planning
Keith Marohn - October 31, 2003
This document will outline the basic steps that should be completed before code development begins to ensure delivery of a successful project.
-
System Administrator - Security Best Practices
Harish Setty - October 31, 2003
This paper discusses some of the best practices, without getting into specifics of any particular operating system or version.
-
Vulnerability Identification and Remediation Through Best Security Practices
BJ Bellamy - October 31, 2003
This paper looks at Vulnerability Identification Studies which focus on identifying the enticements, common vulnerabilities, and information leakage, the things that account for most of the risk to IT (Information Technology) that we face today.
-
Centralized Network Security Management: Combining Defense In Depth with Manageable Security
Scott Rasmussen - October 31, 2003
With a few careful considerations for data redundancy and archival, centralized network security management can take advantage of the full power and potential for defense in-depth and a hardened security posture.
-
A Survival Guide for Security Professionals
Conrad Morgan - October 31, 2003
This survival guide aims to assist security professionals to balance the responsibilities and requirements of their role to avoid stress and burnout.
-
Who Wants To Be A Weakest Link?
Russell Hany - October 31, 2003
This paper emphasizes the need to convey good security practices throughout an organization, because the "weakest link" can be located anywhere along a company's "chain."
-
Securing Our Critical Infrastructures
Chris Brooks - October 31, 2003
In the event of a successful attack, limiting the amount of damage and quickly redistributing the assets to maintain a minimum essential infrastructure is critical in keeping the defense and national economy functioning.
-
Open Source Risk Mitigation Process
Carlos Casanova - October 31, 2003
The Open Source Risk Mitigation Process described in this paper is a tool for corporations to use when trying to understand why a simple decision to use "free" Open Source software should be taken very seriously.
-
Secure Computing - An Elementary Issue
Susan Briere - October 31, 2003
This paper was developed as a resource for elementary school technical support personnel responsible for maintaining a safe and secure computing environment.
-
Securing Your RILOE Cards
Rick McCarter - October 31, 2003
This paper outlines the components of the RILOE, detailed features and functionality of the card, pre-installation tips, physical installation instructions, physical setup instructions, and initial setup configuration parameters.
-
Implementing Least Privilege at your Enterprise
Jeff Langford - October 31, 2003
This paper provides background on enterprise security, offers some rationale to help develop support for its acceptance, and identifies ways it can be implemented within your enterprise.
-
Federal Information Technology Management and Security
John Hopkins - October 31, 2003
This paper examines the long-standing vision of one senior OMB manager to re-enforce a seven year-old plan he helped draft that uses the Federal IT budget planning process to accomplish these three principal objectives.
-
A Practical Methodology for Implementing a Patch Management Process
Daniel Voldal - October 31, 2003
This paper presents one methodology for identifying, evaluating and applying security patches in a real world environment along with descriptions of some useful tools that can be used to automate the process.
-
A Guide to Government Security Mandates
Christian Enloe - October 31, 2003
This document endeavors to provide the reader with a solid understanding of the certification process, the order in which the steps should be completed, and some lessons learned from actual experience.
-
Using a Capability Maturity Model to Derive Security Requirements
Mike Phillips - October 31, 2003
This paper will discuss the use of these base practices in the formation of security requirements.
-
Implementing an Effective IT Security Program
Kurt Garbars - August 28, 2002
The purpose of this paper is to take the wide variety of federal government laws, regulations, and guidance combined with industry best practices and define the essential elements of an effective IT security program.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.
All papers are copyrighted. No re-posting or distribution of papers is permitted.
Masters: This paper was created by a SANS Technology Institute student as part of their Master's curriculum.