Featuring 12 Papers as of May 2, 2013
Analysis of the building blocks and attack vectors associated with the Unified Extensible Firmware Interface (UEFI)
Jean-Franc Agneessens - May 2, 2013
The Basic Input/Output System (BIOS) is the code that is the closest you can get to the underlying hardware.
Determining the Role of the IA/Security Engineer
Brian Dutcher - October 14, 2010
What is your view of the role performed by an IA/Security Engineer? Is it focused on securing the network perimeter through the operations of the firewall, virtual private networks (VPNs), intrusion detection system/intrusion prevention system (IDS/IPS), network access control (NAC), data loss prevention (DLP) and enterprise anti-virus solutions? Is it the network specialist responsible for the secure design of the local area network (LAN), virtual LAN (VLAN), wide area network (WAN) and all endpoints? Is it the systems designer or operator responsible for the security of all clients and servers? Is it a software developer specializing in developing and hardening custom applications? Is the IA/Security Engineer someone who is an expert in all these areas? Is the IA/Security Engineer a specialized single technology (i.e. Cisco) expert, or is the position technologically agnostic, working at a higher level where specific detailed technology is irrelevant in the bigger scheme of things?
Outsourced Information Technology Environment Audit
Navaratnasingam Arunanthy - April 27, 2010
Outsourcing was hyped in the mid 90s as one way to reduce IT cost, as well as to gain expertise for better business operations. Today some or many of the information technology activities in many organizations are outsourced. IT outsourcing occurs when an organization contracts a service provider to perform an IT function instead of performing the function itself. The service provider could be a third party or another division or subsidiary of a single corporate entity. Increasingly, organizations are looking offshore for the means to minimize IT service costs and related taxes.(CICA, 2003) Outsourced environments are complex and highly integrated with organizations and operations. As complexity increases managing relationships with service providers becomes challenging. A survey performed by the IT Governance Institute indicates that problems with outsourcers increased on year 2007 from 74 Compound Problem Index (CPI) on year 2005 to 127 CPI. The CPI is the result of multiplying the outcomes from the several questions about the IT-related problems experienced by the749 respondents.(ITGI, 2008)
Identity and Access Management Solution
Martine Linares - June 29, 2005
Companies must be able to trust the identities of users requiring access and easily administer user identities in a cost-effective way.
A Security Guide For Acquiring Outsourced Service
Bee Tiow - November 5, 2003
This guide is an attempt to collate all security requirements relating to outsourcing, for which organisations seeking outsourcing should actively look into.
Requirements For Managing Security Information Overload
Sridhar Juvvadis - October 31, 2003
This paper discusses the important criteria in developing an information management solution. These requirements can be used as a guideline for comprehensive evaluation of various solutions.
William Kinsey - October 31, 2003
This paper examines Managed Security Services in the context of providing CIA (confidentiality, integrity, and availability).
Jonathan Faile - October 31, 2003
The primary focus of this paper is outsourcing security services and therefore most of the discussion will reflect that, though some mention of the other two options will be put forth.
Successfully Managing Cyber Security
James Johnson - October 31, 2003
This paper describes how managing a cyber security program involves physically protecting your company's investment in computer hardware, ensuring system availability, verifying information integrity, and securing confidential information.
Web Services Security - An Overview
Scott Burns - October 31, 2003
This paper presents an overview of web services secrity.
Security Issues of Integrating a Stand-alone System into Corporate Network
Edward Jirak - October 31, 2003
This paper describes some methods to improve security on systems that were originally designed as stand-alone or where security issues were ignored. It points out the weaknesses which have to be addressed before integration. It describes various channels into the system and explores ways on how to protect these pathways from being exploited
Extranet Access Management (EAM)
Nev Sealey - October 31, 2003
This document will give an overview of EAM architecture, EAM security, EAM a standard security model, and how EAM integrates with JAVA.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact firstname.lastname@example.org.
All papers are copyrighted. No re-posting or distribution of papers is permitted.