Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact email@example.com.
Recent economic conditions have created a business problem unique to higher education and its IT infrastructure. In the past ten years, IT systems and infrastructure have experienced a rapid change in complexity as a result of moving from mainframes to web services (Weinschenk, 2003). The technical landscape continues to become more complex as technology advances and application sophistication increases more rapidly, creating a greater dependency on IT services. To stay competitive and efficient, private and for-profit businesses have spent the last ten years keeping up with technology and training their staff. However, the university has been insulated in its own microcosm, having the luxury of ignoring business cycles, as the product offered has not changed drastically. Now, recent economic conditions and rapid advancement in technology have created the perfect storm within the university setting.
By: Cristian Ruvalcaba (posted on December 28, 2009)
The importance of IDS in corporate defense is seen as an ever growing necessity. Major strides have been made for numerous IDS tools, but some have seen a stalemate. The next evolutionary step in IDS would involve the concept of a 'Smart Intrusion Detection System (IDS)', one that generates signatures. The question of how to generate these signatures becomes instrumental, and can involve a number of different components. In this case, it could involve a tool that uses a hybrid LaBrea concept.
This paper will document both sides of a phishing campaign, the phisher and the phished, providing a unique view as best as I’m able to recreate it from the phisher’s own emails and information from the phished financial institution.
Your neighbor stops you at your curb. He knows you're a computer security guru and wants to know the secret to protecting his computer from hackers. You need to get back to mowing the lawn and don't really have time to explain log monitoring, patch management, vulnerability assessments, penetration testing, least required access, the CIA triad, and the finer points of risk management. Besides, you know you're the only guy on the block with syslog servers, hardware firewalls, IDS and HIPS watching the one computer in your house that you only use for online banking. So what do you tell him? "Keep your patches and antivirus software up to date and don't run untrusted programs". You know it's not enough, but any more advice would commit you to hours of free consulting or get you uninvited to the neighborhood Christmas party. "Don't run untrusted programs"...good advice! The problem is most people trust everyone when it comes to free software.
On the technical side, the tools and tactics employed to track and document the incident will be examined. In the broader scope, the high level of cooperation needed between law enforcement, corporate IT departments, and the various ISPs, email providers, and web hosting companies will be explained. Additionally, it will be shown that by taking a proactive approach, one can get a better insight to the incident, and actions of the phisher than by traditional reactionary investigation techniques.
This practical is a case study of an Insurance Company's migration to an enterprise-wide security system. It is the intent of this practical to provide a path to follow when creating or migrating to a security system. Initially, a primitive online security system was the only mechanism to control access to corporate data.
The goal of this case study was to simplify the firewall ruleset validation process by creating a central database of rulesets that enables reporting on existing vendor connections. The overall impact included compliance with auditing requirements, a more robust risk assessment of firewall rulesets, and centralized visibility bringing about management response.
Many companies are adopting a preference toward buying vendor software versus building software in-house to meet business needs. Some of the drivers for this preference are integration, scalability, outsourcing, support, speed-to market, process savings, and reducing the cost of information technology (IT).
The following document describes the tuning methodology design and implementation steps. It provides a step-by-step process of deployment within a medium size organization (all IP ranges have been changed to protect the innocent of course). The paper will focus on providing a methodology that may be used as a starting point to identify and minimize false positives.
This paper aims to discuss the challenges in putting together a secure Check Point Firewall-1 solution to protect our existing information and assets and that of our new acquisition. It is assumed that the reader will have a generic knowledge of firewalls, related terms and their use. In the paper the word 'policy' refers to the security document and the word 'rulebase' refers to the Check Point rules.
As the information security officer at a prominent utilities organization, I witnessed first hand the pitfalls of providing network security only at the network perimeter, the false sense of security, and the potential monetary, regulatory and credibility consequences this traditional solution provides.
By: Christopher Jackson (posted on September 16, 2004)
Many environments find it difficult at best to ensure the security posture of the devices under their direct control. Universities and like organizations have to tackle this problem without the ability to administratively control many of the computers attached to the network.
While conducting research for this practical I found that there were many different arenas that warrant a closer look. I chose honeypots for this practical because they allow an administrator to track and learn from black-hats first hand without the attacker ever being aware that somebody is watching.
I am a Security Analyst/Administrator for a medium sized company, ABC Inc. I, along with a team of System Administrators, am tasked with the responsibility of protecting our customers' confidential information, maintaining the integrity of our applications and keeping our systems available.
The Network Operations Center uses numerous tools ranging from Intrusion Detection (Snort) and Intrusion Protection (Tipping Point) to simple SNMP monitors (Netsight Element Manager). I will discuss how they use these tools to maintain a secure IT environment and assist Network Administrators as well as protect the campus community.
I have found myself in the fortunate position of working for a company full of bright, hard working people. While standout individual performances are encouraged and recognized, what makes our company successful is the ability for everyone to come together as a team when a crisis happens.
Spam is a huge annoyance for everyone. Fighting spam is difficult enough, but when spammers team up with hackers to produce ultra-sneaky Trojan horses that turn end-user computers into one stop proxies that allow spammers and hackers to hide their digital tracks, they've gone too far.
The goal of this project was to develop, implement and deploy solutions as well as supporting processes and standards to remediate and mitigate the risks that are inherent to utilizing UNIX server based trust relationships in an enterprise networked environment within 30 days.
The task of designing a secure infrastructure for IIS 5.0 web servers within a DMZ is difficult enough. Securing an existing DMZ becomes exponentially more difficult due to the added requirement of retrofitting those currently working servers with more appropriate security settings, policies and operational procedures while not adversely affecting website or application availability and keeping costs to a minimum throughout the process.
Providing highly secure workstations in public university libraries requires defining what is acceptable for the working environment and determining what types of security can be implemented to compensate for lesser security at lower layers at the workstation level.
A large research university presents a formidable challenge to computer security professionals. Among the hazards are a completely porous, non firewalled border and decentralized administration of computers.
Described in this paper are the administrative controls that were implemented to certify and accredit UNIX (herein referred to as UN*X) and Microsoft Windows (herein referred to as Windows) based computer systems for a financial institution (herein referred to as The Firm).
Corporate governance has a long history of ups and downs within US corporations. With the recent streak of scandals affecting public companies, governance and related legislation has again been brought into focus.
Unsolicited commercial e-mail has become an increasing issue in corporate environments. This case study examines the impact of unsolicited commercial email (also known as spam) on the productivity of employees in the research division of a large global corporation.
These multi-functional devices are very simple to set up and use, but may not provide us with the layered Defense In Depth functionality that we desire, nor will they provide the additional features of higher end components such as those made by Cisco.
This case study describes the procedures used to improve computer security within my department by following the principles of defense in-depth. It presents a step-by-step approach for improving security by defining risks, assessing vulnerabilities, and implementing measures to reduce the likelihood that those vulnerabilities may be exploited.
We used to be able to say, "If the laptop or computer is not owned by us, then it is not allowed to touch our network." However, over the last few years, business need has exceeded the desire to keep our network "pure" and many non-agency owned computers now have access to our local area network (LAN).
Due to growing concern over Information Security, I was approached by the director responsible for a company sponsored Cyber Cafe to evaluate the Cafe for Information Assurance and Network Security concerns. The director was concerned that a virus or other forms of cyber attack could cause extended downtime, which would have a negative impact on morale and productivity.
There has recently been call for Internet Service Providers to begin filtering traffic related to the spread of malicious data traffic such as viruses, worms and open proxy abuse to and from their end-users. This case study outlines the planning, implementation, and results phase of such an endeavour by a medium sized national Australian ISP.
Vulnerability assessment is an important part of any Defense in Depth implementation. I discovered that in my company vulnerability assessment was not being used to its full advantage inside the perimeter. My team was continually fighting the same battles against unpatched and vulnerable systems as they would acquire various viruses from the network.
This paper describes a method used in an actual case to circumvent seemingly adequate access controls by using the transparent caching mechanism of the WCCP protocol to abuse an otherwise protected network for the purposes of sending spam and connecting anonymously to unsavory sites.
By: Matthew Mickelson (posted on January 11, 2004)
The primary focus of this paper addresses security issues laid out by the CFO; specifically the following key areas for improvement which include: De-Centralized Architecture, Disaster Recovery, Continuity of Operations, Network and Server Availability.
No matter how secure the architecture, how complete the procedures, or how diligent and skilled the network support team is, nothing short of knowing and analyzing all changes inside and outside of the solution can protect an environment completely.
Wireless network cards are becoming quite common at my company especially in notebook computers. With this proliferation of wireless network cards have come requests from the users of these computers to access the corporate network using a wireless connection.
This case study explores sudo and Powerbroker, discussing their strengths and weaknesses as they apply to large scale work environments and their implications in considering your authentication - authorization process, and offers one possible solution which uses both applications in a manner to minimize some of the risks known to exist with shared accounts, both traditional and super-user.
This paper examines the threats and vulnerabilities of private wireless communications infrastructures, discusses the selection and prioritization of security countermeasures, and describes the security enforcing equipment and security management services that are now being introduced.
This paper provides a case study and serves as a methodology for dealing with any outsource where security is of concern, citing actual problems encountered and the solutions that were deployed, along with the tools used and the policies implemented.
This paper provides detail on an automated group provisioning/deprovisioning process developed for the management of security group membership requests and includes the Perl code designed to work with Critical Path's MetaConnect product as a constructed attribute.
This paper will examine the application of the security risk assessment process to a rather complex project from the initial phases of its design prior to security risk assessment to its production state. It will discuss how risks were assessed and identified and show how the risk assessment process changed the final outcome of the project.
This case study opens with recognition of the security and privacy issues within the Agency and walks through the process of remediation, securing the use of sensitive data, development and implementation of strong policies, and initiating a solid monitoring system at very low cost due to a deteriorating budget scenario.
The following discussion provides the process that I used to configure my portion of the label controlled file transfer system, touching on Trusted Solaris (TSOL), the secure operating system, Washington University File Transfer Protocol Daemon (wuftpd), file transfer program, and a chroot jail, along with the suggested direction of implementation.
This case study outlines the steps that my university took to transition from an open network to one that balances the needs of faculty doing teaching and research, students needing to learn as well as be entertained and staff that require a secure and stable network environment to perform their business functions.
This paper will demonstrate how the real-world security problem of remote access to an Enterprise network was addressed and validated (post-implementation) through the Internet Security Alliance's (ISA) Common Sense Guide for Senior Managers.
As a senior network administrator, I became project leader and was responsible for directing our security initiative to replace our existing remote access facilities with encrypted Virtual Private Networking (VPN) technology.
This paper addresses how the added protection mechanisms supplied by the implementation of a Sidewinder firewall appliance, along with strict "least privilege" access control policies, would assist the Designated Approval Authority in accepting the new minimized level of risk and, therefore, approving the site's new DITSCAP accreditation.
Our software firm's financial application was developed on a traditional client-server model, and this paper explores some of the security issues and the process that we (the software vendor) and our client (the ASP provider) used to securely implement a solution.
This paper explores the issues we had to negotiate in strengthening our passwords, some of the special situations which had to be handled as exceptions to the policy, and our planned future directions.
This paper relates the procedures and policies that were put into effect to increase the security of the system, post attack, and how those procedures might affect the way the system will be used in the future to conduct the business of the school.
Several aspects of the university's business environment are unique only to universities and this paper explores the effect of the student user group within the environment and the problems they can create for information security initiatives.
The purpose of this document is to point out some common elements from the guidelines published to regulate computer security and suggest administrative action and technical solutions to build a network that may be connected to the Internet, and still obtain/retain a classification up to and including NATO RESTRICTED.
This paper addresses basic areas of information security such as policy, security awareness training, restricting access, monitoring and intrusion detection, and incident response that can keep your networks as secure as possible.
Using my experience from working at an Australian university, this paper addresses how the number of internal and external threats is increasing, providing intruders with a vast array of ways to compromise university machines.
This paper is an attempt to not only briefly cover the basics of computer security that should be in use by everyone, but also an attempt to introduce to those unfamiliar with the extra challenges of supporting law enforcement what additional computer security precautions need to be addressed.
By: Nikhil Viswanathan (posted on October 31, 2003)
The aim of this paper was to analyze the security framework of Microsoft .NET, and examine whether its components and features will deliver Microsoft chairman Bill Gates his ambition of transforming Microsoft into the leading software provider of web services and "trustworthy computing".
Pharmaceutical companies are subject to regulations imposed by the FDA (Food and Drug Administration), and this paper details the relevant regulations for security professionals and the special concerns they pose.
This paper identifies critical computing resources used in a small community college, develops a method of defining risk, presents a network design as well as implements security policies to address risks, and formulates a long term strategy for securing vital campus resources.
By: Frederick Garbrecht (posted on October 31, 2003)
This paper presents some of the options available to access the Windows Event log and demonstrates how to implement a versatile centralized remote logging solution using a commercially available Win32 implementation of the Syslog protocol.
By: Gregory J. Golightly (posted on October 31, 2003)
This paper presents a 'before and after' look at helping a non-profit organization with assets of over a billion dollars secure their infrastructure using a best practice approach, expert knowledge, along with vulnerability assessment tools by ISS.
By: Kenneth Underwood (posted on October 31, 2003)
Knowing what traffic is leaving your network is like turning on the light where there was once darkness. This paper will give examples of what I found in our corporate network, and what I did about it.