SANS InfoSec Reading Room - Auditing & Assessment

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

Featuring 70 papers as of May 25, 2013

Methodology for Firewall Reviews for PCI Compliance

By: K. Warren (posted on April 18, 2013)

The focus of the firewall review methodology described in this document is on ensuring ongoing compliance with PCI DSS rather than compliance at a point in time such as when the PCI assessor is coming.

Auditing ASP.NET applications for PCI DSS compliance

By: Christian Moldes (posted on February 7, 2012)

This paper intends to provide specific guidance on how to audit ASP.NET applications and validate that they meet PCI DSS requirements. It does not intend to provide guidance on how to conduct penetration tests on ASP.NET applications, identify secure coding vulnerabilities, or remediate ASP.NET vulnerabilities.

Auditing Windows Environments PowerShell XML output, windows security, ossams

By: Cody Dumont (posted on February 7, 2012)

A security professional often performs security assessments for customers and will use many tools to collect data. Each tool stores data in a separate format; this requires the assessor to develop a proprietary automated process or use a manual process to correlate all the data.

Base64 Can Get You Pwned

By: Kevin Fiscus (posted on September 12, 2011)

Helix Pharmaceuticals is worried about security. In the cutthroat world of multi-billion dollar pharmaceutical companies, industrial espionage is a significant concern. In addition, political and social activists continually attempt to disrupt business as retribution for perceived injustices.

Scoping Security Assessments - A Project Management Approach

By: Ahmed Abdel-Aziz (posted on June 7, 2011)

Security assessments can mean different things to different people. This paper will explore what a security assessment is, why it should be done, and how it is different than a security audit.

Wireless Networks and the Windows Registry - Just where has your computer been?

By: Jonathan Risto (posted on May 6, 2011)

The Windows Registry stores all of the information that is needed by the host operating system. This database contains all of the configurations, settings and options that are both created initially by the operating system, as well as user configuring settings and installed software.

Auditing for Policy Compliance with QualysGuard and CIS Benchmarks

By: Stewart James (posted on February 18, 2011)

In today's information security world, most enterprises are either already moving toward or seriously considering moving toward compliance with any number of a variety of security standards that represent best practice (SANS, 2010a). There is always a risk that the efforts to gain compliance with an external body fade after the initial audit is performed. Ongoing reporting and measuring is required to ensure consistent compliance. Once an initial audit it is completed, it is possible for people to focus on other areas of their business, unless there are follow up audits to ensure ongoing compliance, it is quite possible for some items to fall out of compliance. Continual measurement and reporting will aide in raising awareness to any areas that may need addressing.

Successful SIEM and Log Management Strategies for Audit and Compliance

By: David Swift (posted on November 9, 2010)

While there are any number of compliance regulations (SOX, GLBA, PCI, FISMA, NERC,HIPAA...see Appendix E for and overview and links to regulations), and auditors follow various frameworks (COSO,COBIT,ITIL...see Appendix F for and overview and reference links), there are a few common core elements to success.

Choosing corporate level instant messaging system and implementing audit controls

By: Mikko Niemelä (posted on September 14, 2010)

Instant messaging system (IM) is a type of communications service over the Internet that enables users to exchange messages and presence status. Instant messaging systems are split in to two groups: public instant messaging systems and corporate-grade instant messaging systems. The most popular public systems are AOL Instant Messenger, ICQ, MSN Messenger, and Yahoo! Instant Messenger. Corporate-grade leaders are Microsoft Office Live Communications, IBM Lotus Sametime, Skype for business and Jabber. (Amman, Mohammad; van Oorschot, P.C, 2005)

Outsourced Information Technology Environment Audit

By: Navaratnasingam Arunanthy (posted on April 27, 2010)

Outsourcing was hyped in the mid 90’s as one way to reduce IT cost, as well as to gain expertise for better business operations. Today some or many of the information technology activities in many organizations are outsourced. “IT outsourcing occurs when an organization contracts a service provider to perform an IT function instead of performing the function itself. The service provider could be a third party or another division or subsidiary of a single corporate entity. Increasingly, organizations are looking offshore for the means to minimize IT service costs and related taxes.”(CICA, 2003) Outsourced environments are complex and highly integrated with organizations and operations. As complexity increases managing relationships with service providers becomes challenging. “A survey performed by the IT Governance Institute indicates that problems with outsourcers increased on year 2007 from 74 Compound Problem Index (CPI) on year 2005 to 127 CPI. The CPI is the result of multiplying the outcomes from the several questions about the IT-related problems experienced by the749 respondents.”(ITGI, 2008)

Effective Use Case Modeling for Security Information & Event Management

By: Daniel Frye (posted on March 10, 2010)

With today’s technology there exist many methods to subvert an information system which could compromise the confidentiality, integrity, or availability of the resource. Due to the abstract nature of modern computing, the only way to be reliably alerted of a system compromise is by reviewing the system’s actions at both the host and network layers and then correlating those two layers to develop a thorough view into the system’s actions. In most instances, the computer user often has no indication of the existence of the malicious software and therefore cannot be relied upon to determine if their system is indeed compromised.

One Admin's Documentation is their Hacker's Pentest

By: Rob VandenBrink (posted on March 8, 2010)

This paper describes the background, design and specifics of an automated, script based documentation system for IT infrastructure called IT-DOCS. We begin with a short background on scripting, outlining common motives for scripting – for simplifying common, repetitive operations, to facilitate repeatability for benchmarks and audits, and for training and education purposes. It is felt that the IT-DOCS project fills all three of these goals.

Analyzing Enterprise PKI Deployments

By: Walter Goulet (posted on February 26, 2010)

PKI deployments can provide many security services and benefits to enterprises. However, unless the PKI is deployed and operated in accordance with security best practices, the security benefits will not be realized as attackers can take advantage ofweaknesses in the deployment to forge certificates, gain access to the infrastructure and so on.

Simple Windows Batch Scripting for Intrusion Discovery

By: Tim Proffitt (posted on September 29, 2009)

Common free tools and automatic batch scripting that can be used to identify an intrusion on a Windows operating system.

Post Acquisition Audit in 30 Days

By: Brad Ruppert (posted on May 4, 2009)

This paper will discuss the steps required to develop a high level risk-based post acquisition IT audit and means of conducting the audit in less than 30 days.

Auditing Nokia Firewall

By: Richard Sokal (posted on June 18, 2008)

The subjects of this Audit are Nokia IP530 Appliances running Checkpoint Firewall software. The Nokia/Checkpoint firewalls serve as components of the security architecture that protects EastCoast Enterprises’ corporate information assets from both external and internal threats.

Creating a Comprehensive Vulnerability Assessment Program for a Large Company Using QualysGuard

By: Tim Proffitt (posted on March 31, 2008)

Auditing a Corporate Log Server

By: Roger Meyer (posted on February 1, 2008)

WiFi with BackTrack

By: Antonio Merola (posted on December 24, 2007)

The idea behind this paper is to help auditors (especially whom not familiar with Linux) with wireless issues; it is a real hassle getting wireless works, either simply joining a network as legitimate client or conducting wireless audit, along with the plethora of tools available to wireless PenTesters. Before you eventually "go off", after days gone-by looking here and there, have a look to this guide, I do really hope you master Wi-Fi with BackTrack after this reading.

NSS Vs NDS

By: Robert Edwards (posted on November 5, 2007)

Certification and Accreditation: A madmans dilemma - Costs

By: Robert Edwards (posted on November 5, 2007)

Certification and Accreditation: A madmans dilemma - Controls

By: Robert Edwards (posted on November 5, 2007)

Certification and Accreditation for Dummies

By: Robert Edwards (posted on November 5, 2007)

Certification and Accreditation (C&A) Vs System Development Life Cycle Management (SDLC)

By: Robert Edwards (posted on November 5, 2007)

A Taxonomy of Information Systems Audits, Assessments and Reviews

By: Craig Wright (posted on June 20, 2007)

The paper will cover the types, history and basis for each type of service. The paper statistically compares the strengths and weaknesses of each and sets out a scientifically repeatable foundation for the deterministic nomenclature used in the industry.

VPNScan: Extending the Audit and Compliance Perimeter

By: Rob VandenBrink (posted on February 12, 2007)

This paper outlines specifically how VPNSCAN was built, with policy and implementation issues found in various customer environments.

A Guide to Security Metrics

By: Shirley C. Payne (posted on January 18, 2007)

This guide provides a definition of security metrics, explains their value, discusses the difficulties in generating them, and suggests a methodology for building a security metrics program.

Aligning an information risk management approach to BS 7799-3:2005

By: Ken Biery (posted on November 13, 2006)

This paper discusses the need and importance of information risk management in terms of business and organizational priorities.

An Introduction to Information System Risk Management

By: Steve Elky (posted on June 6, 2006)

Key elements of information security risk, offering insight into risk assessment methodologies.

A Practical Guide to Auditing an ASP

By: Johanna Ollinger (posted on May 17, 2005)

Auditing an Application Service Provider (ASP) can be a difficult and arduous task for the auditor and auditee alike. Since ASPs service such a wide variety of businesses there may be several regulations that an ASP may be audited against.

Sarbanes-Oxley Information Technology Compliance Audit

By: Dan Seider (posted on May 17, 2005)

This paper provides a basic review of the background literature (i.e. extensive but not exhaustive) and develops a process model so that a professional IT Auditor may readily appreciate the subtleties of the Sarbanes Oxley audit process.

B.A.S.E. - A Security Assessment Methodology

By: Gregory Braunton (posted on May 5, 2005)

At a fundamental level, much like a chain, the Internet is a collection of organizations' business networks inter-linked that form the digital infrastructure of the world. This infrastructure forms a global information grid that harnesses the potential (good and bad) for any node to access any other node worldwide.

Information Systems Security Architecture: A Novel Approach to Layered Protection

By: George Farah (posted on January 22, 2005)

The purpose of this paper is to demonstrate how to develop an information systems security architecture in a complex environment with few security measures in place. The case study illustrated will provide the reader with a set of guidelines that can be used to develop security architecture components that allow for scalable and secure IT infrastructure.

The Application Audit Process - A Guide for Information Security Professionals

By: Robert Hein (posted on January 22, 2005)

This paper is meant to be a guide for IT professionals, whose applications are audited, either by an internal or external IS audit. It provides a basic understanding of the IS Audit process

Information Systems Security Architecture A Novel Approach to Layered Protection

By: George Farah (posted on January 19, 2005)

The purpose of this paper is to demonstrate how to develop an information systems security architecture in a complex environment with few security measures in place. The case study illustrated will provide the reader with a set of guidelines that can be used to develop security architecture components that allow for scalable and secure IT infrastructure.

Using Vulnerability Assessment Tools To Develop an OCTAVE Risk Profile

By: Andrew Storms (posted on March 25, 2004)

Threats to information technology are ever increasing and many organizations are spending much money and time in attempting to fix security problems. Before one can think about remediation, assets worth protecting and knowing what to protect those assets from must be defined.

Red Teaming: The Art of Ethical Hacking

By: Christopher Peake (posted on December 13, 2003)

This paper justifies the need for Red Teaming which is a process designed to detect network and system vulnerabilities and test security by taking an attacker-like approach to system/network/data access, to provide an accurate situational awareness for network/system security.

Application Of The Nsa Infosec Assessment Methodology

By: Kathryn Cross (posted on October 31, 2003)

This paper will look at the structure of the NSA INFOSEC Assessment Methodology and provide an example of the use of the IAM for a fictitious firm, GIAC International Schools, Inc.

Conducting an electronic information risk assessment for Gramm-Leach-Bliley Act compliance.

By: Kevin Bong (posted on October 31, 2003)

The process involves listing each technology and vendor service and categorizing these systems based on the data they process or store.

Security Program Management and Risk

By: Archie Andrews (posted on October 31, 2003)

This paper argues for building a security management program on a foundation of business risk assessment and risk management. It defines and explains risk, risk assessment, risk management and relates business risk management to security risk management.

Strategies for Improving Vulnerability Assessment Effectiveness in Large Organizations

By: Robert Huber (posted on October 31, 2003)

This paper will detail how to reduce the impact of the vulnerability assessment program in your organization, how to provide actionable items to those responsible for performing the work, how to effectively reduce high risk, and how to provide senior management with metrics that show actual risk reduction.

Application Security, Information Assurance's Neglected Stepchild - A Blueprint for Risk Assessment

By: Ted Mina (posted on October 31, 2003)

In this paper we will focus on how to properly assess the security of application software.

Information System Security Evaluation Team: Security Insurance?

By: Bruce Swartz (posted on October 31, 2003)

This document proposes an idea that can help certain organizations (those with multiple geographically dispersed entities) establish and maintain a relatively high degree of security and reduce the risk of disruption of business operations.

The Art of Reconnaissance - Simple Techniques

By: Sai Bhamidipati (posted on October 31, 2003)

After reading myriad articles on Internet security and hacking, the author is convinced that every security conscious computer professional must learn the ways of the hacker.

Footprint Your Intranet

By: Bob Brown (posted on October 31, 2003)

Software tools are available to help maintain a current knowledge of an organization's intranet, a network "footprint".

Footprinting: What Is It, Who Should Do It, and Why?

By: James P. McGreevy (posted on October 31, 2003)

There are many devices available to the hacker to footprint your company's network: use these tools to find the weaknesses before they do.

A Perspective on Threats in the Risk Analysis Process

By: Arthur Nichols (posted on October 31, 2003)

A close look at one of the initial steps in Risk Analysis, Threat Analysis, demonstrating why it is important in successfully identifying key assets.

System Identification for Vulnerability Assessment

By: Michael C. Harris (posted on October 31, 2003)

A description of one company's journey using existing software utilities to identify the hardware and software that places their network at risk.

Conducting a Penetration Test on an Organization

By: ChanTuck Wai (posted on October 31, 2003)

A methodology for executing penetration testing.

Port Scanning Techniques and the Defense Against Them

By: Roger Christopher (posted on October 31, 2003)

A discussion on port scanning and how to limit the exposure of open ports to authorized users as well as deny access to the closed ports.

Distributed Scan Model for Enterprise-Wide Network Vulnerability Assessment

By: Alexander Lopyrev (posted on October 31, 2003)

New 3rd generation scanning tools implement a client/server solution with centralized console to manage remote scanning agents, making it easy to conduct scans on a regular basis and quickly report vulnerabilities.

Auditing Inside the Enterprise via Port Scanning & Related Tools

By: Bob Konigsberg (posted on October 31, 2003)

A number of commercial, freeware, demo, and open source tools to maintain and verify state of all systems on an network are described along with how best to use those tools to identify problems.

An Overview of Threat and Risk Assessment

By: James Bayne (posted on October 31, 2003)

The purpose of this document is to provide an overview of the process involved in performing a threat and risk assessment

Seeking Security: The New Paradigm for Government Agencies

By: Stephan H. Chapman (posted on October 31, 2003)

This guide is divided into five comprehensive activities to be used by "Any-Agency" IT operations personnel to begin to eliminate the security vulnerabilities associated with IT assets.

Case Study - TruSecure Security Certification

By: David Vos (posted on October 31, 2003)

This paper describes the security certification process conducted by TruSecure Security Corporation on a company called K-Co; a fictitious name used to protect the innocence of the financial firm used in this case study.

Proactive Vulnerability Assessments with Nessus

By: Jason Mitchell (posted on October 31, 2003)

A discussion of vulnerability scanning in general, what Nessus is all about, how to begin scanning your network, and finally why a vulnerability scanner is an essential component of an effective security model.

Information Classification - Who, Why and How

By: Sue Fowler (posted on October 31, 2003)

This paper will clarify who should be determining appropriate company protection needs.

Evaluating Untrusted Software In a Controlled Environment

By: Jeff Reava (posted on October 31, 2003)

To address the key business concern of "is this software safe to download and use?", a lightweight filtering methodology is proposed that will yield a reasonably reliable answer with a very modest resource and time investment.

How-To Make Linux System Auditing a Little Easier

By: Paul J. Santos (posted on October 31, 2003)

A discussion of various programs and utilities that can be used to audit your Linux system and how to put them all together in one script to make daily system auditing a little easier

Quantitative Risk Analysis Step-By-Step

By: Ding Tan (posted on October 31, 2003)

In this paper, the use of a centralized data table containing reference data and estimating techniques for some of the key variables for determining risks and losses will help to present a stronger case for security improvement to management.

A Qualitative Risk Analysis and Management Tool - CRAMM

By: Zeki Yazar (posted on October 31, 2003)

This paper explains basic components of risk analysis and management processes and mentions different methodologies and approaches, with a thorough look at CRAMM.

The Institutional Need for Comprehensive Auditing Strategies

By: Steward Milus (posted on October 31, 2003)

This paper examines the challenges in today's regulatory environment for financial institutions (primarily from the large institution's perspective, since they undergo the greatest scrutiny) and makes the argument that a high level, comprehensive auditing strategy is needed to allow organizations to respond effectively.

Security Auditing: A Continuous Process

By: Pam Page (posted on October 31, 2003)

This paper will help you determine how to successfully configure your W2K file and print server, monitor your server, have an action plan and be prepared for a successful security audit on that server. Although this audit will center on W2K servers, the same principals can be applied to other server audits.

Network- and Host-Based Vulnerability Assessments: An Introduction to a Cost Effective and Easy to Use Strategy.

By: Ragi Guirguis (posted on October 31, 2003)

The purpose of this research was to investigate a convenient, efficient, and cost-effective method for conducting vulnerability assessments.

Data-Centric Quantitative Computer Security Risk Assessment

By: Brett Berger (posted on October 31, 2003)

In this paper a quantitative risk assessment strategy is outlined with brief discussions of threat, risk categories and data classification.

Wireless Network Audits using Open Source tools

By: Edouard Lafargue (posted on October 31, 2003)

The intention of this paper is to show that Open Source tools are particularly well-suited for doing WiFi surveys, and will detail a practical setup and the capabilities it offers.

Auditing-In-Depth For Solaris

By: Jeff Pike (posted on October 31, 2003)

The goal of this paper is to provide an effective and simple method for in-depth auditing and hardening of Solaris.

Security Assessment Guidelines for Financial Institutions

By: Karen Nelson (posted on October 31, 2003)

This paper will discuss the five information security assessment processes, identified by the Federal Financial Institutions Examination Council (FFIEC)1 and other financial regulators, as core components of a financial institution information security program, especially in fulfilling Gramm-Leach-Bliley Act (GLBA), and relevant with other, similar requirements.

Conducting a Security Audit of an Oracle Database

By: Egil Andresen (posted on March 8, 2002)

Auditing access controls to oracle databases.

Defining a Risk Assessment Process for Federal Security Personnel

By: Kathleen Federico (posted on January 26, 2002)

One goal of this paper is to provide general guidance on security resources for federal information system security officers within a federal agency.