SANS InfoSec Reading Room - Best Practices
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.
Featuring 42 papers as of Nov 8, 2009
Best Practices in Data Protection: Encryption, Key Management and Tokenization
- By: nuBridges, inc (posted on September 29, 2009)
-
Best practices in encryption, key management and tokenization and how an integrated, multi-level solution can effectively meet these best practices.
Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder data
- By: nuBridges, inc (posted on September 29, 2009)
-
Exploring the use of tokenization as a best practice in improving PCI DSS compliance, while at the same time minimizing the cost and complexity of PCI DSS compliance by reducing audit scope.
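The two nuBridges abstracts above describe tokenization without showing the mechanism. The following is an added illustration, not code from either paper or from nuBridges' product: a minimal token vault in Python. The vault is the only component that ever holds a card number (PAN); application databases, logs and receipts keep only the token, which is what removes them from PCI DSS audit scope. The tokens are format-preserving (same length, digits only, last four kept) but random, not derived from the PAN, and are rejected if they happen to pass the Luhn check so that a token can never be mistaken for a real card number. The HMAC index key (assumed to come from a key manager), the test PAN 4111 1111 1111 1111 and the in-memory vault layout are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by card numbers; tokens are deliberately made to fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Minimal tokenization vault: the only component that ever sees a PAN.

    Constructed example, not nuBridges' product. Everything outside the vault
    stores only tokens, which is what takes those systems out of PCI DSS scope.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # HMAC key for the lookup index; assumed to come from a KMS
        self._pan_by_token = {}       # token -> PAN; in a real vault this column is encrypted at rest
        self._token_by_mac = {}       # HMAC(PAN) -> token, so re-tokenizing the same PAN is
                                      # idempotent without keeping a plaintext PAN index

    def _normalize(self, pan: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a syntactically valid PAN")
        return pan

    def _random_token(self, pan: str) -> str:
        # Format-preserving: same length, digits only, last four kept so receipts and
        # customer service still work; the rest is random, not a function of the PAN.
        head = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
        return head + pan[-4:]

    def tokenize(self, pan: str) -> str:
        pan = self._normalize(pan)
        mac = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        if mac in self._token_by_mac:
            return self._token_by_mac[mac]
        while True:
            token = self._random_token(pan)
            # Reject collisions and any candidate that passes Luhn: a token that can
            # never be a valid card number (and so never equals the original PAN)
            # is safe to log, display and store outside the vault.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_mac[mac] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the few systems that genuinely need the PAN (e.g. settlement) may call this."""
        try:
            return self._pan_by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None


if __name__ == "__main__":
    vault = TokenVault(index_key=b"example-index-key-from-kms")
    token = vault.tokenize("4111 1111 1111 1111")   # standard test PAN, constructed input
    print("token stored by the application:", token)
    print("PAN recovered only inside the vault:", vault.detokenize(token))
```

Scope reduction follows from the data flow, not from the token format: every system that can call `detokenize`, and the vault itself, stays in scope, so that call should be reachable from as few hosts as possible and the vault's index key and at-rest encryption key must be managed separately from the application.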
Building a Security Practice within a Mixed Product-R&D and Managed-Service Business
- By: Evan Scheessele (posted on July 27, 2007)
-
Sudo for Windows (sudowin)
- By: Andrew Kutz (posted on February 14, 2007)
-
The original Sudo application was designed by Bob Coggeshall and Cliff Spencer in 1980 within the halls of the Department of Computer Science at SUNY/Buffalo. Sudo encourages the principle of least privilege; that is, a user operates with the bare minimum of privileges on a system until the user requests a higher level of privilege in order to accomplish some task.
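As an added example of the least-privilege point (not code from Kutz's paper or from sudowin), here is a small Python audit of a Unix sudoers policy that flags grants which defeat the principle: a user or group allowed to run ALL commands (worse still with NOPASSWD), or allowed to run a shell or su, which is equivalent to ALL however narrow the rest of the rule looks. The sudoers fragment is constructed for the example; its `backup` and `dba` lines show the shape a least-privilege grant should take, an explicit run-as user and an explicit command list, and produce no findings.

```python
import re
from dataclasses import dataclass

# Constructed sudoers fragment for this example (not from the paper or from sudowin).
SAMPLE_SUDOERS = """
Defaults    env_reset
root        ALL=(ALL) ALL
%wheel      ALL=(ALL) NOPASSWD: ALL
deploy      ALL=(ALL) ALL
backup      ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/tar
webadmin    ALL=(root) /usr/sbin/service httpd restart, /bin/sh
dba         ALL=(postgres) /usr/bin/psql
"""

# Binaries that hand out an interactive shell or a new identity: granting one is
# the same as granting ALL.
SHELLS = {"/bin/sh", "/bin/bash", "/usr/bin/bash", "/bin/dash", "/bin/zsh",
          "/usr/bin/zsh", "/bin/su", "/usr/bin/su"}
ALIAS_KEYWORDS = {"Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias"}

# user-or-group  host = (runas) [TAG:] command[, command ...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAG_RE = re.compile(r"^((?:[A-Z]+:\s*)+)(.*)$")


@dataclass
class Finding:
    who: str
    severity: str
    reason: str


def parse_commands(rest: str):
    """Split 'NOPASSWD: /usr/bin/rsync, /bin/tar' into ({'NOPASSWD'}, ['/usr/bin/rsync', '/bin/tar'])."""
    tags = set()
    m = TAG_RE.match(rest)
    if m:
        tags = {t.rstrip(":") for t in m.group(1).split()}
        rest = m.group(2)
    cmds = [c.strip() for c in rest.split(",") if c.strip()]
    return tags, cmds


def audit(sudoers_text: str):
    """Return least-privilege findings for each user specification, in file order.

    Simplified parser: alias definitions, #include lines and line continuations are
    skipped rather than expanded, so resolve aliases before relying on the result.
    """
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.split()[0] in ALIAS_KEYWORDS:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        who, runas, rest = m.group("who"), m.group("runas") or "root", m.group("rest")
        if who == "root":
            continue  # root's own grant is conventional and adds no privilege
        tags, cmds = parse_commands(rest)
        if "ALL" in cmds:
            nopass = "NOPASSWD" in tags
            findings.append(Finding(
                who, "critical" if nopass else "high",
                f"may run any command as {runas}" + ("; no password required" if nopass else "")))
        for cmd in cmds:
            binary = cmd.split()[0]
            if binary in SHELLS:
                findings.append(Finding(who, "high", f"{binary} gives an interactive shell, equivalent to ALL"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"{f.severity:8} {f.who:10} {f.reason}")
```

Run against the sample, the audit reports `%wheel` (critical), `deploy` (high) and `webadmin` (high, because of `/bin/sh`); the fix in each case is the same as the `backup` line: name the run-as user and list the exact commands, and reserve NOPASSWD for non-interactive jobs that run only those commands.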
Beyond the Preoccupation with Certification & Accreditation
- By: Kevin Esser (posted on May 5, 2005)
-
Seeking and achieving formal Certification and Accreditation of systems designed for use within the Department of Defense is a statutory requirement and a necessary part of a system's overall Information Assurance program.
Midrange & Mainframe systems for Security Policies compliance control Tool
- By: Pierre Cailloux (posted on February 12, 2005)
-
The goal of this document, within the scope of the practical exam for the GSEC (SANS) option 2, is to present a solution for a company to manage and apply computing security rules on Mainframe and Midrange systems, as well as on Facilities Management systems that must comply with other, customer-specific security rules.
Network Security and the SMB
- By: Matthew Hawley (posted on January 28, 2005)
-
Network security is an issue for all businesses. The challenges faced by small-to-medium size businesses (SMBs) are unique and significant.
Internal Security in an Engineering Development Environment
- By: Art Homs (posted on January 17, 2005)
-
Organizations that design, develop, test, and support IP based products present unique security challenges in a converged services network. In an ideal scenario, engineering labs where these activities take place are insulated from the corporate environment to prevent interactions that can compromise corporate network confidentiality, integrity, and availability.
Patch Management and the Need for Metrics
- By: Ken MacLeod (posted on August 28, 2004)
-
The principal objective of 'Patch Management and the Need for Metrics' is to demonstrate that organisations cannot meaningfully assess their security posture, with reference to their patch status, without the use of appropriate metrics.
Host Assessment and Risk Rating
- By: Radhika Vedaraman (posted on August 28, 2004)
-
Corporate websites get defaced; business activities of organizations get crippled; identity stolen; confidential information made public - all because of not securing information and resources, and not taking precautions necessary to protect against attacks.
Applied Principles of Defense-in-Depth: A Parent's Perspective
- By: Tom Miles (posted on August 25, 2004)
-
This paper will seek to shift the paradigm of the traditional information security model as it applies to business and employees to a more personal model of home and fami
Using Proactive Depth in Defense to Ease Patch Management Problems
- By: David Gadue (posted on August 15, 2004)
-
Information Security experts agree that "Depth in Defense" is a crucial concept in securing information assets for every organization.
Computer Security And The Law: What You Can Do To Protect Yourself
- By: Karen Poffenbergen (posted on July 25, 2004)
-
Working as a defense contractor, one knows the importance of security regulations and directives. However, do these regulations really protect our mission critical data?
Beyond Patch Management
- By: Dan Shauver (posted on July 25, 2004)
-
Systems maintenance, including operating system and software upgrades and patch management, has long been a major factor in security-related incidents. Application upgrades and patches can be equally necessary to system integrity, yet are equally likely to be ignored.
Printing the Paper and Serving the News after a Localized Disaster
- By: John Soltys (posted on June 9, 2004)
-
A case study detailing the implementation of a business continuity plan for a regional newspaper. This study covers the requirements-gathering process, testing, and implementation of a series of plans jointly developed by members of the newsroom, IT, online staff, and operations.
The Art of Web Filtering
- By: Robert Alvey (posted on April 8, 2004)
-
Web filters are designed to improve the security and productivity of a network, but as with anything else, they must be implemented correctly to work properly. To ensure a web filter is implemented successfully, several factors need to be considered.
Keys to Implementing a Successful Security Information Management Solution (or Centralized Security Monitoring)
- By: Michael Martin (posted on January 11, 2004)
-
This paper provides nine keys to implementing a successful SIM solution.
Securing the Network in a K-12 Public School Environment
- By: Russell Penner (posted on December 21, 2003)
-
This paper addresses the K-12 public education data network environment which presents special needs and requirements, including privacy (confidentiality), data integrity, and content filtering.
Defense-In-Depth Applied to Laptop Security: Ensuring Your Data Remains Your Data
- By: Chris Grant (posted on December 13, 2003)
-
This paper illustrates how to apply a Defense-In-Depth strategy to protect laptop systems.
8 Simple Rules For Securing Your Internal Network
- By: Douglas Ford (posted on November 6, 2003)
-
This paper will focus on eight areas that a company can look at to make their internal network just as hard and crunchy on the inside as on the outside.
Endusers - A Critical Link in the Chain of Security
- By: Dana Brigham (posted on October 31, 2003)
-
Establishing the security of Information System (IS) resources is an important and major undertaking in any organization.
Security in Practice - Reducing the Effort
- By: Leon Pholi (posted on October 31, 2003)
-
This paper covers the ten most vital steps in attempting to achieve a good base level of security, which can then be built upon.
Designing a Secure Local Area Network
- By: Daniel Oxenhandler (posted on October 31, 2003)
-
This paper examines some of the issues in designing a secure Local Area Network (LAN) and some of the best practices suggested by security experts.
OpenVMS 7.2 Security Essentials
- By: Jeff Leving (posted on October 31, 2003)
-
This paper attempts to build on the foundational article submitted by Steven Bourdon in March 2002 (Bourdon), by providing a security-focused overview of the basic tasks performed when installing a standalone OpenVMS server.
Securing an Application: A Paper on Plastic
- By: Joe Rhode (posted on October 31, 2003)
-
This paper discusses the process of integrating a credit card application into the front end of already existing accounting and payments processing applications, the information risk analysis process needed, and the action plan to implement the mitigating controls.
The Internal Threat to Security Or Users Can Really Mess Things Up
- By: Charles Rhodes (posted on October 31, 2003)
-
This paper describes some of the security measures you can implement to help ensure the availability of your network despite users' actions.
Pre-Development Security Planning
- By: Keith Marohn (posted on October 31, 2003)
-
This document will outline the basic steps that should be completed before code development begins to ensure delivery of a successful project.
System Administrator - Security Best Practices
- By: Harish Setty (posted on October 31, 2003)
-
This paper discusses some of the best practices, without getting into specifics of any particular operating system or version.
Vulnerability Identification and Remediation Through Best Security Practices
- By: BJ Bellamy (posted on October 31, 2003)
-
This paper looks at Vulnerability Identification Studies which focus on identifying the enticements, common vulnerabilities, and information leakage, the things that account for most of the risk to IT (Information Technology) that we face today.
Centralized Network Security Management: Combining Defense In Depth with Manageable Security
- By: Scott Rasmussen (posted on October 31, 2003)
-
With a few careful considerations for data redundancy and archival, centralized network security management can take advantage of the full power and potential of defense-in-depth and a hardened security posture.
A Survival Guide for Security Professionals
- By: Conrad Morgan (posted on October 31, 2003)
-
This survival guide aims to assist security professionals to balance the responsibilities and requirements of their role to avoid stress and burnout.
Who Wants To Be A Weakest Link?
- By: Russell T. Hany (posted on October 31, 2003)
-
This paper emphasizes the need to convey good security practices throughout an organization, because the "weakest link" can be located anywhere along a company's "chain."
Securing Our Critical Infrastructures
- By: Chris A. Brooks (posted on October 31, 2003)
-
In the event of a successful attack, limiting the amount of damage and quickly redistributing the assets to maintain a minimum essential infrastructure is critical in keeping the defense and national economy functioning.
Open Source Risk Mitigation Process
- By: Carlos Casanova (posted on October 31, 2003)
-
The Open Source Risk Mitigation Process described in this paper is a tool for corporations to use when trying to understand why a seemingly simple decision to use "free" Open Source software should be taken very seriously.
Secure Computing - An Elementary Issue
- By: Susan J. Briere (posted on October 31, 2003)
-
This paper was developed as a resource for elementary school technical support personnel responsible for maintaining a safe and secure computing environment.
Securing Your RILOE Cards
- By: Rick McCarter (posted on October 31, 2003)
-
This paper outlines the components of the RILOE card, its detailed features and functionality, pre-installation tips, physical installation instructions, physical setup instructions, and initial setup configuration parameters.
Implementing Least Privilege at your Enterprise
- By: Jeff Langford (posted on October 31, 2003)
-
This paper provides background on enterprise security, offers some rationale to help develop support for its acceptance, and identifies ways it can be implemented within your enterprise.
Federal Information Technology Management and Security
- By: John Hopkins (posted on October 31, 2003)
-
This paper examines the long-standing vision of one senior OMB manager to reinforce a seven-year-old plan he helped draft that uses the Federal IT budget planning process to accomplish these three principal objectives.
A Practical Methodology for Implementing a Patch Management Process
- By: Daniel Voldal (posted on October 31, 2003)
-
This paper presents one methodology for identifying, evaluating and applying security patches in a real world environment along with descriptions of some useful tools that can be used to automate the process.
A Guide to Government Security Mandates
- By: Christian Enloe (posted on October 31, 2003)
-
This document endeavors to provide the reader with a solid understanding of the certification process, the order in which the steps should be completed, and some lessons learned from actual experience.
Using a Capability Maturity Model to Derive Security Requirements
- By: Mike Phillips (posted on October 31, 2003)
-
This paper will discuss the use of these base practices in the formation of security requirements.
Implementing an Effective IT Security Program
- By: Kurt Garbars (posted on August 28, 2002)
-
The purpose of this paper is to take the wide variety of federal government laws, regulations, and guidance, combined with industry best practices, and define the essential elements of an effective IT security program.