Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact firstname.lastname@example.org.
Few Information Security (InfoSec) professionals get the opportunity to build a program from the ground up. Whether brought in to maintain, enhance, or fix an existing environment, most inherit a security situation not of their own making.
No one would argue that the Internet has become an instrumental part of society. With broadband access in a large percentage of homes, WiFi freely available in many places of business, and smart phones connected via mobile service providers, our access to the information portal has become nearly an always-on experience.
Social media is "the internet and mobile technology based channels of communication in which people share content with each other. Examples are social networking sites such as Facebook and Twitter." (Financial Times Lexicon, 2011).
Social engineering takes many forms; some obvious, some not so obvious. One not so obvious form is that of questionnaires—be it a knock on the door to answer a survey for a “census” worker, or a “harmless” quiz found on a social networking site. Depending upon their content, they can serve as a very powerful means of capturing and correlating information for nefarious purposes.
This paper seeks to explain these risks and to recommend current best practice for addressing them: block all of these services at the proxy servers using a blocking product, then selectively allow properly controlled and authorized IM and P2P services to take place through an IM enabling gateway.
This paper will discuss a definition, the needs, and the goals of an open environment like a university; examine a process of developing an authorized framework and team for university information security; present some of the attitudes and perspectives that can help or hinder security implementation, as revealed through personal experience; and identify security resources that can be used for effective information security development and improved security perspectives.
This SANS whitepaper covers the elements that need to be considered when developing and maintaining information security policy. It goes into the design for a suite of information security policy documents and the accompanying development process.
Even with the protection of a strong perimeter firewall, as implemented by security-conscious corporations, the challenge of security becomes much greater when employee home systems are allowed to access the corporate network via a Virtual Private Network (VPN).
This paper addresses some technologies and procedures that can minimize the potential damage from internal and external malicious attacks, misconfiguration (vendor or administrator), and user ignorance.
By: Philip J. Kaleewoun (posted on October 31, 2003)
This paper will discuss what should be covered in a corporate computer user policy that sets the overall tone of an organization's security approach. The intended audience is primarily information technology professionals.
This paper identifies the most common elements of an effective Communications Use Policy, discusses why these elements are necessary, and offers guidance in the furtherance of having a successful policy.
By: Nancy J. Carpenter (posted on October 31, 2003)
The job of a Computer Security Manager is very complex, and the role is evolving as our technology advances. This paper outlines some general requirements, information resources, and examples to help you get started.
A well engineered maintenance program that takes advantage of correlations between maintenance procedures and the CIA Triad will not only assist in operational readiness, but can also provide an invaluable supplement and enhancement to any existing security program.
By: Francis Chong Heng Goh (posted on October 31, 2003)
This paper provides insight into the relevant issues, considerations and implications necessary for formulating an effective National Cryptography Policy, taking into account the protection of privacy, intellectual property, business and financial information, as well as the needs for law enforcement and national security.
This paper addresses the concept of creating a tiered-structure Information Security Policy and a tiered approval structure, whereby some policies apply globally throughout the organization and other policies apply to specific geographical or regional entities.
By: George B. Koszegi (posted on October 31, 2003)
This author provides a compelling argument for adopting a policy scheme that will act as the first line of defense for organizations, facilitating cooperation and compliance, and provides a framework for the development of Acceptable Use Computer Policies.
This paper will define and discuss the major components of a multi-layered defense, with special emphasis on security policies and their framework, how they can be used by the defender, deception tools used in a defensive strategy, and their role in a multi-layered defense.
The rise and evolution of the peer-to-peer (P2P) file-sharing networks and some of the reasons for their popularity are introduced in this paper, along with the security implications to users' computers, networks, and information.