Don't Miss Pen Test Hackfest Summit & Training, November 2-9 near DC!

Reading Room

SANS eNewsletters

Receive the latest security threats, vulnerabilities, and news with expert commentary

Integration is key to comprehensive prevention, detection, response and continuous improvement. Tell us how integrated or disparate your processes are in the SANS 2016 Security Optimization Survey and enter to win a $400 Amazon Gift Card:

How does your organization classify systems as endpoints, prioritize & manage risks related to those endpoints, and define next-generation endpoint protections? Tell us in the SANS 2016 Endpoint Protection survey and enter to win a $400 Amazon gift card!

More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,580 original computer security white papers in 100 different categories.

Latest 25 Papers Added to the Reading Room

  • A Secure Approach to Deploying Wireless Networks by Joseph Matthews - October 19, 2016 in Wireless Access

    Enterprise wireless networks are an important component of modern network architecture. They are required to support mobile devices and provide connectivity to various devices where wired connections are not practical or cost prohibitive. But the missing physical control of the medium does require additional precautions to control access to wireless networks. Most books and papers present the problem and the risks, but do not provide a fully secure solution with examples. The 802.11 standard for wireless networks does offer encryption and authentication methods like WPA. But in an enterprise environment, these controls have to be implemented in a scalable and manageable way. This paper presents a hands-on guide to implementing a secure wireless network in an enterprise environment and provides an example of a tested secure solution.

  • From the Trenches: SANS 2016 Survey on Security and Risk in the Financial Sector Analyst Paper
    by G. Mark Hardy - October 18, 2016 in Alternate Payment Systems, Firewalls & Perimeter Protection

    The financial services industry is under a barrage of ransomware and spearphishing attacks that are rising dramatically. These top two attack vectors rely on the user to click something. Organizations enlist email security monitoring, enhanced security awareness training, endpoint detection and response, and firewalls/IDS/IPS to identify, stop and remediate threats. Yet, their preparedness to defend against attacks isnt showing much improvement. Read on to learn more.

  • Detecting Incidents Using McAfee Products by Lucian Andrei - October 10, 2016 in Active Defense, Incident Handling, Tools

    Modern attacks against computer systems ask for a combination of multiple solutions in order to be prevented and detected. This paper will do the analysis of the capacities of commercial tools, with minimal configuration, to detect threats. Traditionally, companies use antivirus software to protect against malware, and a firewall combined with an IDS to protect against network attacks. This paper will analyze the efficacy of the following three combinations: antivirus, antivirus plus host IDS, and antivirus combined with a host IDS plus application whitelisting in order to withstand application attacks. Before doing the tests we predicted that the antivirus will block 20% of the attacks, the HIDS will detect an additional 15%, and McAfee Application Control will protect at least against 50% more of the attacks executed by an average attacker using known exploits, without much obfuscation of the payload. The success of defensive commercial tools against attacks will justify the investment a company will be required to make.

  • Security and Accountability in the Cloud Data Center: A SANS Survey Analyst Paper
    by Dave Shackleford - October 10, 2016 in Cloud Computing

    Despite risk that is higher than more controlled on-premises traditional non-cloud systems, this survey found that almost a quarter of respondents (24%) are in organizations adopting a cloud first strategy. Using public cloud or on-premises applications as appropriate led the way, chosen by 46% of respondents, and 30% of respondents said they prefer on-premises applications. Read on to learn more about the state of cloud security and what we need to do to improve it.

  • Taking Action Against the Insider Threat Analyst Paper
    by Eric Cole, PhD - October 5, 2016 in Threat Hunting, Threats/Vulnerabilities

    Most organizations tend to focus on external threats, but insider threats are increasingly taking center stage. Insider threats come not only from the malicious insider, but also from infiltrators and unintentional insiders as well. Why are insider threats so common and why do they have such a significant impact? What is the difference between the different types of insider threats and the degree of risk they can constitute?

  • Ransomware by Susan Bradley - October 3, 2016 in Active Defense, Security Awareness, Risk Management

    On a daily basis, a file gets clicked. An email attachment gets opened. A website gets browsed. Seemingly normal actions in every office, on every personal computer, can suddenly become a ransomware incident if the file or attachment or banner ad was intended to infect a system and all files that the user had access to by ransomware. What was once a rare occurrence, now impacts networks ranging from small businesses to large companies to governments.

  • Security Intelligence and the Critical Security Controls v6 Analyst Paper
    by G. W. Ray Davidson, PhD - September 29, 2016 in Critical Controls

    Security data is everywherein our logs, feeds from security devices (IDS/IPS/ rewalls, whitelists, etc.), network and endpoint systems, anomaly reports, access records, network tra c data, security incident and event monitoring (SIEM) systems, and even in applications hosted in the cloud. All of this dataand the processes that use them combine to form an organizations security intelligence ecosystem. The major challenge of managing this ecosystem of security data is tying all these bits of data together and automating their correlation and use, with the goal of faster detection, prevention, continued security improvement and ultimately, reduced risk.1 The key to success is through automation and integration, according to the CIS Critical Security Controls, which is now in version 6.

  • PORTKnockOut: Data Exfiltration via Port Knocking over UDP by Matthew Lichtenberger - September 29, 2016 in Security Awareness, Covert Channels, Intrusion Detection

    Data Exfiltration is arguably the most important target for a security researcher to identify. The seemingly endless breaches of major corporations are done via channels of various stealth, and an endless array of methods exist to communicate the data to remote endpoints while bypassing Intrusion Detection Systems, Intrusion Prevention Systems, firewalls, and proxies. This research examines a novel way to perform this data exfiltration, utilizing port knocking over User Datagram Protocol. It focuses specifically on the ease at which this can be done, the relatively low signal to noise ratio of the resultant traffic, and the plausible deniability of receiving the exfiltration data. Particular attention is spent on an implemented Proof of Concept, while the complete source code may be found in the Appendix.

  • Building a Home Network Configured to Collect Artifacts for Supporting Network Forensic Incident Response by Gordon Fraser - September 21, 2016 in Forensics

    A commonly accepted Incident Response process includes six phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Preparation is key. It sets the foundation for a successful incident response. The incident responder does not want to be trying to figure out where to collect the information necessary to quickly assess the situation and to respond appropriately to the incident. Nor does the incident responder want to hope that the information he needs is available at the level of detail necessary to most effectively analyze the situation so he can make informed decisions on the best course of action. This paper identifies artifacts that are important to support network forensics during incident response and discusses an architecture and implementation for a home lab to support the collection of them. It then validates the architecture using an incident scenario.

  • Bill Gates and Trustworthy Computing: A Case Study in Transformational Leadership by Preston S. Ackerman - September 20, 2016 in Case Studies, Management & Leadership

    The notion that IT security is a serious issue is non-controversial. The market for cybersecurity spending topped $75 billion in 2015, and analysts expect it to exceed $170 billion by 2020 (Morgan 2016). With the advent of cloud computing, the explosion of mobile devices, and the emergence of increasingly sophisticated adversaries from organized crime and nation-state actors, businesses and the industry as a whole will require the vision of great leaders to keep pace with the threats. We can look to the industry's rich history to see examples of such transformational leadership in the past. An enlightening case study is the Microsoft Trustworthy Computing initiative, launched by an insightful and stimulating memo Bill Gates sent on January 15, 2002. The initiative would not only transform culture, procedures, and policy surrounding security at Microsoft, but would in fact cause a dramatic shift for the entire industry. The idealized influence in the leadership shown by Gates can serve as a model for today's leaders.

  • Using Vagrant to Build a Manageable and Sharable Intrusion Detection Lab Masters
    by Shaun McCullough - September 20, 2016 in Information Assurance, Intrusion Detection, Tools

    This paper investigates how the Vagrant software application can be used by Information Security (InfoSec) professionals looking to provide their audience with an infrastructure environment to accompany their research. InfoSec professionals conducting research or publishing write-ups can provide opportunities for their audience to replicate or walk through the research themselves in their own environment. Vagrant is a popular DevOps tool for providing portable and repeatable production environments for application developers, and may solve the needs of the InfoSec professional. This paper will investigate how Vagrant works, the pros and cons of the technology, and how it is typically used. The paper describes how to build or repurpose three environments, highlighting different features of Vagrant. Finally, the paper will discuss lessons learned.

  • Know Thy Network - Cisco Firepower and Critical Security Controls 1 & 2 Masters
    by Ryan Firth - September 19, 2016 in Critical Controls

    Previously known as the SANS Top 20, the Critical Security Controls are based on real-world attack and security breach data from around the world, and are objectively the most effective technical controls against known cyber-attacks. Due to competing priorities and demands, however, organizations may not have the expertise to figure out how to implement and operationalize the Critical Security Controls in their environments. This paper will help bridge that gap for security and network teams using Cisco Firepower.

  • Threat Intelligence: What It Is, and How to Use It Effectively Analyst Paper
    by Matt Bromiley - September 19, 2016 in Threat Hunting

    In todays cyber landscape, decision makers constantly question the value of their security investments, asking whether each dollar is helping secure the business. Meanwhile, cyber attackers are growing smarter and more capable every day. Todays security teams often nd themselves falling behind, left to analyze artifacts from the past to try to determine the future. As organizations work to bridge this gap, threat intelligence (TI) is growing in popularity, usefulness and applicability.

  • Practical Considerations on IT Outsourcing Implementation under the Monetary Authority of Singapores Technology Risk Management Guidelines Masters
    by Andre Shori - September 19, 2016 in Critical Controls

    Singapore ranks third overall in the Global Financial Centres Index. The Monetary Authority of Singapore (MAS), Singapores central bank, has helped to achieve this success through guidance and regulation of the financial industry including how to conduct themselves in a secure and reliable manner. The Technology Risk Management Guidelines (TRM) are both a cyber philosophy and a set of regulatory requirements for financial institutions to address existing and emerging technological risks. However, successful implementation of TRM can be challenging from a practical standpoint for todays Cybersecurity Managers. TRMs Management of IT Outsourcing Risk is a key focus area which encompasses many of the principles and requirements promoted throughout the Guideline. By utilizing threat based, hierarchical measures such as those advocated by the Centre of Internet Security, Cybersecurity Managers can adhere to the Spirit of the Guidelines while implementing effective operational cybersecurity and safe Vendor integration.

  • Automating Provisioning of NetFlow Analyzers Masters
    by Sumesh Shivdas - September 14, 2016 in Critical Controls, Intrusion Detection

    NetFlow is an embedded instrumentation within Cisco IOS software (Introduction to Cisco IOS NetFlow). NetFlow tracks every network conversation and thus provides insight into the network traffic. Third party NetFlow analyzers are available to store, analyze, alert and report on the NetFlow data. NetFlow analyzers allow users to create custom alerts and reports based on the network traffic. To maximize the benefits from custom alerting and reporting the analyzers must be configured with details of the network environment. Manual configuration of the analyzer can soon be out of sync with the actual setup thus creating false negatives and false positives. This paper proposes an option to automate the configuration of the NetFlow analyzer from a central repository.

  • Data Breaches: Is Prevention Practical? Analyst Paper
    by Barbara Filkins - September 13, 2016 in Data Protection, Data Loss Prevention

    Despite the potential costs, legal consequences and other negative outcomes of data breaches, they continue to happen. A new SANS Institute survey looks at the preventive aspect of breaches and what security and IT practitioners actually are, or are not, implementing for prevention.

  • Intelligent Network Defense Analyst Paper
    by Jake Williams - September 8, 2016 in Clients and Endpoints, Threats/Vulnerabilities

    When an army invades a sovereign nation, one of the defenders first goals is to disrupt the invaders command and control (C2) operations. The same is true when cyber attackers invade your network. Network defenders must prevent adversary communication, stopping the attack in its tracks while alerting the incident response (IR) team to the point of compromise and nature of the attack. Read on to learn more.

  • Profiling Web Applications for Improved Intrusion Detection by Manuel Leos Rivas - September 7, 2016 in Intrusion Detection

    Web application firewalls using generic out of the box configurations work well for common vulnerabilities but lack the capability to address application-specific contexts. Due to this lack of context, it is difficult for the firewall to determine what it is good versus bad. In addition, several learning features of certain high-end devices are inaccessible to companies and individuals. This document provides a generic approach to protecting web applications using freely available software by configuring ModSecurity. This approach enables differentiation between what is acceptable for the application and what may be interesting for investigation purposes. The process for creating an application profile should be well documented, repeatable, verifiable and automated as much as possible to ease integration into the application development lifecycle.

  • Windows Installed Software Inventory by Jonathan Risto - September 7, 2016 in Critical Controls

    The 20 Critical Controls provide a guideline for the controls that need to be placed in our networks to manage and secure our systems. The second control states there should be a software inventory that contains the names and versions of the products for all devices within the infrastructure. The challenge for a large number of organizations is the ability to have accurate information available with minimal impact on tight IT budgets. This paper will discuss the Microsoft Windows command line tools that will gather this information, and provide example scripts that can be run by the reader.

  • Applying Machine Learning Techniques to Measure Critical Security Controls by Balaji Balakrishnan - September 6, 2016 in Critical Controls

    Implementing and measuring Critical Security Controls (CSC) requires analyzing all data types (structured, semi-structured and unstructured). This implementation can be a daunting task. One of the goals of effective implementation of Critical Security Controls is to automate as much as possible. Machine learning techniques can help automate many of the measurements in Critical Security Controls. This paper proposes a method to integrate all types of data into a single data repository, extract relationships between different entities and perform machine learning to automate the analysis. This solution provides the security team the ability to analyze the information, and make data-driven security decisions.

  • A security assessment of Z-Wave devices and replay attack vulnerability Masters
    by Mark Devito - August 31, 2016 in Internet of Things

    Within many modern homes, there exists a compelling array of vulnerable wireless devices. These devices present the potential for unauthorized access to networks, personal data and even the physical home itself. The threat originates from the Internet-connected devices, a ubiquitous collection of devices the consumer market dubbed the Internet of Things (IoT). IoT devices utilize a variety of communication protocols; a replay attack against the Z-Wave protocol was accomplished and demonstrated at ShmooCon 2016. The attack was carried out using two HackRF radios. This paper attempts to conduct a similar attack but employing a $35 US SDR, a $130 US sub-1Ghz dongle, and readily available Open Source applications, instead of the more expensive HackRF hardware.

  • Arming SMB's Against Ransomware Attacks by TIm Ashford - August 31, 2016 in Malicious Code

    Ransomware has become one of the most serious cyber threats to small and medium businesses today. A recent variant permanently deletes files within one hour of infection. The situation grows increasingly dire: the FBI even encourages victims to make payment, though there is still no guarantee that owners will recover their data (ICIT Fellows, 2016). Despite such threats, small and medium enterprises can follow recommended best practices to mitigate this risk. Businesses with tighter budgets and fewer security team members can adopt many of the protections available to the largest enterprises. The most important recommendation is the use of application whitelisting. In Windows environments, this can be accomplished through free tools within Active Directory. Other options will also be discussed, as well as a brief discussion of the future of ransomware.

  • The GICSP: A Keystone Certification by Derek R. Harp and Bengt Gregory-Brown - August 29, 2016 in Training

    The Global Industrial Cyber Security Professional (GICSP) certification was conceived in the winter of 2013 to address a growing challenge spanning multiple industries. Rapid and accelerating changes in technology were increasingly opening process control and automation system networks and equipment to security exposures, and developing a workforce to protect these systems was a growing concern. As a step towards addressing these and other control system security issues, representatives from Shell, Chevron, Saudi Aramco, BP, Rockwell Automation, Yokogawa Industries, Emerson, ABB, Cimation and the SANS Institute came together and laid out the framework of what would become the GICSP.

  • Android Security: Web Browsers and Email Applications by Marsha Miller - August 29, 2016 in Critical Controls

    Mobile devices are popular communication tools that allow people to stay connected in most places at all times. Despite the varied proliferation of applications that can be installed on smartphones and tablets, web browsers and email applications are default applications that remain highly vulnerable if not properly addressed. This paper will compare several different mobile versions of these applications and use the E-mail and Web Browser Protections critical control to suggest ways to secure these end points.

  • Demystifying Malware Traffic by Sourabh Saxena - August 29, 2016 in Active Defense, Incident Handling, Malicious Code

    In today's world, adversaries use established techniques, innovative and intricate methods for cyber-crimes and to infiltrate firms or an individual's system. Usage of Malware is one of those approaches. Malware not only creates an inlet for attacks, but it also turns systems into "zombies" and "bots" forcing them to obey commands and perform activities as per the whims and fancies of the adversary. Thus, attacks like data theft, mail relay, access to confidential/restricted area, Distributed Denial-of-Service (DDoS) can easily be launched against not just the infected system but against other systems and environments as well by utilizing these zombies, bots, and botnets. Attackers not only obfuscate the code but can encrypt payloads as well as malware's traffic simultaneously, using approaches like mutation and polymorphism making their detection difficult not just for antiviruses, but even for firewalls, IDS and IPS, Incident Handlers, and Forensic teams. Organizations, having learned from past mistakes, have also shifted their approach from simple defense mechanisms such as antiviruses, IDS and IPS to aggressive strategies like DNS Sinkhole and Live Traffic Analysis. These strategies not only help in the identification and removal of malware but also in understanding the actual impact, blocking of malicious activities and identification of adversaries.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

Masters - This paper was created by a SANS Technology Institute student as part of their Master's curriculum.