More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,540 original computer security white papers in 97 different categories.
Latest 25 Papers Added to the Reading Room
Physical Security and Why It Is Important Masters
by David Hutter - July 28, 2016 in Physical Security
Physical security is often a second thought when it comes to information security. Since physical security has technical and administrative elements, it is often overlooked because most organizations focus on "technology-oriented security countermeasures" (Harris, 2013) to prevent hacking attacks.
Implementing the Critical Security Control: Controlled Use of Administrative Privileges
by Paul Ackerman - July 25, 2016 in Critical Controls
There is a plethora of information available to help organizations protect their cyber assets.
Polymorphic, multi-lingual websites: A theoretical approach for improved website security Masters
by Jonathan Risto - July 25, 2016 in Web Application Security
Web traffic is one of the largest single types of traffic on the internet.
Healthcare Provider Breaches and Risk Management Road Maps: Results of the SANS Survey on Information Security Practices in the Healthcare Industry Analyst Paper
by Barbara Filkins - July 19, 2016 in HIPAA
- Associated Webcasts: Health Care Provider Breaches and Risk Management Roadmaps: Part 2 - Health Care Security from the Top Down
- Sponsored By: ForeScout Technologies, WhiteHat Security, Carbon Black, Trend Micro Inc., Anomali, Great Bay Software
The number of attack surfaces continues to rise as the use of mobile medical- and health-related apps grows and as electronic health records (EHR) become ever more embedded in clinical settings. As this survey shows, many attacks stem from insiders with access, whether through simple negligence, malicious intent or just plain curiosity. To get the specifics, read on.
Portable System for Network Forensics Data Collection and Analysis Masters
by Don Murdoch - July 15, 2016 in Forensics
A portable lab environment for network-level analysis is a necessary tool today for the forensic analyst. With today's malicious software and myriad of network-aware client-side software, one of the tools that should be in the forensic analyst's toolbox is a portable response system for data collection and analysis. This paper will explain how to build a portable forensic workstation that provides several virtual environments installed together with supplemental hardware, such as multiple NICs and a modern managed switch, in order to provide a network forensic tool. VMs will include pfSense 2.2 running in transparent firewall mode along with other supporting packages, and a network security-monitoring platform. A cookbook approach will be used to explore common use cases for the network and system forensic analyst, such as updating rules, sharing data among multiple environments, extracting data from packet captures, and clearing out all of the tools installed to start an investigation. This paper was written to provide a build outline for using pfSense and Security Onion to achieve these goals.
Endpoint Security through Device Configuration, Policy and Network Isolation
by Barbara Filkins and Jonathan Risto - July 15, 2016 in Clients and Endpoints
Sensitive data leaked from endpoints unbeknownst to the user can be detrimental to both an organization and its workforce. The CIO of GIAC Enterprises, alarmed by reports from a newly installed, host-based firewall on his MacBook Pro, commissioned an investigation concerning the security of GIAC Enterprise endpoints.
Scalable Methods for Conducting Cyber Threat Hunt Operations Masters
by Michael C. Long II - July 14, 2016 in Intrusion Detection, Threats/Vulnerabilities
Information Security professionals commonly agree that organizations cannot prevent 100% of all cyber attacks. For this reason, organizations are encouraged to practice defense in depth so that if any one security measure fails, another will reduce the exposure and mitigate the impact. However, despite investing countless sums of money, manpower, and time into developing and maintaining a robust security infrastructure, organizations still struggle to identify and respond to cyber intrusions in a timely manner. Cyber Threat Hunt Teams have recently emerged as a proactive defense asset capable of methodically detecting and responding to advanced persistent threats that evade traditional rule or signature-based security solutions. This paper describes scalable methods and practices to plan and conduct cyber threat hunt operations throughout the enterprise.
Using Information Security as an Auditing Tool
by Adi Sitnica - July 14, 2016 in Auditing & Assessment
As cyber-attacks are gaining visibility within mainstream media, what once was knowledge for information security expertise is now a concern of everyday individuals. With solutions and information readily available, where does one start in the pursuit of information security? The understanding of the organization's system and network infrastructure is required, but what type of approach can be taken? Investigation leads to using information security as an auditing tool to analyze and report on an organization's strengths, weaknesses and needs. As a result, the organization inherently gains visualization of the current posture, its gaps and a method for continuous remediation.
Decision Criteria and Analysis for Hardware-Based Encryption Analyst Paper
by Eric Cole, PhD - July 13, 2016
- Associated Webcasts: Decision Criteria and Analysis for Hardware-Based Encryption
- Sponsored By: THALES e-Security
Organizations trying to balance the risk of data breaches against the inconvenience, latency and cost of encrypting every bit of valuable data often balk at the trade-off. But with the volume of digital data growing and computing environments becoming more complex and accessible, the ratio of cost to benefit has improved and encryption is now far more common in organizations that rely heavily on Internet- or cloud-connected applications for significant business functions.
How to Target Critical Infrastructure: The Adversary Return on Investment from an Industrial Control System Masters
by Matthew Hosburgh - July 12, 2016 in Critical Controls, Industrial Control Systems, Risk Management
Imagine a device that could decrypt all encryption within seconds. A box with this capability could be one of the most valuable pieces of equipment for an organization, but even more valuable to an adversary. What if that box only worked against American encryption? If true, a particular market would be ripe for the harvest. A device that powerful could be used to decrypt secrets and data in transit, making encrypted data an adversary might have access to extremely valuable. Similarly, Critical Infrastructure is a target for some because of the yield that a successful attack could result in. Death, disruption or damage is a real possibility. The Return on Investment (ROI) and Return on Security Investment (ROSI) fall short in actually determining the level of protection required for an organization striving to protect the most sensitive data or system. The Adversary Return on Investment (AROI) is the missing piece to the equation. From the adversary's vantage point, data, infrastructure or systems have value. By understanding this value an organization can more appropriately align its security strategy, especially for the most critical infrastructure.
The Case for PIM/PAM in Today's Infosec Analyst Paper
by Barbara Filkins - June 30, 2016
To see how serious a threat the misuse of privileged credentials represents, look no further than the astonishing scope of the breach discovered in 2015 at the United States Office of Personnel Management (OPM). To realize how often similar threats become real, look no further than the 2016 Verizon Data Breach Incident Report (DBIR), which found that privilege misuse was the second-most frequent cause of security incidents and the fourth-most common cause of breaches.
SANS 2016 State of ICS Security Survey Analyst Paper
by Derek Harp and Bengt Gregory-Brown - June 28, 2016 in Industrial Control Systems, SCADA
- Associated Webcasts: Where Are We Now?: The SANS 2016 ICS Survey
- Sponsored By: Arbor Networks, Carbon Black, Anomali, Belden
Analysis of survey data collected between January and April 2016 indicates that security for ICSes has not improved in many areas and that many problems identified as high-priority concerns in our past surveys remain as prevalent as ever. In this report we focus on identifying and prioritizing recommendations to address the greatest concerns.
Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey Analyst Paper
by Barbara Filkins - June 20, 2016 in Management & Leadership, Legal Issues
- Associated Webcasts: Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey
- Sponsored By: PivotPoint Risk Analytics
Results of this survey, conducted in conjunction with Advisen, Ltd., make it clear that the effort to achieve a common understanding of cyber insurance and derive value from it will require focused attention from all sides. This study also sets a direction toward a common, achievable goal: reducing the risk of financial loss from a cyber incident. The gaps identified in this survey come together to form the building blocks needed to achieve this goal.
Success Rates for Client Side Vulnerabilities
by Jonathan Risto - June 14, 2016 in Clients and Endpoints
The user is the weakest link in the computer security chain. From clicking on links that they shouldn't to having weak passwords, it generally comes down to the end user doing something they shouldn't. If the user runs a piece of malware or opens an infected file, will it always lead to a compromise? This paper plans to test if client-side exploits will always function or if there are additional factors to consider when dealing with these vulnerabilities and associated exploits. Is the Common Vulnerability Scoring System (CVSS) score enough to determine if a particular vulnerability is more critical than another and should be remediated sooner than another? This testing will be accomplished through the use of freely available exploitation software (e.g. Social Engineering Toolkit, Metasploit) in a closed testing environment.
Lessons Learned from Treatment of Trauma in Individuals and Organizations Under Repeated Cyber Attacks
by Vanessa Pegueros - June 13, 2016 in Incident Handling
There has been significant research relative to the impacts of trauma on human beings and the associated treatment of that trauma. With the increasing frequency of cyber-attacks and associated breaches, people within organizations are experiencing similar traumatic effects felt by victims of a more physical attack or incident. There are significant parallels between the impacts of cyber-attacks on organizations and the impacts on individuals experiencing some form of trauma. There are key lessons to be learned from the treatment of trauma victims and the techniques to help organizations become more prepared and resilient relative to cyber-attacks. With the continued escalation of cyber-attacks, organizations should be working to implement solutions beyond just security technology and look to the process and people elements of the solution.
Incident Response Capabilities in 2016: The 2016 SANS Incident Response Survey Analyst Paper
by Matt Bromiley - June 7, 2016 in Incident Handling
- Associated Webcasts: Incident Response Capabilities in 2016 - Part 1: The Current Threat Landscape and Survey Results; Incident Response Capabilities in 2016 - Part 2: Emerging Trends in Incident Response and Survey Results
- Sponsored By: IBM, Intel Security, Arbor Networks, LogRhythm, NETSCOUT Systems, Inc., HP Enterprise Security, AlienVault, Veriato
Results of the 2016 Incident Response Survey indicate that the IR landscape is ever changing. Advanced industries are able to maintain effective IR teams, but as shown in this report, there are still hurdles to jump to increase the efficiency of many IR teams. Read this report to learn more.
Legal Aspects of Privacy and Security: A Case Study of Apple versus FBI Arguments Masters
by Muzamil Riffat - June 3, 2016 in Legal Issues
The debate regarding privacy versus security has been going on for some time now.
Gh0st in the Dshell: Decoding Undocumented Protocols Masters
by David Martin - June 3, 2016 in Intrusion Detection
A 2015 study indicated that nearly 70 percent of traffic on the internet was made up of HTTP (57.39%) and HTTPS (9.53%) web traffic.
Understanding Security Regulations in the Financial Services Industry Analyst Paper
by David Hoelzer - June 3, 2016
- Sponsored By: Veracode
View the associated infographic here: https://www.sans.org/reading-room/whitepapers/analyst/infographic-financial-apps-risk-37042
Using Splunk to Detect DNS Tunneling Masters
by Steve Jaworski - June 1, 2016 in DNS Issues, Malicious Code
DNS tunneling is a method to bypass security controls and exfiltrate data from a targeted organization. Choose any endpoint on your organization's network and, using nslookup, perform an A record lookup for www.sans.org. If it resolves with the site's IP address, that endpoint is susceptible to DNS tunneling. Logging DNS transactions from different sources such as network taps and the DNS servers themselves can generate large volumes of data to investigate. Using Splunk can help ingest the large volume of log data and mine the information to determine what malicious actors may be using DNS tunneling techniques on the target organization's network. This paper will guide the reader in building a lab network to test and understand different DNS tunneling tools, then use Splunk and Splunk Stream to collect the data and detect the DNS tunneling techniques. The reader will be able to apply what they learn to any enterprise network.
Evaluating Cyber Risk in Engineering Environments: A Proposed Framework and Methodology
by Rebekah Mohr - May 31, 2016 in Industrial Control Systems
Under The Ocean of the Internet - The Deep Web
by Brett Hawkins - May 27, 2016 in Covert Channels, Incident Handling, Security Trends
The Internet was a revolutionary invention, and its use continues to evolve. People around the world use the Internet every day for things such as social media, shopping, email, reading news, and much more. However, this only makes up a very small piece of the Internet, and the rest is filled by an area called The Deep Web.
Blueprint for CIS Control Application: Securing the SAP Landscape Analyst Paper
by Barbara Filkins - May 26, 2016
- Associated Webcasts: A Blueprint to Secure SAP Applications Using CIS Controls As a Guide
- Sponsored By: Onapsis
Any data breach can be expensive, but the potential cost rises with the value or exploitability of the data targeted in an attack.
Critical Security Controls: Software Designed Inventory, Configuration, and Governance Masters
by Lenny Rollison - May 24, 2016 in Compliance, Critical Controls, Standards
The events of September 11, 2001, show us how isolated communication and the inability to share intelligence could paralyze decision making (Johnston, 2003).