iPad Air 2, Samsung Galaxy Tab A, or $350 Off with SANS Online Training Right Now!

Reading Room: Most Popular Papers

SANS eNewsletters

Receive the latest security threats, vulnerabilities, and news with expert commentary

Featuring the 25 most popular papers within the past month as of December 11, 2016

  • Reducing Attack Surface: SANS’ Second Survey on Continuous Monitoring Programs Analyst Paper
    by Barbara Filkins - November 14, 2016 in Critical Controls, Management & Leadership

    Continuous monitoring is not a single activity. Rather, it is a set of activities, tools and processes (asset and configuration management, host and network inventories, and continuous vulnerability scanning) that must be integrated and automated all the way down to the remediation workflow. Although CM is shifting focus and slowly improving, it still has a way to go to attain the maturity needed to become a critical part of an organization’s business strategy.


  • Forcepoint Review: Effective Measure of Defense Analyst Paper
    by Eric Cole, PhD - November 9, 2016 in Intrusion Detection, Firewalls & Perimeter Protection, Intrusion Prevention

    Effective security is all about the quality of the solution, not the quantity of products. Indeed, buying more products can make the problem worse. All of the major breaches over the last several years have had one thing in common: Multiple products were issuing alerts, but there were too many alerts and not enough people charged with monitoring and responding to them. When that is the case, putting more products in place spreads current resources even thinner--the problem gets worse, not better. This paper explains the advantages of an integrated defense-in-depth approach to security and looks at how Forcepoint's integrated solution suite meets the needs of such an approach.


  • SSL and TLS: A Beginners Guide by Holly McKinley - May 12, 2003 in Protocols

    This paper particularly serves as a resource to those who are new to the information assurance field, and provides an insight to two common protocols used in Internet security.


  • Incident Handler's Handbook by Patrick Kral - February 21, 2012 in Incident Handling

    An incident is a matter of when, not if, a compromise or violation of an organization's security will happen.


  • Disaster Recovery Plan Strategies and Processes by Bryan Martin - March 5, 2002 in Disaster Recovery

    This paper discusses the development, maintenance and testing of the Disaster Recovery Plan, as well as addressing employee education and management procedures to insure provable recovery capability.


  • SANS 2016 Security Analytics Survey Analyst Paper
    by Dave Shackleford - December 6, 2016 in Security Analytics and Intelligence

    Survey respondents have become more aware of the value of analytics and have moved beyond using them simply for detection and response to using them to measure and aid in improving their overall risk posture. Still, we’ve got a long way to go before analytics truly progresses in many security organizations. Read on to learn more.


  • Auditing Windows installed software through command line scripts by Jonathan Risto - November 14, 2016 in Auditing & Assessment, Critical Controls

    The 20 Critical Controls provides guidance on managing and securing our networks. The second control states there should be a software inventory of the products for all devices within the infrastructure. Within this paper, the auditor will be enabled to compare Windows system baseline information against the currently installed software configuration. Command line tools utilized will be discussed and scripts provided to simplify and automate these tasks.


  • A Checklist for Audit of Docker Containers by Alyssa Robinson - November 22, 2016 in Auditing & Assessment

    Docker and other container technologies are increasingly popular methods for deploying applications in DevOps environments, due to advantages in portability, efficiency in resource sharing and speed of deployment. The very properties that make Docker containers useful, however, can pose challenges for audit, and the security capabilities and best practices are changing rapidly. As adoption of this technology grows, it is, therefore, necessary to create a standardized checklist for audit of Dockerized environments based on the latest tools and recommendations.


  • Out with the Old, In with the New: Replacing Traditional Antivirus Analyst Paper
    by Barbara Filkins - November 2, 2016 in Clients and Endpoints, Firewalls & Perimeter Protection

    Research over the past 10 years indicates that traditional antivirus products are rarely successful in detecting smart malware, unknown malware and malware-less attacks. This doesn’t mean that antivirus is “dead.” Instead, antivirus is growing up. Today, organizations look to spend their antivirus budget on replacing current solutions with next-generation antivirus (NGAV) platforms that can stop modern attacks. This paper provides a guide to evaluating NGAV solutions.


  • Security Assurance of Docker Containers by Stefan Winkle - November 22, 2016 in Information Assurance, Cloud Computing, System Administration

    With recent movements like DevOps and the conversion towards application security as a service, the IT industry is in the middle of a set of substantial changes with how software is developed and deployed. In the infrastructure space, we see the uptake of lightweight container technology, while application technologies are moving towards distributed micros services. There is a recent explosion in popularity of package managers and distributors like OneGet, NPM, RubyGems and PyPI. More and more software development becomes dependent on small, reusable components developed by many different developers and often distributed by infrastructures outside our control. In the midst of this all, we often find application containers like Docker, LXC, and Rocket to compartmentalize software components. The Notary project, recently introduced in Docker, is built upon the assumption the software distribution pipeline can no longer be trusted. Notary attempts to protect against attacks on the software distribution pipeline by association of trust and duty separation to Docker containers. In this paper, we explore the Notary service and take a look at security testing of Docker containers.


  • Windows Logon Forensics by Sunil Gupta - March 12, 2013 in Forensics

    Digital forensics, also known as computer and network forensics, is the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.


  • An Overview of Threat and Risk Assessment by James Bayne - January 22, 2002 in Auditing & Assessment

    The purpose of this document is to provide an overview of the process involved in performing a threat and risk assessment


  • BitTorrent & Digital Contraband Masters
    by Kenneth Hartman - April 13, 2016 in Legal Issues

    BitTorrent is a popular peer-to-peer file transfer program that allows participants in a swarm to exchange pieces with each other during the downloading process.


  • An Introduction to Information System Risk Management by Steve Elky - June 6, 2006 in Auditing & Assessment

    Key elements of information security risk, offering insight into risk assessment methodologies.


  • Network Inspection of Duplicate Packets by Randy Devlin - November 11, 2016 in Intrusion Detection, Intrusion Prevention, IPS

    Network Intrusion Analysis enables a security analyst to review network traffic for protocol conformity and anomalous behavior. The analyst’s goal is to detect network intrusion activity in near-real time. The detection provides details as to who the attackers are, the attack type, and potential remediation responses. Is it possible that a network security stack could render the analyst “blind” to detecting intrusions? This paper will review architecture, traffic flow, and inspection processes. Architecture review validates proper sensor placement for inspection. Traffic flow analyzes sources and destinations, approved applications, and known traffic patterns. Inspection process evaluates protocols and packet specific details. The combination of these activities can reveal scenarios that potentially result in limitations of network security inspection and analysis.


  • Node Router Sensors: What just happened? by Kim Cary - November 22, 2016 in Incident Handling, Logging Technology and Techniques, System Administration

    When an airliner crashes, one of the most important tasks is the recovery of the flight recorder or black box. This device gives precise & objective information about what happened and when before the crash. When an information security incident occurs on a network, it is equally important to have access to precise information about what happened to the victim machine and what it did after any compromise. A network of devices can be designed, economically constructed and managed to automatically capture and make available this type of data to information security incident handlers. In any environment, this complete record of network data comes with legal and ethical concerns regarding its use. Proper technical, legal and ethical operation must be baked into the design and operational procedures for devices that capture information on any network. These considerations are particularly necessary on a college campus, where such operations are subject to public discussion. This paper details the benefits, designs, operational procedures and controls and sample results of the use of "Node Router Sensors" in solving information security incidents on a busy college network.


  • Penetration Testing: Assessing Your Overall Security Before Attackers Do Analyst Paper
    by Stephen Northcutt, Jerry Shenk, Dave Shackleford, Tim Rosenberg, Raul Sile, Steve Mancini - November 17, 2006 in Penetration Testing

    CORE IMPACT provides a stable, quality-assured testing tool that can be used to accurately assess systems by penetrating existing vulnerabilities.


  • Designing a Secure Local Area Network by Daniel Oxenhandler - January 30, 2003 in Best Practices

    This paper examines of some of the issues in designing a secure Local Area Network (LAN) and some of the best practices suggested by security experts.


  • Implementing Full Packet Capture by Matt Koch - November 7, 2016 in Forensics

    Full Packet Capture (FPC) provides a network defender an after-the-fact investigative capability that other security tools cannot provide. Uses include capturing malware samples, network exploits and determining if data exfiltration has occurred. Full packet captures are a valuable troubleshooting tool for operations and security teams alike. Successful implementation requires an understanding of organization-specific requirements, capacity planning, and delivery of unaltered network traffic to the packet capture system.


  • Building a World-Class Security Operations Center: A Roadmap Analyst Paper
    by Alissa Torres - April 15, 2015 
    • Sponsored By: RSA

    Explore how you can build a world-class security operations center (SOC) by focusing on the triad of people, process and technology.


  • Writing a Penetration Testing Report by Mansour Alharbi - April 29, 2010 in Best Practices, Penetration Testing

    `A lot of currently available penetration testing resources lack report writing methodology and approach which leads to a very big gap in the penetration testing cycle. Report in its definition is a statement of the results of an investigation or of any matter on which definite information is required (Oxford English Dictionary). A penetration test is useless without something tangible to give to a client or executive officer. A report should detail the outcome of the test and, if you are making recommendations, document the recommendations to secure any high-risk systems (Whitaker & Newman, 2005). Report Writing is a crucial part for any service providers especially in IT service/ advisory providers. In pen-testing the final result is a report that shows the services provided, the methodology adopted, as well as testing results and recommendations. As one of the project managers at major electronics firm Said "We don't actually manufacture anything. Most of the time, the tangible products of this department [engineering] are reports." There is an old saying that in the consulting business: “If you do not document it, it did not happen.” (Smith, LeBlanc & Lam, 2004)


  • The Importance of Security Awareness Training by Cindy Brodie - January 14, 2009 in Security Awareness

    One of the greatest threats to information security could actually come from within your company or organization. Inside ‘attacks’ have been noted to be some of the most dangerous since these people are already quite familiar with the infrastructure. It is not always disgruntled workers and corporate spies who are a threat. Often, it is the non-malicious, uninformed employee (CTG, 2008).


  • Understanding IPS and IDS: Using IPS and IDS together for Defense in Depth by Ted Holland - May 2, 2004 in Intrusion Detection

    Over the past few years many papers and books have included articles explaining and supporting either Intrusion Detection Systems (IDS) or the newer technology on the security block, Intrusion Prevention Systems (IPS).


  • Case Study: Critical Controls that Could Have Prevented Target Breach Masters
    by Teri Radichel - September 12, 2014 in Case Studies

    Target shoppers got an unwelcome holiday surprise in December 2013 when the news came out 40 million Target credit cards had been stolen (Krebs, 2013f) by accessing data on point of sale (POS) systems (Krebs, 2014b).


  • Physical Security and Why It Is Important Masters
    by David Hutter - July 28, 2016 in Physical Security

    Physical security is often a second thought when it comes to information security. Since physical security has technical and administrative elements, it is often overlooked because most organizations focus on "technology-oriented security countermeasures" (Harris, 2013) to prevent hacking attacks.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

Masters - This paper was created by a SANS Technology Institute student as part of their Master's curriculum.