Featuring the 25 most popular papers within the past week as of July 23, 2016
Portable System for Network Forensics Data Collection and Analysis
by Don Murdoch - July 15, 2016 in Forensics
A portable lab environment for network level analysis is a necessary tool today for the forensic analyst. With today's malicious software and myriad of network aware client-side software, one of the tools that should be in the forensic analysts' toolbox is a portable response system for data collection and analysis. This paper will explain how to build a portable forensic workstation that provides several virtual environments installed together with supplemental hardware, such as multiple NICs and a modern managed switch, in order to provide a network forensic tool. VMs will include pfSense 2.2 running in transparent firewall mode along with other supporting packages, a network security-monitoring platform. A cookbook approach will be used to explore common use cases for the network and system forensic analyst, such as updating rules, sharing data among multiple environments, extracting data from packet captures, and clearing out all of the tools installed to start an investigation. This paper was written to provide a build outline for using pfSense and Security Onion to achieve these goals.
Endpoint Security through Device Configuration, Policy and Network Isolation
by Barbara Filkins and Jonathan Risto - July 15, 2016 in Clients and Endpoints
Sensitive data leaked from endpoints unbeknownst to the user can be detrimental to both an organization and its workforce. The CIO of GIAC Enterprises, alarmed by reports from a newly installed, host-based firewall on his MacBook Pro, commissioned an investigation concerning the security of GIAC Enterprise endpoints.
Healthcare Provider Breaches and Risk Management Road Maps: Results of the SANS Survey on Information Security Practices in the Healthcare Industry
by Barbara Filkins - July 19, 2016 in HIPAA
- Associated Webcasts: Health Care Provider Breaches and Risk Management Roadmaps: Part 2 - Health Care Security from the Top Down
- Sponsored By: ForeScout Technologies, WhiteHat Security, Carbon Black, Trend Micro Inc., Anomali, Great Bay Software
The number of attack surfaces continues to rise as the use of mobile medical- and health-related apps grows and as electronic health records (EHR) become ever more embedded in clinical settings. As this survey shows, many attacks stem from insiders with access, whether through simple negligence, malicious intent or just plain curiosity. To get the specifics, read on.
Scalable Methods for Conducting Cyber Threat Hunt Operations
by Michael C. Long II - July 14, 2016 in Intrusion Detection, Threats/Vulnerabilities
Information Security professionals commonly agree that organizations cannot prevent 100% of all cyber attacks. For this reason, organizations are encouraged to practice defense in depth so that if any one security measure fails, another will reduce the exposure and mitigate the impact. However, despite investing countless sums of money, manpower, and time into developing and maintaining a robust security infrastructure, organizations still struggle to identify and respond to cyber intrusions in a timely manner. Cyber Threat Hunt Teams have recently emerged as a proactive defense asset capable of methodically detecting and responding to advanced persistent threats that evade traditional rule or signature-based security solutions. This paper describes scalable methods and practices to plan and conduct cyber threat hunt operations throughout the enterprise.
How to Target Critical Infrastructure: The Adversary Return on Investment from an Industrial Control System
by Matthew Hosburgh - July 12, 2016 in Critical Controls, Industrial Control Systems, Risk Management
Imagine a device that could decrypt all encryption within seconds. A box with this capability could be one of the most valuable pieces of equipment for an organization, but even more valuable to an adversary. What if that box only worked against American encryption? If true, a particular market would be ripe for the harvest. A device that powerful could be used to decrypt secrets and data in transit, making encrypted data an adversary might have access to extremely valuable. Similarly, Critical Infrastructure is a target for some because of the yield that a successful attack could result in. Death, disruption or damage is a real possibility. The Return on Investment (ROI) and Return on Security Investment (ROSI) fall short in actually determining the level of protection required for an organization striving to protect the most sensitive data or system. The Adversary Return on Investment (AROI) is the missing piece to the equation. From the adversary's vantage point, data, infrastructure or systems have value. By understanding this value an organization can more appropriately align its security strategy, especially for the most critical infrastructure.
SSL and TLS: A Beginner's Guide
by Holly McKinley - May 12, 2003 in Protocols
This paper particularly serves as a resource to those who are new to the information assurance field, and provides an insight to two common protocols used in Internet security.
Using Information Security as an Auditing Tool
by Adi Sitnica - July 14, 2016 in Auditing & Assessment
As cyber-attacks are gaining visibility within mainstream media, what once was knowledge for information security expertise is now a concern of everyday individuals. With solutions and information readily available, where does one start in the pursuit of information security? The understanding of the organization's system and network infrastructure is required, but what type of approach can be taken? Investigation leads to using information security as an auditing tool to analyze and report on an organization's strengths, weaknesses and needs. As a result, the organization inherently gains visualization of the current posture, its gaps and a method for continuous remediation.
Incident Handler's Handbook
by Patrick Kral - February 21, 2012 in Incident Handling
An incident is a matter of when, not if, a compromise or violation of an organization's security will happen.
SANS 2016 State of ICS Security Survey
by Derek Harp and Bengt Gregory-Brown - June 28, 2016 in Industrial Control Systems, SCADA
- Associated Webcasts: Where Are We Now?: The SANS 2016 ICS Survey
- Sponsored By: Arbor Networks, Carbon Black, Anomali, Belden
Analysis of survey data collected between January and April 2016 indicates that security for ICSes has not improved in many areas and that many problems identified as high-priority concerns in our past surveys remain as prevalent as ever. In this report we focus on identifying and prioritizing recommendations to address the greatest concerns.
Decision Criteria and Analysis for Hardware-Based Encryption
by Eric Cole, PhD - July 13, 2016
- Associated Webcasts: Decision Criteria and Analysis for Hardware-Based Encryption
- Sponsored By: THALES e-Security
Organizations trying to balance the risk of data breaches against the inconvenience, latency and cost of encrypting every bit of valuable data often balk at the trade-off. But with the volume of digital data growing and computing environments becoming more complex and accessible, the ratio of cost to benefit has improved and encryption is now far more common in organizations that rely heavily on Internet- or cloud-connected applications for significant business functions.
Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey
by Barbara Filkins - June 20, 2016 in Management & Leadership, Legal Issues
- Associated Webcasts: Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey
- Sponsored By: PivotPoint Risk Analytics
Results of this survey, conducted in conjunction with Advisen, Ltd., make it clear that the effort to achieve a common understanding of cyber insurance and derive value from it will require focused attention from all sides. This study also sets a direction toward a common, achievable goal: reducing the risk of financial loss from a cyber incident. The gaps identified in this survey come together to form the building blocks needed to achieve this goal.
The Case for PIM/PAM in Today's Infosec
by Barbara Filkins - June 30, 2016
To see how serious a threat the misuse of privileged credentials represents, look no further than the astonishing scope of the breach discovered in 2015 at the United States Office of Personnel Management (OPM). To realize how often similar threats become real, look no further than the 2016 Verizon Data Breach Incident Report (DBIR), which found that privilege misuse was the second-most frequent cause of security incidents and the fourth-most common cause of breaches.
Disaster Recovery Plan Strategies and Processes
by Bryan Martin - March 5, 2002 in Disaster Recovery
This paper discusses the development, maintenance and testing of the Disaster Recovery Plan, as well as addressing employee education and management procedures to insure provable recovery capability.
An Overview of Threat and Risk Assessment
by James Bayne - January 22, 2002 in Auditing & Assessment
The purpose of this document is to provide an overview of the process involved in performing a threat and risk assessment.
Neutrino Exploit Kit Analysis and Threat Indicators
by Luis Rocha - April 13, 2016 in Intrusion Detection, Malicious Code
Exploit Kits are powerful and modular digital weapons that deliver malware in an automated fashion to the endpoint. Exploit Kits take advantage of client side vulnerabilities. These threats are not new and have been around for the past 10 years at least. Nonetheless, they evolved and are now more sophisticated than ever. The malware authors behind them enforce sophisticated capabilities that evade detection, thwart analysis and deliver reliable exploits. These properties make detection and analysis difficult. This paper demonstrates a set of tools and techniques to perform analysis of the Neutrino Exploit Kit. The primary goal is to grow security expertise and awareness about these types of threats. Those empowered to defend users and corporations should not only study these threats, they must also be deeply involved in their analysis.
Building a World-Class Security Operations Center: A Roadmap
by Alissa Torres - April 15, 2015
- Sponsored By: RSA
Explore how you can build a world-class security operations center (SOC) by focusing on the triad of people, process and technology.
Designing a Secure Local Area Network
by Daniel Oxenhandler - January 30, 2003 in Best Practices
This paper examines some of the issues in designing a secure Local Area Network (LAN) and some of the best practices suggested by security experts.
Windows Logon Forensics
by Sunil Gupta - March 12, 2013 in Forensics
Digital forensics, also known as computer and network forensics, is the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.
Implementing a Vulnerability Management Process
by Tom Palmaers - April 9, 2013 in Threats/Vulnerabilities
A vulnerability is defined in the ISO 27002 standard as "A weakness of an asset or group of assets that can be exploited by one or more threats" (International Organization for Standardization, 2005).
Penetration Testing: Assessing Your Overall Security Before Attackers Do
by Stephen Northcutt, Jerry Shenk, Dave Shackleford, Tim Rosenberg, Raul Siles, Steve Mancini - November 17, 2006 in Penetration Testing
- Sponsored By: Core Security Technologies
CORE IMPACT provides a stable, quality-assured testing tool that can be used to accurately assess systems by penetrating existing vulnerabilities.
Securing the Internet of Things Survey
by John Pescatore - January 15, 2014 in Covert Channels, Information Warfare
- Associated Webcasts: SANS Analyst Webcast: SANS Survey on Securing The Internet of Things
- Sponsored By: Codenomicon, Norse
Survey reveals the risks introduced by an increasing array of "smart" things with wireless or Internet connections.
An Introduction to Information System Risk Management
by Steve Elky - June 6, 2006 in Auditing & Assessment
Key elements of information security risk, offering insight into risk assessment methodologies.
Conducting a Penetration Test on an Organization
by Chan Wai - October 4, 2001 in Auditing & Assessment
A methodology for executing penetration testing.
Who's Using Cyberthreat Intelligence and How?
by Dave Shackleford - February 16, 2015
- Associated Webcasts: Who's Using Cyberthreat Intelligence and How? Part 1: Definitions, Tools and Standards; Who's Using Cyberthreat Intelligence and How? Part 2: Best Practices to Improve Incident Detection and Response
- Sponsored By: Arbor Networks, Carbon Black, BeyondTrust, AlienVault, SurfWatch Labs, Anomali
In the last several years, we've seen a disturbing trend: attackers are innovating much faster than defenders are. We've seen the "commercialization" of malware, with attack kits available on underground forums for anyone who wants to perpetrate a variety of attacks.
The Importance of Security Awareness Training
by Cindy Brodie - January 14, 2009 in Security Awareness
One of the greatest threats to information security could actually come from within your company or organization. Inside attacks have been noted to be some of the most dangerous since these people are already quite familiar with the infrastructure. It is not always disgruntled workers and corporate spies who are a threat. Often, it is the non-malicious, uninformed employee (CTG, 2008).
All papers are copyrighted. No re-posting or distribution of papers is permitted.