Reading Room: Most Popular Papers

Featuring the 25 most popular papers within the past week as of September 25, 2016

  • A Hands-on XML External Entity Vulnerability Training Module Masters
    by Carrie Roberts - November 4, 2013 in Application and Database Security

    Web based attacks are on the rise, and the most exploited vulnerabilities are often not the newest (Symantec Corporation, 2013).

  • Using Vagrant to Build a Manageable and Sharable Intrusion Detection Lab Masters
    by Shaun McCullough - September 20, 2016 in Information Assurance, Intrusion Detection, Tools

    This paper investigates how the Vagrant software application can be used by Information Security (InfoSec) professionals looking to provide their audience with an infrastructure environment to accompany their research. InfoSec professionals conducting research or publishing write-ups can provide opportunities for their audience to replicate or walk through the research themselves in their own environment. Vagrant is a popular DevOps tool for providing portable and repeatable production environments for application developers, and may solve the needs of the InfoSec professional. This paper will investigate how Vagrant works, the pros and cons of the technology, and how it is typically used. The paper describes how to build or repurpose three environments, highlighting different features of Vagrant. Finally, the paper will discuss lessons learned.

  • Threat Intelligence: What It Is, and How to Use It Effectively Analyst Paper
    by Matt Bromiley - September 19, 2016 in Threat Hunting

    In todays cyber landscape, decision makers constantly question the value of their security investments, asking whether each dollar is helping secure the business. Meanwhile, cyber attackers are growing smarter and more capable every day. Todays security teams often nd themselves falling behind, left to analyze artifacts from the past to try to determine the future. As organizations work to bridge this gap, threat intelligence (TI) is growing in popularity, usefulness and applicability.

  • Building a Home Network Configured to Collect Artifacts for Supporting Network Forensic Incident Response by Gordon Fraser - September 21, 2016 in Forensics

    A commonly accepted Incident Response process includes six phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Preparation is key. It sets the foundation for a successful incident response. The incident responder does not want to be trying to figure out where to collect the information necessary to quickly assess the situation and to respond appropriately to the incident. Nor does the incident responder want to hope that the information he needs is available at the level of detail necessary to most effectively analyze the situation so he can make informed decisions on the best course of action. This paper identifies artifacts that are important to support network forensics during incident response and discusses an architecture and implementation for a home lab to support the collection of them. It then validates the architecture using an incident scenario.

  • Know Thy Network - Cisco Firepower and Critical Security Controls 1 & 2 Masters
    by Ryan Firth - September 19, 2016 in Critical Controls

    Previously known as the SANS Top 20, the Critical Security Controls are based on real-world attack and security breach data from around the world, and are objectively the most effective technical controls against known cyber-attacks. Due to competing priorities and demands, however, organizations may not have the expertise to figure out how to implement and operationalize the Critical Security Controls in their environments. This paper will help bridge that gap for security and network teams using Cisco Firepower.

  • Bill Gates and Trustworthy Computing: A Case Study in Transformational Leadership by Preston S. Ackerman - September 20, 2016 in Case Studies, Management & Leadership

    The notion that IT security is a serious issue is non-controversial. The market for cybersecurity spending topped $75 billion in 2015, and analysts expect it to exceed $170 billion by 2020 (Morgan 2016). With the advent of cloud computing, the explosion of mobile devices, and the emergence of increasingly sophisticated adversaries from organized crime and nation-state actors, businesses and the industry as a whole will require the vision of great leaders to keep pace with the threats. We can look to the industry's rich history to see examples of such transformational leadership in the past. An enlightening case study is the Microsoft Trustworthy Computing initiative, launched by an insightful and stimulating memo Bill Gates sent on January 15, 2002. The initiative would not only transform culture, procedures, and policy surrounding security at Microsoft, but would in fact cause a dramatic shift for the entire industry. The idealized influence in the leadership shown by Gates can serve as a model for today's leaders.

  • SSL and TLS: A Beginners Guide by Holly McKinley - May 12, 2003 in Protocols

    This paper particularly serves as a resource to those who are new to the information assurance field, and provides an insight to two common protocols used in Internet security.

  • Automating Provisioning of NetFlow Analyzers Masters
    by Sumesh Shivdas - September 14, 2016 in Critical Controls, Intrusion Detection

    NetFlow is an embedded instrumentation within Cisco IOS software (Introduction to Cisco IOS NetFlow). NetFlow tracks every network conversation and thus provides insight into the network traffic. Third party NetFlow analyzers are available to store, analyze, alert and report on the NetFlow data. NetFlow analyzers allow users to create custom alerts and reports based on the network traffic. To maximize the benefits from custom alerting and reporting the analyzers must be configured with details of the network environment. Manual configuration of the analyzer can soon be out of sync with the actual setup thus creating false negatives and false positives. This paper proposes an option to automate the configuration of the NetFlow analyzer from a central repository.

  • Data Breaches: Is Prevention Practical? Analyst Paper
    by Barbara Filkins - September 13, 2016 in Data Protection, Data Loss Prevention

    Despite the potential costs, legal consequences and other negative outcomes of data breaches, they continue to happen. A new SANS Institute survey looks at the preventive aspect of breaches and what security and IT practitioners actually are, or are not, implementing for prevention.

  • Intelligent Network Defense Analyst Paper
    by Jake Williams - September 8, 2016 in Clients and Endpoints, Threats/Vulnerabilities

    When an army invades a sovereign nation, one of the defenders first goals is to disrupt the invaders command and control (C2) operations. The same is true when cyber attackers invade your network. Network defenders must prevent adversary communication, stopping the attack in its tracks while alerting the incident response (IR) team to the point of compromise and nature of the attack. Read on to learn more.

  • Incident Handler's Handbook by Patrick Kral - February 21, 2012 in Incident Handling

    An incident is a matter of when, not if, a compromise or violation of an organization's security will happen.

  • Disaster Recovery Plan Strategies and Processes by Bryan Martin - March 5, 2002 in Disaster Recovery

    This paper discusses the development, maintenance and testing of the Disaster Recovery Plan, as well as addressing employee education and management procedures to insure provable recovery capability.

  • An Overview of Threat and Risk Assessment by James Bayne - January 22, 2002 in Auditing & Assessment

    The purpose of this document is to provide an overview of the process involved in performing a threat and risk assessment

  • Penetration Testing: Assessing Your Overall Security Before Attackers Do Analyst Paper
    by Stephen Northcutt, Jerry Shenk, Dave Shackleford, Tim Rosenberg, Raul Sile, Steve Mancini - November 17, 2006 in Penetration Testing

    CORE IMPACT provides a stable, quality-assured testing tool that can be used to accurately assess systems by penetrating existing vulnerabilities.

  • An Introduction to Information System Risk Management by Steve Elky - June 6, 2006 in Auditing & Assessment

    Key elements of information security risk, offering insight into risk assessment methodologies.

  • Practical Considerations on IT Outsourcing Implementation under the Monetary Authority of Singapores Technology Risk Management Guidelines Masters
    by Andre Shori - September 19, 2016 in Critical Controls

    Singapore ranks third overall in the Global Financial Centres Index. The Monetary Authority of Singapore (MAS), Singapores central bank, has helped to achieve this success through guidance and regulation of the financial industry including how to conduct themselves in a secure and reliable manner. The Technology Risk Management Guidelines (TRM) are both a cyber philosophy and a set of regulatory requirements for financial institutions to address existing and emerging technological risks. However, successful implementation of TRM can be challenging from a practical standpoint for todays Cybersecurity Managers. TRMs Management of IT Outsourcing Risk is a key focus area which encompasses many of the principles and requirements promoted throughout the Guideline. By utilizing threat based, hierarchical measures such as those advocated by the Centre of Internet Security, Cybersecurity Managers can adhere to the Spirit of the Guidelines while implementing effective operational cybersecurity and safe Vendor integration.

  • Implementing a Vulnerability Management Process by Tom Palmaers - April 9, 2013 in Threats/Vulnerabilities

    A vulnerability is defined in the ISO 27002 standard as "A weakness of an asset or group of assets that can be exploited by one or more threats" (International Organization for Standardization, 2005).

  • Windows Logon Forensics by Sunil Gupta - March 12, 2013 in Forensics

    Digital forensics, also known as computer and network forensics, is the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.

  • Windows Installed Software Inventory by Jonathan Risto - September 7, 2016 in Critical Controls

    The 20 Critical Controls provide a guideline for the controls that need to be placed in our networks to manage and secure our systems. The second control states there should be a software inventory that contains the names and versions of the products for all devices within the infrastructure. The challenge for a large number of organizations is the ability to have accurate information available with minimal impact on tight IT budgets. This paper will discuss the Microsoft Windows command line tools that will gather this information, and provide example scripts that can be run by the reader.

  • Demystifying Malware Traffic by Sourabh Saxena - August 29, 2016 in Active Defense, Incident Handling, Malicious Code

    In today's world, adversaries use established techniques, innovative and intricate methods for cyber-crimes and to infiltrate firms or an individual's system. Usage of Malware is one of those approaches. Malware not only creates an inlet for attacks, but it also turns systems into "zombies" and "bots" forcing them to obey commands and perform activities as per the whims and fancies of the adversary. Thus, attacks like data theft, mail relay, access to confidential/restricted area, Distributed Denial-of-Service (DDoS) can easily be launched against not just the infected system but against other systems and environments as well by utilizing these zombies, bots, and botnets. Attackers not only obfuscate the code but can encrypt payloads as well as malware's traffic simultaneously, using approaches like mutation and polymorphism making their detection difficult not just for antiviruses, but even for firewalls, IDS and IPS, Incident Handlers, and Forensic teams. Organizations, having learned from past mistakes, have also shifted their approach from simple defense mechanisms such as antiviruses, IDS and IPS to aggressive strategies like DNS Sinkhole and Live Traffic Analysis. These strategies not only help in the identification and removal of malware but also in understanding the actual impact, blocking of malicious activities and identification of adversaries.

  • Designing a Secure Local Area Network by Daniel Oxenhandler - January 30, 2003 in Best Practices

    This paper examines of some of the issues in designing a secure Local Area Network (LAN) and some of the best practices suggested by security experts.

  • Building a World-Class Security Operations Center: A Roadmap Analyst Paper
    by Alissa Torres - April 15, 2015 
    • Sponsored By: RSA

    Explore how you can build a world-class security operations center (SOC) by focusing on the triad of people, process and technology.

  • Case Study: Critical Controls that Could Have Prevented Target Breach Masters
    by Teri Radichel - September 12, 2014 in Case Studies

    Target shoppers got an unwelcome holiday surprise in December 2013 when the news came out 40 million Target credit cards had been stolen (Krebs, 2013f) by accessing data on point of sale (POS) systems (Krebs, 2014b).

  • Detecting DNS Tunneling Masters
    by Greg Farnham - March 19, 2013 in DNS Issues

    Web browsing and email use the important protocol, the Domain Name System (DNS), which allows applications to function using names, such as, instead of hard-to-remember IP addresses.

  • Introduction to Business Continuity Planning by Gan Chee-Syong - October 1, 2001 in Disaster Recovery

    The purpose of this document is to give an overview of what is Business Continuity Planning and provide some guidance and resources for beginner.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

Masters - This paper was created by a SANS Technology Institute student as part of their Master's curriculum.