SANS Information Security Reading Room
25 Computer Security Papers added to the Reading Room

Physical Security and Why It Is Important
Physical security is often a second thought when it comes to information security. Since physical security has technical and administrative elements, it is often overlooked because most organizations focus on "technology-oriented security countermeasures" (Harris, 2013) to prevent hacking attacks.
Thu, 28 Jul 2016 00:00:00 +0000

Implementing the Critical Security Control: Controlled Use of Administrative Privileges
There is a plethora of information available to help organizations protect their cyber assets.
Mon, 25 Jul 2016 00:00:00 +0000

Polymorphic, multi-lingual websites: A theoretical approach for improved website security
Web traffic is one of the largest single types of traffic on the internet.
Mon, 25 Jul 2016 00:00:00 +0000

Healthcare Provider Breaches and Risk Management Road Maps: Results of the SANS Survey on Information Security Practices in the Healthcare Industry
The number of attack surfaces continues to rise as the use of mobile medical- and health-related apps grows and as electronic health records (EHR) become ever more embedded in clinical settings. As this survey shows, many attacks stem from insiders with access, whether through simple negligence, malicious intent or just plain curiosity. To get the specifics, read on …
Tue, 19 Jul 2016 00:00:00 +0000

Portable System for Network Forensics Data Collection and Analysis
A portable lab environment for network-level analysis is a necessary tool today for the forensic analyst. With today's malicious software and the myriad of network-aware client-side software, one of the tools that should be in the forensic analyst's toolbox is a portable response system for data collection and analysis. This paper will explain how to build a portable forensic workstation that provides several virtual environments installed together with supplemental hardware, such as multiple NICs and a modern managed switch, in order to provide a network forensic tool. VMs will include pfSense 2.2 running in transparent firewall mode along with other supporting packages and a network security monitoring platform. A cookbook approach will be used to explore common use cases for the network and system forensic analyst, such as updating rules, sharing data among multiple environments, extracting data from packet captures, and clearing out all of the tools installed to start an investigation. This paper was written to provide a build outline for using pfSense and Security Onion to achieve these goals.
Fri, 15 Jul 2016 00:00:00 +0000

Endpoint Security through Device Configuration, Policy and Network Isolation
Data leaked from endpoints unbeknownst to the user can be detrimental to both an organization and its workforce. The CIO of GIAC Enterprises, alarmed by reports from a newly installed, host-based firewall on his MacBook Pro, commissioned an investigation concerning the security of GIAC Enterprises endpoints.
Fri, 15 Jul 2016 00:00:00 +0000

Scalable Methods for Conducting Cyber Threat Hunt Operations
Security professionals commonly agree that organizations cannot prevent 100% of all cyber attacks. For this reason, organizations are encouraged to practice defense in depth so that if any one security measure fails, another will reduce the exposure and mitigate the impact. However, despite investing countless sums of money, manpower, and time into developing and maintaining a robust security infrastructure, organizations still struggle to identify and respond to cyber intrusions in a timely manner. Cyber Threat Hunt Teams have recently emerged as a proactive defense asset capable of methodically detecting and responding to advanced persistent threats that evade traditional rule- or signature-based security solutions. This paper describes scalable methods and practices to plan and conduct cyber threat hunt operations throughout the enterprise.
Thu, 14 Jul 2016 00:00:00 +0000

Using Information Security as an Auditing Tool
As cyber-attacks gain visibility within mainstream media, what was once the domain of information security experts is now a concern of everyday individuals. With solutions and information readily available, where does one start in the pursuit of information security? An understanding of the organization's system and network infrastructure is required, but what type of approach can be taken? Investigation leads to using information security as an auditing tool to analyze and report on an organization's strengths, weaknesses and needs. As a result, the organization inherently gains visibility into its current posture, its gaps and a method for continuous remediation.
Thu, 14 Jul 2016 00:00:00 +0000

Decision Criteria and Analysis for Hardware-Based Encryption
Organizations trying to balance the risk of data breaches against the inconvenience, latency and cost of encrypting every bit of valuable data often balk at the trade-off. But with the volume of digital data growing and computing environments becoming more complex and accessible, the ratio of cost to benefit has improved, and encryption is now far more common in organizations that rely heavily on Internet- or cloud-connected applications for significant business functions.
Wed, 13 Jul 2016 00:00:00 +0000

How to Target Critical Infrastructure: The Adversary Return on Investment from an Industrial Control System
A device that could decrypt all encryption—within seconds. A box with this capability could be one of the most valuable pieces of equipment for an organization, but even more valuable to an adversary. What if that box only worked against American encryption? If true, a particular market would be ripe for the harvest. A device that powerful could be used to decrypt secrets and data in transit, making any encrypted data an adversary might have access to extremely valuable. Similarly, critical infrastructure is a target for some because of the yield that a successful attack could result in. Death, disruption or damage is a real possibility. Return on Investment (ROI) and Return on Security Investment (ROSI) fall short in actually determining the level of protection required for an organization striving to protect its most sensitive data or systems. The Adversary Return on Investment (AROI) is the missing piece of the equation. From the adversary's vantage point, data, infrastructure or systems have value. By understanding this value, an organization can more appropriately align its security strategy, especially for the most critical infrastructure.
Tue, 12 Jul 2016 00:00:00 +0000

The Case for PIM/PAM in Today's Infosec
To see how serious a threat the misuse of privileged credentials represents, look no further than the astonishing scope of the breach discovered in 2015 at the United States Office of Personnel Management (OPM). To realize how often similar threats become real, look no further than the 2016 Verizon Data Breach Incident Report (DBIR), which found that privilege misuse was the second-most frequent cause of security incidents and the fourth-most common cause of breaches.
Thu, 30 Jun 2016 00:00:00 +0000

SANS 2016 State of ICS Security Survey
Survey data collected between January and April 2016 indicates that security for ICSes has not improved in many areas and that many problems identified as high-priority concerns in our past surveys remain as prevalent as ever. In this report we focus on identifying and prioritizing recommendations to address the greatest concerns.
Tue, 28 Jun 2016 00:00:00 +0000

Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey
The results of this survey, conducted in conjunction with Advisen, Ltd., make it clear that the effort to achieve a common understanding of cyber insurance and derive value from it will require focused attention from all sides. This study also sets a direction toward a common, achievable goal: reducing the risk of financial loss from a cyber incident. The gaps identified in this survey come together to form the building blocks needed to achieve this goal.
Mon, 20 Jun 2016 00:00:00 +0000

Success Rates for Client Side Vulnerabilities
The user is the weakest link in the computer security chain. From clicking on links that they shouldn't to having weak passwords, it generally comes down to the end user doing something they shouldn't. If the user runs a piece of malware or opens an infected file, will it always lead to a compromise? This paper plans to test whether client-side exploits will always function or whether there are additional factors to consider when dealing with these vulnerabilities and associated exploits. Is the Common Vulnerability Scoring System (CVSS) score enough to determine whether a particular vulnerability is more critical than another and should be remediated sooner? This testing will be accomplished through the use of freely available exploitation software (e.g. Social Engineering Toolkit, Metasploit) in a closed testing environment.
Tue, 14 Jun 2016 00:00:00 +0000

Lessons Learned from Treatment of Trauma in Individuals and Organizations Under Repeated Cyber Attacks
There has been significant research relative to the impacts of trauma on human beings and the associated treatment of that trauma. With the increasing frequency of cyber-attacks and associated breaches, people within organizations are experiencing traumatic effects similar to those felt by victims of a more physical attack or incident. There are significant parallels between the impacts of cyber-attacks on organizations and the impacts on individuals experiencing some form of trauma. There are key lessons to be learned from the treatment of trauma victims and techniques to help organizations become more prepared and resilient relative to cyber-attacks. With the continued escalation of cyber-attacks, organizations should be working to implement solutions beyond just security technology and look to the process and people elements of the solution.
Mon, 13 Jun 2016 00:00:00 +0000

Incident Response Capabilities in 2016: The 2016 SANS Incident Response Survey
Results of the 2016 Incident Response Survey indicate that the IR landscape is ever changing. Advanced industries are able to maintain effective IR teams, but as shown in this report, there are still hurdles to jump to increase the efficiency of many IR teams. Read this report to learn more.
Tue, 07 Jun 2016 00:00:00 +0000

Infographic: Financial Apps at Risk
Read the associated whitepaper here:
Tue, 07 Jun 2016 00:00:00 +0000

Legal Aspects of Privacy and Security: A Case-Study of Apple versus FBI Arguments
The debate regarding privacy versus security has been going on for some time now.
Fri, 03 Jun 2016 00:00:00 +0000

Gh0st in the Dshell: Decoding Undocumented Protocols
A 2015 study indicated that nearly 70 percent of traffic on the internet was made up of HTTP (57.39%) and HTTPS (9.53%) web traffic.
Fri, 03 Jun 2016 00:00:00 +0000

Understanding Security Regulations in the Financial Services Industry
Read the associated infographic here:
Fri, 03 Jun 2016 00:00:00 +0000

Using Splunk to Detect DNS Tunneling
DNS tunneling is a method to bypass security controls and exfiltrate data from a targeted organization. Choose any endpoint on your organization's network and, using nslookup, perform an A record lookup for If it resolves with the site's IP address, that endpoint is susceptible to DNS tunneling. Logging DNS transactions from different sources, such as network taps and the DNS servers themselves, can generate large volumes of data to investigate. Splunk can help ingest the large volume of log data and mine it to determine whether malicious actors may be using DNS tunneling techniques on the target organization's network. This paper will guide the reader in building a lab network to test and understand different DNS tunneling tools, then in using Splunk and Splunk Stream to collect the data and detect the DNS tunneling techniques. The reader will be able to apply what they learn to any enterprise network.
Wed, 01 Jun 2016 00:00:00 +0000

Evaluating Cyber Risk in Engineering Environments: A Proposed Framework and Methodology
Tue, 31 May 2016 00:00:00 +0000

Under The Ocean of the Internet - The Deep Web
The Internet was a revolutionary invention, and its use continues to evolve. People around the world use the Internet every day for things such as social media, shopping, email, reading news, and much more. However, this makes up only a very small piece of the Internet; the rest is filled by an area called the Deep Web.
Fri, 27 May 2016 00:00:00 +0000

Blueprint for CIS Control Application: Securing the SAP Landscape
A data breach can be expensive, but the potential cost rises with the value or exploitability of the data targeted in an attack.
Thu, 26 May 2016 00:00:00 +0000

Critical Security Controls: Software Designed Inventory, Configuration, and Governance
The events of September 11, 2001, show us how isolated communication and the inability to share intelligence could paralyze decision making (Johnston, 2003).
Tue, 24 May 2016 00:00:00 +0000