SANS Information Security Reading Room
https://www.sans.org/reading-room/
Last 25 Computer Security Papers added to the Reading Room

OS X as a Forensic Platform
https://www.sans.org/reading-room/whitepapers/forensics/os-forensic-platform-37637
Wed, 22 Feb 2017 00:00:00 +0000
The Apple Macintosh and its OS X operating system have seen increasing adoption by technical professionals, including digital forensic analysts. Forensic software support for OS X remains less mature than that of Windows or Linux. While many Linux forensic tools will work on OS X, instructions for how to configure the tool in OS X are often missing or confusing. OS X also lacks an integrated package management system for command line tools. Python, which serves as the basis for many open-source forensic tools, can be difficult to maintain and easy to misconfigure on OS X. Due to these challenges, many OS X users choose to run their forensic tools from Windows or Linux virtual machines. While this can be an effective and expedient solution, those users miss out on much of the power of the Macintosh platform. This research will examine the process of configuring a native OS X forensic environment that includes many open-source forensic tools, including Bulk Extractor, Plaso, Rekall, Sleuthkit, Volatility, and Yara. This process includes choosing the correct hardware and software, configuring it properly, and overcoming some of the unique challenges of the OS X environment. A series of performance tests will help determine the optimal hardware and software configuration and examine the performance impact of virtualization options.

DevSecOps Transformation: The New DNA of Agile Business
https://www.sans.org/reading-room/whitepapers/securitytrends/devsecops-transformation-dna-agile-business-37632
Tue, 21 Feb 2017 00:00:00 +0000
This is an additional resource that accompanies the analyst paper, "The DevSecOps Approach to Securing Your Code and Your Cloud". To view the paper, see https://www.sans.org/reading-room/whitepapers/analyst/devsecops-approach-securing-code-cloud-37597

Indicators of Compromise TeslaCrypt Malware
https://www.sans.org/reading-room/whitepapers/awareness/indicators-compromise-teslacrypt-malware-37622
Thu, 16 Feb 2017 00:00:00 +0000
Malware has become a growing concern in a society of interconnected devices and real-time communications. This paper will show how to analyze live ransomware malware samples, how malware processes locally, over time and within the network. Analyzing live ransomware gives a unique three-dimensional perspective, visually locating crucial signatures and behaviors efficiently. In lieu of reverse engineering or parsing the malware executable's infrastructure, live analysis provides a simpler method to root out indicators. Ransomware touches just about every file and many of the registry keys. Analysis can be done, but it needs to be focused. The analysis of malware capabilities from different datasets, including process monitoring, flow data, registry key changes, and network traffic will yield indicators of compromise. These indicators will be collected using various open source tools such as the Sysinternals suite, Fiddler, Wireshark, and Snort, to name a few. Malware indicators of compromise will be collected to produce defensive countermeasures against unwanted advanced adversary activity on a network. A virtual appliance platform with a simulated production Windows 8 O/S will be created, infected and processed to collect indicators to be used to secure enterprise systems. Different tools will leverage datasets to gather indicators, view malware on multiple layers, contain compromised hosts and prevent future infections.

PLC Device Security - Tailoring needs
https://www.sans.org/reading-room/whitepapers/threats/plc-device-security-tailoring-37612
Wed, 15 Feb 2017 00:00:00 +0000
Programmable Logic Controllers (PLCs) are widely used in many industries. With increasing concern and interest in the security of these controllers and their impact on those industries, there is a growing trend to integrate security directly into them. It is not realistic or wise to have a one-size-fits-all solution. This paper presents focus areas and requirements suited for various classes of PLCs in the market. It looks at the threats and vulnerabilities faced by them and the current security solutions adopted. The paper then recommends how PLC vendors should have different but extensible security solutions applied across various classes of controllers in their product portfolio.

Impediments to Adoption of Two-factor Authentication by Home End-Users
https://www.sans.org/reading-room/whitepapers/authentication/impediments-adoption-two-factor-authentication-home-end-users-37607
Fri, 10 Feb 2017 00:00:00 +0000
Cyber criminals have proven to be both capable and motivated to profit from compromised personal information. The FBI has reported that victims have suffered over $3 billion in losses through compromise of email accounts alone (IC3 2016). One security measure which has been demonstrated to be effective against many of these attacks is two-factor authentication (2FA). The FBI, the Department of Homeland Security US Computer Emergency Readiness Team (US-CERT), and the internationally recognized security training and awareness organization, the SANS Institute, all strongly recommend the use of two-factor authentication. Nevertheless, adoption rates of 2FA are low.

Obfuscation and Polymorphism in Interpreted Code
https://www.sans.org/reading-room/whitepapers/malicious/obfuscation-polymorphism-interpreted-code-37602
Fri, 10 Feb 2017 00:00:00 +0000
Malware research has operated primarily in a reactive state to date but will need to become more proactive to bring malware time-to-detection rates down to acceptable levels. Challenging researchers to begin creating their own code that defeats traditional malware detection will help bring about this change. This paper demonstrates a sample code framework that is easily and dynamically expanded on. It shows that it is possible for malware researchers to proactively mock up new threats and analyze them to test and improve malware mitigation systems. The code sample documented within demonstrates that modern malware mitigation systems are not robust enough to prevent even the most basic of threats. The significant amount of difficult-to-detect malware in circulation today is evidence of this deficiency. This paper is designed to demonstrate how malware researchers can approach this problem by partnering researchers with vendors in a way that follows code development from ideation through design to implementation and ultimately on to identification and mitigation.

The DevSecOps Approach to Securing Your Code and Your Cloud
https://www.sans.org/reading-room/whitepapers/analyst/devsecops-approach-securing-code-cloud-37597
Tue, 07 Feb 2017 00:00:00 +0000
DevSecOps, at heart, is about collaboration. More specifically, it is continual collaboration between information security, application development and IT operations teams. Having all three teams immersed in all development and deployment activities makes it easier for information security teams to integrate controls into the deployment pipeline without causing delays or creating issues by implementing security controls after systems are already running. Despite the potential benefits, getting started with DevSecOps will likely require some cultural changes and considerable planning, especially when automating the configuration and security of assets in the cloud. To help the shift toward a more collaborative culture, security teams need to integrate with the developers who are promoting code to cloud-based applications to show they can bring quality conditions to bear on any production code push without slowing the process. Security teams should also work with QA and development to define the key qualifiers and parameters that need to be met before any code can be promoted. This paper also has an additional resource titled "DevSecOps Transformation: The New DNA of Agile Business", available at https://www.sans.org/security-resources/devsecops-transformation-dna-agile-business.pdf

Moving Toward Better Security Testing of Software for Financial Services
https://www.sans.org/reading-room/whitepapers/application/moving-security-testing-software-financial-services-37592
Tue, 07 Feb 2017 00:00:00 +0000
The financial services industry (FSI) maintains high-value assets and typically operates in a very complex environment. Applications of all types--web applications, mobile applications, internal web services and so forth--are being developed quickly in response to market pressures by developers with limited security training and with relatively immature processes to support secure application development. This combination presents a juicy target for attackers, and data shows that the FSI continues to be a top target. Attempts to introduce security into the application life cycle frequently face challenges such as a lack of available application security expertise, concerns about costs for tooling, and a fear among product owners that security processes might impede the development cycle and slow their response to market conditions. This paper explores why the applications are being targeted, what is motivating the attackers and what some inhibitors of application security are. Most important, this paper specifies some best practices for developing a secure development life cycle to safeguard applications in the FSI.

Dissect the Phish to Hunt Infections
https://www.sans.org/reading-room/whitepapers/awareness/dissect-phish-hunt-infections-37587
Fri, 03 Feb 2017 00:00:00 +0000
Internal defense is a perilous problem facing many organizations today. Sole reliance on external defenses is all too common, leaving the internal organization largely unprotected. Even when internal defense is actually considered, how many think beyond the fallible antivirus (AV) or immature data loss prevention (DLP) solutions? Considering the rise of phishing emails and other social engineering campaigns, there is a significantly increased risk that an organization's current external and internal defenses will fail to prevent compromises. How would a cyber security team detect an attacker establishing a foothold within the center of the organization, or undetectable malware being downloaded internally, if a user were to fall for a phishing attempt?

Forensication Education: Towards a Digital Forensics Instructional Framework
https://www.sans.org/reading-room/whitepapers/bestprac/forensication-education-digital-forensics-instructional-framework-37582
Fri, 03 Feb 2017 00:00:00 +0000
The field of digital forensics is a diverse and fast-paced branch of cyber investigations. Unfortunately, common efforts to train individuals in this area have been inconsistent and ineffective, as curriculum managers attempt to plug in off-the-shelf courses without an overall educational strategy. The aim of this study is to identify the most effective instructional design features for a future entry-level digital forensics course. To achieve this goal, an expert panel of digital forensics professionals was assembled to identify and prioritize the features, which included general learning outcomes, specific learning goals, instructional delivery formats, instructor characteristics, and assessment strategies. Data was collected from participants using validated group consensus methods such as Delphi and cumulative voting. The product of this effort was the Digital Forensics Framework for Instruction Design (DFFID), a comprehensive digital forensics instructional framework meant to guide the development of future digital forensics curricula.

From Security Perspective, the Quickest Way to Assess Your Web Application
https://www.sans.org/reading-room/whitepapers/webappsec/security-perspective-quickest-assess-web-application-37577
Fri, 03 Feb 2017 00:00:00 +0000
The aim of this paper is to explain how to assess web applications with a fast, easy and effective method. A framework has been created as a Chrome Extension to solve two problems. 1. The first problem is when the IT team wants to know the security posture of their web application but does not have the budget/time to hire a penetration tester. They can use this framework, the "WPSecAnalyzer Chrome Extension", to check their web application's score from a security perspective without having deep knowledge of penetration testing. 2. The second problem is when the penetration tester wants to do the reconnaissance phase: he will use many tools, which will consume his time/effort. To reduce the time/effort consumed, he can use the "WPSecAnalyzer Extension" to check many issues/vulnerabilities from one place with an efficient and effective method. The Chrome Extension, called "WPSecAnalyzer", checks and verifies eleven issues/vulnerabilities on any website the end user visits and provides him with a report based on the findings. The report will have the score of the website, as well as a list of the findings based on the eleven issues/vulnerabilities.

Cyber Insurance Conundrum: Using CIS Critical Security Controls for Underwriting Cyber Risk
https://www.sans.org/reading-room/whitepapers/legal/cyber-insurance-conundrum-cis-critical-security-controls-underwriting-cyber-risk-37572
Wed, 01 Feb 2017 00:00:00 +0000
A considerable amount of insurance-industry-related research has been done to define new cyber security frameworks to help insurers underwrite cyber risk. This research includes copula-based actuarial models for pricing cyber insurance based on the number of computers; using the peaks-over-threshold method (from extreme value theory) to identify "cyber risks of daily life"; using the Principal-Agent model (from microeconomic theory); creating a methodology for common cyber risk categorization; modeling cyber risk based on operational risk, and more. However, there has been little to no input or research into cyber insurance related topics from cyber security experts. The purpose of this exploratory study is to propose the integration of a risk framework for underwriting cyber risk. This paper will analyze how the CIS Critical Security Controls, along with their accompanying quantified metrics, benchmarking, and auditing tools, can be used as a rating mechanism for determining the cybersecurity posture of insured organizations. Furthermore, such a mechanism can be perpetually used either for self-assessments by insured organizations or by independent qualified security assessors.

Digital Ghost: Turning the Tables
https://www.sans.org/reading-room/whitepapers/analyst/digital-ghost-turning-tables-37567
Wed, 01 Feb 2017 00:00:00 +0000
The complex weave of digital technology relies heavily on hyperconnected systems to move data and unlock value through analytics. The benefits are real, but the stakes involved require a serious look at the potential downsides, including the risk of cyber attacks. Organizations embracing technology innovation should not focus solely on efficiency and productivity, for innovation done correctly can also reduce the risks that come with expanding digital touchpoints.

Attack and Defend: Linux Privilege Escalation Techniques of 2016
https://www.sans.org/reading-room/whitepapers/testing/attack-defend-linux-privilege-escalation-techniques-2016-37562
Mon, 30 Jan 2017 00:00:00 +0000
Recent kernel exploits such as Dirty COW show that despite continuous improvements in Linux security, privilege escalation vectors are still in widespread use and remain a problem for the Linux community. Linux system administrators are generally cognizant of the importance of hardening their Linux systems against privilege escalation attacks; however, they often lack the knowledge, skill, and resources to effectively safeguard their systems against such threats. This paper will examine Linux privilege escalation techniques used throughout 2016 in detail, highlighting how these techniques work and how adversaries are using them. Additionally, this paper will offer remediation procedures in order to inform system administrators on methods to mitigate the impact of Linux privilege escalation attacks.

Using COIN Doctrine to Improve Cyber Security Policies
https://www.sans.org/reading-room/whitepapers/policyissues/coin-doctrine-improve-cyber-security-policies-37557
Fri, 27 Jan 2017 00:00:00 +0000
In today's ever-evolving Cyber environment, the "bad guys" seem to prosper, and the "good guys" cannot seem to find a solution to create a proper defensive posture. As the Cyber environment becomes an integral part of society, it is imperative to find a way to increase the global defensive posture in the most efficient way possible. This paper will focus on possible security policies that are easy to implement, are proven, and have a significant impact on an enterprise's security practices and posture. The argument will use field data and firsthand combat experience. Treating the Cyber environment as an insurgency and applying proven counterinsurgency policies can greatly increase security and produce a more efficient Cyber defender. The application of this solution gives the Cyber defender a new set of tools for the Cyber domain that are proven to be useful in the physical domain of a counterinsurgency.

Building and Maintaining a Denial of Service Defense for Businesses
https://www.sans.org/reading-room/whitepapers/critical/building-maintaining-denial-service-defense-businesses-37552
Wed, 25 Jan 2017 00:00:00 +0000
Distributed Denial of Service (DDoS) attacks have been around for decades but still cause problems for most businesses. While easy to launch, DDoS attacks can be difficult to sustain and even more difficult to monetize for attackers. From the business perspective, a DDoS attack might result in lost revenue but is unlikely to have the same long-term impact that a data breach may have. Recent changes in the IT landscape have made DDoS a more attractive attack vector for hackers. The industry trend to connect more and more devices to the Internet (often with minimal to no security), dubbed the "Internet of Things", has created a new marketplace for bad actors to sell their resource exhaustion services. Businesses need to consider all options when planning and implementing a defensive posture against denial of service attacks. As security vendors continue to offer new (and expensive) options to defend against these attacks, how does an InfoSec manager know which is best for their business? Using an "Offense informs the Defense" approach, this paper will analyze the methods used during DDoS attacks in order to determine the most appropriate defensive postures.

Implementing the Critical Security Controls
https://www.sans.org/reading-room/whitepapers/analyst/implementing-critical-security-controls-37547
Tue, 24 Jan 2017 00:00:00 +0000
This paper serves as a how-to for organizations in various stages of implementing the controls and offers two real-world examples of CIS Control adoption. The case studies are based on real-time interviews with the people behind the efforts and include the security environments before the implementation, the challenges experienced in adopting the controls and the benefits they've experienced.

Countering Impersonation, Spearphishing and Other Email-Borne Threats: A Review of Mimecast Targeted Threat Protection
https://www.sans.org/reading-room/whitepapers/engineering/countering-impersonation-spearphishing-email-borne-threats-review-mimecast-targeted-threat-protection-37542
Tue, 24 Jan 2017 00:00:00 +0000
The FBI estimates that between October 2013 and August 2015, more than 7,000 U.S.-based organizations lost a total of $748 million to business email scams. Such scams rely on the same tricks as confidence artists in the real world: the appearance of legitimacy and the tendency of victims to go along with requests that appear to be on the up-and-up, without checking to be sure. In this whitepaper, SANS senior analyst Jerry Shenk evaluates Targeted Threat Protection, an email-security service from Mimecast that is focused on stopping sophisticated phishing attacks. Among its most difficult targets: "whaling" attacks that spoof high-level executives asking for sensitive data, access or the transfer of money to accounts owned by scammers.

Back to Basics: Focus on the First Six CIS Critical Security Controls
https://www.sans.org/reading-room/whitepapers/analyst/basics-focus-first-cis-critical-security-controls-37537
Tue, 24 Jan 2017 00:00:00 +0000
Rather than a lack of choices in security solutions, a major problem in cyber security is an inability to implement mature processes: many organizations lack a defined and repeatable process for selecting, implementing and monitoring the security controls that are most effective against real-world threats. This paper explores how the Center for Internet Security (CIS) Critical Security Controls have proven to be an effective framework for addressing that problem.

Superfish and TLS: A Case Study of Betrayed Trust and Legal Liability
https://www.sans.org/reading-room/whitepapers/certificates/superfish-tls-case-study-betrayed-trust-legal-liability-37532
Tue, 24 Jan 2017 00:00:00 +0000
Superfish, the bloat adware included in Lenovo consumer laptops from 2014-2015 which intentionally broke TLS, exposed users' personal data to compromise and theft, and altered search result ads in users' browsers, severely impacted Lenovo's brand reputation. There have been other high-profile cases of intentionally modifying and breaking TLS that used questionable and deceptive practices, but few that generated as much attention and provide such a clear example of a chain of missteps between Lenovo, Superfish, and their customers. A case study of the Superfish mishap exposes the danger, risk, legal liability, and potential government investigation for organizations deploying TLS certificates and keys that break or weaken the security design and put private data or people at risk. The Superfish case further demonstrates the importance of a company's disclosure transparency to avoid accusations of deceptive practices if breaking TLS is required to protect users or an organization's data.

Intrusion Detection Evasion Techniques and Case Studies
https://www.sans.org/reading-room/whitepapers/detection/intrusion-detection-evasion-techniques-case-studies-37527
Mon, 23 Jan 2017 00:00:00 +0000
The number of security breaches is increasing significantly each year. Global Internet traffic is expected to be on the order of zettabytes for 2016 and then to double by 2020. In addition to increased traffic, the percentage of attack traffic is also increasing. The sophistication of attacks is also increasing. Attacks range in complexity from simple protocol, insertion, or desynchronization attacks that exploit the vagueness and incompleteness of the RFCs to polymorphic blending attacks that camouflage attack and exfiltration traffic to match normal traffic for that particular network. Various evasion techniques have been described in articles within this field of study, but there has not been a collective discussion of the variety of evasion techniques. A comprehensive compilation of the most common evasion techniques is needed to aid Intrusion Detection System providers and to assist various decision makers as they determine how best to apply limited resources to protect assets. This paper is a case study analysis designed to detail the most common intrusion evasion techniques that exist in the wild today.

Minimizing Legal Risk When Using Cybersecurity Scanning Tools
https://www.sans.org/reading-room/whitepapers/legal/minimizing-legal-risk-cybersecurity-scanning-tools-37522
Thu, 19 Jan 2017 00:00:00 +0000
When cybersecurity professionals use scanning tools on the networks and devices of organizations, there can be legal risks that need to be managed by individuals and enterprises. Often, scanning tools are used to measure compliance with cybersecurity policies and laws, so they must be used with due care. There are protocols that should be followed to ensure proper use of the scanning tools, to prevent interference with normal network or system operations, and to ensure the accuracy of the scanning results. Several challenges will be examined in depth, such as measuring scanner accuracy, proper methods of obtaining written consent for scanning, and how to set up a scanning session for optimum examination of systems or networks. This paper will provide cybersecurity professionals and managers with a better understanding of how and when to use the scanning tools while minimizing the legal risk to themselves and their enterprises.

Packets Don't Lie: LogRhythm NetMon Freemium Review
https://www.sans.org/reading-room/whitepapers/dlp/packets-lie-logrythm-netmon-freemium-review-37517
Wed, 18 Jan 2017 00:00:00 +0000
With more traffic than ever passing through our environments, and adversaries who know how to blend in, network security analysts need all the help they can get. At the same time, data is leaking out of our environments right under our noses. This paper investigates how LogRhythm's Network Monitor Freemium (NetMon Freemium) Version 3.2.3 provides intelligent monitoring, and helps organizations to identify sensitive data leaving the network and to respond when loss occurs.

Leveraging the Asset Inventory Database
https://www.sans.org/reading-room/whitepapers/critical/leveraging-asset-inventory-database-37507
Wed, 04 Jan 2017 00:00:00 +0000
A well-maintained Asset Inventory Database can aid in building a more comprehensive security program based on the CIS Critical Security Controls (CSC). Adding inputs and outputs to the database workflow will help the organization with several of the Critical Security Controls. The Critical Security Controls define a list of prioritized controls that, when followed, can improve the security foundation of an organization. The controls are most effective when implemented in order. Keeping an integrated and well-maintained Asset Inventory Database with the proper inputs and outputs can serve as a foundational element in any comprehensive security program.

Data Breach Impact Estimation
https://www.sans.org/reading-room/whitepapers/dlp/data-breach-impact-estimation-37502
Tue, 03 Jan 2017 00:00:00 +0000
Internal and external auditors spend a significant amount of time planning their audit processes to align their efforts with the needs of the audited organization. The initial phase of that audit cycle is the risk assessment. Establishing a firm understanding of the likelihood and impact of risk guides the audit function and aligns its work with the risks the organization faces. The challenge many auditors and security professionals face is effectively quantifying the potential impact of a data breach to their organization. This paper compares the data breach cost research of the Ponemon Institute and the RAND Corporation, comparing the models against breach costs reported by publicly traded companies under the Securities and Exchange Commission (SEC) reporting requirements. The comparisons will show that the RAND Corporation's approach provides organizations with a more accurate and flexible model to estimate the potential cost of data breaches as they relate to the direct cost of investigating and remediating a breach and the indirect financial impact associated with regulatory and legal action following a data breach. Additionally, the comparison indicates that data breach-related impacts to revenue and stock valuation are only realized in the short term.