SANS Information Security Reading Room
https://www.sans.org/reading-room/
Last 25 Computer Security Papers added to the Reading Room

Hunting with Prevention
https://www.sans.org/reading-room/whitepapers/analyst/hunting-prevention-37217
Wed, 24 Aug 2016 00:00:00 +0000
Traditional endpoint protection such as antivirus, while effective in some cases, is no match for the ever-changing techniques that attackers use to get past defenses, according to multiple SANS surveys.

Building a Forensically Capable Network Infrastructure
https://www.sans.org/reading-room/whitepapers/modeling/building-forensically-capable-network-infrastructure-37212
Tue, 23 Aug 2016 00:00:00 +0000
The number of computer-related security incidents continues to grow yearly, resulting in the need to ensure that network infrastructures are built to be forensically capable. During the period January 2011 to December 2015, the number of reported computer security incidents grew over this four-year period from 1,281 to 3,930. Alongside the increased number of reported computer security incidents came an increased number of exposed records: during the same period, the number of exposed records jumped from 413 million to 736 million, with 2013 and 2014 having over 2 billion records exposed. Some challenges with becoming forensically capable relate to understanding the business needs, identifying the people to support that need and, ultimately, the technology or tools to support those business needs.

Automated Analysis of “abuse” mailbox for employees with the help of Malzoo
https://www.sans.org/reading-room/whitepapers/threathunting/automated-analysis-“abuse”-mailbox-employees-malzoo-37207
Tue, 23 Aug 2016 00:00:00 +0000
For most companies, e-mail is still the main form of communication, both internally and with customers. Unfortunately, e-mail is also used heavily by cyber criminals in the form of spam, phishing, spear-phishing, fraud or to deliver malicious software. Employees receive these kinds of messages on a daily basis, even though strict security measures are implemented. Sometimes an employee will fall for the scam, but often they will know when it is a false e-mail, especially after good awareness programs. Instead of letting them delete the e-mail, let them share it with you to learn and see what is getting through your security measures or what employees see as "fishy". But what should you do with the e-mails that are forwarded to this special "abuse" mailbox? Malzoo can be used to analyze this mailbox by picking up the e-mails, parsing them and sharing the results with the CERT team. By using the collected data, you can find new spam runs, update spam filters, receive new malware and learn in which parts of the company awareness is highest (and lowest). This paper explains the benefits and drawbacks of giving employees a central point to report suspicious e-mail and how Malzoo can be used to automate the analysis.

Protect the Network from the Endpoint with the Critical Security Controls
https://www.sans.org/reading-room/whitepapers/access/protect-network-endpoint-critical-security-controls-37202
Mon, 22 Aug 2016 00:00:00 +0000
The endpoint is rapidly evolving and often the first vector of attack into enterprises, according to the SANS 2016 State of Endpoint Security Survey. As such, all endpoints should be considered potentially hostile.

Simple Approach to Access Control: Port Control and MAC Filtering
https://www.sans.org/reading-room/whitepapers/access/simple-approach-access-control-port-control-mac-filtering-37197
Mon, 22 Aug 2016 00:00:00 +0000
Many times businesses will spend time and money on "Magic Bullet" security and focus on a single technology or threat. This focus can lend itself more towards placing a "check in the box" for compliance rather than towards actual security and facing today's threats. Frequently, missing controls can have a cascading effect where, because one control was missing or inadequate, other failures occur, turning a minor problem into a breach. This paper approaches one such incident, calls out which control was identified as the primary failure and offers an evaluation of a specific tool that could have helped prevent this attack. It covers not only the cost of the tool and the time to implement it but also discusses other costs such as training, monitoring, maintenance and user impact, and offers a guide for a successful implementation.

Incident Handling Preparation: Learning Normal with the Kansa PowerShell Incident Response Framework
https://www.sans.org/reading-room/whitepapers/incident/incident-handling-preparation-learning-normal-kansa-powershell-incident-response-framewor-37192
Mon, 22 Aug 2016 00:00:00 +0000
Preparation is a critical step in establishing an effective incident response program. Information security professionals who will be called upon to handle an incident must prepare ahead of time. Kansa is a PowerShell Incident Response Framework developed by Dave Hull. The PowerShell Remoting feature is leveraged to establish a highly scalable and extensible system state collection platform. Once data is collected from across the Microsoft environment, an extensive set of frequency analysis scripts may be executed to enable incident handlers to turn unknowns into knowns and to discover anomalies and indicators of compromise.

In but not Out: Protecting Confidentiality during Penetration Testing
https://www.sans.org/reading-room/whitepapers/testing/out-protecting-confidentiality-penetration-testing-37187
Mon, 22 Aug 2016 00:00:00 +0000
Penetration testing is imperative for organizations committed to security. However, independent penetration testers are rarely greeted with open arms when initiating an assessment. As firms implement the Critical Security Controls or the Risk Management Framework, independent penetration testing will likely become standard practice as opposed to a supplemental exercise. Ethical hacking is a common tactic to view a company’s network from an attacker’s perspective, but inviting external personnel into a network may increase risk. Penetration testers strive to gain superuser privileges wherever possible and utilize thousands of open-source tools and scripts, many of which do not originate from validated sources. Penetration testers may gain access to all compartmented sections of a network and document how to repeat successful exploits while saving restricted data to their laptops. This paper illustrates secure Tactics, Techniques, and Procedures (TTPs) to enable ethical hackers to complete their tests within scope while reducing managerial stress regarding confidentiality. A properly conducted independent penetration test should provide essential intelligence about a network without jeopardizing the confidentiality of proprietary data.

Filling the Gaps
https://www.sans.org/reading-room/whitepapers/auditing/filling-gaps-37182
Thu, 18 Aug 2016 00:00:00 +0000
There should be an emphasis on the importance of regular internal and external auditing, focusing on the business mentality of "It can't happen to me" and mitigating the risk of complacency. The key areas covered will be cementing assessments and audits as a benefit versus a reactive or troublesome activity, and the cost savings from regular auditing compared with the alternatives, such as breaches and poor publicity. The world is full of technical and administrative compliance requirements; understanding where gaps are present is not something to be afraid of, but something to readily embrace, acting upon those deficiencies. Thinking that you are compliant and knowing you are compliant can make a large difference in business longevity and profitability.

The SANS State of Cyber Threat Intelligence Survey: CTI Important and Maturing
https://www.sans.org/reading-room/whitepapers/analyst/state-cyber-threat-intelligence-survey-cti-important-maturing-37177
Mon, 15 Aug 2016 00:00:00 +0000
It’s 2016, and the attacks (and attackers) continue to be more brazen than ever. In this threat landscape, the use of cyber threat intelligence (CTI) is becoming more important to IT security and response teams than ever before. This paper provides survey results along with advice and best practices for getting the most out of CTI.

Generating Hypotheses for Successful Threat Hunting
https://www.sans.org/reading-room/whitepapers/threats/generating-hypotheses-successful-threat-hunting-37172
Mon, 15 Aug 2016 00:00:00 +0000
Threat hunting is a proactive and iterative approach to detecting threats. Although threat hunters should rely heavily on automation and machine assistance, the process itself cannot be fully automated. One of the human’s key contributions to a hunt is the formulation of a hypothesis to guide the hunt. This paper explores three types of hypotheses and outlines how and when to formulate each of them.

Investing in Information Security: A Case Study in Community Banking
https://www.sans.org/reading-room/whitepapers/leadership/investing-information-security-case-study-community-banking-37167
Fri, 12 Aug 2016 00:00:00 +0000
Small businesses, such as community banks, often do not have resources dedicated to information technology, much less resources dedicated to information security. Although larger financial institutions have more resources to invest in information security, they are also attempting to secure much larger, more complex environments. Community banks, with a smaller footprint of computer systems and networks, have the opportunity to produce even greater results with a comparatively smaller investment. This case study shows how one small community bank enjoyed the successes of transitioning from an environment of constant reactionary troubleshooting to implementing an information security strategy that focused not only on improving the information technology environment but also on business operations and regulatory compliance for the bank.

Introduction to Rundeck for Secure Script Executions
https://www.sans.org/reading-room/whitepapers/privilege/introduction-rundeck-secure-script-executions-37162
Thu, 11 Aug 2016 00:00:00 +0000
Many organizations today support physical, virtual, and cloud-based systems across a wide range of operating systems. Providing least-privilege access to systems can be a complex mesh of sudoers files, profiles, policies, and firewall rules. While configuration management tools such as Puppet or Chef help ensure consistency, they do not inherently simplify the process for users or administrators. Additionally, current DevOps teams are pushing changes faster than ever. Keeping pace with new services and applications often forces sysadmins to use more general access rules and thus expose broader access than necessary. Rundeck is a web-based orchestration platform with powerful ACLs and ssh-based connectivity to a wide range of operating systems and devices. The simple user interface for Rundeck is coupled with DevOps-friendly REST APIs and YAML or XML configuration files. Using Rundeck for server access improves security while keeping pace with rapidly changing environments.

Data Loss Prevention
https://www.sans.org/reading-room/whitepapers/dlp/data-loss-prevention-37152
Mon, 08 Aug 2016 00:00:00 +0000
Data Loss Prevention (DLP) continues to be a complex, business-centric security initiative for organizations to overcome.

Changing the Perspective of Information Security in the Cloud: Cloud Access Security Brokers and Cloud Identity and Access Management
https://www.sans.org/reading-room/whitepapers/cloud/changing-perspective-information-security-cloud-cloud-access-security-brokers-cl-37150
Thu, 04 Aug 2016 00:00:00 +0000
Businesses are leveraging cloud computing services at an exponential rate. Working in the information security industry during the cloud computing frenzy is exciting, but it is also proving to be challenging, as cloud computing service providers (CSPs) have typically lacked industry-standard security controls.

Defending Against the Weaponization of Trust: Defense in Depth Assessment of TLS
https://www.sans.org/reading-room/whitepapers/auditing/defending-weaponization-trust-defense-in-depth-assessment-tls-37145
Mon, 01 Aug 2016 00:00:00 +0000
X.509 certificates are the cornerstone of brokered trust across the digital landscape, both inside and outside the firewall. Often they are trusted too much and become the weapon of choice for attackers looking for the easiest way to bypass the first layers of controls. Implementing additional layers of certificate quality controls using a Defense in Depth strategy reduces the X.509 certificate attack surface and ensures a reliable trust anchor.

Deception Techniques as Part of Intrusion Detection Strategy
https://www.sans.org/reading-room/whitepapers/detection/deception-techniques-intrusion-detection-strategy-37140
Mon, 01 Aug 2016 00:00:00 +0000
Intrusion Detection Systems (IDS) are used to help the security analyst detect unauthorized or suspicious activity inside a network and on endpoints (servers, workstations). An early stage in the hacker's methodology uses active reconnaissance on the network to find other machines they can pivot to in order to maintain their presence.

Realistic Risk Management Using the CIS 20 Security Controls
https://www.sans.org/reading-room/whitepapers/riskmanagement/realistic-risk-management-cis-20-security-controls-37135
Mon, 01 Aug 2016 00:00:00 +0000
Does your organization spend an inordinate amount of time “managing” risk, when the current state of security is known to be poor, with far too few resources available to deal with the top issues?

“Is there a Yelp for Ransomware?” Incident response planning that doesn't rely on Plan B
https://www.sans.org/reading-room/whitepapers/incident/“is-yelp-ransomware”-incident-response-planning-doesnt-rely-plan-37130
Mon, 01 Aug 2016 00:00:00 +0000
What if there was a service that could classify the impact of each variant of ransomware?

Hardware Keyloggers
https://www.sans.org/reading-room/whitepapers/physical/hardware-keyloggers-37125
Fri, 29 Jul 2016 00:00:00 +0000
Most information security professionals are familiar with keyloggers. However, while the security industry has produced plenty of defenses for software-based keyloggers, hardware keyloggers continue to pose a daunting problem for the typical enterprise. A deeper understanding of these insidious devices can lead to viable techniques for both protection and detection.

Physical Security and Why It Is Important
https://www.sans.org/reading-room/whitepapers/physical/physical-security-important-37120
Thu, 28 Jul 2016 00:00:00 +0000
Physical security is often a second thought when it comes to information security. Since physical security has technical and administrative elements, it is often overlooked because most organizations focus on "technology-oriented security countermeasures" (Harris, 2013) to prevent hacking attacks.

Implementing the Critical Security Control: Controlled Use of Administrative Privileges
https://www.sans.org/reading-room/whitepapers/critical/implementing-critical-security-control-controlled-administrative-privileges-37115
Mon, 25 Jul 2016 00:00:00 +0000
There is a plethora of information available to help organizations protect their cyber assets.

Polymorphic, multi-lingual websites: A theoretical approach for improved website security
https://www.sans.org/reading-room/whitepapers/webappsec/polymorphic-multi-lingual-websites-theoretical-approach-improved-website-security-37110
Mon, 25 Jul 2016 00:00:00 +0000
Web traffic is one of the largest single types of traffic on the internet.

Healthcare Provider Breaches and Risk Management Road Maps: Results of the SANS Survey on Information Security Practices in the Healthcare Industry
https://www.sans.org/reading-room/whitepapers/analyst/healthcare-provider-breaches-risk-management-road-maps-results-survey-informati-37105
Tue, 19 Jul 2016 00:00:00 +0000
The number of attack surfaces continues to rise as the use of mobile medical- and health-related apps grows and as electronic health records (EHR) become ever more embedded in clinical settings. As this survey shows, many attacks stem from insiders with access, whether through simple negligence, malicious intent or just plain curiosity. To get the specifics, read on …

Portable System for Network Forensics Data Collection and Analysis
https://www.sans.org/reading-room/whitepapers/forensics/portable-system-network-forensics-data-collection-analysis-37100
Fri, 15 Jul 2016 00:00:00 +0000
A portable lab environment for network-level analysis is a necessary tool today for the forensic analyst. With today's malicious software and myriad network-aware client-side software, one of the tools that should be in the forensic analyst's toolbox is a portable response system for data collection and analysis. This paper will explain how to build a portable forensic workstation that provides several virtual environments installed together with supplemental hardware, such as multiple NICs and a modern managed switch, in order to provide a network forensic tool. VMs will include pfSense 2.2 running in transparent firewall mode along with other supporting packages, a network security-monitoring platform. A cookbook approach will be used to explore common use cases for the network and system forensic analyst, such as updating rules, sharing data among multiple environments, extracting data from packet captures, and clearing out all of the tools installed to start an investigation. This paper was written to provide a build outline for using pfSense and Security Onion to achieve these goals.

Endpoint Security through Device Configuration, Policy and Network Isolation
https://www.sans.org/reading-room/whitepapers/clients/endpoint-security-device-configuration-policy-network-isolation-37095
Fri, 15 Jul 2016 00:00:00 +0000
Sensitive data leaked from endpoints unbeknownst to the user can be detrimental to both an organization and its workforce. The CIO of GIAC Enterprises, alarmed by reports from a newly installed, host-based firewall on his MacBook Pro, commissioned an investigation concerning the security of GIAC Enterprises endpoints.