SANS Information Security Reading Room
https://www.sans.org/reading-room/
Last 25 Computer Security Papers added to the Reading Room

Building a Home Network Configured to Collect Artifacts for Supporting Network Forensic Incident Response
https://www.sans.org/reading-room/whitepapers/forensics/building-home-network-configured-collect-artifacts-supporting-network-forensic-incident-re-37302
A commonly accepted incident response process includes six phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Preparation is key: it sets the foundation for a successful incident response. The incident responder does not want to be working out, mid-incident, where to collect the information needed to quickly assess the situation and respond appropriately, nor hoping that the information is available at the level of detail needed to analyze the situation and decide on the best course of action. This paper identifies the artifacts that are important for network forensics during incident response, discusses an architecture and implementation for a home lab that collects them, and validates the architecture against an incident scenario.
Published: Wed, 21 Sep 2016

Bill Gates and Trustworthy Computing: A Case Study in Transformational Leadership
https://www.sans.org/reading-room/whitepapers/casestudies/bill-gates-trustworthy-computing-case-study-transformational-leadership-37297
The notion that IT security is a serious issue is non-controversial. The market for cybersecurity spending topped $75 billion in 2015, and analysts expect it to exceed $170 billion by 2020 (Morgan 2016).
With the advent of cloud computing, the explosion of mobile devices, and the emergence of increasingly sophisticated adversaries from organized crime and nation-state actors, businesses and the industry as a whole will require the vision of great leaders to keep pace with the threats. The industry's history offers examples of such transformational leadership. An enlightening case study is the Microsoft Trustworthy Computing initiative, launched by a memo Bill Gates sent on January 15, 2002. The initiative would transform not only the culture, procedures, and policy surrounding security at Microsoft, but would cause a dramatic shift across the entire industry. The idealized influence in the leadership shown by Gates can serve as a model for today's leaders.
Published: Tue, 20 Sep 2016

Using Vagrant to Build a Manageable and Sharable Intrusion Detection Lab
https://www.sans.org/reading-room/whitepapers/tools/vagrant-build-manageable-sharable-intrusion-detection-lab-37292
This paper investigates how Vagrant can be used by information security (InfoSec) professionals who want to give their audience an infrastructure environment to accompany their research. InfoSec professionals who conduct research or publish write-ups can let their audience replicate or walk through the research in their own environment. Vagrant is a popular DevOps tool for providing portable and repeatable development environments to application developers, and may meet the InfoSec professional's needs as well. The paper investigates how Vagrant works, the pros and cons of the technology, and how it is typically used, then describes how to build or repurpose three environments, highlighting different features of Vagrant.
Finally, the paper discusses lessons learned.
Published: Tue, 20 Sep 2016

Know Thy Network - Cisco Firepower and Critical Security Controls 1 & 2
https://www.sans.org/reading-room/whitepapers/critical/thy-network-cisco-firepower-critical-security-controls-1-2-37287
Previously known as the SANS Top 20, the Critical Security Controls are based on real-world attack and breach data from around the world and are among the most effective technical controls against known cyber-attacks. Due to competing priorities and demands, however, organizations may lack the expertise to implement and operationalize the Critical Security Controls in their environments. This paper helps bridge that gap for security and network teams using Cisco Firepower.
Published: Mon, 19 Sep 2016

Threat Intelligence: What It Is, and How to Use It Effectively
https://www.sans.org/reading-room/whitepapers/threathunting/threat-intelligence-is-effectively-37282
In today's cyber landscape, decision makers constantly question the value of their security investments, asking whether each dollar is helping secure the business. Meanwhile, attackers grow smarter and more capable every day, and security teams often find themselves falling behind, left to analyze artifacts from the past to try to predict the future. As organizations work to bridge this gap, threat intelligence (TI) is growing in popularity, usefulness and applicability.
Published: Mon, 19 Sep 2016

Practical Considerations on IT Outsourcing Implementation under the Monetary Authority of Singapore's Technology Risk Management Guidelines
https://www.sans.org/reading-room/whitepapers/critical/practical-considerations-outsourcing-implementation-monetary-authority-singapore-37277
Singapore ranks third overall in the Global Financial Centres Index.
The Monetary Authority of Singapore (MAS), Singapore's central bank, has helped achieve this success through guidance and regulation of the financial industry, including how institutions conduct themselves in a secure and reliable manner. The Technology Risk Management Guidelines (TRM) are both a cyber philosophy and a set of regulatory requirements for financial institutions to address existing and emerging technology risks. Successful implementation of TRM, however, can be challenging in practice for today's cybersecurity managers. TRM's Management of IT Outsourcing Risk is a key focus area that encompasses many of the principles and requirements promoted throughout the guidelines. By using threat-based, hierarchical measures such as those advocated by the Center for Internet Security, cybersecurity managers can adhere to the spirit of the guidelines while implementing effective operational cybersecurity and safe vendor integration.
Published: Mon, 19 Sep 2016

Automating Provisioning of NetFlow Analyzers
https://www.sans.org/reading-room/whitepapers/critical/automating-provisioning-netflow-analyzers-37272
NetFlow is instrumentation embedded in Cisco IOS software (Introduction to Cisco IOS NetFlow). NetFlow tracks every network conversation and thus provides insight into network traffic. Third-party NetFlow analyzers are available to store, analyze, alert and report on NetFlow data, and let users create custom alerts and reports based on the traffic. To get the most from custom alerting and reporting, the analyzer must be configured with details of the network environment. A manually configured analyzer soon drifts out of sync with the actual setup, producing false negatives and false positives.
This paper proposes an option to automate the configuration of the NetFlow analyzer from a central repository.
Published: Wed, 14 Sep 2016

Data Breaches: Is Prevention Practical?
https://www.sans.org/reading-room/whitepapers/dataprotection/data-breaches-prevention-practical-37267
Despite the potential costs, legal consequences and other negative outcomes of data breaches, they continue to happen. A new SANS Institute survey looks at the preventive aspect of breaches, and at what security and IT practitioners actually are, or are not, implementing for prevention.
Published: Tue, 13 Sep 2016

Intelligent Network Defense
https://www.sans.org/reading-room/whitepapers/threats/intelligent-network-defense-37262
When an army invades a sovereign nation, one of the defenders' first goals is to disrupt the invader's command and control (C2) operations. The same is true when cyber attackers invade your network. Network defenders must prevent adversary communication, stopping the attack in its tracks while alerting the incident response (IR) team to the point of compromise and the nature of the attack.
Published: Thu, 08 Sep 2016

Profiling Web Applications for Improved Intrusion Detection
https://www.sans.org/reading-room/whitepapers/detection/profiling-web-applications-improved-intrusion-detection-37257
Web application firewalls using generic "out of the box" configurations work well for common vulnerabilities but lack the capability to address application-specific contexts. Without that context, it is difficult for the firewall to determine what is "good" versus "bad". In addition, the learning features of certain high-end devices are out of reach for many companies and individuals. This document provides a generic approach to protecting web applications using freely available software by configuring ModSecurity. The approach enables differentiation between what is acceptable for the application and what may be interesting for investigation purposes.
The process for creating an application profile should be well documented, repeatable, verifiable and automated as much as possible to ease integration into the application development lifecycle.
Published: Wed, 07 Sep 2016

Windows Installed Software Inventory
https://www.sans.org/reading-room/whitepapers/critical/windows-installed-software-inventory-37252
The 20 Critical Controls provide a guideline for the controls that need to be in place in our networks to manage and secure our systems. The second control states that there should be a software inventory containing the names and versions of the products on all devices within the infrastructure. The challenge for many organizations is having accurate information available with minimal impact on tight IT budgets. This paper discusses the Microsoft Windows command line tools that gather this information, and provides example scripts that the reader can run.
Published: Wed, 07 Sep 2016

Applying Machine Learning Techniques to Measure Critical Security Controls
https://www.sans.org/reading-room/whitepapers/critical/applying-machine-learning-techniques-measure-critical-security-controls-37247
Implementing and measuring the Critical Security Controls (CSC) requires analyzing all data types (structured, semi-structured and unstructured), which can be a daunting task. One goal of effective CSC implementation is to automate as much as possible, and machine learning techniques can help automate many of the measurements. This paper proposes a method to integrate all types of data into a single data repository, extract relationships between different entities and apply machine learning to automate the analysis. This solution gives the security team the ability to analyze the information and make data-driven security decisions.
Published: Tue, 06 Sep 2016

A security assessment of Z-Wave devices and replay attack vulnerability
https://www.sans.org/reading-room/whitepapers/internet/security-assessment-z-wave-devices-replay-attack-vulnerability-37242
Within many modern homes there exists a compelling array of vulnerable wireless devices. These devices present the potential for unauthorized access to networks, personal data and even the physical home itself. The threat originates from Internet-connected devices, the ubiquitous collection the consumer market has dubbed the Internet of Things (IoT). IoT devices use a variety of communication protocols; a replay attack against the Z-Wave protocol was accomplished and demonstrated at ShmooCon 2016 using two HackRF radios. This paper attempts to conduct a similar attack using a US$35 SDR, a US$130 sub-1 GHz dongle, and readily available open source applications instead of the more expensive HackRF hardware.
Published: Wed, 31 Aug 2016

Arming SMBs Against Ransomware Attacks
https://www.sans.org/reading-room/whitepapers/malicious/arming-smb-039-s-ransomware-attacks-37237
Ransomware has become one of the most serious cyber threats to small and medium businesses today. A recent variant permanently deletes files within one hour of infection. The situation grows increasingly dire: the FBI even encourages victims to make payment, though there is still no guarantee that owners will recover their data (ICIT Fellows, 2016). Despite such threats, small and medium enterprises can follow recommended best practices to mitigate this risk, and businesses with tighter budgets and fewer security staff can adopt many of the protections available to the largest enterprises. The most important recommendation is application whitelisting, which in Windows environments can be accomplished through free tools within Active Directory.
Other options are also discussed, along with a brief look at the future of ransomware.
Published: Wed, 31 Aug 2016

The GICSP: A Keystone Certification
https://www.sans.org/reading-room/whitepapers/training/gicsp-keystone-certification-37232
The Global Industrial Cyber Security Professional (GICSP) certification was conceived in the winter of 2013 to address a growing challenge spanning multiple industries. Rapid and accelerating changes in technology were increasingly exposing process control and automation system networks and equipment to security risks, and developing a workforce to protect these systems was a growing concern. As a step towards addressing these and other control system security issues, representatives from Shell, Chevron, Saudi Aramco, BP, Rockwell Automation, Yokogawa Industries, Emerson, ABB, Cimation and the SANS Institute came together and laid out the framework of what would become the GICSP.
Published: Mon, 29 Aug 2016

Android Security: Web Browsers and Email Applications
https://www.sans.org/reading-room/whitepapers/critical/android-security-web-browsers-email-applications-37227
Mobile devices are popular communication tools that allow people to stay connected in most places at all times. Despite the proliferation of applications that can be installed on smartphones and tablets, web browsers and email applications are default applications that remain highly vulnerable if not properly addressed. This paper compares several mobile versions of these applications and uses the Email and Web Browser Protections critical control to suggest ways to secure these endpoints.
Published: Mon, 29 Aug 2016

Demystifying Malware Traffic
https://www.sans.org/reading-room/whitepapers/incident/demystifying-malware-traffic-37222
In today's world, adversaries use established techniques as well as innovative and intricate methods to commit cyber-crime and infiltrate the systems of firms and individuals.
Malware is one such approach. Malware not only creates an inlet for attacks but also turns systems into "zombies" and "bots", forcing them to obey commands and perform activities at the adversary's whim. Attacks such as data theft, mail relay, access to confidential or restricted areas, and Distributed Denial-of-Service (DDoS) can then be launched not just against the infected system but against other systems and environments as well, using these zombies, bots and botnets. Attackers not only obfuscate the code but can also encrypt payloads and the malware's traffic, using approaches such as mutation and polymorphism that make detection difficult not just for antivirus products but for firewalls, IDS and IPS, incident handlers and forensic teams. Organizations, having learned from past mistakes, have shifted their approach from simple defense mechanisms such as antivirus, IDS and IPS to more aggressive strategies such as DNS sinkholes and live traffic analysis. These strategies help not only in identifying and removing malware but also in understanding its actual impact, blocking malicious activity and identifying adversaries.
Published: Mon, 29 Aug 2016

Hunting with Prevention
https://www.sans.org/reading-room/whitepapers/analyst/hunting-prevention-37217
Traditional endpoint protection such as antivirus, while effective in some cases, is no match for the ever-changing techniques that attackers use to get past defenses, according to multiple SANS surveys.
Published: Wed, 24 Aug 2016

Building a Forensically Capable Network Infrastructure
https://www.sans.org/reading-room/whitepapers/modeling/building-forensically-capable-network-infrastructure-37212
The number of computer-related security incidents continues to grow yearly, resulting in the need to ensure network infrastructures are built to be forensically capable.
From January 2011 to December 2015, the number of reported computer security incidents grew from 1,281 to 3,930. The number of exposed records rose similarly over the same period, from 413 million to 736 million, with 2013 and 2014 having over 2 billion records exposed. Some of the challenges of becoming forensically capable relate to understanding the business needs, identifying the people to support those needs, and ultimately the technology or tools to support them.
Published: Tue, 23 Aug 2016

Automated Analysis of "abuse" mailbox for employees with the help of Malzoo
https://www.sans.org/reading-room/whitepapers/threathunting/automated-analysis-“abuse”-mailbox-employees-malzoo-37207
For most companies, e-mail is still the main form of communication, both internally and with customers. Unfortunately, e-mail is also used heavily by cyber criminals for spam, phishing, spear-phishing, fraud and malware delivery. Employees receive these kinds of messages daily, even where strict security measures are in place. Sometimes an employee will fall for the scam, but often, especially after good awareness programs, they will recognize a false e-mail. Instead of letting them delete it, let them share it with you, so you learn what is getting through your security measures and what employees see as "fishy". But what should you do with the e-mails forwarded to this special "abuse" mailbox? Malzoo can analyze this mailbox by picking up the e-mails, parsing them and sharing the results with the CERT team. Using the collected data, you can find new spam runs, update spam filters, obtain new malware samples and learn in which parts of the company awareness is highest (and lowest).
This paper explains the benefits and drawbacks of giving employees a central point to report suspicious e-mail, and how Malzoo can be used to automate the analysis.
Published: Tue, 23 Aug 2016

Protect the Network from the Endpoint with the Critical Security Controls
https://www.sans.org/reading-room/whitepapers/access/protect-network-endpoint-critical-security-controls-37202
The endpoint is rapidly evolving and is often the first vector of attack into enterprises, according to the SANS 2016 State of Endpoint Security Survey. As such, all endpoints should be considered potentially hostile.
Published: Mon, 22 Aug 2016

Simple Approach to Access Control: Port Control and MAC Filtering
https://www.sans.org/reading-room/whitepapers/breaches/simple-approach-access-control-port-control-mac-filtering-37197
Businesses often spend time and money on "magic bullet" security, focusing on a single technology or threat. This focus lends itself more to placing a "check in the box" for compliance than to actual security against today's threats. Frequently, missing controls have a cascading effect: because one control was missing or inadequate, other failures occur, turning a minor problem into a breach. This paper examines one such incident, identifies the control whose failure was primary, and evaluates a specific tool that could have helped prevent the attack. It covers not only the cost of the tool and the time to implement it, but also other costs such as training, monitoring, maintenance and user impact, and offers a guide to a successful implementation.
Published: Mon, 22 Aug 2016

Incident Handling Preparation: Learning Normal with the Kansa PowerShell Incident Response Framework
https://www.sans.org/reading-room/whitepapers/incident/incident-handling-preparation-learning-normal-kansa-powershell-incident-response-framewor-37192
Preparation is a critical step in establishing an effective incident response program.
Information security professionals who will be called upon to handle an incident must prepare ahead of time. Kansa is a PowerShell incident response framework developed by Dave Hull. It leverages PowerShell Remoting to establish a highly scalable and extensible system state collection platform. Once data has been collected from across the Microsoft environment, an extensive set of frequency analysis scripts can be run to help incident handlers turn unknowns into knowns and discover anomalies and indicators of compromise.
Published: Mon, 22 Aug 2016

In but not Out: Protecting Confidentiality during Penetration Testing
https://www.sans.org/reading-room/whitepapers/testing/out-protecting-confidentiality-penetration-testing-37187
Penetration testing is imperative for organizations committed to security, yet independent penetration testers are rarely greeted with open arms when initiating an assessment. As firms implement the Critical Security Controls or the Risk Management Framework, independent penetration testing will likely become standard practice rather than a supplemental exercise. Ethical hacking is a common tactic for viewing a company's network from an attacker's perspective, but inviting external personnel into a network may increase risk. Penetration testers strive to gain superuser privileges wherever possible and use thousands of open-source tools and scripts, many of which do not originate from validated sources. They may gain access to all compartmented sections of a network and document how to repeat successful exploits while saving restricted data to their laptops. This paper illustrates secure Tactics, Techniques, and Procedures (TTPs) that enable ethical hackers to complete their tests within scope while reducing managerial concern about confidentiality.
A properly conducted independent penetration test should provide essential intelligence about a network without jeopardizing the confidentiality of proprietary data.
Published: Mon, 22 Aug 2016

Filling the Gaps
https://www.sans.org/reading-room/whitepapers/auditing/filling-gaps-37182
Regular internal and external auditing deserves emphasis, as a counter to the business mentality of "it can't happen to me" and a mitigation of the risk of complacency. The key areas covered are establishing assessments and audits as a benefit rather than a reactive or troublesome activity, and the cost savings of regular auditing compared with the alternatives, such as breaches and poor publicity. The world is full of technical and administrative compliance requirements; understanding where gaps are present is nothing to be afraid of, but something to embrace and act upon. Thinking you are compliant and knowing you are compliant can make a large difference to business longevity and profitability.
Published: Thu, 18 Aug 2016
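The positive-security profile described in the Profiling Web Applications for Improved Intrusion Detection abstract above can be learned from an access log and emitted as ModSecurity rules. The following is an added example written for this listing, not code from that paper or from the ModSecurity project. The log lines are constructed, the rule id range starting at 100000 is an assumption to be adjusted to the deployment, and because an access log carries only the query string, POST body parameters would have to be profiled from the WAF audit log instead.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample of Apache combined-format access log lines recorded during a
# learning phase against a hypothetical application; not real traffic.
LEARNING_LOG = """\
10.0.0.5 - - [07/Sep/2016:10:00:01 +0000] "GET /login?next=%2Fhome HTTP/1.1" 200 512
10.0.0.5 - - [07/Sep/2016:10:00:03 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.6 - - [07/Sep/2016:10:00:10 +0000] "GET /search?q=printer&page=2 HTTP/1.1" 200 2048
10.0.0.7 - - [07/Sep/2016:10:00:12 +0000] "GET /search?q=laptop HTTP/1.1" 200 1900
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def learn_profile(log_text):
    """Build {path: {"methods": set, "params": set}} from observed requests.

    Only query-string parameters are visible in an access log; POST bodies are
    not, so those parameters would have to come from the WAF audit log.
    """
    profile = defaultdict(lambda: {"methods": set(), "params": set()})
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # malformed or non-request line: keep it out of the profile
        url = urlsplit(m.group("target"))
        entry = profile[url.path]
        entry["methods"].add(m.group("method"))
        entry["params"].update(parse_qs(url.query, keep_blank_values=True))
    return dict(profile)


def check_request(profile, method, target):
    """Offline check of one request against the profile: None if it conforms,
    otherwise a short reason a reviewer can triage."""
    url = urlsplit(target)
    entry = profile.get(url.path)
    if entry is None:
        return "unknown path %s" % url.path
    if method not in entry["methods"]:
        return "method %s not in profile for %s" % (method, url.path)
    unknown = set(parse_qs(url.query, keep_blank_values=True)) - entry["params"]
    if unknown:
        return "unknown parameter(s) %s for %s" % (sorted(unknown), url.path)
    return None


def render_modsecurity_rules(profile, base_id=100000):
    """Emit ModSecurity 2.x rules enforcing the profile: per path, a chained rule
    denying methods outside the profile (phase 1) and, when parameters were
    observed, a second one denying unknown ARGS names (phase 2, once the
    request body has been parsed). base_id is an assumed free id range."""
    rules, rid = [], base_id
    for path in sorted(profile):
        entry = profile[path]
        methods = "|".join(sorted(entry["methods"]))
        rules.append('SecRule REQUEST_FILENAME "@streq %s" '
                     '"id:%d,phase:1,deny,status:403,chain,msg:\'Method not in profile for %s\'"'
                     % (path, rid, path))
        rules.append('    SecRule REQUEST_METHOD "!@rx ^(?:%s)$" "t:none"' % methods)
        rid += 1
        if entry["params"]:
            params = "|".join(sorted(re.escape(p) for p in entry["params"]))
            rules.append('SecRule REQUEST_FILENAME "@streq %s" '
                         '"id:%d,phase:2,deny,status:403,chain,msg:\'Unknown parameter for %s\'"'
                         % (path, rid, path))
            rules.append('    SecRule ARGS_NAMES "!@rx ^(?:%s)$" "t:none"' % params)
            rid += 1
    return "\n".join(rules)


if __name__ == "__main__":
    learned = learn_profile(LEARNING_LOG)
    print(check_request(learned, "GET", "/search?q=x&id=1"))
    print(render_modsecurity_rules(learned))
```

Run the learning phase against traffic that is known to be clean and review the generated rules before loading them with a deny action; a learning log that already contains an attack would whitelist it. Paths with dynamic segments (IDs in the URL) need a normalization step before they will stack into one profile entry.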
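For the Malzoo abstract above: the core of an abuse-mailbox pipeline is parsing each forwarded message, pulling out what is worth correlating (reporter, URLs, attachment hashes) and aggregating across reports. The example below is added here and is not Malzoo's code. The two raw messages, the hosts in them and the domain-to-department lookup are constructed stand-ins for a mailbox fetch and a directory query.

```python
import email
import hashlib
import re
from collections import Counter
from email import policy
from urllib.parse import urlsplit

# Constructed raw messages as they might sit in the abuse mailbox after an
# employee forwards them; reporters, hosts and the attachment are invented.
SAMPLE_REPORTS = [
    """From: alice@finance.example.com
To: abuse@example.com
Subject: FW: Invoice overdue
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please see attached invoice: http://invoice-update.example.net/pay?id=1
--b1
Content-Type: application/octet-stream; name="invoice.js"
Content-Disposition: attachment; filename="invoice.js"
Content-Transfer-Encoding: base64

dmFyIHg9MTs=
--b1--
""",
    """From: bob@hr.example.com
To: abuse@example.com
Subject: FW: Payroll update required
Content-Type: text/plain; charset="us-ascii"

Staff must confirm details at http://invoice-update.example.net/hr/login
""",
]

# Assumed mapping from the reporter's mail domain to a business unit; in a real
# deployment this lookup would come from the directory.
DEPARTMENT_BY_DOMAIN = {"finance.example.com": "Finance", "hr.example.com": "HR"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def analyze_report(raw):
    """Parse one forwarded message: who reported it, URLs in its text parts,
    and a SHA-256 of every attachment so samples can be deduplicated."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = {"reporter": str(msg["From"]), "subject": str(msg["Subject"]),
              "urls": [], "attachments": []}
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""  # decoded bytes, never executed
            report["attachments"].append({"name": part.get_filename(),
                                          "sha256": hashlib.sha256(data).hexdigest(),
                                          "size": len(data)})
        elif part.get_content_type() == "text/plain":
            report["urls"].extend(URL_RE.findall(part.get_content()))
    return report


def summarize(reports):
    """Aggregate across reports: who is reporting (awareness by department),
    which hosts recur (a spam run), and which samples were seen."""
    by_department, hosts, samples = Counter(), Counter(), Counter()
    for r in reports:
        domain = r["reporter"].rsplit("@", 1)[-1].lower()
        by_department[DEPARTMENT_BY_DOMAIN.get(domain, "unknown")] += 1
        for u in r["urls"]:
            hosts[urlsplit(u).hostname] += 1
        for a in r["attachments"]:
            samples[a["sha256"]] += 1
    return {"reports_by_department": dict(by_department),
            "url_hosts": dict(hosts),
            "attachment_hashes": dict(samples)}


if __name__ == "__main__":
    print(summarize([analyze_report(raw) for raw in SAMPLE_REPORTS]))
```

The attachment bytes are only hashed, never written to disk with their original name or opened; the hash is what gets shared with the CERT team and checked against samples already seen. Reports from a department that never appear in the counts are as informative as the ones that do.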
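The frequency analysis the Kansa abstract above refers to, and the cross-host software inventory of the Windows Installed Software Inventory entry, both come down to stacking: collect the same data from every host, count on how many hosts each item appears, and look first at what is rare. The following is an added example, not a Kansa module or a script from either paper. The records are constructed; it assumes the collector produced one record per host per item with a path and a hash, and normalizes user-profile folders before stacking so that one user's copy of a program does not look like an outlier.

```python
import re
from collections import defaultdict

# Constructed collection output: one record per host per item, in the shape a
# per-host collector (autoruns, services or an installed-software listing) might
# produce after Kansa-style collection. Hosts, paths and hashes are invented.
RECORDS = [
    {"host": "WS01", "path": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "sha256": "11aa"},
    {"host": "WS02", "path": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "sha256": "11aa"},
    {"host": "WS03", "path": r"C:\Users\carol\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "sha256": "11aa"},
    {"host": "WS04", "path": r"C:\Users\dave\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "sha256": "11aa"},
    {"host": "WS01", "path": r"C:\Program Files\Vendor\updater.exe", "sha256": "22bb"},
    {"host": "WS02", "path": r"C:\Program Files\Vendor\updater.exe", "sha256": "22bb"},
    {"host": "WS03", "path": r"C:\Program Files\Vendor\updater.exe", "sha256": "33cc"},  # same path, different binary
    {"host": "WS04", "path": r"C:\Program Files\Vendor\updater.exe", "sha256": "22bb"},
    {"host": "WS04", "path": r"C:\Users\Public\svchost.exe", "sha256": "44dd"},  # system binary name, user-writable folder
]

USER_PROFILE_RE = re.compile(r"(?i)^([a-z]:\\users\\)[^\\]+\\")


def normalize_path(path):
    """Collapse the per-user profile folder so the same program under different
    user names stacks together, and fold case (NTFS paths are case-insensitive)."""
    return USER_PROFILE_RE.sub(r"\1*\\", path).lower()


def stack(records, key_fields):
    """Map each key tuple (built from key_fields) to the set of hosts it was seen on."""
    hosts_by_key = defaultdict(set)
    for rec in records:
        key = tuple(normalize_path(rec[f]) if f == "path" else rec[f] for f in key_fields)
        hosts_by_key[key].add(rec["host"])
    return hosts_by_key


def rare_items(records, key_fields, max_hosts=1):
    """Keys seen on at most max_hosts hosts, rarest first. With enough hosts
    collected, what is rare is where a handler starts looking."""
    rare = [(key, sorted(hosts)) for key, hosts in stack(records, key_fields).items()
            if len(hosts) <= max_hosts]
    return sorted(rare, key=lambda item: (len(item[1]), item[0]))


def report(records):
    """Two stacks to run first: by path alone (odd locations) and by
    path plus hash (same name and place, different binary)."""
    lines = []
    for fields in (("path",), ("path", "sha256")):
        lines.append("stack by %s:" % "+".join(fields))
        for key, hosts in rare_items(records, fields):
            lines.append("  %s -> %s" % (" | ".join(key), ", ".join(hosts)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(RECORDS)))
```

Stacking by path alone surfaces the svchost.exe under a user-writable folder; stacking by path and hash additionally catches the updater.exe whose hash differs on one host, which the path-only stack hides because the location is identical everywhere. The max_hosts threshold should scale with the fleet: on a few hundred hosts, anything seen on one or two of them is worth a look.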