SANS Information Security Reading Room: 25 Computer Security Papers added to the Reading Room

Methods for Understanding and Reducing Social Engineering Attacks
Social engineering is arguably the easiest way for an attacker to penetrate the defenses of an organization.
Tue, 03 May 2016 00:00:00 +0000

Tagging Data to Prevent Data Leakage (Forming Content Repositories)
In order to protect sensitive data, it must be secured at rest, during transit and when in use (Aaron, 2013).
Tue, 03 May 2016 00:00:00 +0000

Enterprise Survival Guide for Ransomware Attacks
Ransomware or cryptolocker is a type of malware that can be covertly installed on a computer without the knowledge or intention of the user.
Tue, 03 May 2016 00:00:00 +0000

Case Study: How CIS Controls Can Limit the Cascading Failures During an Attack
Every day, it seems, new information becomes public about the latest data breach.
Tue, 03 May 2016 00:00:00 +0000

ISE6100 GIAC Enterprises - Open Source SIEM - Read Me First
By Stephen Northcutt. Three students from the SANS Technology Institute (Alyssa Robinson, David Fletcher, and Wes Whitteker) were assigned the following project for their ISE-M 6100 coursework. There are three files: a Step by Step, a presentation, and a Lessons Learned document.
Fri, 29 Apr 2016 00:00:00 +0000

ISE6100 GIAC Enterprises Final Step By Step Description
GIAC Enterprises, a small to medium size business, has grown to a point where its current manual log analysis process is no longer efficient or effective. As such, GIAC Enterprises was forced to look for a SIEM solution that automates the correlation and analysis of system logs. GIAC Enterprises had a significant financial constraint, which required it to focus its investigation on several open source solution options. After investigation, GIAC Enterprises settled on AlienVault's OSSIM product for its solution. The result of this research is the following OSSIM implementation guide.
Fri, 29 Apr 2016 00:00:00 +0000

ISE6100 GIAC Enterprises Final Presentation
SIEM PILOT IMPLEMENTATION PROJECT
Fri, 29 Apr 2016 00:00:00 +0000

ISE6100 GIAC Enterprises Final Lessons Learned
The following is the Lessons Learned document from the ISE 6100 project, which commenced on March 22nd 2016. The objective of this project was to evaluate, select, and implement an open source Security Information and Event Management (SIEM) solution for the fictional corporation known as GIAC Enterprises. GIAC Enterprises is in the business of collecting fortunes from direct employees and contractors. These fortunes are GIAC Enterprises' intellectual property. The ideal SIEM will enhance the detective capacity of GIAC Enterprises.
Fri, 29 Apr 2016 00:00:00 +0000

Creating a Secure and Compliant Digital Forensics and Incident Response Network with Remote Access
Stories involving data breaches, cybercrime, and conversely, crimes solved with digital forensics, are becoming daily occurrences.
Fri, 29 Apr 2016 00:00:00 +0000

Cloud Security Framework Audit Methods
Users have become more mobile, threats have evolved, and actors have become smarter. Users distribute information across multiple locations, many of which are not currently within the organization's infrastructure.
Wed, 27 Apr 2016 00:00:00 +0000

2016 State of Application Security: Skills, Configurations and Components
Survey results reveal that it is critical for an overall enterprise security program to coordinate efforts among developers, architects and system administrators—particularly since many software vulnerabilities are rooted in configuration issues or third-party components, not just in code written by the development team. Read on to learn more.
Tue, 26 Apr 2016 00:00:00 +0000

Improving Application and Privilege Management: Critical Security Controls Update
Mon, 25 Apr 2016 00:00:00 +0000

Using Sulley to Protocol Fuzz for Linux Software Vulnerabilities
Fuzzers are useful for discovering vulnerabilities in software services. Sulley is a common fuzzer with the ability to fuzz network protocols. This paper describes the process for using Sulley to fuzz for a vulnerability in an implementation of the unencrypted telnet protocol. Specifically, Sulley is used to detect the vulnerability described in CVE-2011-4862 as present on the Red Hat Enterprise Linux 3 distribution.
Mon, 25 Apr 2016 00:00:00 +0000

Incident Response in Amazon EC2: First Responders Guide to Security Incidents in the Cloud
As Head of Digital Forensics for Payment Software Company Inc. ("PSC"), a company that focuses exclusively on clients that accept or process payments, we have responded to sites operating within cloud environments, most notably Amazon EC2.
Thu, 21 Apr 2016 00:00:00 +0000

Catching Flies: A Guide to the Various Flavors of Honeypots
While the concept of baiting adversaries in order to monitor their activities is nothing new, honeypotting has evolved into a critical tool in information security analysis. Recent years have given rise to advances in the detection of network intrusions such as honeynets, honeytokens and adaptive honeypots. This paper explores modern applications, as well as the legal and technical considerations behind emerging honeypot solutions, in the dynamic blocking of emerging attack vectors and the potential exploitation of advanced persistent threats.
Tue, 19 Apr 2016 00:00:00 +0000

Neutrino Exploit Kit Analysis and Threat Indicators
Exploit Kits are powerful and modular digital weapons that deliver malware in an automated fashion to the endpoint. Exploit Kits take advantage of client-side vulnerabilities. These threats are not new and have been around for at least the past 10 years. Nonetheless, they have evolved and are now more sophisticated than ever. The malware authors behind them implement sophisticated capabilities that evade detection, thwart analysis and deliver reliable exploits. These properties make detection and analysis difficult. This paper demonstrates a set of tools and techniques for analyzing the Neutrino Exploit Kit. The primary goal is to grow security expertise and awareness about these types of threats. Those empowered to defend users and corporations should not only study these threats; they must also be deeply involved in their analysis.
Wed, 13 Apr 2016 00:00:00 +0000

BitTorrent & Digital Contraband
BitTorrent is a popular peer-to-peer file transfer program that allows participants in a swarm to exchange pieces with each other during the downloading process.
Wed, 13 Apr 2016 00:00:00 +0000

Threat Hunting: Open Season on the Adversary
86% of organizations responding to the survey want to be doing the hunting, albeit informally, as more than 40% do not have a formal threat hunting program in place. Results indicate that hunting is providing benefits, including finding previously undetected threats, reducing attack surfaces and enhancing the speed and accuracy of response. They also suggest that organizations want to improve their threat-hunting programs and realize more benefits from threat hunting.
Tue, 12 Apr 2016 00:00:00 +0000

Practical Approach to Detecting and Preventing Web Application Attacks over HTTP/2
The Hypertext Transfer Protocol (HTTP) was first defined in 1991 by the World Wide Web initiative as a method to retrieve hypertext markup language (HTML) messages (Berners-Lee).
Mon, 11 Apr 2016 00:00:00 +0000

Securing Jenkins CI Systems
With over 100,000 active installations worldwide, Jenkins has become the top choice for continuous integration and automation. A survey conducted by CloudBees during the 2012 Jenkins Users Conference concluded that 83 percent of respondents consider Jenkins to be mission critical. The November 2015 remotely exploitable Java deserialization vulnerability stresses the need to lock down and monitor Jenkins systems. Exploitation of this weakness enables attackers to gain access to critical assets such as the source code that Jenkins manages. Enabling password security is the general recommendation for securing Jenkins. Unfortunately, this necessary security measure can easily be defeated with a packet sniffer because passwords are transmitted over the wire as clear text. This paper looks at ways to secure Jenkins systems as well as the deployment of intrusion detection systems to monitor critical assets controlled by Jenkins CI systems.
Fri, 08 Apr 2016 00:00:00 +0000

Boiling the Ocean: Security Operations and Log Analysis
Incident handling is a difficult and challenging job. One of the many challenges of incident response, and the root of this paper, is obtaining access to the data needed to identify an incident.
Wed, 06 Apr 2016 00:00:00 +0000

The Automotive Top 5: Applying the Critical Controls to the Modern Automobile
The car of today is an inherently vulnerable platform. At its core is a computing architecture from the 1980s which was designed to be lightweight and efficient, with very little thought given to security. As the modern automobile becomes increasingly connected, its attack surface only continues to grow. In the wake of several recent high-profile car hacking demonstrations, automakers face the daunting task of trying to lock down this insecure platform with bolt-on security fixes. This paper proposes a plausible strategy for securing modern automotive systems which takes into account some of the key limitations of the automobile industry, in addition to presenting a methodology for applying the Critical Controls to the modern automobile platform.
Mon, 04 Apr 2016 00:00:00 +0000

Threat Intelligence: Planning and Direction
Celebrated leaders like Ben Franklin and Winston Churchill have said, in various forms, "Failing to plan is planning to fail."
Tue, 29 Mar 2016 00:00:00 +0000

OPM vs. APT: How Proper Implementation of Key Controls Could Have Prevented a Disaster
On June 4th, 2015, U.S. Government officials announced a breach of data at the Office of Personnel Management (OPM).
Tue, 29 Mar 2016 00:00:00 +0000

The Role of Static Analysis in Hardening Open Source Intrusion Detection Systems
Analysts use the principles of network security monitoring (NSM) to help secure computer systems.
Tue, 29 Mar 2016 00:00:00 +0000