SANS Information Security Reading Room: 25 Computer Security Papers added to the Reading Room

On the x86 Representation of Object Oriented Programming Concepts for Reverse Engineers
Published: Tue, 24 Nov 2015
While object oriented programming is generally understood by developers using higher-level languages such as C++, the reverse engineer is required to understand how these concepts manifest themselves within a compiled binary.

United Airlines May 2015 Data Breach: Suggested Near, Mid and Long-Term Mitigating Actions Using the 20 Critical Security Controls
Published: Mon, 23 Nov 2015
A series of highly-publicized data breaches in recent years has shed light on the growing threat and prevalence of private and public organizational loss of valuable online data at the hands of illegitimate sources.

There's No Going it Alone: Disrupting Well Organized Cyber Crime
Published: Mon, 23 Nov 2015
On July 8th, 2015, Vladimir Tsastsin pled guilty to charges relating to his development and long-term management of a criminal enterprise that conducted a complex, highly profitable Internet fraud scheme involving millions of compromised computers located in over 100 countries.

Encryption Solutions for Small Networks
Published: Fri, 20 Nov 2015
Data is being created faster than ever before. Every minute in 2014 users created 2.5 million pieces of Facebook content, 300,000 Tweets, and 220,000 Instagram photos (Gunelius, 2014). Each swipe of a credit card, scan of a loyalty card, and launch of a smartphone app creates even more data.

A Forensic Look at Bitcoin Cryptocurrency
Published: Mon, 16 Nov 2015
Since the creation of the Internet in 1969, there have been notable technological advances involving the Internet that not only drastically affect each aspect of a person's life, but also forever change the way that a society functions (Strickland, 2007).

2015 Analytics and Intelligence Survey
Published: Tue, 10 Nov 2015
While survey results indicate slow and steady progress in the use of analytics and intelligence, most analytics programs lack maturity. Read this survey to understand what is missing and learn where most organizations plan to invest funds to drive improvement.

Cloud Assessment Survival Guide
Published: Tue, 10 Nov 2015
The time has come where society at large is living in the cloud. Many have questioned the security of information in the cloud, and many have been told that information is safe there. But how can one be sure that information is indeed safe in the cloud? In this day and age, where there is an increased dependence on such complex technology as cloud systems, there is a need for methodologies to test cloud deployments. For organizations that have or seek to implement cloud technology in their environment, this paper presents a brief background on cloud technology and a methodology for assessing the security of their cloud implementation based on penetration testing principles.

Framework for Innovative Security Decisions
Published: Tue, 03 Nov 2015
... the Periodic Table of chemical elements (Dayah, Dynamic Periodic Table, 1997)? It revolutionized chemistry and continues serving scientists daily. TRIZ is a similar resource for inventors and decision-makers.

Security Automation: Security Nirvana or Just a Fad?
Published: Tue, 03 Nov 2015
Breaches have become so frequent that often they don't even make the news.

Preparing to withstand a DDoS Attack
Published: Mon, 02 Nov 2015
A Distributed Denial of Service or DDoS attack is a distinct form of cyber threat with various aspects that differentiate it from other attack types.

Analysis and Reporting improvements with Notebooks
Published: Mon, 02 Nov 2015
... and open source scientific notebook software allows responders to perform analysis and record results simultaneously in an open, flexible, portable format for ease of sharing and reporting.

The LogLED: An LED-Based Information Security Dashboard
Published: Mon, 02 Nov 2015
Each year, Mandiant produces a detailed view of breach-related information security trends called the M-Trends report.

Learning from the Dridex Malware - Adopting an Effective Strategy
Published: Thu, 29 Oct 2015
Dridex malware first surfaced in the third quarter of 2014 (Olson, 2014), specifically targeting companies in the financial and banking industry.

The Business Case for TLS Certificate Enterprise Key Management of Web Site Certificates: Wrangling TLS Certificates on the Wild Web
Published: Wed, 28 Oct 2015
The Enterprise Key Certificate Management System (EKCM) provides a best-in-class solution for TLS certificate management.

Security Data Visualization
Published: Wed, 28 Oct 2015
The objective of this paper is to provide guidelines on information security data visualization and insights, with a repeatable process and examples of visualizing (communicating) information security data. Security data visualization can be used in many areas of information security.

The Scary and Terrible Code Signing Problem You Don't Know You Have
Published: Wed, 28 Oct 2015
SSL 3.0 / TLS 1.0 certificates are built on the X.509v3 PKI standard and provide the framework that the code signing process uses. Code signing uses PKI and X.509v3 certificates issued by a trusted certificate authority to validate that the code being installed on a device comes from a trusted vendor.

What Are Their Vulnerabilities?: A SANS Survey on Continuous Monitoring
Published: Tue, 27 Oct 2015
This report offers an analysis of the survey findings and recommendations for improving practices. It also offers a definition of what a mature program should look like now and in the future. The goal, ultimately, is to provide a metric by which organizations can gauge their own progress in an objective way.

Audits Made Simple
Published: Tue, 27 Oct 2015
The company just got notified that there is a big external audit coming in 3 months. Getting ready for an audit can be challenging, scary, and full of surprises. This Gold Paper describes a typical audit from notification of the intent to audit through disposition of the final report, including Best Practices, Opportunities for Improvement (OFI), and issues that must be fixed. Good preparation can improve the chances of success. Ensuring the auditors understand the environment and requirements is paramount to success; it helps the auditors understand that the enterprise really does think that security is important. Understanding and following a structured process ensures a smooth audit. Ensuring follow-up on OFIs and issues in a structured fashion will also make the next audit easier, since the auditors will use the previous report as a starting point. Now the only worry is the actual audit and subsequent report, and how well the company has done.

Case Study: The Home Depot Data Breach
Published: Tue, 27 Oct 2015
The theft of payment card information has become a common issue in today's society. Even after the lessons learned from the Target data breach, Home Depot's Point of Sale systems were compromised by similar exploitation methods. The use of stolen third-party vendor credentials and RAM scraping malware were instrumental in the success of both data breaches. Home Depot has taken multiple steps to recover from its data breach, one of them being to enable the use of EMV Chip-and-PIN payment cards. Is the use of EMV payment cards necessary? If P2P (Point-to-Point) encryption is used, the only method available to steal payment card data is the installation of a payment card skimmer. RAM scraping malware grabbed the payment card data in the Home Depot breach, not payment card skimmers. However, the malware would never have been installed on the systems if the attackers had not possessed third-party vendor credentials and if the payment network had been segregated properly from the rest of the Home Depot network. The implementation of P2P encryption and proper network segregation would have prevented the Home Depot data breach.

The Expanding Role of Data Analytics in Threat Detection
Published: Tue, 27 Oct 2015

Technical Implementation of the Critical Control "Inventory of Authorized and Unauthorized Devices" for a Small Office/Home Office
Published: Mon, 26 Oct 2015
There is great value in the proper employment of the Critical Security Controls. The Critical Security Controls are written with terminology that makes them appear applicable only to organizations and other large environments. Implementing the Critical Security Controls can be beneficial to a network of any size, but can they be applied to a Small Office/Home Office with a limited budget and expertise? This document examines the technical implementation of "Inventory of Authorized and Unauthorized Devices" for a Small Office/Home Office. Topics discussed are the selection of hardware, evaluation of open-source software and third-party firmware, and custom scripts that function with most modern operating systems.

Uncovering Indicators of Compromise (IoC) Using PowerShell, Event Logs and a Traditional Monitoring Tool
Published: Mon, 26 Oct 2015
What security concerns keep you up at night? Is it pivoting, persistent access, the time to detect compromise, or one of a thousand other possibilities? What if you were told that, without a doubt, you have tools at your disposal to periodically verify your security posture and you are not presently using them? Why spend more hours and more budget implementing a new product with new agents and new headaches that will not effectively reduce your workload or anxiety level? Even if you have commercial tools already monitoring your systems for security events, how do you know they are working? Is it even practical to use customized PowerShell scripts/plugins, built-in event logs, and a traditional monitoring tool such as Nagios to monitor for indicators of compromise on Windows systems? In addition, you will be presented with some applied research as well as easy-to-follow guidelines you can integrate into your own environment(s).

Email Acceptable Use: Balancing the Needs of the Organization and the Need to Comply with National Labor Relations Board Rulings
Published: Mon, 26 Oct 2015
Organizations strive to enact policies that protect intellectual property, including the reputation of their brand, and support a productive work environment, while at the same time respecting employee privacy and freedom of expression. Despite good intentions, organizations sometimes discover that their existing policies suddenly conflict with the legal system. Unexpected legal rulings can arise as authorities assess how technology changes the workplace. What is acceptable policy within an organization one day may be in violation of law the next. This paper examines National Labor Relations Board (NLRB) rulings regarding the use of email by employees for protected purposes such as union organizing, and then presents an analysis of the implications of those rulings. It makes suggestions as to how policies and practices must evolve to meet the needs of the organization while also complying with the NLRB's interpretation of employment law.

Behind the Curve? A Maturity Model for Endpoint Security
Published: Thu, 22 Oct 2015

Detecting a Targeted Data Breach with Ease: A SANS Product Review
Published: Wed, 21 Oct 2015
A product review by Jake Williams. It examines LightCyber Magna, focusing on its effectiveness in detecting reconnaissance, lateral movement, data exfiltration and other threats.