SANS Information Security Reading Room
http://www.sans.org/reading-room/
Last 25 Computer Security Papers added to the Reading Room

1. Methods for Understanding and Reducing Social Engineering Attacks
   https://www.sans.org/reading-room/whitepapers/engineering/methods-understanding-reducing-social-engineering-attacks-36972
   Social engineering is arguably the easiest way for an attacker to penetrate the defenses of an organization.
   Published: Tue, 03 May 2016 00:00:00 +0000

2. Tagging Data to Prevent Data Leakage (Forming Content Repositories)
   https://www.sans.org/reading-room/whitepapers/dlp/tagging-data-prevent-data-leakage-forming-content-repositories-36967
   In order to protect sensitive data, it must be secured at rest, during transit and when in use (Aaron, 2013).
   Published: Tue, 03 May 2016 00:00:00 +0000

3. Enterprise Survival Guide for Ransomware Attacks
   https://www.sans.org/reading-room/whitepapers/incident/enterprise-survival-guide-ransomware-attacks-36962
   Ransomware or cryptolocker is a type of malware that can be covertly installed on a computer without the knowledge or intent of the user.
   Published: Tue, 03 May 2016 00:00:00 +0000

4. Case Study: How CIS Controls Can Limit the Cascading Failures During an Attack
   https://www.sans.org/reading-room/whitepapers/casestudies/case-study-cis-controls-limit-cascading-failures-attack-36957
   Every day it seems that new information becomes public about the latest data breach.
   Published: Tue, 03 May 2016 00:00:00 +0000

5. ISE6100 GIAC Enterprises - Open Source SIEM - Read Me First
   https://www.sans.org/reading-room/whitepapers/OpenSource/ise6100-giac-enterprises-open-source-siem-read-first-36952
   Foreword by Stephen Northcutt. Three students from the SANS Technology Institute (Alyssa Robinson, David Fletcher, and Wes Whitteker) were assigned the following project for their ISE-M 6100 coursework. There are three files: a Step by Step, a presentation, and a Lessons Learned document.
   Published: Fri, 29 Apr 2016 00:00:00 +0000

6. ISE6100 GIAC Enterprises Final Step By Step Description
   https://www.sans.org/reading-room/whitepapers/OpenSource/ise6100-giac-enterprises-final-step-step-description-36947
   GIAC Enterprises, a small to medium size business, has grown to a point where their current manual log analysis process is no longer efficient or effective. As such, GIAC Enterprises was forced to look for a SIEM solution that automates the correlation and analysis of system logs. GIAC Enterprises had a significant financial constraint, which required them to focus their investigation on several open source solution options. After investigation, GIAC Enterprises settled on AlienVault's OSSIM product for their solution. The result of this research is the following OSSIM implementation guide.
   Published: Fri, 29 Apr 2016 00:00:00 +0000

7. ISE6100 GIAC Enterprises Final Presentation
   https://www.sans.org/reading-room/whitepapers/OpenSource/ise6100-giac-enterprises-final-presentation-36937
   OSS SIEM PILOT IMPLEMENTATION PROJECT
   Published: Fri, 29 Apr 2016 00:00:00 +0000

8. ISE6100 GIAC Enterprises Final Lessons Learned
   https://www.sans.org/reading-room/whitepapers/OpenSource/ise6100-giac-enterprises-final-lessons-learned-36932
   The following are the Lessons Learned from the ISE 6100 project, which commenced on March 22nd 2016. The objective of this project was to evaluate, select, and implement an open source Security Information and Event Management (SIEM) solution for the fictional corporation known as GIAC Enterprises. GIAC Enterprises is in the business of collecting fortunes from direct employees and contractors. These fortunes are GIAC Enterprises' intellectual property. The ideal SIEM will enhance the detective capacity of GIAC Enterprises.
   Published: Fri, 29 Apr 2016 00:00:00 +0000

9. Creating a Secure and Compliant Digital Forensics and Incident Response Network with Remote Access
   https://www.sans.org/reading-room/whitepapers/incident/creating-secure-compliant-digital-forensics-incident-response-network-remote-access-36927
   News stories involving data breaches, cybercrime, and conversely, crimes solved with digital forensics, are becoming daily occurrences.
   Published: Fri, 29 Apr 2016 00:00:00 +0000

10. Cloud Security Framework Audit Methods
   https://www.sans.org/reading-room/whitepapers/cloud/cloud-security-framework-audit-methods-36922
   Users have become more mobile, threats have evolved, and actors have become smarter. Users distribute information across multiple locations, many of which are not currently within the organization's infrastructure.
   Published: Wed, 27 Apr 2016 00:00:00 +0000

11. 2016 State of Application Security: Skills, Configurations and Components
   https://www.sans.org/reading-room/whitepapers/bestprac/2016-state-application-security-skills-configurations-components-36917
   Survey results reveal that it is critical for an overall enterprise security program to coordinate efforts among developers, architects and system administrators, particularly since many software vulnerabilities are rooted in configuration issues or third-party components, not just in code written by the development team. Read on to learn more.
   Published: Tue, 26 Apr 2016 00:00:00 +0000

12. Improving Application and Privilege Management: Critical Security Controls Update
   https://www.sans.org/reading-room/whitepapers/analyst/improving-application-privilege-management-critical-security-controls-update-36912
   Published: Mon, 25 Apr 2016 00:00:00 +0000

13. Using Sulley to Protocol Fuzz for Linux Software Vulnerabilities
   https://www.sans.org/reading-room/whitepapers/testing/sulley-protocol-fuzz-linux-software-vulnerabilities-36907
   Fuzzers are useful for discovering vulnerabilities in software services. Sulley is a common fuzzer with the ability to fuzz network protocols. This paper describes the process for using Sulley to fuzz for a vulnerability in an implementation of the unencrypted telnet protocol. Specifically, Sulley will be used to detect the vulnerability described in CVE-2011-4862 as implemented on the RedHat Enterprise Linux 3 distribution.
   Published: Mon, 25 Apr 2016 00:00:00 +0000

14. Incident Response in Amazon EC2: First Responders Guide to Security Incidents in the Cloud
   https://www.sans.org/reading-room/whitepapers/forensics/incident-response-amazon-ec2-first-responders-guide-security-incidents-cloud-36902
   As Head of Digital Forensics for Payment Software Company Inc. ("PSC"), a company that focuses exclusively on clients that accept or process payments, we've responded to sites operating within cloud environments, most notably Amazon EC2.
   Published: Thu, 21 Apr 2016 00:00:00 +0000

15. Catching Flies: A Guide to the Various Flavors of Honeypots
   https://www.sans.org/reading-room/whitepapers/attacking/catching-flies-guide-flavors-honeypots-36897
   While the concept of baiting adversaries in order to monitor their activities is nothing new, honeypotting has evolved into a critical tool in information security analysis. Recent years have given rise to advances in the detection of network intrusions such as honeynets, honeytokens and adaptive honeypots. This paper explores modern applications, as well as the legal and technical considerations behind emerging honeypot solutions, in the dynamic blockage of emerging attack vectors and the potential exploitation of advanced persistent threats.
   Published: Tue, 19 Apr 2016 00:00:00 +0000

16. Neutrino Exploit Kit Analysis and Threat Indicators
   https://www.sans.org/reading-room/whitepapers/malicious/neutrino-exploit-kit-analysis-threat-indicators-36892
   Exploit Kits are powerful and modular digital weapons that deliver malware in an automated fashion to the endpoint. Exploit Kits take advantage of client side vulnerabilities. These threats are not new and have been around for at least the past 10 years. Nonetheless, they have evolved and are now more sophisticated than ever. The malware authors behind them employ sophisticated capabilities that evade detection, thwart analysis and deliver reliable exploits. These properties make detection and analysis difficult. This paper demonstrates a set of tools and techniques to perform analysis of the Neutrino Exploit Kit. The primary goal is to grow security expertise and awareness about these types of threats. Those empowered to defend users and corporations should not only study these threats, they must also be deeply involved in their analysis.
   Published: Wed, 13 Apr 2016 00:00:00 +0000

17. BitTorrent & Digital Contraband
   https://www.sans.org/reading-room/whitepapers/legal/bittorrent-digital-contraband-36887
   BitTorrent is a popular peer-to-peer file transfer program that allows participants in a swarm to exchange pieces with each other during the downloading process.
   Published: Wed, 13 Apr 2016 00:00:00 +0000

18. Threat Hunting: Open Season on the Adversary
   https://www.sans.org/reading-room/whitepapers/threats/threat-hunting-open-season-adversary-36882
   Nearly 86% of organizations responding to the survey want to be doing the hunting, albeit informally, as more than 40% do not have a formal threat hunting program in place. Results indicate that hunting is providing benefits, including finding previously undetected threats, reducing attack surfaces and enhancing the speed and accuracy of response. They also suggest that organizations want to improve their threat-hunting programs and realize more benefits from threat hunting.
   Published: Tue, 12 Apr 2016 00:00:00 +0000

19. Practical Approach to Detecting and Preventing Web Application Attacks over HTTP/2
   https://www.sans.org/reading-room/whitepapers/protocols/practical-approach-detecting-preventing-web-application-attacks-http-2-36877
   The Hypertext Transfer Protocol (HTTP) was first defined in 1991 by the World Wide Web initiative as a method to retrieve hypertext markup language (HTML) messages (Berners-Lee).
   Published: Mon, 11 Apr 2016 00:00:00 +0000

20. Securing Jenkins CI Systems
   https://www.sans.org/reading-room/whitepapers/bestprac/securing-jenkins-ci-systems-36872
   With over 100,000 active installations worldwide, Jenkins has become the top choice for continuous integration and automation. A survey conducted by Cloudbees during the 2012 Jenkins Users Conference concluded that 83 percent of the respondents consider Jenkins to be mission critical. The November 2015 remotely exploitable Java deserialization vulnerability stresses the need to lock down and monitor Jenkins systems. Exploitation of this weakness enables hackers to gain access to critical assets such as the source code that Jenkins manages. Enabling password security is the general recommendation for securing Jenkins. Unfortunately, this necessary security measure can easily be defeated with a packet sniffer because passwords are transmitted over the wire as clear text. This paper looks at ways to secure Jenkins systems as well as the deployment of intrusion detection systems to monitor critical assets controlled by Jenkins CI systems.
   Published: Fri, 08 Apr 2016 00:00:00 +0000

21. Boiling the Ocean: Security Operations and Log Analysis
   https://www.sans.org/reading-room/whitepapers/logging/boiling-ocean-security-operations-log-analysis-36867
   Incident handling is a difficult and challenging job. One of the many challenges of incident response, and the root of this paper, is obtaining access to the data needed to identify an incident.
   Published: Wed, 06 Apr 2016 00:00:00 +0000

22. The Automotive Top 5: Applying the Critical Controls to the Modern Automobile
   https://www.sans.org/reading-room/whitepapers/critical/automotive-top-5-applying-critical-controls-modern-automobile-36862
   The car of today is an inherently vulnerable platform. At its core is a computing architecture from the 1980s which was designed to be lightweight and efficient, with very little thought given to security. As the modern automobile becomes increasingly connected, its attack surface only continues to grow. In the wake of several recent high-profile car hacking demonstrations, automakers face the daunting task of trying to lock down this insecure platform with bolt-on security fixes. This paper proposes a plausible strategy for securing modern automotive systems which takes into account some of the key limitations of the automobile industry, in addition to presenting a methodology for applying the Critical Controls to the modern automobile platform.
   Published: Mon, 04 Apr 2016 00:00:00 +0000

23. Threat Intelligence: Planning and Direction
   https://www.sans.org/reading-room/whitepapers/threats/threat-intelligence-planning-direction-36857
   Many celebrated leaders like Ben Franklin and Winston Churchill have said, in various forms, "Failing to plan is planning to fail."
   Published: Tue, 29 Mar 2016 00:00:00 +0000

24. OPM vs. APT: How Proper Implementation of Key Controls Could Have Prevented a Disaster
   https://www.sans.org/reading-room/whitepapers/breaches/opm-vs-apt-proper-implementation-key-controls-prevented-disaster-36852
   On June 4th, 2015 U.S. Government officials announced a breach of data at the Office of Personnel Management (OPM).
   Published: Tue, 29 Mar 2016 00:00:00 +0000

25. The Role of Static Analysis in Hardening Open Source Intrusion Detection Systems
   https://www.sans.org/reading-room/whitepapers/securecode/role-static-analysis-hardening-open-source-intrusion-detection-systems-36847
   Intrusion analysts use the principles of network security monitoring (NSM) to help secure computer systems.
   Published: Tue, 29 Mar 2016 00:00:00 +0000