Reading Room

Featuring 72 Papers as of May 18, 2021

  • SANS 2021 Password Management and Two-Factor Authentication Methods Survey (Analyst Paper; requires membership in community) by Chris Dale - May 18, 2021

    Passwords are a hassle, and they're expensive to manage. They're also inherently insecure. Are organizations still requiring forced resets and enforcing complex passwords and other inconveniences that users tend to resist? This whitepaper explores the results of the SANS 2021 Password Survey, including how many passwords users and admins have to perform their work tasks, and how organizations are managing their passwords across users, apps, and devices.

  • GPS for Authentication: Is the Juice Worth the Squeeze? (Graduate Student Research) by Adam Baker - May 6, 2021

    For decades, location has been used as a validating factor in authentication. However, this has almost exclusively reflected IP address-based geolocation, a far less precise data point than a GPS coordinate. This paper will compare the precision of IP address location data to that of GPS coordinates, to determine if the increased available precision of GPS coordinates provides sufficient enhancement in value to justify expanding the use of GPS coordinates for authentication.

  • Architecture and Configuration for Hardened SSH Keys (Graduate Student Research) by Scott Ross - November 11, 2020

    The Secure Shell (SSH) protocol is a tool often used to administer Unix-like computers, transfer files, and forward ports securely and remotely. Security can be quite robust for SSH when implemented correctly, and yet it is also user-friendly for developers familiar with Unix. Asymmetric SSH keys used by the protocol have allowed operations engineers and developers to authenticate to remote machines, supporting increased automation and orchestration across DevOps environments. While the private keys should be password protected, they are often not. The fast pace of DevOps and the focus on delivery has led to many companies not controlling their authentication credentials or understanding the risk they create. Private key files can become scattered around the environment, presenting a tempting target for threat actor exploitation to pivot across a network or access cloud services. This paper will evaluate a simple solution for protecting private keys by storing them on an external cryptographic device (Yubikey) and automating key management/SSH configuration (Ansible). This potential solution will be compared to local key storage and prevalent ad-hoc key management against conventional SSH attack techniques in the MITRE ATT&CK matrix.

  • Bye Bye Passwords: New Ways to Authenticate (Analyst Paper; requires membership in community) by Matt Bromiley - July 23, 2019

    The "passwordless movement" is upon us! This paper addresses ways to change password handling and implement more secure authentication. It examines the problem of passwords and password mismanagement, and provides tips and suggestions for increasing your organization's account security using modern industry standards.

  • Authentication: It Is All About the User Experience (Analyst Paper; requires membership in community) by Matt Bromiley - June 12, 2019

    In a world where compromised user credentials can cost an enterprise millions of dollars, the importance of being able to validate user accounts is a crucial enterprise requirement. Yet implementation of modern authentication techniques is lagging, even though it provides better user experiences as well as stronger authentication. This paper examines how these techniques can be applied within your organization for your employees--the other custodians of your data. It also explores the benefits of the new WebAuthn specification.

  • A Swipe and a Tap: Does Marketing Easier 2FA Increase Adoption? (Graduate Student Research) by Preston Ackerman - November 19, 2018

    Data breaches and Internet-enabled fraud remain a costly and troubling issue for businesses and home end-users alike. Two-factor authentication (2FA) has long held promise as one of the most viable solutions that enables ordinary users to implement extraordinary protection. A security industry push for widespread 2FA availability has resulted in the service being offered free of charge on most major platforms; however, user adoption remains low. A previous study (Ackerman, 2017) indicated that awareness videos can influence user behavior by providing a clear message which outlines personal risks, offers a mitigation strategy, and demonstrates the ease of implementing the mitigating measure. Building on that previous work, this study, focused on younger millennials between 21 and 26 years of age, seeks to reveal additional insights by designing experiments around the following key questions: 1) Does including a real-time implementation demonstration increase user adoption? 2) Does marketing the convenient push notification form of 2FA, rather than the popular SMS text method, increase user adoption? To address these questions, a two-phase study exposed groups of users to different video messages advocating use of 2FA. Each phase of the survey collected data measuring self-efficacy, fear, response costs and efficacy, perceived threat vulnerability and severity, and behavioral intent. The second phase also collected survey data regarding actual 2FA adoption. The insights derived from subsequent analysis could be applicable not just to increasing 2FA adoption but to security awareness programs more generally.

  • The Algorithm of You: Defeating Attackers by Being Yourself (Analyst Paper; requires membership in community) by Matt Bromiley - October 17, 2018

    Yesterday's defense mechanisms--such as tokens, one-time passwords and even fingerprint readers--are not adequately protecting our devices, data and networks. SANS author and DFIR expert Matt Bromiley examined a relatively new authentication method, behavioral biometrics, as implemented in a product from BehavioSec. This SANS Product Review chronicles Matt's experience as he put BehavioSec's product through the paces, and it explores what behavioral biometrics is, how it works and the role it plays in authentication.

  • Impediments to Adoption of Two-factor Authentication by Home End-Users (Graduate Student Research) by Preston Ackerman - February 10, 2017

    Cyber criminals have proven to be both capable and motivated to profit from compromised personal information. The FBI has reported that victims have suffered over $3 billion in losses through compromise of email accounts alone (IC3 2016). One security measure which has been demonstrated to be effective against many of these attacks is two-factor authentication (2FA). The FBI, the Department of Homeland Security US Computer Emergency Readiness Team (US-CERT), and the internationally recognized security training and awareness organization, the SANS Institute, all strongly recommend the use of two-factor authentication. Nevertheless, adoption rates of 2FA are low.

  • Implementing Least Privilege in an SMB (Graduate Student Research) by Tim Ashford - January 20, 2016

    To better understand the problem at hand, it is perhaps best to look at how SMBs got to where they are today, in terms of privileged account access at the desktop.

  • Two-Factor Authentication (2FA) using OpenOTP by Colin Gordon - July 17, 2015 

    This guide is for security-aware individuals who wish to learn the theory behind user-based two-factor (or multifactor) authentication systems, also known as "2FA". Here we will discuss how 2FA systems work, and how to implement 2FA into a small, virtualized environment for testing purposes. By implementing 2FA, the hope is to enhance the cyber toolkit for administrators who wish to help mitigate the effects of user password theft by cyber intrusion. By following the steps outlined here, the reader should be able to comfortably configure a user account already existing in a Microsoft® Active Directory® (AD) environment to use the Google Authenticator application on his/her smartphone to authenticate with AD username and password+token for remote VPN access.

  • Implementing a Shibboleth SSO Infrastructure (Graduate Student Research) by Rich Graves - November 17, 2014

    Secure authentication and authorization across organizational boundaries is a hard problem. Consider an academic publisher that wishes to make scientific journals available to currently enrolled students, but not staff, faculty, or alumni, at universities that have paid a site license fee. Students could register with a site-specific username and password - though such credentials are likely to be shared or forgotten, diminishing security and increasing user frustration and support burden.

  • Beyond the cookie: Using network traffic characteristics to enhance confidence in user identity (Graduate Student Research) by Courtney Imbert - August 19, 2014

    Throughout history, authenticating to a computer system was simple: the user provided credentials, the system checked the credentials against a trusted source, and the system permitted or denied access to a protected resource.

  • Implementing IEEE 802.1x for Wired Networks by Johan Loos - March 14, 2014 

    Most companies do not have an extra layer of security in place when client computers are connecting to a wired network.

  • An Architecture for Implementing Enterprise Multifactor Authentication with Open Source Tools by Tom Webb - January 2, 2014 

    We are all familiar with how password authentication works as we log into dozens of systems each day to check email or view bank account balance.

  • The Dangers of Weak Hashes by Kelly Brown - November 20, 2013 

    In June of 2012 a hacker posted more than 8 million passwords to the internet belonging to LinkedIn and eHarmony (Goodin, 2012).

  • SSL/TLS: What's Under the Hood (Graduate Student Research) by Sally Vandeven - August 19, 2013

    Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are both protocols used for the encryption of network data.

  • Daisy Chain Authentication (Graduate Student Research) by Courtney Imbert - August 8, 2013

    "Daisy chain authentication", a term originally coined by Wired writer Mat Honan, is defined as an attacker using normal but alternative authentication methods to break into an account, building upon public or previously compromised data to gain access to other accounts.

  • SANS Institute Product Review: Self-Service Provisioning Made Simple: A Review of Oracle Identity Manager 11g R2 (Analyst Paper; requires membership in community) by Dave Shackleford - October 22, 2012

    Review of Oracle Identity Manager (OIM) 11g R2, an enterprise IAM product that offers end users a personalized experience through a friendly interface, while managing workflow approvals and executing changes at both the user and administrator levels.

  • SANS Institute Product Review: Demystifying External Authorization: Oracle Entitlements Server Product Review (Analyst Paper; requires membership in community) by Tanya Baccam - April 20, 2012

    Product review of Oracle Entitlements Server (OES) -- a solution that provides flexibility in access control allowing for dynamic changes, understands multiple systems and applies complex rules in a flexible manner.

  • Adding Enterprise Access Management to Identity Management (Analyst Paper; requires membership in community) by J. Michael Butler - October 4, 2011

    This paper discusses the difference between IDM and EAM and explains how these two enterprise functions can work together for better control of access to operating systems, applications and related data.

  • Kerberos Token Size and DoS by Joshua Sprenger - July 25, 2011 

    Kerberos has been the default authentication protocol for Windows since XP/2000. Although the protocol enjoys many benefits over its predecessors, it does have some weaknesses. One unintended weakness of Kerberos is the ability of the Kerberos token size to grow to the point where Denial of Service (DoS) issues arise. This is especially prevalent in large enterprises where during the 10 years that Kerberos has been the primary Windows protocol, some users have found their accounts to be members of several hundred groups. The result of this scenario includes inability to use important company resources such as Exchange Servers and the ability to authenticate to web sites. Additionally, this weakness can be used maliciously to cause widespread DoS throughout an enterprise.

  • Extending Role Based Access Control (Analyst Paper; requires membership in community) by J. Michael Butler - April 29, 2011

    This paper discusses advantages and disadvantages of RBAC, along with options to consider when planning to extend RBAC to allow for centralization and standardization in a heterogeneous environment of multiple, diverse operating systems.

  • Smart Strategies for Securing Extranet Access (Analyst Paper; requires membership in community) by Dave Shackleford - March 1, 2010

    This paper discusses how to use risk-based authentication and entitlement management to enforce authentication security and achieve granular authorization using centralized role-based policies.

  • Two-Factor Authentication: Can You Choose the Right One? (Graduate Student Research) by Emilio Valente - May 1, 2009

    The focus of this paper is enterprise solutions for two-factor authentication.

  • OS and Application Fingerprinting Techniques (Graduate Student Research) by Jon Mark Allen - October 22, 2008

    This paper will attempt to describe what application and operating system (OS) fingerprinting are and discuss techniques and methods used by three of the most popular fingerprinting applications: nmap, Xprobe2, and p0f.

  • Simple Formula for Strong Passwords (SFSP) (Tutorial) by Bernie Thomas - May 17, 2005

    The practice of using passwords for user authentication exposes organizations' and individual users' data to disclosure, alteration and/or destruction. However, a large portion of the security issues that make this true can be satisfactorily addressed using a simple method that I would like to introduce as the Simple Formula for Strong Passwords (SFSP) [Note 1].

  • Installing a Secure Network DHCP Registration System by Pam Fournier - May 5, 2005 

    One limitation of DHCP is that there is no accountability for IP address usage. NetReg is a Network DHCP Registration System which provides a means of linking user information to MAC and IP addresses on the network.

  • Secure implementation of Enterprise single sign-on product in an organization by Ravikanth Ponnapalli - January 18, 2005 

    Single Sign-On is a very important component of the security architecture of an organization. In IT, it is generally believed that it is expensive to deploy an enterprise Single Sign-On solution that is secure and scalable. However, there is a growing awareness in IT management about the advantages of implementation of enterprise Single Sign-On.

  • An Exploration of Voice Biometrics by Lisa Myers - July 25, 2004 

    Biometrics is, in the simplest definition, something you are. It is a physical characteristic unique to each individual. Using biometrics to identify individuals is a practice as old as ancient Egypt. Today, it is becoming more and more popular to use biometrics to identify people and authenticate them for access to secure areas and systems.

  • Single Sign On Concepts & Protocols by Sandeep Sandhu - March 25, 2004 

    This paper describes the characteristics and concepts of a few important protocols and technologies that have been used for implementing authentication and single sign-on (SSO) mechanisms for computer networks.

  • Don't Blink: Iris Recognition for Biometric Identification by Mary Dunker - March 8, 2004

    This paper explores the origins of iris recognition, how it works, how it stacks up against other forms of biometric identification and what is required to perform the identification.

  • Biometrics: An In Depth Examination by Kyle Cherry - March 2, 2004 

    The purpose of this paper is to give the reader a good foundational understanding of biometric security systems. The intent is not to make the reader an expert in any one system.

  • Convergence of Logical and Physical Security by Yahya Mehdizadeh - January 11, 2004 

    This paper will demonstrate that the convergence of logical and physical security brings significant benefits, specifically identifying areas where the two can interconnect to the greatest positive effect, and also recommends practical steps to take in this direction.

  • Preventing the fraudulent use of Internet DSL accesses by dial-up accounts: a network authentication issue. by Bruno Germain - October 31, 2003 

    This document provides details of a typical deployment between DSL providers and ISPs in order to highlight the areas of vulnerability of the model.

  • Strengthening Authentication with Biometric Technology by Tricia Olsson - October 10, 2003 

    This paper looks at the danger and cost of identity theft, uncovers the problem with current authentication practices, demonstrates how a biometric solution can be used to provide stronger authentication, and looks at the added benefit of using multiple factor authentication practices.

  • Considerations For Implementing Single Sign-On Within The Enterprise by Russell Hobbs - October 6, 2003 

    The goal of this paper is to provide insight into many important areas that should be considered before implementing an enterprise SSO system.

  • Common issues in PKI implementations - climbing the "Slope of Enlightenment" by Angela Keith - September 8, 2003 

    This paper is an attempt to go beyond the many conceptual papers published about Public Key Infrastructure (PKI) and look at the actual problems experienced when implementing it.

  • Biometric Scanning Technologies: Finger, Facial and Retinal Scanning by Edmund Spinella - August 22, 2003 

    This paper discusses several biometric scan technologies: finger-scan, facial-scan and retinal-scan.

  • Passwords are DEAD! (Long live passwords?) by David Beverstock - August 8, 2003 

    Following a brief history and definition of passwords, this paper will show three properties of passwords that render passwords risky or unsuitable for use.

  • L is for Login by Carolee Rand - August 8, 2003 

    This paper will look at login commands, authentication mechanisms, passwords and password management programs used in several UNIX platforms, highlighting aspects of Solaris 8 and Red Hat Linux (RH) 7.3.

  • Identity Protection and Smart Card Adoption in America by Stephen Irwin - July 14, 2003 

    This paper will address smart card technology as a viable alternative to present financial and identity standards, and why it will be woven into the American identity fabric over the next decade.

  • It's All About Authentication by Douglas Graham - June 3, 2003 

    This paper categorizes and then simplifies some of the core fundamentals of electronic security controls and mechanisms and concludes that authentication is the single most important aspect in information security.

  • Identity Management by Kevin Kaufman - June 3, 2003 

    Information security magazines of all nature are publishing more and more articles about identity management and improved access control measures.

  • Shedding some light on Voice Authentication by Dualta Currie - April 4, 2003 

    This paper attempts to explain, in non-technical language, the technologies behind one particular type of biometric authentication, voice authentication.

  • An Introduction to Identity Management by Spencer Lee - March 22, 2003 

    The purpose of this document is to offer a broad overview of current identity management technologies and provide a framework for determining when an identity management system would benefit your company.

  • Biometrics: Are YOU the Key to Security? by Patricia Wittich - February 26, 2003 

    This paper will discuss the concepts behind the emerging biometrics craze along with its efficiency, cost, privacy issues, and success versus failure rate.

  • In Pursuit of Liberty? by Randy Mahrt - February 26, 2003 

    This paper explores the Liberty specification version 1.0 that was released on July 15, 2002.

  • Iris Recognition: Closer Than We Think? by Miltiades Leonidou - September 24, 2002 

    This overview covers the new and emerging biometric technique of Iris Recognition, with focus on image processing and computer vision aspects. Algorithms, systems and their experimental results will be reported.

  • Combating the Lazy User: An Examination of Various Password Policies and Guidelines by Sam Wilson - September 16, 2002 

    This paper demonstrates that many published policies and guidelines will allow for the creation of weak passwords by lazy or inexperienced users. This paper also makes recommendations by which the Security Administrator can improve the strength of the passwords which are created by the users on his system.

  • Single Sign On Through Password Synchronization by Nancy Loveland - September 3, 2002 

    This paper is a case study on a project to provide a Single Sign On (SSO) solution to web based applications that use the mainframe as the data store.

  • Biometric Selection: Body Parts Online by Steven Walker - July 26, 2002 

    The purpose of this paper is to provide information that will assist a biometric implementer evaluate and select biometric technology. The scope of this paper is limited to the selection of biometric technology as an authenticator in a networked environment.

  • Making Smart Cards Work In the Enterprise by Brett Lewis - April 4, 2002 

    The time has come for enterprises to begin considering whether smart cards can be used to improve security in their environments. Smart cards offer a secure and convenient form factor on which employees can carry digital credentials for accessing parking facilities, buildings, computers, and network resources. Indeed, the ability for an employee to carry both physical and logical access credentials can be provided on a single card. Adding to the significance of smart cards, that same card can also be used for employee photo identification, and potentially a multitude of other applications, including encryption, digital signatures, secure storage of employee medical information, and electronic wallet for cafeterias and vending machines. Done right, a single-card solution can provide return on investment in the forms of vastly improved security, reduced need for certain security and IT personnel functions, and customer satisfaction. This paper examines some of the key benefits that can be realized from employing smart cards, and it explains how smart cards can be used to significantly improve both physical and logical security. Additionally, it provides an overview of some strategic infrastructure elements needed to make smart cards work in an enterprise environment, including complementary technologies, personnel, hardware, software, and perhaps most importantly, policies and procedures.

  • Biometrics: A Double Edged Sword - Security and Privacy by Wayne Penny - March 18, 2002 

    This paper presents an overview of biometrics in general and describes some of the issues related to biometrics vulnerabilities and security, and its other side, the protection of one's privacy. It considers that for biometrics to be publicly accepted, implementations will require cooperation between organizations and individuals, working with developed open standards that meet the demand for security and demonstrate the protection of personal privacy.

  • Iris Recognition Technology for Improved Authentication by Penny Khaw - March 7, 2002 

    Iris recognition technology does provide a good method of authentication to replace the current methods of passwords, token cards or PINs and if used in conjunction with something the user knows in a two-factor authentication system then the authentication becomes even stronger.

  • Smart Cards: How Secure Are They? by John Abbott - March 1, 2002 

    The author looks at the history, types and uses of smart cards and how they may be vulnerable. Since smart cards were never designed to be standalone systems, the author examines some of the applications that have incorporated smart cards into their design to see how they work, looks at the motivation for why they might be threatened, reviews some of the documented attacks, and puts forth a cost/benefit analysis of incorporating smart cards. Finally, there is a determination of how secure smart cards really are.

  • Web Single Sign-On Meets Business Reality by Tim Mather - February 18, 2002 

    This paper discusses some of the real-world operational challenges in getting a Web-only SSO deployed, starting with the impetus for why to deploy SSO; some considerations in vendor selection; operational considerations in a deployment, including challenges with having SSO and load balancing work effectively together; and, some compensating security controls.

  • Java Smart Cards Are Here To Stay: Benefits And Concerns by Sonia Otero - February 16, 2002 

    In this paper, the author describes the extensive security layers involved in Java smart cards, as well as their vulnerabilities. The conclusion is that the benefits seem to outweigh the disadvantages, since certain sectors of society have already accepted the risks.

  • Build a Web Interface to Allow Users to Change their Passwords (The Web Password Page) by Mark Holbrook - January 26, 2002 

    The purpose of this paper is to show you (the System Administrator) how to break free from the mundane task of periodically changing user passwords (in keeping with good security practices from GIAC Security Essentials). This document is designed to show you step-by-step how to build a web page for users to update their passwords on a UNIX or Windows server, easily, securely and without spending too much money on software!

  • Securing Access: Making Passwords a Legitimate Corporate Defense by David Sherrod - January 15, 2002 

    This paper outlines four easy steps to secure access to your systems using strong passwords, even those selected by users.

  • Biometric Technology Stomps Identity Theft by Seyoum Zegiorgis - January 7, 2002 

    This paper discusses the benefits of implementing a biometric technology product--one more tool for safeguarding the information assets and key installations of an organization--the privacy issues associated with the deployment of a BTP

  • More Than a Pretty Face, Biometrics and SmartCard Tokens by Gregory Williams - December 24, 2001 

    This paper will address many of the types of Biometrics available as well as the use of smart card technology.

  • Authentication and Authorization: The Big Picture with IEEE 802.1X by Arthur Fisher - December 21, 2001 

    This paper explores how Auth-x brings authentication and authorization down to a port level, enabling true privilege-based management of network services.

  • Biometrics and User Authentication by Michael Zimmerman - December 17, 2001 

    The purpose of this paper will be to look at the use of biometrics technology to determine how secure it might be in authenticating users, and how the user's job function or role would impact the authentication process or protocol. We will also examine personal issues of privacy in the methods used for authentication; the cost of implementing a biometrics authentication system; the efficiency of biometrics authentication; and the potential for false positive or negative recognition of individual users.

  • A Concept for Universal Identification by Daniel Williams - December 13, 2001 

    The goal of this paper is to provide a detailed look at a new perspective for a unified, secure and consolidated form of personal identification. The advanced yet inexpensive technology exists today to step up modern identification to the next level.

  • Technical Aspect of Implementing/Upgrading SAP Security 4.6 by Mary Sims - November 15, 2001 

    This paper will discuss the technical aspect of securing the SAP environment and, even more specifically, the details of controlling security for the SAP Release 4.0 and above.

  • An Overview of Different Authentication Methods and Protocols by Richard Duncan - October 23, 2001 

    This overview will generalize several Authentication Methods and Authentication Protocols in hopes of better understanding a few options that are available when designing a security system.

  • Inadequate Password Policies Can Lead to Problems by Leonard Hermens - October 10, 2001 

    This paper explores how, overall, the security administrator's duty is to reasonably ensure the security of the network, and how he/she can do this by setting effective password policies.

  • Password Protection: Is This the Best We Can Do? by Jason Mortensen - August 20, 2001 

    This paper explores how a combination of user education, strict password policies, encrypted network traffic, one-time passwords, Public-Key Infrastructure systems, and the use of biometric authentication can make computer systems less vulnerable to attacks.

  • Clear Text Password Risk Assessment Documentation by Kimberly Rallo - August 16, 2001 

    This paper will present a risk assessment on sending clear text passwords across an enterprise network.

  • Overview of S/Key usage with OpenBSD by Christian Lecompte - July 21, 2001 

    An evaluation of S/Key usage and integration with the OpenBSD Operating System.

  • Proximity Authentication by Ali Merayyan - July 16, 2001 

    The author discusses protecting data by denying direct physical access onto a user's computer; that is, protect sensitive data terminals from being used by unauthorized users.

  • Biometrics: Technology That Gives You a Password You Can't Share by Yevgeniy Libov - July 9, 2001 

    This paper examines biometrics technology as a means for making user authentication more secure based on a unique identifier, the fingerprint.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.