Reading Room

Security Awareness

Featuring 81 Papers as of October 23, 2019

  • What Security Practitioners Really Do When It Comes to Security Testing Analyst Paper (requires membership in community)
    by Matt Bromiley - October 18, 2019 

    Given the number, criticality and potential damage of attacks, how can you better protect your organization against the latest threats? And with so many solutions in your arsenal, how can you ensure that security controls are integrated seamlessly to defend you in the moment of truth against attacks? This paper, which is a follow-up to "Are Your Security Controls Yesterday’s News?," addresses issues with security effectiveness testing and how to improve control validation to shorten testing cycles, accelerate remediation and improve your organization's security posture--faster. It presents the results of a recent SANS poll to provide insight into how organizations are testing for security effectiveness and how performance is actually being measured.  The paper also provides specific steps to help you optimize security in a more proactive, continuous way.

  • Better Security Using the People You Have Analyst Paper (requires membership in community)
    by Matt Bromiley - August 13, 2019 

    Is your organization making optimal use of technology and processes to support the people you currently have? Because, if not, there is more work to do--and it doesn't involve hiring more people. This paper looks at the people, process and technology trifecta to identify weak points in your security. Compensate for deficiencies, maximize the resources you have, and prepare for future security threats. Get tips on how to empower your employees and help them grow their skills relative to the sophistication of today's security challenges.

  • Are Your Security Controls Yesterday's News? Analyst Paper (requires membership in community)
    by Matt Bromiley - July 18, 2019 

    This spotlight paper, one of a two-part series, looks at just how successful an organization can expect to be if it's using old news, limited scope or "cookie-cutter" vulnerability scans as a way to assess its environment. SANS believes security control testing needs to improve significantly to emulate actual--not hypothetical--threats to an organization.

    The second spotlight, "What Security Practitioners Really Do When It Comes to Security Testing," focuses on the input SANS received from a poll that gathered opinions from the SANS community on this topic.

  • Understanding the Adversary with Deception Technology Analyst Paper (requires membership in community)
    by Matt Bromiley - February 26, 2019 

    Organizations are having great difficulties properly remediating incidents and eradicating attackers from their environment. This paper examines some of the challenges facing organizations in understanding the adversary, and presents some of the latest deception techniques that can be used to identify attacker activity (both known and unknown).

  • Evolving Micro-Segmentation for Preventive Security: Adaptive Protection in a DevOps World Analyst Paper (requires membership in community)
    by Dave Shackleford - January 7, 2019 

    This paper looks at micro-segmentation as a new way to approach network security. The paper proposes ways to implement effective cyber hygiene, examines the role of automation, and explores ways to add security to workflows.

  • A Swipe and a Tap: Does Marketing Easier 2FA Increase Adoption? STI Graduate Student Research
    by Preston Ackerman - November 19, 2018 

    Data breaches and Internet-enabled fraud remain a costly and troubling issue for businesses and home end-users alike. Two-factor authentication (2FA) has long held promise as one of the most viable solutions that enables ordinary users to implement extraordinary protection. A security industry push for widespread 2FA availability has resulted in the service being offered free of charge on most major platforms; however, user adoption remains low. A previous study (Ackerman, 2017) indicated that awareness videos can influence user behavior by providing a clear message which outlines personal risks, offers a mitigation strategy, and demonstrates the ease of implementing the mitigating measure. Building on that previous work, this study, focused on younger millennials between 21 and 26 years of age, seeks to reveal additional insights by designing experiments around the following key questions: 1) Does including a real-time implementation demonstration increase user adoption? 2) Does marketing the convenient push notification form of 2FA, rather than the popular SMS text method, increase user adoption? To address these questions, a two-phase study exposed groups of users to different video messages advocating use of 2FA. Each phase of the survey collected data measuring self-efficacy, fear, response costs and efficacy, perceived threat vulnerability and severity, and behavioral intent. The second phase also collected survey data regarding actual 2FA adoption. The insights derived from subsequent analysis could be applicable not just to increasing 2FA adoption but to security awareness programs more generally.

  • Network Architecture with Security in Mind Analyst Paper (requires membership in community)
    by Matt Bromiley - November 2, 2018 

    This paper looks at how efficient and security-minded network routing and security tool utilization can shorten detection and response times.

  • Back to Basics: Building a Foundation for Cyber Integrity Analyst Paper (requires membership in community)
    by Barbara Filkins - June 6, 2018 

    File integrity is at the heart of maintaining a secure cyber profile. But cyber security must also protect system integrity--the state of the infrastructure (encompassing applications, endpoints and networks) where intended functions must not be degraded or impaired by other changes or disruptions to its environments. This SANS Spotlight explores how cyber integrity weaves people, processes and technology together into a holistic framework that guards the modern enterprise against changes, whether authorized or unauthorized, that weaken security and destabilize operations.

  • Blueprint for CIS Control Application: Securing the Oracle E-Business Suite Analyst Paper (requires membership in community)
    by Barbara Filkins - October 26, 2017 

    This paper looks at how the Critical Security Controls can be used to secure Oracle's E-Business Suite (EBS), using an approach that considers application- as well as network-related issues.

  • Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform Analyst Paper (requires membership in community)
    by Dave Shackleford - October 17, 2017 

    SANS Analyst Dave Shackleford presents his experience reviewing Endgame's Managed Detection and Response Services under real-world threats in a simulated environment.

  • Online Safety in a Foreign Language - Connecting with Teens by Chris Elgee - October 16, 2017 

    The inescapable dangers of our increasingly connected world are likely most threatening to our young adults. Teens, especially, see social media and related online platforms as inextricable from their public and private personas. These digital natives have grown up being comfortable with sharing all aspects of their lives with the Internet - without the healthy suspicion and caution of those who have seen the technology grow over the years. The importance of protecting our teenage Internet denizens apparent, it falls to parents, teachers, and industry professionals to effectively educate this group. What follow are tested methods and associated research on relating to and informing teenagers so they might understand and properly mitigate the risks they face. Importantly, this paper explores these topics in a way that doesn't overstate the dangers or attempt to upheave the norms of communication so organic to this generation.

  • Complement a Vulnerability Management Program with PowerShell STI Graduate Student Research
    by Colm Kennedy - August 10, 2017 

    A vulnerability management program is a critical task that all organizations should be running. Part of this program involves the need to patch systems regularly and to keep installed software up to date. Once a vulnerability program is in place organizations need to remediate discovered vulnerabilities quickly. Occasionally some discovered vulnerabilities are false positives. The problem with false positives is that manually vetting them is time-consuming. There are tools available, which assist in showing what patches may be missing, like SCCM, but can be rather costly. For organizations concerned that these types of programs hurt their budgets, there are free options available. PowerShell is free software that, if utilized, can complement an organization's vulnerability management program by assisting in scanning for unpatched systems. This paper presents a PowerShell script that provides Administrators with further insight into what systems are unpatched and streamlines investigations of possible false positives, with no additional cost.

  • Road Map to a Secure, Smart Infrastructure Analyst Paper (requires membership in community)
    by Barbara Filkins - August 9, 2017 

    This paper provides a multifaceted security approach for securing infrastructure systems that are being targeted by attackers and malware.

  • Defending Against the Wrong Enemy: 2017 SANS Insider Threat Survey Analyst Paper (requires membership in community)
    by Eric Cole - July 31, 2017 

    It is easy, while evaluating attack vectors, researching competitors and gauging the threat from organized crime or foreign adversaries, to conclude that external attacks should be the primary focus of defense. This conclusion would be wrong. The critical element is not the source of a threat, but its potential for damage. This survey highlights the importance of managing internal threats as the key to winning at cyber security.

  • Hacking the CAN Bus: Basic Manipulation of a Modern Automobile Through CAN Bus Reverse Engineering STI Graduate Student Research
    by Roderick Currie - June 20, 2017 

    The modern automobile is an increasingly complex network of computer systems. Cars are no longer analog, mechanical contraptions. Today, even the most fundamental vehicular functions have become computerized. And at the core of this complexity is the Controller Area Network, or CAN bus. The CAN bus is a modern vehicle's central nervous system upon which the majority of intra-vehicular communication takes place. Unfortunately, the CAN bus is also inherently insecure. Designed more than 30 years ago, the CAN bus fails to implement even the most basic security principles. Prior scholarly research has demonstrated that an attacker can gain remote access to a vehicle's CAN bus with relative ease. This paper, therefore, seeks to examine how an attacker already inside a vehicle's network could manipulate the vehicle by reverse engineering CAN bus communications. By providing a reproducible methodology for CAN bus reverse engineering, this paper also serves as a basic guide for penetration testers and automotive security researchers. The techniques described in this paper can be used by security researchers to uncover vulnerabilities in existing automotive architectures, thereby encouraging automakers to produce more secure systems going forward.

  • Indicators of Compromise TeslaCrypt Malware STI Graduate Student Research
    by Kevin Kelly - February 16, 2017 

    Malware has become a growing concern in a society of interconnected devices and realtime communications. This paper will show how to analyze live ransomware malware samples, how malware processes locally, over time and within the network. Analyzing live ransomware gives a unique three-dimensional perspective, visually locating crucial signatures and behaviors efficiently. In lieu of reverse engineering or parsing the malware executable’s infrastructure, live analysis provides a simpler method to root out indicators. Ransomware touches just about every file and many of the registry keys. Analysis can be done, but it needs to be focused. The analysis of malware capabilities from different datasets, including process monitoring, flow data, registry key changes, and network traffic will yield indicators of compromise. These indicators will be collected using various open source tools such as Sysinternals suite, Fiddler, Wireshark, and Snort, to name a few. Malware indicators of compromise will be collected to produce defensive countermeasures against unwanted advanced adversary activity on a network. A virtual appliance platform with simulated production Windows 8 O/S will be created, infected and processed to collect indicators to be used to secure enterprise systems. Different tools will leverage datasets to gather indicators, view malware on multiple layers, contain compromised hosts and prevent future infections.

  • Dissect the Phish to Hunt Infections STI Graduate Student Research
    by Seth Polley - February 3, 2017 

    Internal defense is a perilous problem facing many organizations today. The sole reliance on external defenses is all too common, leaving the internal organization largely unprotected. The times when internal defense is actually considered, how many think beyond the fallible antivirus (AV) or immature data loss prevention (DLP) solutions? Considering the rise of phishing emails and other social engineering campaigns, there is a significantly increased risk that an organization’s current external and internal defenses will fail to prevent compromises. How would a cyber security team detect an attacker establishing a foothold within the center of the organization or undetectable malware being downloaded internally if a user were to fall for a phishing attempt?

  • Ransomware by Susan Bradley - October 3, 2016 

    On a daily basis, a file gets clicked. An email attachment gets opened. A website gets browsed. Seemingly normal actions in every office, on every personal computer, can suddenly become a ransomware incident if the file or attachment or banner ad was intended to infect a system, and all files that the user had access to, with ransomware. What was once a rare occurrence now impacts networks ranging from small businesses to large companies to governments.

  • PORTKnockOut: Data Exfiltration via Port Knocking over UDP by Matthew Lichtenberger - September 29, 2016 

    Data Exfiltration is arguably the most important target for a security researcher to identify. The seemingly endless breaches of major corporations are done via channels of various stealth, and an endless array of methods exist to communicate the data to remote endpoints while bypassing Intrusion Detection Systems, Intrusion Prevention Systems, firewalls, and proxies. This research examines a novel way to perform this data exfiltration, utilizing port knocking over User Datagram Protocol. It focuses specifically on the ease with which this can be done, the relatively low signal to noise ratio of the resultant traffic, and the plausible deniability of receiving the exfiltration data. Particular attention is spent on an implemented Proof of Concept, while the complete source code may be found in the Appendix.

  • Enterprise Survival Guide for Ransomware Attacks by Shafqat Mehmoon - May 3, 2016 

    Ransomware or cryptolocker is a type of malware that can be covertly installed on a computer without knowledge or intention of the user.

  • Detect, Contain and Control Cyberthreats Analyst Paper (requires membership in community)
    by Eric Cole, PhD - August 20, 2015 

    An Analyst Program whitepaper by Dr. Eric Cole. It discusses the value of prioritizing mitigation efforts based on known risks and high-value targets, and how doing so can reinforce network defenses.

  • Insider-Focused Investigation Made Easier Analyst Paper (requires membership in community)
    by Dave Shackleford - August 18, 2015 

    A review by SANS analyst and instructor Dave Shackleford of Raytheon|Websense SureView Insider Threat. It discusses the product's ability to assist security teams in their efforts to mitigate the threats posed by trusted insiders.

  • Beyond the Point of Sale: Six Steps to Stronger Retail Security Analyst Paper (requires membership in community)
    by Robert L. Scheier - July 28, 2015 

    A whitepaper by Robert Scheier. It addresses the complex nature of IT in the retail environment and outlines a six-step process for enhancing security of small shopkeepers as well as big-box chains.

  • Six Steps to Stronger Security for SMBs Analyst Paper (requires membership in community)
    by Eric Cole, PhD - June 23, 2015 

    An Analyst Program whitepaper by Dr. Eric Cole. It describes a six-step approach that small and medium-size businesses can use as a template for enhancing their overall security posture.

  • Detect, Investigate, Scrutinize and Contain with Rapid7 UserInsight Analyst Paper (requires membership in community)
    by Jerry Shenk - October 23, 2014 

    A review of Rapid7 UserInsight by SANS senior analyst Jerry Shenk. It discusses a tool that highlights user credential misuse while tracking endpoint system details that would be valuable to an incident response team.

  • Under Threat or Compromise - Every Detail Counts Analyst Paper (requires membership in community)
    by Jake Williams - August 20, 2014 

    This paper outlines five major components of a life-cycle approach to defense and how companies can adopt this model to maximize security in the current threat landscape.

  • Incident Response: How to Fight Back Analyst Paper (requires membership in community)
    by Alissa Torres - August 13, 2014 

    A spate of high-profile security breaches and attacks means that security practitioners find themselves thinking a lot about incident response. A new SANS incident response survey explores how practitioners are dealing with these numerous incidents and provides insight into incident response plans, attack histories, where organizations should focus their response efforts, and how to put all of the pieces together.

  • Using Influence Strategies to Improve Security Awareness Programs by Alyssa Robinson - October 25, 2013 

    Many of the problems faced by information security professionals could be solved, or at least ameliorated, if people acted differently.

  • Information Risks & Risk Management by John Wurzler - May 1, 2013 

    In a relatively short period of time, data in the business world has moved from paper files, carbon copies, and filing cabinets to electronic files stored on very powerful computers.

  • Robots.txt by Jim Lehman - May 31, 2012 

    Every minute of every day the web is searched, indexed and abused by web Robots; also known as Web Wanderers, Crawlers and Spiders.

  • A Process for Continuous Improvement Using Log Analysis by David Swift - October 26, 2011 

    A great deal of money has been spent by organizations on security technology, with only moderate success. Technology is often installed, but often left untuned and unmonitored. Though vendors have touted self-defending networks (Gleichauf, 2005), and claimed their products are impervious, reality teaches otherwise.

  • Rationally Opting for the Insecure Alternative: Negative Externalities and the Selection of Security Controls STI Graduate Student Research
    by Craig Wright - September 19, 2011 

    Absolute security does not exist, nor can it be achieved. The statement that a computer is either secure or not is logically falsifiable (Peisert & Bishop, 2007); all systems exhibit a level of insecurity.

  • Scoping Security Assessments - A Project Management Approach by Ahmed Abdel-Aziz - June 7, 2011 

    Security assessments can mean different things to different people. This paper will explore what a security assessment is, why it should be done, and how it is different than a security audit.

  • Managing Insiders in Utility Control Environments Analyst Paper (requires membership in community)
    by Matthew E. Luallen - March 17, 2011 

    This paper discusses techniques attackers use to exploit missing insider controls and offers a cohesive set of cyber, operational and physical controls to manage a range of user access types for better security and compliance in utility control environments.

  • Measuring Psychological Variables of Control In Information Security by Josh More - January 12, 2011 

    “Perceived Control” is a core construct used in the psychology field that can be considered an aspect of empowerment (Eklund, & Backstrom, 2006). Effectively, it is a measure of how much control people feel that they have, as opposed to the amount of “Actual Control” that they may have. It is often paired against constructs such as “Vicarious Control” and “Vicarious Perceived Control”, which measure the amount of control that outside entities have over the subject. Often, these are variables measured in the psychology/health field. For example, in the world of medicine, when patients report a lack of perceived control over controllable illnesses such as diabetes (Helgeson, & Franzen, 1997), breast cancer (Helgeson, 1992) and heart disease (Helgeson, 1992), they often do more poorly than patients who feel that they have a greater sense of control over their illness. There is also evidence that students with high perceived control do substantially better academically than those with low, though this seems to also link with emotions surrounding the tasks at hand (Ruthig, Perry, Hladkyj, Hall, & Pekrun, 2008). In short, people who are interested in and excited by what they are doing tend to perform better.

  • Which Disney© Princess are YOU? by Joshua Brower - March 18, 2010 

    Social engineering takes many forms; some obvious, some not so obvious. One not so obvious form is that of questionnaires—be it a knock on the door to answer a survey for a “census” worker, or a “harmless” quiz found on a social networking site. Depending upon their content, they can serve as a very powerful means of capturing and correlating information for nefarious purposes.

  • Prelude as a Hybrid IDS Framework by Curt Yasm - March 24, 2009 

    In this paper, I will discuss the Open Source Security Information Management (SIM) system known as Prelude.

  • The Importance of Security Awareness Training by Cindy Brodie - January 14, 2009 

    One of the greatest threats to information security could actually come from within your company or organization. Inside ‘attacks’ have been noted to be some of the most dangerous since these people are already quite familiar with the infrastructure. It is not always disgruntled workers and corporate spies who are a threat. Often, it is the non-malicious, uninformed employee (CTG, 2008).

  • Vendor-Supplied Backdoor Passwords - A Continuing Vulnerability by Astrid Todd - September 26, 2008 

    Vendor-supplied passwords embedded in software/hardware continue to be a security vulnerability. Securing your network against vendor-supplied backdoor passwords is an ongoing process of staying informed through security mailing lists and bulletins, increased scrutiny of software/hardware before purchase, intense review of vendor documentation, application of vendor-supplied patches, and proper handling of default passwords/accounts.

  • Making Security Awareness Efforts Work for You by Rebecca Fowler - May 20, 2008 

  • The Controlled Event Framework for Information Asset Security by Chris Cronin - February 20, 2008 

    This paper proposes a framework for implementing, operating and testing document security controls within an organization. While much security management is meant to prevent people from doing things they ought not do, a framework is meant to help people do what they ought to do. In the case of the Controlled Event Framework for Information Asset Security, people are directed with some specificity on how to handle documents so they do their work effectively and securely.

  • Data Leakage - Threats and Mitigation by Peter Gordon - October 24, 2007 

    This paper explores data leakage and how it can impact an organization. Because more forms of communication are being utilized within organizations, such as Instant Messaging, VOIP, etc., beyond traditional email, more avenues for data leakage have emerged.

  • Identity Theft by Ian Wolff - July 2, 2007 

    The research shows that with the help of technology, legislation and general consumer awareness identity thieves can be thwarted.

  • Social Engineering Your Employees to Information Security by Martin Manjak - December 19, 2006 

    Information security should be part and parcel of a set of internal controls that govern the processes, operations, and transactions that constitute the life of the organization.

  • Building a Security Policy Framework for a Large, Multi-national Company by Leslie VanCura - May 5, 2005 

    Information Security is not just technology. It is a process, a policy, and a culture. Our organization had spent millions of dollars on technology to keep the "bad guys" out, but we had spent little time building the foundations of our Information Security Program.

  • The Role of the Security Analyst in the Systems Development Life Cycle by Brad Gray - May 5, 2005 

    This paper will proceed in a very logical manner to describe how a sequential development life cycle increases in depth as security is applied. Each major portion of the paper will address a phase of the system development lifecycle.

  • A Discussion of Spyware by Patria Leath - January 28, 2005 

    The insidious nature of spyware combined with the lack of user awareness and spyware's potential for surveillance, data gathering and system hijacking pose a threat to home users and businesses. Commercial interests, the technology industry, consumers and legislators must combine efforts to address this threat.

  • Developing a Security-Awareness Culture - Improving Security Decision Making by Chris Garrett - January 18, 2005 

    CIOs, managers and staff are faced with ever increasing levels of complexity in managing the security of their organizations and in preventing attacks that are increasingly sophisticated. As individuals we are subjected to enormous amounts of information across broad ranges of subjects, for example, security policies, new technologies, new patches, new threats, new sources of information, the list is endless.

  • Examination of PC security: How we got where we are and how to fix it by Thomas Sprinkmeier - November 30, 2004 

    This essay explores the reasons for the poor state of PC security that currently exists. This essay focuses on the end users rather than the administrators. Threats and solutions are examined from an end-user's perspective.

  • Moving from Consciousness to Culture: Creating an Environment of Security Awareness by Mary Munley - July 25, 2004 

    Although the aftermath of September 11th has brought to the forefront the realization that security threats are real, most companies are still far from creating a culture of security awareness within their organizations.

  • Overview of Security Issues Facing Computer Users by Michael Boeckeler - June 9, 2004 

    Every security safeguard a computer user takes will reduce the number of people skilled enough to break into their computer. After all, there are a finite number of people who have the skill required to break into computer systems.

  • The Many Facets of an Information Security Program by Robert Behm - March 9, 2004 

    This document is a review of the various programs and processes that should be in place within any organization for the protection of their information assets. The many areas of any organization's security program play key roles in supporting the certification and accreditation (C&A) process of an organization's information assets.

  • Vendors and External Outsource Providers How Safe is Your Companys Confidential Data by Stan Gucwa - March 9, 2004 

    Let us assume your business is fairly accomplished in the Risk Assessment evolutionary ladder. Perhaps your company already assesses its network configurations regularly, all the applications in use have been reviewed for stringent security guidelines, maybe the IT team has even classified all your corporate information assets, and the vulnerability assessments are complete.

  • System Vulnerability Mitigation by Kevin Vasquez - March 4, 2004 

    This essay addresses various facets of IT security and offers insight into the different areas that should be considered when attempting to adequately protect a system.

  • Attacks Against The Mechanical Pin Tumbler Lock by Craig Kawaga - March 3, 2004 

    This paper examines an overview of the common pin tumbler lock and the five methods to exploit them. Pin tumbler locks are found in a vast majority of residential, commercial, government and educational institutions.

  • The Relevance of Quantum Cryptography in Modern Cryptographic Systems by Christoph Guenther - March 3, 2004 

    This paper explains the basic principles of quantum cryptography and how these principles apply to quantum key distribution. One specific quantum key distribution protocol called is described in detail and compared to traditional (nonquantum) cryptographic systems.

  • Securing Wireless Networks for HIPAA Compliance by Daniel Odorisio - March 3, 2004 

    The intent of this paper is to discuss wireless networks and why they are useful to organizations, namely healthcare organizations. Once we have established the foundation for why we need wireless, we will cover the vulnerabilities and problems with wireless networks.

  • Distributed Computing: An Unstoppable Brute Force by Michael Hill - March 2, 2004 

    Distributed computing allows groups to accomplish work that was not feasible before with supercomputers, due to cost or time constraints. Although the primary function of distributed computing systems is to produce needed processing power to complete complex computations, distributed computing also reaches outside of the processing arena to other areas such as network usage.

  • Security Concerns in Using Open Source Software for Enterprise Requirements by Sreenivasa Vadalasetty - January 11, 2004 

    This paper highlights the security concerns of the end users in considering open source software for their enterprise requirements.

  • Essential Information Security For Corporate Employees by Lloyd Guyot - August 22, 2003 

    This paper was written to raise security awareness and provide corporate employees with essential security information that emphasizes critical issues surrounding an implementation of security "best practices" throughout an organization.

  • Developing an Integrated Security Training, Awareness, and Education Program by Courtney Gilbert - August 8, 2003 

    This essay describes how to successfully implement a comprehensive Security Training, Awareness, and Education program within a federal arena and further illustrates these processes are applicable and utilized in commercial organizations as well by using the Instructional System Design (ISD) process or model.

  • Creating the effective Security Awareness Program and Demonstration by Fred Hinchcliffe - June 3, 2003 

    Statistics gathered at the writing of this document indicate there are in excess of 160,000,000 computers that have access to the internet in some way.

  • Community Policing on the Internet by Tim Brown - March 4, 2003 

    This paper applies the principles of community policing and crime prevention to the Internet and details establishing relationships between law enforcement and potential victims, their individual roles and responsibilities, and some of the problems the relationship may alleviate such as fears a victim may have concerning the reporting of cybercrime.

  • The Need for Information Security in Today's Economy by Jeff Tarte - February 8, 2003 

    The role of Information Security is essential for the protection of consumers, businesses, governments, and the U.S. and World economy from the threats caused by the natural advancement of Information Technology and society as we know it.

  • Ghosts in the machine: The who, why, and how of attacks on information security by Cary Barker - January 27, 2003 

    To provide the best security, one needs to know the enemy: who they are, why they are attacking, and how they attack.

  • Security Awareness - Implementing an Effective Strategy by Chelsa Russell - October 25, 2002 

    This paper examines the importance of security awareness, how it supports the fundamental goals of an information security program and provides a recommendation for implementing an effective security awareness strategy.

  • Methods and Techniques of Implementing a Security Awareness Program by William Hubbard - April 8, 2002 

    This paper will illustrate why security awareness is so important and what it is supposed to accomplish.

  • Consumer Labeling for Software Security by Tom Melton - January 27, 2002 

    There are steps we can take to improve computer security. For corporate computers, the answer is twofold: make security a priority for the organization and get security expertise either by hiring or training.

  • Data Center Physical Security Checklist by Sean Heare - December 1, 2001 

    This paper presents an informal checklist compiled to ascertain weaknesses in the physical security of the data centers that their organization utilizes.

  • Security Awareness: Help the Users Understand by Kenton Smith - October 17, 2001 

    The purpose of this paper is to give you a guideline that you can use to put on a basic security awareness workshop.

  • Modeling the Silicon Curtain by John Saunders - October 6, 2001 

    This paper presents the available range of modeling and simulation capabilities in Information Assurance and establishes some principles for extending these capabilities into the community.

  • Security Awareness Starts in IT by William Farrar - September 10, 2001 

    This practical defines the current state of business operations, security design function, introduction policy development, security awareness, and communicates our newfound knowledge to the IT security design team.

  • Introduction and Education of Information Security Policies to Employees in My Organization by Harbinder Kaur - August 29, 2001 

    This paper discusses a regional Information Security Office in Asia Pacific, set up to introduce the Information Security Policies to all Asia Pacific staff and educate them on these policies.

  • License to Surf? by Eddy Vanlerberghe - August 21, 2001 

    This paper discusses the similarity between car and computer evolutions, used to highlight security shortcomings in today's personal computer usage, as well as hint at possible remedies.

  • Secure This: Organizational Buy-in (A communications approach) by Wendy Ady - August 14, 2001 

    This paper will discuss the importance and recommend methods for soliciting and securing the organization's executive buy-in using a communications theory perspective.

  • Security Awareness Training Quiz - Finding the WEAKEST link! by David Sustaita - August 13, 2001 

    This paper discusses the need to employ not only a company-wide security overview but also put in place a testing mechanism to make sure their employees understand the basics of computer security.

  • The Ultimate Defense of Depth: Security Awareness in Your Company by Brian Voss - August 11, 2001 

    By including the human factor in your security infrastructure via an effective Security Awareness Program, you will be implementing the ultimate defense of depth.

  • Security Awareness Training and Privacy by Michelle Johnston - July 28, 2001 

    An organization's security policy sets the standard for the way in which critical business information and systems will be protected from both internal and external threats.

  • Selling Security To Management by Jeff Hall - July 25, 2001 

    This document will help you understand how to create presentations that will engage management and will discuss the common presentation pitfalls that befall technology people.

  • awareness, quality assurance, security, techniques, implement, sans, white paper by Elizabeth Stanton - July 21, 2001 

    This paper discusses how quality is the responsibility of the whole organization and security is a part of the totality of quality of a system, implicit in customers' expectations.

  • Awareness, A Never Ending Struggle by Douglas Alred - July 18, 2001 

    This paper provides examples of the importance of computer security awareness training and discusses some key points to any successful awareness program.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.