Security Basics
Featuring 90 Papers as of June 20, 2019
-
Why Your Vulnerability Management Strategy Is Not Working - and What to Do About It Analyst Paper (requires membership in SANS.org community)
by Jake Williams - April 23, 2019
- Associated Webcasts: Why Your Vulnerability Management Strategy Is Not Working – and What to Do About It
- Sponsored By: Lookingglass Cyber Solutions, Inc.
This paper looks at why vulnerability management solutions have not met expectations and how IT and security teams can better implement those solutions to maximize value. It also addresses how to deal with the resourcing constraints that all vulnerability management programs encounter.
-
Shell Scripting for Reconnaissance and Incident Response by Mark Gray - January 25, 2019
It has been said that scripting is a process with three distinct phases that include: identification of a problem and solution, implementation, and maintenance. By applying an analytical mindset, anyone can create reusable scripts that are easily maintainable for the purpose of automating redundant and tedious tasks of a daily workflow. This paper serves as an introduction to the common structure and the various uses of shell scripts and methods for observing script execution, how shells operate, and how commands are found and executed. Additionally, this paper also covers how to apply functions, and control structure and variables to increase readability and maintainability of scripts. Best practices for system and network reconnaissance, as well as incident response, are provided; the examples of employment demonstrate the utilization of shell scripting as an alternative to applying similar functionality in more intricate programming languages.
-
A Black-Box Approach to Embedded Systems Vulnerability Assessment by Michael Horkan - December 5, 2016
Vulnerability assessment of embedded systems is becoming more important due to security needs of the ICS/SCADA environment as well as the emergence of the Internet of Things (IoT). Often, these assessments are left to test engineers without intimate knowledge of the device's design, no access to firmware source or tools to debug the device while testing. This gold paper will describe a test lab black-box approach to evaluating an embedded device's security profile and possible vulnerabilities. Open-source tools such as Burp Suite and python scripts based on the Sulley Fuzzing Framework will be employed and described. The health status of the device under test will be monitored remotely over a network connection. I include a discussion of an IoT test platform, implemented for Raspberry Pi, and how to approach the evaluation of IoT using this device as an example.
-
Extending your Business Network through a Virtual Private Network (VPN) SANS.edu Graduate Student Research
by Kaleb Fornero - May 17, 2016
It’s safe to assume that most individuals reading this paper have leveraged a Virtual Private Network (VPN) at some point in their life, many on a daily basis.
-
Is It Patched Or Is It Not? by Jason Simsay - April 23, 2015
Patch management tools may produce conflicting results.
-
Denial of Service Deterrence by Ryan Sepe - April 1, 2015
Denial of service attacks have been around since 1989 and may have been incorporated even before that time.
-
Password Security-- Thirty-Five Years Later SANS.edu Graduate Student Research
by George Khalil - November 12, 2014
Computer historians trace the first use of a computer password back to Massachusetts Institute of Technology in the 1960s (McMillan, 2012). MIT's time-sharing computer, called Compatible Time-Sharing System (CTSS), was designed to accommodate multiple users on many terminals.
-
Implementing a PC Hardware Configuration (BIOS) Baseline SANS.edu Graduate Student Research
by David Fletcher - October 15, 2013
This paper provides a road map for implementation of the recommended phases identified in NIST SP 800-147, BIOS Protection Guidelines.
-
Talking Out Both Sides of Your Mouth: Streamlining Communication via Metaphor by Josh More - October 4, 2013
Though we often agree as to what individual words mean, it is often true that complex ideas cannot be adequately described in a reasonable amount of time.
-
Web Application Injection Vulnerabilities: A Web App's Security Nemesis? by Erik Couture - June 14, 2013
An ever-increasing number of high profile data breaches have plagued organizations over the past decade.
-
Surfing the Web Anonymously - The Good and Evil of the Anonymizer by Peter Chow - October 8, 2012
Companies of all sizes spend large amounts of time, resources, and money to ensure that their network resources and Internet connections are not being misused.
-
Recovering Security in Program Management by Howard Thomas - October 3, 2012
Few Information Security (InfoSec) professionals get the opportunity to build a program from the ground up. Whether brought in to maintain, enhance, or fix an existing environment, most inherit a security situation not of their own making.
-
Using SNORT® for intrusion detection in MODBUS TCP/IP communications by Javier Jimenez Diaz - December 19, 2011
Not long ago, analog and purpose-built communications systems used to be prevalent technologies on industrial plants. It wasn’t common to find either interoperability or compatibility among them. In the 70s communication Networking began to be used in Direct Digital Control (Berge Jonas, 2004).
-
Scoping Security Assessments - A Project Management Approach by Ahmed Abdel-Aziz - June 7, 2011
Security assessments can mean different things to different people. This paper will explore what a security assessment is, why it should be done, and how it is different than a security audit.
-
Measuring effectiveness in Information Security Controls SANS.edu Graduate Student Research
by Manuel Humberto Santander Peláez - July 6, 2010
The risks in the business environment of companies and international regulations have made companies incorporate as business process the aspect of information security. Like all processes, it needs to get assigned resources and budget to ensure proper implementation. Because the objective of the security process is to minimize exposure to risk it is important to determine the effectiveness of the implemented controls. How do you measure if the security controls in place are effective? How do you justify the budget to augment or improve existing controls? It is important to show the organization that the requested funds will be invested in preventing the issues that can materialize an information risk against any of the core business processes. This paper illustrates how to define indicators to measure the exposure to information risks in the company processes.
-
Preparing to face new vulnerabilities by Jacelyn Faucher - June 25, 2008
This document illustrates the benefit of being prepared to deal with new vulnerabilities. We don't really know when that's going to happen, but it will. Let's look at a typical scenario: Monday morning, panic is in the air. The boss heard the existence of a big new vulnerability on the radio on his way to work.
-
Firefox VS Windows Internet Explorer SANS.edu Graduate Student Research
by Robert Comella - January 29, 2008
In my years as an IT professional I cannot tell you the number of times I have had a client ask, “When you go online, do you use Internet Explorer? Are there any other choices? Are they better?” In the world of computers, indeed in most professions, it is rare that you can give a straight short answer to any question. Eagerly I answer the first two questions with “No” and “ABSOLUTELY!” Unfortunately the last is a little harder to answer and its best short answer is, “it depends.” That, of course, begs the question, “On what does it depend?” and that is what this paper examines.
-
Computer Security Education – The Tool for Today by Ian Burke - October 25, 2007
Security education, for a long time, has been seen as a thing reserved for security professionals. The Computer Security Act of 1987 put forward for the National Institute of Standards and Technology to create standards and guides for security awareness and training. This act was the first of a string of legislation that would place mandates around security education for non-security professionals. This trend illustrated newfound awareness in the community and in the world around computer security.
-
GCFW Practical Assignment Critique by Bart Hubbs - March 9, 2005
The purpose of this practical is to critique a GIAC Certified Firewall Analyst (GCFW) practical to enable implementation in a public healthcare company.
-
Network Security- A Guide for Small and Mid-sized Businesses by Jim Hietala - January 26, 2005
The objective of this paper is to educate both IT staff and senior management for small-medium sized businesses (SMB's) as to the network security threats that exist. The paper presents a digest of industry best practices for network security, which will hopefully assist SMB's in setting priorities for securing the perimeter of a typical SMB network.
-
Transmission Media Security by Charles Esparza - January 18, 2005
When studying for any security certification the topic of transmission media is always present, it is one of the many sources of attacks that can be made by exploiting the media that the transmissions are made over. In this paper I will discuss the various types of media commonly used to connect computers into networks and analyze the many vulnerabilities of the different media types.
-
Introduction to Host Based Cyber Defense by Roy Nielsen - January 17, 2005
There is a lot of attention given in the computer security community to network security. Viruses, trojans, spyware and other malware come from the computer network. IT departments often concentrate on network firewalls, IDS and IPS systems to protect their network.
-
The State of Patching Windows by Rafael Cappas - July 25, 2004
Patching is something that everyone tells you to do but find people really don't understand it. There was a time, not long ago, when security vulnerabilities became known and finding patches for them were difficult. One had to scour Usenet looking for further information and dig through FTP servers for fixes.
-
Information Security For Churches and Small Non-Profit Organizations by Jay Petel - April 8, 2004
In today's ever changing, better, faster, cheaper world, connectivity to the Internet for churches and other small non-profit organizations is necessary. But, connectivity brings along with it a risk of vulnerability from the same threats that business and educational organizations face.
-
The Use and Administration of Shared Accounts by David Johnson - December 13, 2003
This paper will discuss the use and security of shared accounts, and some of the associated risks of those uses.
-
Outline for a Successful Security Program by Jeff Norem - September 26, 2003
This paper is meant to give the reader an outline and high level view of security topics to examine when creating a network security program.
-
How To Secure Your Small To Medium Size Microsoft Based Network: A Generic Case Study by Jerry Goodman - September 4, 2003
This paper explains the basic process of securing a small to medium sized network utilizing some commonly used products and techniques, within a case study format.
-
Change Control Process for Firewalls by Paul Maschak - August 8, 2003
This paper covers the fundamentals of Change Control and Procedures as it applies to the management of Firewalls.
-
The Bugs are Biting by Rishona Phillips - August 8, 2003
This paper will give a general overview of the problems and challenges of software mistakes and how they affect security.
-
Security - What is Enough? by Victoria England - June 3, 2003
This paper will look at the various layers of security businesses have on offer to them today, which will aid the security policy and look at why they should deploy them.
-
Introducing Security to the Small Business Enterprise by Jeff Herbert - June 2, 2003
This discussion paper outlines the issues and constraints that a SBE faces, the common misconceptions managers have regarding Internet security, and how to introduce security to the Small Business Enterprise.
-
Software Piracy- A challenge to E-world by Sundeep Bhasin - May 8, 2003
This paper provides insight to the levels of the society to which the menace of piracy has rooted itself, the cost and the impact of "illegal" software to the companies.
-
Facilitating the Qualitative Security Assessment: Overview of the Process of Defining and Delivering by Mike Kleckner - April 3, 2003
It is the intent of this paper to provide an overview of how to involve the appropriate decision makers and the solution providers in the delivery of cost-effective security controls for application systems.
-
Argentina: Preparing for a Security Violation by Raymond Hoffman - September 11, 2002
Regardless of whether a company is Argentine or an international organization with an Argentine presence, this paper addresses the fundamental need to understand the legal situation in Argentina, preparing the once-unprotected network, and knowing how to respond to a security violation.
-
Implementing Defense in Depth at the University Level by Michael Runnels - May 14, 2002
This paper discusses how defense in depth was implemented at a university in the Southwest.
-
The Need for a REAL Defensive Information Operations Capability by Mark Ruchie - April 22, 2002
This paper examines the need to significantly overhaul the current concept of protection of information in American business, incorporating the military model, referred as Defensive Information Operations (DIO).
-
Protection of Information Assets by Odd Nilsen - March 17, 2002
This paper focuses on the protection of information assets, addressing both physical and logical access exposures and controls.
-
Obtaining Better Results from Distributed Environment Security Programs by Rhonda Manter - March 2, 2002
This paper examines common barriers to achieving desired results from information security programs in mid-to-large-sized corporations.
-
Security Lifecycle - Managing the Threat by Mark King - February 19, 2002
This paper addresses the security elements that make up a lifecycle, categorized into three areas, Prevention, Detection and Response and how they apply to the overall security posture of the organization.
-
The Cyber Security Management System: A Conceptual Mapping by John Dexter - January 28, 2002
This paper looks at the cyber security management process as a complex system of interrelated elements and demonstrates the use of concept mapping techniques to expand our knowledge of the system as a whole, and of policy and technology in particular.
-
The Password Web Page by Curt Kuper - January 12, 2002
It is important to pick good passwords and change them often. This paper addresses the benefits and merits of the password web page.
-
Information Technology Department Network Security Briefing by Thad Nobuhara - December 27, 2001
This paper discusses the role in protecting the corporate network, and the devices connected to the Internet, including employee personal computing devices.
-
Security Considerations for Extranets by Karen Korow-Diks - December 18, 2001
This paper identifies potential risks associated with extranets and the actions that can be taken to mitigate against them.
-
Security Architecture Model Component Overview by Scott Angelo - November 27, 2001
A successful security architecture combines a heterogeneous combination of policies and leading practices, technology, and a sound education and awareness program.
-
Defense In Depth by Todd McGuiness - November 11, 2001
This paper will look at three common scenarios, and likely methods for network attacks, and offer countermeasures to protect against these types of attacks.
-
Making the HelpDesk a Security Asset by Douglas Ridgeway - October 22, 2001
This paper addresses potential security risks with helpdesks, including social engineering, and various methods to reduce the risk of security incidents against the helpdesk.
-
Keeping the Private Intranet Private by Michael Wilson - October 8, 2001
This paper addresses security problems faced by intranet network administrators, how to control those access points and minimize the risk involved.
-
Enhanced Security During Organizational Transitions by Denis Lynch - October 6, 2001
The purpose of this paper is to provoke discussion concerning the requirements for increased security during a period of transition, the threats faced by an organization as it goes through a period of change, as well as appropriate controls that could be implemented to mitigate the risks.
-
Kiosks: The Interactive Media Solution, or is it? by Lisa Evans - October 1, 2001
This paper addresses the topic of kiosks utilizing computers require information systems support and security to protect both the business and the customer.
-
Managing Desktop Security by Amran Munir - September 23, 2001
This document describes the defense mechanism for security of desktops (including notebooks or laptops) in a network computing environment from the approach of security requirements among users, process of implementing and enforcing security policies and technology within an organization.
-
Keep Current With Little Time by Robert Taylor - September 19, 2001
This paper discusses various ways for security professionals to keep secure networks current with less time.
-
We're Lost, But We're Making Good Time! by Benjamin Grubin - September 18, 2001
Vulnerability scanning and intrusion detection technologies have made a huge on improving the information security profession, with metrics by which to judge the organizations security posture - which fosters a questionable level of safety and false sense of security.
-
Cyberspace Guardians: A Brief Guide to the Recruitment and Training of Security Personnel by Amina Claassen - September 18, 2001
This paper is an overview of the recruitment and training of entry- and intermediate-level information technology (IT) security staff members (referenced here as "security analysts.")
-
An Instant War, Just Add Chat: The Growth of Instant Messaging Technology by Jack Schiller - September 13, 2001
The purpose of this paper is to provide the reader with a rich synthesis of observations and ideas, encourage the reader to evaluate their current technological environment, and spur one to explore what additional work may need to be done in this security issue.
-
Basic Self-assessment: Go Hack Yourself by Barry Dowell - September 11, 2001
System administrators must not only be aware of the potential vulnerabilities inherent in their operating system and applications software, and know how to protect the network from these dangers, they must also put themselves in the mind of the attacker to assess network defenses before a successful attack is carried out.
-
Securing a Wide-Open Computer Network by Mark Andrich - September 10, 2001
This paper describes how to Secure a Wide-Open Computer Network.
-
Managing Secure Data Delivery: A Data Roundhouse Model by Jim Farmer - September 5, 2001
The analogy of a traditional roundhouse, where railroad engineers manage and redirect the delivery of millions of tons of payload, reinforces the most important goal in the data delivery process: manage data securely from the start and secure it throughout its delivery all the way to its destination.
-
Security from Scratch ... How to Achieve It by Alan Davies - September 4, 2001
Since there is no one technology or process that can be implemented in the name of total security, the aim is to develop a defense in depth strategy, as discussed in this paper.
-
Network Security Is Like Eating Crab's Legs - Is the Taste Worth the Effort? by Charles Romanus - September 1, 2001
This paper discusses the balance between network security, network functionality and ease of operation.
-
OK, So I Need Security. Where Do I Start? by Lyde Andrews - August 28, 2001
This paper is not designed to be an end-all solution to your problems, but it can be used to begin identifying and fixing some of the glaring (i.e., most easily compromised) security holes on your network and then what to do after that.
-
A Paper on the Promotion of Application Security Awareness by Man Yi - August 28, 2001
Application security is not a new science and the same principles that apply to network security also apply to application security.
-
Implementing an Information Security Program by Kevin Nichols - August 22, 2001
This paper provides the fundamentals of implementing an Information Security Program.
-
Organizational IT Security Theory and Practice: And Never the Twain Shall Meet? by John Jenkins - August 21, 2001
This paper presents an overview of common information technology security practices, demonstrates how and why they can frequently be ineffective, and finishes with suggestions on how we might better equip ourselves to prevent, and recover from unnecessary disruptions in the future.
-
Implementing a Successful Security Assessment Process by Bradley Hart - August 21, 2001
This paper describes implementing a successful security assessment process.
-
Securing Network Infrastructure and Switched Networks by Richard Wagner - August 21, 2001
This paper describes how to secure a network infrastructure and switched networks.
-
Manage your Security Initiative as a Project by Rex Robitschek - August 19, 2001
This paper has been geared toward project managers who already know the methodology, and is intended to give them tools that are pertinent for obtaining executive buy-in.
-
Information Security Primer by Craig Lindner - August 18, 2001
This document discusses fundamental security concepts and architectures applicable to TCP/IP networks.
-
Information Security 101: Security for Newbies by Frederick Kim - August 18, 2001
This paper provides a guide and a starting point to get a sense of what information security is all about.
-
Why Small Businesses Need to Secure Their Computers (and How to Do it!) by Bruce Diamond - August 16, 2001
This paper discusses why small businesses need to secure their computers and provides information on how to do it!
-
The Computer Security Threat to Small and Medium Sized Businesses - A Manager's Primer by Michael Regan - August 16, 2001
This paper seeks to provide non-technical, easily understood, information for the business executive seeking to capitalize on the benefits provided by Internet access while at the same time protecting his internal network from viruses and hackers.
-
The Weakest Link...This Is Not a Game! by Jack Daniels - August 9, 2001
More employees are using their home computers to do office work and security policy as well as education should address this situation by requiring Personal Firewalls and Anti-Virus software.
-
Jekyll & Hyde in the Boardroom by David Nixon - August 8, 2001
Business success or failure can hinge on the business implementation of the Chief Technology Officer and the Chief Security Officer, two key IT management positions, discussed in this paper.
-
Ten Days to Network Security by Paul Zocco - August 6, 2001
This paper will present ten days of effective tasks, with a quick task and long term task each day.
-
Spyware & Network Security by Lester Cheveallier - August 5, 2001
When dealing with network security, a security professional's first concerns are who is trying to access the network and whether or not to allow access.
-
A "Bag of Tricks" Approach to Proactive Security by Mitch Saba - July 27, 2001
The goal of this paper is to explore the tools, practices and procedures available to System Administrators prior to a security incident that will serve to negate the incident or significantly improve our recovery and forensic positions.
-
Digital Rights Management Overview by Austin Russ - July 26, 2001
This paper presents an overview of DRM issues addressed, standards, technology and service providers, challenges, and guidance for determining if DRM may be applicable to your organization.
-
Oh Answer, Where Are Thou? or Gee, There's a Lot to Know by Jim Sherrill - July 26, 2001
This paper reviews the complex environment of information security and looks at several elements of security practices.
-
Extranets: The Weakest Link & Security by Slawomir Marcinkowski - July 25, 2001
This paper focuses on the management processes needed to secure an extranet.
-
Users Wary of Microsoft's .NET by Jeffrey Hudack - July 25, 2001
This paper is written for non-technical computer users who need to know the security risks of the Internet and how to protect their important digital information.
-
IT Infrastructure Security-Step by Step by Karnail Singh - July 23, 2001
This paper documents the process and methodology for implementing computer security within corporate networks and describes the various aspects of security through a layered model.
-
A User's Guide to Security Threats on the Desktop by Richard Hagen - July 22, 2001
This paper is written for non-technical computer users who need to know the security risks of the Internet and how to protect their important digital information.
-
Toward Global Security by Paul Tremer - July 20, 2001
By implementing and enforcing strong, multi-layered security policies and processes, constructive progress can and will defeat global threats and malicious activities today and throughout time.
-
AS/400 & iSeries: A Comprehensive Guide to Setting System Values to Common Best Practice Securit by Matthew Smith - July 16, 2001
The purpose of this document is to assist anyone configuring or auditing iSeries (formerly known as AS/400) system values.
-
Espionage and the Insider by Steve Kipp - July 16, 2001
In every instance of espionage, the person involved had access to information. Understanding this, and the fact we have the ability to control access to computer file systems, is critical to protecting information.
-
I Think Our Internet Connection is Down by Raymond Hillen - July 15, 2001
The following is a "case analysis" of a real incident that was uncovered while trying to assist a small company with a supposed "down" Internet connection.
-
Security for Small and New IT Departments: Get Your Big Rocks In First by Greg Rolling - July 13, 2001
This paper will attempt to assist the small/single-person IS department in setting up and maintaining a secure environment while filling the many roles necessary to the company.
-
Plugging the holes! Your data is leaking OUT! by Robert Downey - July 10, 2001
Data is essential to the development and success of a company and this paper discusses some of the obvious areas where data can leave the company.
-
Vulnerability Assessment by Susan Cima - July 6, 2001
The intention of this paper is to provide an overview of the vulnerability assessment process from discovery to baseline standardization, why it's necessary and offer some assistance to those who want to perform a vulnerability assessment but do not know where to start.
-
Implementing/Re-Implementing Change Control Policies by Derek Milroy - July 3, 2001
Implementing change control policies should be done with the same basic methodology as a technology implementation, broken down into four steps/phases: Analysis, Design, Implementation, and Follow-up.
-
Hardening Bastion Hosts by Todd Jenkins - July 3, 2001
This paper discusses some of the benefits to using hardened bastion hosts.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.
All papers are copyrighted. No re-posting or distribution of papers is permitted.
SANS.edu Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.