
Reading Room



Featuring 30 Papers as of April 6, 2018

  • Securing the Corporate WLAN in a Healthcare Regulated Organization (Graduate Student Research) by Jim Pomeroy - April 6, 2018

    Wireless networks are a crucial component in the technology infrastructures of modern medical practices and have become an enabler of patient services in the healthcare industry. Healthcare organizations deploy wireless diagnostic devices to provide critical information at the point of care. These devices provide data to medical decision-makers in real time to improve patient outcomes. One of the challenges of integrating these new devices and services into the wireless networks of medical practices is wireless network security. Wireless networks have inherent risks, ranging from data leakage to availability issues in the event of a DoS (Denial of Service) attack or outage. It is critical to secure a patient’s personal information termed electronic protected healthcare information (ePHI) at all times. Protecting ePHI is a primary goal in designing wireless networks for a healthcare-focused organization. Wireless implementations must be designed to protect patient health information from breach or theft, while at the same time providing needed services to patients and clients. The primary goal of this research project was to provide a healthcare-focused consulting organization with a secure and compliant wireless network. The network is to enable employee collaboration, facilitate client engagement, and accomplish the primary security goal of protecting the company’s ePHI.

  • PCI DSS and Security Breaches: Preparing for a Security Breach that Affects Cardholder Data (Graduate Student Research) by Christian J. Moldes - March 16, 2018

    Organizations that transmit, process or store cardholder data are contractually obligated to comply with the Payment Card Industry Data Security Standard (PCI DSS). They may be tempted to assume that once they are certified compliant, they are immune to security breaches, and as a result, may be inadequately prepared when such events occur. Regardless of their compliance status, organizations that fail to prepare could face long investigations, expensive forensic services, staff terminations, and loss of business and reputation. This paper provides detailed guidelines on how to prepare for a security breach, the documentation needed to facilitate forensic investigations and containment, and how to minimize the consequences and impact of a security breach.

  • Complying with Data Protection Law in a Changing World (Analyst Paper, requires membership in community) by Benjamin Wright - June 27, 2017

    Failure to meet legal and political expectations for data security can expose your enterprise to fines, lawsuits, negative publicity and regulatory investigations. These expectations are rapidly evolving across the world, making it difficult for enterprises to effectively protect their brands. This white paper reveals the major steps a large, multinational enterprise can take to assure the public, authorities and business partners that it is behaving responsibly and is on a commendable path of compliance.

  • Critical Security Controls: Software Designed Inventory, Configuration, and Governance (Graduate Student Research) by Lenny Rollison - May 24, 2016

    The events of September 11, 2001, show us how isolated communication and the inability to share intelligence could paralyze decision making (Johnston, 2003).

  • Compliant but not Secure: Why PCI-Certified Companies Are Being Breached (Graduate Student Research) by Christian Moldes - December 9, 2015

    The Payment Card Industry Security Standards Council (PCI SSC) published the Data Security Standard (DSS) 11 years ago to provide a minimum set of required security controls to protect cardholder data (Search Security, 2013).

  • NERC CIP Patch Management and Cisco IOS Trains by Aaron Prazan - September 14, 2015 

    NERC CIP Version 5 is challenging many organizations with mandatory patch management requirements. The requirements are intended to be general for any managed system with a defined source for patches or security updates. However, the picture gets muddier for Cisco network devices, because the vendor issues frequent new versions of the operating system along multiple user trains, not patches to any static version. In addition, the proprietary SCADA systems to which NERC requirements apply do not lend themselves to frequent patching. This paper will describe the requirements for patching under NERC’s requirements and propose a set of processes an entity using such devices in a tightly controlled SCADA control system might use to satisfy the requirements.

  • eAUDIT: Designing a generic tool to review entitlements (Graduate Student Research) by Francois Begin - June 22, 2015

    In a perfect world, identity and access management would be handled in a fully automated way.

  • Is It Patched Or Is It Not? by Jason Simsay - April 23, 2015 

    Patch management tools may produce conflicting results.

  • What Every Tech Startup Should Know About Security, Privacy, and Compliance by Kenneth Hartman - February 25, 2015 

    Not everyone has what it takes to launch a successful tech startup. A compelling vision must propel the founder, fueled by unstoppable passion.

  • Monitoring Baselines with Nagios by Steven Cardinal - February 12, 2015 

    It is 4:00 on a Friday afternoon and you, a system administrator for a large, multinational entertainment company, are putting your things away to head out for a long holiday weekend.

  • The Maturation of Controls Self-Assessments by Timothy Salka - July 31, 2014

    This topic is appropriate for the Global Security Leadership Certification because it provides IT leaders with practical information and historical references.

  • Securing Static Vulnerable Devices (Graduate Student Research) by Chris Farrell - September 17, 2013

    Static vulnerable devices (SVD) can be the bane of any security team regardless of the business size, budget or expertise.

  • Electronic Medical Records: Success Requires an Information Security Culture by Thomas Roberts - June 5, 2013 

    The increased use of electronic medical records (EMRs) is certainly impacting the world of healthcare.

  • Project Management Approach to Yearly PCI Compliance Assessment by Michael Hoehl - February 19, 2013 

    Payment Card Industry Data Security Standard (PCI DSS) has been developed by a collaboration of the credit card companies including VISA, American Express, Mastercard, and JCB.

  • In-house Penetration Testing for PCI DSS by Jeremy Koster - May 11, 2012 

    The Payment Card Industry Data Security Standard, introduced in 1999, is a rigorous set of prescriptive requirements aimed at securing systems that handle credit card numbers.

  • Cloud Computing - Maze in the Haze by Godha Iyengar - October 18, 2011 

    In recent days, “Cloud Computing” has become a great topic of debate in the IT field. Clouds, like solar panels, appear intriguingly simple at first but the details turn out to be more complex than simple pictures and schematics suggest.

  • Wireless Networks and the Windows Registry - Just where has your computer been? (Graduate Student Research) by Jonathan Risto - May 6, 2011

    The Windows Registry stores all of the information that is needed by the host operating system. This database contains all of the configurations, settings and options that are created initially by the operating system, as well as user-configured settings and installed software.

  • Compliance and Security Challenges with Remote Administration (Analyst Paper, requires membership in community) by Dave Shackleford - January 3, 2011

    This paper focuses on remote administration of systems with regulated data falling under the Payment Card Industry Data Security Standard (PCI DSS).

  • A Compliance Primer for IT Professionals by David Swift - November 29, 2010 

    Fed up and frustrated with ambiguous standards, multiple frameworks, and scattered "best practices", I set out to at least glean the basics of compliance. What regulations apply to whom? What do the auditors want to see? And how, as an IT security professional, can I help reduce my pain, and my company's expenses, in successfully completing and passing an audit? I felt it appropriate, and perhaps even beneficial, to share that research and hopefully save others time by putting it down in this paper.

  • PCI 2.0: What's New? What Matters? What's Left? (Analyst Paper, requires membership in community) by Dave Hoelzer - November 12, 2010

    This paper discusses what’s new and what still needs more attention in the PCI DSS 2.0 standard, including gaps in storage encryption, wireless networking, and physical security that carry over from version 1.2.

  • Applying Information Security and Privacy Principles to Governance, Risk Management & Compliance by Scott Giordano - October 25, 2010 

    If there is a demarcation line for the start of the modern discipline of corporate governance, risk management and compliance (GRC) in the U.S., then perhaps the best candidate for that line is the handing down of the court’s opinion in In Re Caremark International Inc. Derivative Litigation in 1996. Caremark stands for the principle that individual directors of a corporation’s board may be held liable for failure to properly supervise the activities of that corporation. While the requirement for the creation of a corporate ethics program was promulgated in 1991 with the passage of the Federal Sentencing Guidelines for Organizations (FSGO), Caremark seems to have made a substantial impact on the resources dedicated to proper corporate governance. Completing this genesis period of corporate governance jurisprudence and guidelines was the legislative response to the Enron scandal and similar scandals at WorldCom and Adelphia, the enactment of Sarbanes-Oxley (“SOX”) in 2002. Finally, extra-territorial governance regulation has become commonplace. The Foreign Corrupt Practices Act of 1977 (FCPA), a statute designed to combat bribery of foreign officials by U.S. companies, has seen unprecedented use in the past 6 years (Searcey, 2009). This combination of jurisprudence, guidelines, new legislation, and revitalization of statutes subsequently precipitated a substantial volume of analysis by commentators. The result: a traditional discipline of law infused with new life, which has evolved ever since.

  • Contracting for PCI DSS Compliance (Graduate Student Research) by Christian Moldes - July 15, 2010

    Companies should carefully review and amend their agreements with third-party service providers that handle or have access to cardholder data. Having the proper legal language in place is one of the key factors in reducing liability when dealing with third parties and limiting your company’s exposure to additional risk.

  • Effective Use Case Modeling for Security Information & Event Management by Daniel Frye - March 10, 2010 

    With today’s technology there exist many methods to subvert an information system which could compromise the confidentiality, integrity, or availability of the resource. Due to the abstract nature of modern computing, the only way to be reliably alerted of a system compromise is by reviewing the system’s actions at both the host and network layers and then correlating those two layers to develop a thorough view into the system’s actions. In most instances, the computer user often has no indication of the existence of the malicious software and therefore cannot be relied upon to determine if their system is indeed compromised.

  • Meeting Compliance Efforts with the Mother of All Control Lists (MOACL) (Graduate Student Research) by Tim Proffitt - March 4, 2010

    With the multitude of different compliance efforts an organization could be subjected to, it is not uncommon to hear confusion on what may or may not apply. What compliance regulations does the organization fall under? What must the organization do to meet a specific compliance effort and not conflict with a separate one? How can the organization know it is meeting required compliance controls? Can anything be done to reduce the amount of work needed to meet these objectives? The answers lie in the details of the many controls of each of these efforts and the ability of technology practitioners to find commonalities that will ease redundant testing. By reviewing each of the compliance frameworks, technologists can define a set of generic controls such that when a control is met for one objective it can meet additional objectives in other compliance frameworks. The creation of the Mother of All Control Lists (MOACL) will be a one-to-many relationship between a general control and varying compliance controls.

  • Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data by nuBridges, Inc. - September 29, 2009 

    Exploring the use of tokenization as a best practice in improving PCI DSS compliance, while at the same time minimizing the cost and complexity of PCI DSS compliance by reducing audit scope.

  • PCI DSS and Incident Handling: What is required before, during and after an incident (Graduate Student Research) by Christian J. Moldes - June 16, 2009

    This paper intends to be a guideline for chief security officers, compliance directors, IT auditors, and anyone responsible for PCI DSS compliance.

  • Content Monitoring Issues – Legal and Otherwise by Darryl T Barnes - April 23, 2009 

    With the advent of the Internet, companies have an increased need to monitor their networks for external compromises as well as inappropriate use on the part of their own employees. This paper looks at the risks and issues related to the electronic monitoring of employees by corporations under United States law. The intent is to provide awareness of the issues involved with employee monitoring and to suggest some best practices.

  • There's a hole in my infrastructure? The road to PCI Compliance by Jonathan Chaitow - July 3, 2008 

    This paper addresses some of the issues faced in working towards a deadline for PCI (Payment Card Industry) compliance at a major international corporation, including the key challenges we faced and the current progress, presented as a set of specific changes to the architecture.

  • Requirements For Record Keeping and Document Destruction in a Digital World (Graduate Student Research) by Craig Wright - January 21, 2008

    In the day-to-day management of their organisation, company directors, accountants and management often overlook the importance of the documents used by the business. It is crucial to remember that the final accounts are not the only documents with a retention requirement. Further, as businesses move towards a "paperless office", they have to consider the evidentiary requirements.

  • Implementing Single Sign-On — Imprivata OneSign™ by Robert Turner - August 7, 2007 

    In this paper, I will focus on implementing SSO with the Imprivata OneSign™ Appliance. The Imprivata website boasts, “OneSign™ Single Sign-On quickly and effectively solves password management and user access issues. OneSign™ single sign-on enables ALL applications – legacy, client/server, and web - without requiring any custom scripting, changes to existing directories, or inconvenient end-user workflow changes. OneSign™ Single Sign-On dramatically lowers Help Desk costs associated with forgotten password resets, increases user productivity and satisfaction, strengthens password security, and supports regulatory compliance initiatives.”

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.