Featuring 26 Papers as of December 10, 2015
Compliant but not Secure: Why PCI-Certified Companies Are Being Breached
by Christian Moldes - December 9, 2015
The Payment Card Industry Security Standards Council (PCI SSC) published the Data Security Standard (DSS) to provide a minimum set of required security controls to protect cardholder data 11 years ago (Search Security, 2013).
NERC CIP Patch Management and Cisco IOS Trains
by Aaron Prazan - September 14, 2015
NERC CIP Version 5 is challenging many organizations with mandatory patch management requirements. The requirements are intended to be general for any managed system with a defined source for patches or security updates. However, the picture gets muddier for Cisco network devices, because the vendor issues frequent new versions of the operating system along multiple user trains, not patches to any static version. In addition, the proprietary SCADA systems to which NERC requirements apply do not lend themselves to frequent patching. This paper will describe the requirements for patching under NERCs requirements and propose a set of processes an entity using such devices in a tightly controlled SCADA control system might use to satisfy the requirements.
eAUDIT: Designing a generic tool to review entitlements
by Francois Begin - June 22, 2015
In a perfect world, identity and access management would be handled in a fully automated way.
Is It Patched Or Is It Not?
by Jason Simsay - April 23, 2015
Patch management tools may produce conflicting results.
What Every Tech Startup Should Know About Security, Privacy, and Compliance
by Kenneth Hartman - February 25, 2015
Not everyone has what it takes to launch a successful tech startup. A compelling vision must propel the founder, fueled by unstoppable passion.
Monitoring Baselines with Nagios
by Steven Cardinal - February 12, 2015
It is 4:00 on a Friday afternoon and you, a system administrator for a large, multinational entertainment company, are putting your things away to head out for a long holiday weekend.
The Maturation of Controls Self - Assessments
by Timothy Salka - July 31, 2014
This topic is appropriate for the Global Security Leadership Certification because it provides IT leaders with practical information and historical references.
Securing Static Vulnerable Devices
by Chris Farrell - September 17, 2013
Static vulnerable devices (SVD) can be the bane of any security team regardless of the business size, budget or expertise.
Electronic Medical Records: Success Requires an Information Security Culture
by Thomas Roberts - June 5, 2013
The increased use of electronic medical records (EMR's) is certainly impacting the world of healthcare.
Project Management Approach to Yearly PCI Compliance Assessment
by Michael Hoehl - February 19, 2013
Payment Card Industry Data Security Standard (PCI DSS) has been developed by a collaboration of the credit card companies including VISA, American Express, Mastercard, and JCB.
In-house Penetration Testing for PCI DSS
by Jeremy Koster - May 11, 2012
The Payment Card Industry Data Security Standard, introduced in 1999, is a rigorous set of prescriptive requirements aimed at securing systems that handle credit card numbers.
Cloud Computing - Maze in the Haze
by Godha Iyengar - October 18, 2011
In recent days, Cloud Computing has become a great topic of debate in the IT field. Clouds, like solar panels, appear intriguingly simple at first but the details turn out to be more complex than simple pictures and schematics suggest.
Wireless Networks and the Windows Registry - Just where has your computer been?
by Jonathan Risto - May 6, 2011
The Windows Registry stores all of the information that is needed by the host operating system. This database contains all of the configurations, settings and options that are both created initially by the operating system, as well as user configuring settings and installed software.
Compliance and Security Challenges with Remote Administration
by Dave Shackleford - January 3, 2011
- Sponsored By: Netop
This paper focuses on remote administration of systems with regulated data falling under the Payment Card Industry Data Security Standard (PCI DSS).
A Compliance Primer for IT Professionals
by David Swift - November 29, 2010
Fed up and frustrated with ambiguous standards, multiple frameworks, and scattered "best practices" I set out to at least glean the basics of compliance. What regulations apply to whom? What do the auditors want to see? And how as an IT security professional can I help reduce my pain, and my company's expenses in successfully completing and passing an audit. I felt it appropriate, and perhaps even beneficial to share that research and hopefully save others time by putting it down in this paper.
PCI 2.0: What's New? What Matters? What's Left?
by Dave Hoelzer - November 12, 2010
- Sponsored By: Dell SecureWorks
This paper discusses whats new and what still needs more attention in the PCI DSS 2.0 standard, including gaps in storage encryption, wireless networking, and physical security that carry over from version 1.2.
Applying Information Security and Privacy Principles to Governance, Risk Management & Compliance
by Scott Giordano - October 25, 2010
If there is a demarcation line for the start of the modern discipline of corporate governance, risk management and compliance (GRC) in the U.S., then perhaps the best candidate for that line is the handing down of the courts opinion in In Re Caremark International Inc. Derivative Litigation in 1996. Caremark stands for the principle that individual directors of a corporations board may be held liable for failure to properly supervise the activities of that corporation. While the requirement for the creation of a corporate ethics program was promulgated in 1991 with the passage of the Federal Sentencing Guidelines for Organizations (FSGO), Caremark seems to have made a substantial impact on the resources dedicated to proper corporate governance. Completing this genesis period of corporate governance jurisprudence and guidelines was the legislative response to the Enron scandal and similar scandals at WorldCom and Adelphia, the enactment of Sarbanes-Oxley (SOX) in 2002. Finally, extra-territorial governance regulation has become commonplace. The Foreign Corrupt Practices Act of 1977 (FCPA), a statute designed to combat bribery of foreign officials by U.S. companies, has seen unprecedented use in the past 6 years (Searcey, 2009). This combination of jurisprudence, guidelines, new legislation, and revitalization of statues subsequently precipitated a substantial volume of analysis by commentators. The result: a traditional discipline of law infused with new life and which has evolved ever since.
Contracting for PCI DSS Compliance
by Christian Moldes - July 15, 2010
Companies should carefully review and amend their agreements with third party service providers that handle or have access to cardholder data. Having the proper legal language in place is one of the key factors to reduce liability when dealing with third parties and limiting your companies exposure to additional risk.
Effective Use Case Modeling for Security Information & Event Management
by Daniel Frye - March 10, 2010
With todays technology there exist many methods to subvert an information system which could compromise the confidentiality, integrity, or availability of the resource. Due to the abstract nature of modern computing, the only way to be reliably alerted of a system compromise is by reviewing the systems actions at both the host and network layers and then correlating those two layers to develop a thorough view into the systems actions. In most instances, the computer user often has no indication of the existence of the malicious software and therefore cannot be relied upon to determine if their system is indeed compromised.
Meeting Compliance Efforts with the Mother of All Control Lists (MOACL)
by Tim Proffitt - March 4, 2010
With the multitude of different compliance efforts an organization could be subjected to, it is not uncommon to hear confusion on what may or may not apply. What compliance regulations does the organization fall under? What must the organization do to meet a specific compliance effort and not conflict with a separate one? How can the organization know it is meeting required compliance controls? Can anything be done to reduce the amount of work needed to meet these objectives? The answers lay in the details of the many controls of each of these efforts and the ability for technology practitioners to find commonalities that will ease redundant testing. By reviewing each of the compliance frameworks, technologists can define a set of generic controls such that when a control is met for one objective it can meet additional objectives in other compliance frameworks. The creation of the Mother of all Control Lists (MOACL) will be a one-to-many relationship between a general control and varying compliance controls.
Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder data
by nuBridges, inc - September 29, 2009
Exploring the use of tokenization as a best practice in improving PCi dss compliance, while at the same time minimizing the cost and complexity of PCi dss compliance by reducing audit scope.
PCI DSS and Incident Handling: What is required before, during and after an incident
by Christian J. Moldes - June 16, 2009
This paper intends to be a guideline for chief security officers, compliance directors, IT auditors, and anyone responsible for PCI DSS compliance.
Content Monitoring Issues Legal and Otherwise
by Darryl T Barnes - April 23, 2009
With the advent of the Internet, companies have an increased need to monitor their networks for external compromises and as well as inappropriate use on the part of their own employees. This paper looks at the risks and issues related to the electronic monitoring of employees by corporations under United States law. The intent is to provide awareness of issues involved with employee monitoring and to suggest some best practices.
There's a hole in my infrastructure? The road to PCI Compliance
by Jonathan Chaitow - July 3, 2008
This paper addresses some of the issues faced in working towards a deadline of PCI (Payment Card Industry) Compliance at a major international corporation. including the key challenges we faced and the current progress as a set of specific changes to the architecture.
Requirements For Record Keeping and Document Destruction in a Digital World
by Craig Wright - January 21, 2008
In the day-to-day management of their organisation, company directors, accountants and management often overlook the importance of the documents used by the business. It is crucial to remember that the final accounts are not the only documents with a retention requirement. Further, as businesses move towards a "paperless office", they have to consider the evidentiary requirements.
Implementing Single Sign-On — Imprivata OneSign™
by Robert Turner - August 7, 2007
In this paper, I will focus on the implementing SSO with the Imprivata OneSign Appliance. The Imprivata website boasts, OneSign Single Sign-On quickly and effectively solves password management and user access issues. OneSign single sign-on enables ALL applications legacy, client/server, and web - without requiring any custom scripting, changes to existing directories, or inconvenient end-user workflow changes. OneSign Single Sign-On dramatically lowers Help Desk costs associated with forgotten password resets, increases user productivity and satisfaction, strengthens password security, and supports regulatory compliance initiatives.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact firstname.lastname@example.org.
All papers are copyrighted. No re-posting or distribution of papers is permitted.