Featuring 42 Papers as of January 25, 2017
Building and Maintaining a Denial of Service Defense for Businesses STI Graduate Student Research
by Matt Freeman - January 25, 2017
Distributed Denial of Service (DDoS) attacks have been around for decades but still cause problems for most businesses. While easy to launch, DDoS attacks can be difficult to sustain and even more difficult to monetize for attackers. From the business perspective, a DDoS attack might result in lost revenue but is unlikely to have the same long-term impact that a data breach may have. Recent changes in the IT landscape have made DDoS a more attractive attack vector for hackers. The industry trend to connect more and more devices to the Internet (often with minimal to no security), dubbed the "Internet of Things," has created a new marketplace for bad actors to sell their resource exhaustion services. Businesses need to consider all options when planning and implementing a defensive posture against denial of service attacks. As security vendors continue to offer new (and expensive) options to defend against these attacks, how does an InfoSec manager know which is best for their business? Using an "Offense informs the Defense" approach, this paper analyzes the methods used during DDoS attacks in order to determine the most appropriate defensive postures.
Implementing the Critical Security Controls Analyst Paper
by Jim D. Hietala - January 24, 2017
- Associated Webcasts: Secure Configuration in Action (and How to Apply It)
- Sponsored By: Tripwire, Inc.
This paper serves as a how-to for organizations in various stages of implementing the controls and offers two real-world examples of CIS Control adoption. The case studies are based on interviews with the people behind the efforts and include the security environments before the implementation, the challenges experienced in adopting the controls and the benefits they have seen.
Leveraging the Asset Inventory Database STI Graduate Student Research
by Timothy Straightiff - January 4, 2017
A well-maintained Asset Inventory Database can aid in building a more comprehensive security program based on the CIS Critical Security Controls (CSC). Adding inputs and outputs to the database workflow will help the organization with several of the Critical Security Controls. The Critical Security Controls define a list of prioritized controls that, when followed, can improve the security foundation of an organization. The controls are most effective when implemented in order. Keeping an integrated and well-maintained Asset Inventory Database with the proper inputs and outputs can serve as a foundational element in any comprehensive security program.
Real-World Case Study: The Overloaded Security Professional's Guide to Prioritizing Critical Security Controls STI Graduate Student Research
by Phillip Bosco - December 27, 2016
Using a real-world case study of a recently compromised company as a framework, we will step inside the aftermath of an actual breach and determine how the practical implementation of Critical Security Controls (CSC) may have prevented the compromise entirely while providing greater visibility inside the attack as it occurred. The breached company's information security "team" consisted of a single overworked individual, who found it arduous to identify which critical controls he should focus his limited time on implementing. Lastly, we will delve into real-world examples, using previously unpublished research, that serve as practical approaches for teams with limited resources to prioritize and schedule which CSCs will provide the largest impact towards reducing the company's overall risk. Ideally, the observations and approaches identified in this research paper will assist security professionals who may be in similar circumstances.
Finding Bad with Splunk STI Graduate Student Research
by David Brown - December 16, 2016
There is such a deluge of information that it can be hard for information security teams to know where to focus their time and energy. This paper recommends common Linux and Windows tools to scan networks and systems, store results to local filesystems, analyze results, and pass any new data to Splunk. Splunk then helps security teams home in on what has changed within the networks and systems by alerting them to any differences between old baselines and new scans. In addition, security teams may not even be paying attention to controls, like whitelisting blocks, that successfully prevent malicious activities. Monitoring failed application execution attempts can give security teams and administrators early warning that someone may be trying to subvert a system. This paper guides the security professional in setting up alerts to detect security events of interest, such as failed application executions due to whitelisting. To solve these problems, the paper discusses the first five Critical Security Controls and explains what malicious behaviors can be uncovered as a result of alerting. As the paper progresses through the controls, the security professional is shown how to set up baseline analysis, how to configure the systems to pass the proper data to Splunk, and how to configure Splunk to alert on events of interest. The paper does not revolve around how to implement technical controls like whitelisting, but rather how to effectively monitor the controls once they have been implemented.
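The baseline-versus-new-scan comparison and the whitelisting-block monitoring described above, as an added PowerShell example that is not code from the paper: it parses nmap grepable (-oG) output, diffs the current scan against a baseline, pulls AppLocker enforce-mode block events (event ID 8004), and writes everything as key=value lines, which Splunk extracts as fields without extra configuration. The two scan snapshots are constructed sample data so the script runs offline; the choice of AppLocker as the whitelisting product and the idea of forwarding the lines from a file are this example's assumptions.

```powershell
# Added example, not code from the paper: turn two nmap scans and any
# whitelisting block events into key=value lines Splunk can index and alert on.
# Assumptions: nmap was run with -oG (grepable output); the whitelisting
# product is AppLocker; the sample scan lines below are constructed, not real.

function ConvertFrom-NmapGrepable {
    # One object per open port found in nmap -oG "Host:" lines.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^Host:\s+(\S+).*?Ports:\s+(.*?)(\t|$)') {
            $ip = $Matches[1]
            foreach ($entry in ($Matches[2] -split ',\s*')) {
                # Field layout per entry: port/state/protocol/owner/service/rpc/version/
                $f = $entry -split '/'
                if ($f[1] -ne 'open') { continue }
                [pscustomobject]@{ Host = $ip; Port = [int]$f[0]; Proto = $f[2]; Service = $f[4] }
            }
        }
    }
}

function Compare-ScanBaseline {
    # Emits a key=value line for each port that is newly open or no longer open.
    param([object[]]$Baseline, [object[]]$Current)
    $now = Get-Date -Format o
    Compare-Object -ReferenceObject $Baseline -DifferenceObject $Current -Property Host, Proto, Port -PassThru |
        ForEach-Object {
            $change = if ($_.SideIndicator -eq '=>') { 'new_open_port' } else { 'port_closed' }
            "time=$now change=$change host=$($_.Host) port=$($_.Port) proto=$($_.Proto) service=$($_.Service)"
        }
}

function Get-WhitelistBlockEvents {
    # AppLocker logs event ID 8004 when an EXE or DLL is blocked in enforce mode.
    # Field names come from the event's UserData/RuleAndFileData element.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        "time=$($_.TimeCreated.ToString('o')) change=whitelist_block user=$($d.TargetUser) file=`"$($d.FilePath)`" hash=$($d.FileHash)"
    }
}

# Constructed sample scans (not real results): the second shows a new listener on 4444/tcp.
$baselineScan = @("Host: 10.0.0.5 ()`tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///`tIgnored State: closed (998)")
$currentScan  = @("Host: 10.0.0.5 ()`tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 4444/open/tcp//krb524///`tIgnored State: closed (997)")

$lines  = @(Compare-ScanBaseline -Baseline @(ConvertFrom-NmapGrepable $baselineScan) -Current @(ConvertFrom-NmapGrepable $currentScan))
$lines += @(Get-WhitelistBlockEvents -Hours 24)
$lines   # in production, Add-Content these to a file that a Splunk universal forwarder monitors
```

With the constructed data the diff yields one line, `change=new_open_port host=10.0.0.5 port=4444 proto=tcp service=krb524`; a Splunk alert on `change=new_open_port OR change=whitelist_block` then fires on exactly the two conditions the paper cares about. Reading the AppLocker log requires that AppLocker be configured on the host; on a machine without it the function simply returns nothing.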
Continuous Monitoring: Build A World Class Monitoring System for Enterprise, Small Office, or Home STI Graduate Student Research
by Austin Taylor - December 15, 2016
For organizations that wish to prevent data breaches, incident prevention is ideal, but detection of an attempted or successful breach is a must. This paper outlines guidance for network visibility, threat intelligence implementation and methods to reduce analyst alert fatigue. Additionally, this document includes a workflow for Security Operations Centers (SOC) to efficiently process events of interest, thereby increasing the likelihood of detecting a breach. Methods include Intrusion Detection System (IDS) setup with tips on efficient data collection, sensor placement, and identification of critical infrastructure, along with network and metric visualization. These recommendations are useful for enterprises, small offices or homes that wish to implement threat intelligence and network analysis.
Auditing Windows installed software through command line scripts STI Graduate Student Research
by Jonathan Risto - November 14, 2016
The 20 Critical Controls provide guidance on managing and securing our networks. The second control states there should be a software inventory of the products for all devices within the infrastructure. This paper enables an auditor to compare Windows system baseline information against the currently installed software configuration. The command line tools used are discussed and scripts are provided to simplify and automate these tasks.
Reducing Attack Surface: SANS’ Second Survey on Continuous Monitoring Programs Analyst Paper
by Barbara Filkins - November 14, 2016
- Associated Webcasts: Vulnerabilities, Controls and Continuous Monitoring: The SANS 2016 Continuous Monitoring Survey
- Sponsored By: ForeScout Technologies Qualys IBM RiskIQ
Continuous monitoring is not a single activity. Rather, it is a set of activities, tools and processes (asset and configuration management, host and network inventories, and continuous vulnerability scanning) that must be integrated and automated all the way down to the remediation workflow. Although CM is shifting focus and slowly improving, it still has a way to go to attain the maturity needed to become a critical part of an organization’s business strategy.
Triaging the Enterprise for Application Security Assessments STI Graduate Student Research
by Stephen Deck - November 4, 2016
Conducting a full array of security tests on all applications in an enterprise may be infeasible due to both time and cost. According to the Center for Internet Security, the purpose of application-specific and penetration testing is to discover previously unknown vulnerabilities and security gaps within the enterprise. These activities are only warranted after an organization attains significant security maturity, which results in a large backlog of systems that need testing. When organizations finally undertake the efforts of penetration testing and application security, it can be difficult to choose where to begin. Computing environments are often filled with hundreds or thousands of different systems to test, and each test can be long and costly. At this point in the testing process, little information is available about an application beyond the computers involved, the owners, data classification, and the extent to which the system is exposed. With so few variables, many systems are likely to have equal priority. This paper suggests a battery of technical checks that testers can quickly perform to stratify the vast array of applications that exist in the enterprise ecosystem. This process allows the security team to focus efforts on the riskiest systems first.
Security Intelligence and the Critical Security Controls v6 Analyst Paper
by G. W. Ray Davidson, PhD - September 29, 2016
- Sponsored By: LogRhythm
Security data is everywhere: in our logs, feeds from security devices (IDS/IPS/firewalls, whitelists, etc.), network and endpoint systems, anomaly reports, access records, network traffic data, security information and event management (SIEM) systems, and even in applications hosted in the cloud. All of this data, and the processes that use it, combine to form an organization's security intelligence ecosystem. The major challenge of managing this ecosystem of security data is tying all these bits of data together and automating their correlation and use, with the goal of faster detection, prevention, continued security improvement and, ultimately, reduced risk. The key to success is automation and integration, according to the CIS Critical Security Controls, now in version 6.
Practical Considerations on IT Outsourcing Implementation under the Monetary Authority of Singapore’s Technology Risk Management Guidelines STI Graduate Student Research
by Andre Shori - September 19, 2016
Singapore ranks third overall in the Global Financial Centres Index. The Monetary Authority of Singapore (MAS), Singapore's central bank, has helped to achieve this success through guidance and regulation of the financial industry, including how institutions conduct themselves in a secure and reliable manner. The Technology Risk Management Guidelines (TRM) are both a cyber philosophy and a set of regulatory requirements for financial institutions to address existing and emerging technological risks. However, successful implementation of TRM can be challenging from a practical standpoint for today's cybersecurity managers. TRM's Management of IT Outsourcing Risk is a key focus area which encompasses many of the principles and requirements promoted throughout the Guidelines. By utilizing threat-based, hierarchical measures such as those advocated by the Center for Internet Security, cybersecurity managers can adhere to the spirit of the Guidelines while implementing effective operational cybersecurity and safe vendor integration.
Know Thy Network - Cisco Firepower and Critical Security Controls 1 & 2 STI Graduate Student Research
by Ryan Firth - September 19, 2016
Previously known as the SANS Top 20, the Critical Security Controls are based on real-world attack and security breach data from around the world, and are objectively the most effective technical controls against known cyber-attacks. Due to competing priorities and demands, however, organizations may not have the expertise to figure out how to implement and operationalize the Critical Security Controls in their environments. This paper will help bridge that gap for security and network teams using Cisco Firepower.
Automating Provisioning of NetFlow Analyzers STI Graduate Student Research
by Sumesh Shivdas - September 14, 2016
NetFlow is instrumentation embedded within Cisco IOS software (Introduction to Cisco IOS NetFlow). NetFlow tracks every network conversation and thus provides insight into the network traffic. Third-party NetFlow analyzers are available to store, analyze, alert and report on the NetFlow data. NetFlow analyzers allow users to create custom alerts and reports based on the network traffic. To maximize the benefits from custom alerting and reporting, the analyzers must be configured with details of the network environment. A manually configured analyzer soon falls out of sync with the actual environment, producing both false negatives and false positives. This paper proposes an option to automate the configuration of the NetFlow analyzer from a central repository.
Windows Installed Software Inventory
by Jonathan Risto - September 7, 2016
The 20 Critical Controls provide a guideline for the controls that need to be placed in our networks to manage and secure our systems. The second control states there should be a software inventory that contains the names and versions of the products for all devices within the infrastructure. The challenge for a large number of organizations is the ability to have accurate information available with minimal impact on tight IT budgets. This paper will discuss the Microsoft Windows command line tools that will gather this information, and provide example scripts that can be run by the reader.
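The registry-based inventory and baseline comparison that the two Jonathan Risto abstracts above describe (Auditing Windows installed software through command line scripts, and this one), as an added PowerShell example that is not the papers' own script: it reads the same Uninstall keys that Add/Remove Programs uses, exports the result to CSV, and reports additions and removals against a saved baseline. The C:\Inventory directory and file names are this example's assumptions.

```powershell
# Added example, not code from the papers: build a software inventory from the
# registry Uninstall keys and compare it with a saved baseline.
# Assumed paths (hypothetical): C:\Inventory\baseline.csv and C:\Inventory\current.csv.

function Get-InstalledSoftware {
    # Reads the Uninstall keys for 64-bit, 32-bit and per-user installs. This is
    # fast and side-effect free; Win32_Product (wmic product) is slow and makes
    # Windows Installer run a consistency check on every package it enumerates.
    # HKCU only reflects the user running the script.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |   # skip hidden components
        Select-Object @{n='Name';        e={ $_.DisplayName.Trim() }},
                      @{n='Version';     e={ "$($_.DisplayVersion)" }},
                      @{n='Publisher';   e={ "$($_.Publisher)" }},
                      @{n='InstallDate'; e={ "$($_.InstallDate)" }},
                      @{n='Source';      e={ $_.PSPath -replace '^.*::' }} |
        Sort-Object Name, Version -Unique
}

function Compare-SoftwareInventory {
    # Anything whose Name+Version pair differs is reported; a version change
    # shows up as one 'removed' and one 'added' row for the same Name.
    param([object[]]$Baseline, [object[]]$Current)
    Compare-Object -ReferenceObject $Baseline -DifferenceObject $Current -Property Name, Version -PassThru |
        ForEach-Object {
            $change = if ($_.SideIndicator -eq '=>') { 'added' } else { 'removed' }
            [pscustomobject]@{ Change = $change; Name = $_.Name; Version = $_.Version; Publisher = $_.Publisher }
        }
}

$dir = 'C:\Inventory'   # hypothetical location
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$current = @(Get-InstalledSoftware)
$current | Export-Csv -Path (Join-Path $dir 'current.csv') -NoTypeInformation -Encoding UTF8

$baselinePath = Join-Path $dir 'baseline.csv'
if (Test-Path $baselinePath) {
    $baseline = @(Import-Csv $baselinePath)
    Compare-SoftwareInventory -Baseline $baseline -Current $current | Format-Table -AutoSize
} else {
    # First run: promote the current inventory to the baseline for later audits.
    Copy-Item (Join-Path $dir 'current.csv') $baselinePath
    "Baseline created with $($current.Count) entries."
}
```

Run it once to create the baseline, then on a schedule; an empty comparison table means nothing was installed, removed or upgraded since the baseline. Reading HKLM does not require elevation, so the script can run under an ordinary audit account.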
Applying Machine Learning Techniques to Measure Critical Security Controls
by Balaji Balakrishnan - September 6, 2016
Implementing and measuring Critical Security Controls (CSC) requires analyzing all data types (structured, semi-structured and unstructured). This implementation can be a daunting task. One of the goals of effective implementation of Critical Security Controls is to automate as much as possible. Machine learning techniques can help automate many of the measurements in Critical Security Controls. This paper proposes a method to integrate all types of data into a single data repository, extract relationships between different entities and perform machine learning to automate the analysis. This solution provides the security team the ability to analyze the information, and make data-driven security decisions.
Android Security: Web Browsers and Email Applications
by Marsha Miller - August 29, 2016
Mobile devices are popular communication tools that allow people to stay connected in most places at all times. Despite the proliferation of applications that can be installed on smartphones and tablets, web browsers and email applications are default applications that remain highly vulnerable if not properly addressed. This paper compares several different mobile versions of these applications and uses the E-mail and Web Browser Protections critical control to suggest ways to secure these endpoints.
Simple Approach to Access Control: Port Control and MAC Filtering
by Bill Knaffl - August 22, 2016
Businesses often spend time and money on "Magic Bullet" security and focus on a single technology or threat. This focus can lend itself more towards placing a "check in the box" for compliance rather than on actual security and facing today's threats. Missing controls frequently have a cascading effect: because one control was missing or inadequate, other failures follow and turn a minor problem into a breach. This paper approaches one such incident, calls out which control was identified as the primary failure and offers an evaluation of a specific tool that could have helped prevent this attack. It covers not only the cost of the tool and the time to implement but also discusses other costs such as training, monitoring, maintenance and user impact, and offers a guide for a successful implementation.
Implementing the Critical Security Control: Controlled Use of Administrative Privileges
by Paul Ackerman - July 25, 2016
There is a plethora of information available to help organizations protect their cyber assets.
How to Target Critical Infrastructure: The Adversary Return on Investment from an Industrial Control System STI Graduate Student Research
by Matthew Hosburgh - July 12, 2016
Imagine a device that could decrypt all encryption within seconds. A box with this capability could be one of the most valuable pieces of equipment for an organization, but even more valuable to an adversary. What if that box only worked against American encryption? If true, a particular market would be ripe for the harvest. A device that powerful could be used to decrypt secrets and data in transit, making any encrypted data an adversary could obtain extremely valuable. Similarly, Critical Infrastructure is a target for some because of the yield that a successful attack could produce. Death, disruption or damage is a real possibility. Return on Investment (ROI) and Return on Security Investment (ROSI) fall short in actually determining the level of protection required for an organization striving to protect its most sensitive data or systems. The Adversary Return on Investment (AROI) is the missing piece of the equation. From the adversary's vantage point, data, infrastructure or systems have value. By understanding this value an organization can more appropriately align its security strategy, especially for the most critical infrastructure.
Critical Security Controls: Software Designed Inventory, Configuration, and Governance STI Graduate Student Research
by Lenny Rollison - May 24, 2016
The events of September 11, 2001, show us how isolated communication and the inability to share intelligence could paralyze decision making (Johnston, 2003).
Case Study: How CIS Controls Can Limit the Cascading Failures During an Attack STI Graduate Student Research
by Bill Knaffl - May 3, 2016
Every day it seems that new information becomes public about the latest data breach.
Methods for Understanding and Reducing Social Engineering Attacks STI Graduate Student Research
by Michael Alexander - May 3, 2016
Social engineering is arguably the easiest way for an attacker to penetrate the defenses of an organization.
Creating a Secure and Compliant Digital Forensics and Incident Response Network with Remote Access STI Graduate Student Research
by Scott Perry - April 29, 2016
News stories involving data breaches, cybercrime, and conversely, crimes solved with digital forensics, are becoming daily occurrences.
The Automotive Top 5: Applying the Critical Controls to the Modern Automobile STI Graduate Student Research
by Roderick Currie - April 4, 2016
The car of today is an inherently vulnerable platform. At its core is a computing architecture from the 1980s which was designed to be lightweight and efficient, with very little thought given to security. As the modern automobile becomes increasingly connected, its attack surface only continues to grow. In the wake of several recent high-profile car hacking demonstrations, automakers face the daunting task of trying to lock down this insecure platform with bolt-on security fixes. This paper proposes a plausible strategy for securing modern automotive systems which takes into account some of the key limitations of the automobile industry, in addition to presenting a methodology for applying the Critical Controls to the modern automobile platform.
Leading Effective Cybersecurity with the Critical Security Controls STI Graduate Student Research
by Wes Whitteker - March 8, 2016
Cybersecurity is a domain where organizations need to be right all the time and a bad actor needs to be right once.
Tracing the Lineage of DarkSeoul STI Graduate Student Research
by David Martin - March 4, 2016
The highly publicized 2014 cyber-attack on Sony brought the threat of cyberwarfare, broadly defined as destructive cyber-attacks launched by one nation state against another, to the attention of the American public.
Implementing the Critical Security Controls in the Cloud STI Graduate Student Research
by Jon Mark Allen - February 10, 2016
Amazon refers to cloud computing as “the on-demand delivery of IT resources and applications via the Internet with pay-as-you-go pricing” (Amazon Web Services, 2015).
The Case for Endpoint Visibility
by Robert Mier - February 10, 2016
On February 12, 2013 President Barack Obama issued executive order Improving Critical Infrastructure Cybersecurity, thus, recognizing the “Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity.”
Budgeting for the Critical Security Controls STI Graduate Student Research
by Paul Hershberger - January 20, 2016
In 2008, the National Security Agency (NSA) initiated an effort to prioritize the controls within the multiple frameworks to identify a manageable set of controls that are effective in implementing a Cybersecurity program with an "offense must inform defense" approach designed to directly address how attacks happen.
An Organic Approach to Implementing the Critical Security Controls STI Graduate Student Research
by Jim Hendrick - January 12, 2016
The Critical Security Controls (CSCs) describe a set of specific actions designed to improve an organization’s ability to resist or recover from information security incidents ("CIS critical security controls," 2015).
The Nightmare on Cryptville Street: 20 Pills for a Night of Sleep STI Graduate Student Research
by Oleg Bogomolniy - January 12, 2016
According to the Center for Strategic and International Studies, by 2014 cybercrime had grown into a $400+ billion industry with plenty of room still to grow (2014).
Continuous Security: Implementing the Critical Controls in a DevOps Environment STI Graduate Student Research
by Alyssa Robinson - December 23, 2015
DevOps is an agile-aligned software development methodology that is growing quickly in popularity, expected to reach nearly 25% of Global 2000 organizations (Gartner, 2015) by 2016. Adoption of DevOps practices introduces complications for implementing and auditing standardized security controls, presenting issues such as constantly changing assets, continuous deployment and a breakdown in the traditional segregation of duties. DevOps tools and philosophies also provide advantages, providing opportunity for integration of security automation as part of the development and deployment of applications and giving Security early input into design and implementation.
The Scary and Terrible Code Signing Problem You Don't Know You Have STI Graduate Student Research
by Sandra Dunn - October 28, 2015
The certificates used by SSL 3.0 / TLS 1.0 are X.509v3 certificates, and the same X.509v3 PKI standard provides the framework that the code signing process uses. Code signing uses PKI and X.509v3 certificates issued by a trusted certificate authority to validate that the code being installed on a device comes from a trusted vendor.
The Business Case for TLS Certificate Enterprise Key Management of Web Site Certificates: Wrangling TLS Certificates on the Wild Web STI Graduate Student Research
by Sandra E. Dunn - October 28, 2015
An Enterprise Key Certificate Management System (EKCM) provides a best-in-class solution for TLS certificate management.
Audits Made Simple
by David W. Belangia - October 27, 2015
A company just got notified there is a big external audit coming in 3 months. Getting ready for an audit can be challenging, scary, and full of surprises. This Gold Paper describes a typical audit from notification of the intent to audit through disposition of the final report including Best Practices, Opportunities for Improvement (OFI), and issues that must be fixed. Good preparation can improve the chances of success. Ensuring the auditors understand the environment and requirements is paramount to success. It helps the auditors understand that the enterprise really does think that security is important. Understanding and following a structured process ensures a smooth audit process. Ensuring follow-up on OFIs and issues in a structured fashion will also make the next audit easier. It is important to keep in mind that the auditors will use the previous report as a starting point. Now the only worry is the actual audit and subsequent report and how well the company has done.
Uncovering Indicators of Compromise (IoC) Using PowerShell, Event Logs and a Traditional Monitoring Tool STI Graduate Student Research
by Dallas Haselhorst - October 26, 2015
What security concerns keep you up at night? Is it pivoting, persistent access, the time to detect compromise, or one of a thousand other possibilities? What if you were told that, without a doubt, you have tools at your disposal to periodically verify your security posture and you are not presently using them? Why spend more hours and more budget implementing a new product with new agents and new headaches that will not effectively reduce your workload or anxiety level? Even if you have commercial tools already monitoring your systems for security events, how do you know they are working? Is it even practical to use custom PowerShell scripts/plugins, built-in event logs, and a traditional monitoring tool such as Nagios to monitor for indicators of compromise on Windows systems? In addition, you will be presented with some applied research as well as easy-to-follow guidelines you can integrate into your own environment(s).
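The combination the abstract asks about, a PowerShell plugin reading built-in event logs and reporting to Nagios, as an added example that is not the paper's own plugin: the script counts recent occurrences of a handful of event IDs that commonly accompany a compromise and returns the exit code and status line Nagios expects. The event IDs chosen, the thresholds, and the assumption that it runs under NRPE or NSClient++ on the monitored host are this example's, not the paper's.

```powershell
# Added example, not code from the paper: a Nagios-style check that looks for
# indicators of compromise in the Windows event logs and returns the exit code
# Nagios expects (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN).
# Assumed to run via NRPE/NSClient++. Reading the Security log needs an elevated
# account or membership in the Event Log Readers group.
param(
    [int]$Minutes = 60,   # look-back window; set to the check interval plus some slack
    [int]$WarnAt  = 1,    # total hits that earn WARNING
    [int]$CritAt  = 3     # total hits that earn CRITICAL
)

# Indicator events chosen for this example; Severity is what a single hit earns.
$indicators = @(
    @{ Log = 'Security'; Id = 4720; Desc = 'local user created';          Severity = 'WARNING'  },
    @{ Log = 'Security'; Id = 4732; Desc = 'member added to local group'; Severity = 'WARNING'  },
    @{ Log = 'Security'; Id = 4698; Desc = 'scheduled task created';      Severity = 'WARNING'  },
    @{ Log = 'System';   Id = 7045; Desc = 'new service installed';       Severity = 'WARNING'  },
    @{ Log = 'Security'; Id = 1102; Desc = 'audit log cleared';           Severity = 'CRITICAL' }
)

function Get-IocHits {
    # One object per matching event since $Since; missing logs or zero hits yield nothing.
    param([hashtable[]]$Indicators, [datetime]$Since)
    foreach ($i in $Indicators) {
        $events = Get-WinEvent -FilterHashtable @{ LogName = $i.Log; Id = $i.Id; StartTime = $Since } -ErrorAction SilentlyContinue
        foreach ($e in @($events)) {
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Id       = $i.Id
                Desc     = $i.Desc
                Severity = $i.Severity
                Message  = ($e.Message -split "`r?`n")[0]   # first line only, for the status text
            }
        }
    }
}

function Get-NagiosState {
    # Any CRITICAL indicator, or $CritAt or more hits in total, is CRITICAL.
    param([object[]]$Hits, [int]$WarnAt, [int]$CritAt)
    if ($Hits.Count -ge $CritAt -or ($Hits | Where-Object Severity -eq 'CRITICAL')) { return 2 }
    if ($Hits.Count -ge $WarnAt) { return 1 }
    return 0
}

try {
    $hits  = @(Get-IocHits -Indicators $indicators -Since (Get-Date).AddMinutes(-$Minutes))
    $state = Get-NagiosState -Hits $hits -WarnAt $WarnAt -CritAt $CritAt
    $label = @('OK', 'WARNING', 'CRITICAL')[$state]
    $summary = ($hits | Group-Object Desc | ForEach-Object { "$($_.Count)x $($_.Name)" }) -join ', '
    if (-not $summary) { $summary = 'no indicator events' }
    # First line is what Nagios displays; text after the pipe is performance data it can graph.
    "IOC $label - $summary in last $Minutes min | ioc_hits=$($hits.Count);$WarnAt;$CritAt"
    # Remaining lines are long output, shown in the service detail view.
    $hits | ForEach-Object { "$($_.Time.ToString('s')) [$($_.Id)] $($_.Desc): $($_.Message)" }
    exit $state
} catch {
    "IOC UNKNOWN - $($_.Exception.Message)"
    exit 3
}
```

Because the check is stateless, the look-back window should be at least as long as the Nagios check interval so that no event falls between two runs; accepting some double counting is safer than missing a cleared audit log. Tune the indicator list to the host role, for example adding 4625 logon failures on servers that should never see interactive logons.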
Technical Implementation of the Critical Control "Inventory of Authorized and Unauthorized Devices" for a Small Office/Home Office STI Graduate Student Research
by Kenton Groombridge - October 26, 2015
There is great value in the proper employment of the Critical Security Controls. The Critical Security Controls are written with terminology that makes them appear applicable only to organizations and other large environments. Implementing the Critical Security Controls can be beneficial to any size network, but can they be applied to a Small Office/Home Office with a limited budget and expertise? This document examines the technical implementation of "Inventory of Authorized and Unauthorized Devices" for a Small Office/Home Office. Topics discussed will be the selection of hardware, evaluation of open-source software and third-party firmware, and custom scripts that function with most modern operating systems.
The Fall of SS7 – How Can the Critical Security Controls Help? STI Graduate Student Research
by Hassan Mourad - August 31, 2015
For decades, the security of one of the fundamental protocols in telecommunications networks, Signaling System No. 7 (SS7), has been based solely on mutual trust between the interconnecting operators. Operators relied on their trust in other operators to play by the rules, and the SS7 network has been regarded as a closed, trusted network. This notion of trust and security has recently changed after several security researchers announced major vulnerabilities in the SS7 protocol that threaten user privacy and can lead to user location tracking, fraud, denial of service, or even call interception. In this paper we discuss each individual attack and examine the possibility of using the critical security controls to protect against such attacks and enhance the security of SS7 interconnections.
Paying Attention to Critical Controls STI Graduate Student Research
by Edward Zamora - August 21, 2015
International organizations such as the Australian DSD, the European Commission and the US NSA have developed their lists of top mitigations and actions they consider necessary for organizations and governments to implement. It has been further established by the international information security community that the twenty critical security controls are the top relevant guidelines for implementing and achieving greater security. Many of the controls require the deployment and installation of security software. But is installing software all there is to it? Will an organization be better defended by buying lots of security products? In one particular use case, attackers were able to break through the network defenses of an organization that implemented many of the security controls but did not do so properly. Lulled by a false sense of security, the senior leadership woke up to some bad news when they learned that gigabytes of data had been stolen from the organization's network after the controls were in place. The implementation of security controls should be done with careful planning and attention to detail. This paper covers what the attackers did to circumvent the controls in place in the organization, how the organization could have implemented the critical controls properly to prevent this compromise, and what an organization needs to do to avoid this pitfall.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact firstname.lastname@example.org.
All papers are copyrighted. No re-posting or distribution of papers is permitted.