Reading Room

Intrusion Prevention

Featuring 54 Papers as of April 21, 2021

  • Understanding Your Attack Surface Analyst Paper (requires membership in community)
    by Matt Bromiley - April 21, 2021 

    What does it mean to evaluate your attack surface? For many organizations, it may simply mean running a vulnerability scanner against their perimeter and hoping an attacker does not do the same. This legacy thinking leaves out all the nooks and crannies that attackers have become adept at finding. Your attack surface should also include your system and network configurations, brand exposure, and knowledge of how your data is secured amongst numerous cloud providers. In this paper, we will provide our review of Netenrich's Attack Surface Intelligence (ASI) application. Offering unique insight into the aforementioned data points - and then some - Netenrich presents a novel way to examine enterprise exposure and evaluate potential risks. ASI provides the best of both worlds - a convenient, high-level point of view on organizational risk, while still providing the granular context that analysts need to analyze and remediate potential risks.

  • Unpacking the Hype: What You Can (and Can't) Do to Prevent/Detect Software Supply Chain Attacks Analyst Paper (requires membership in community)
    by Jake Williams - February 24, 2021 

    This paper focuses on the SolarWinds compromise and what it can teach us about detecting software supply chain compromises.

  • The Strategic Value of Passive DNS to Cyber Defenses and Risk Management Analyst Paper (requires membership in community)
    by Dave Shackleford - February 22, 2021 

    Passive DNS has come to play a significant role in the realm of information security—and not just due to its mission-critical status for domain name resolution. This paper explores how passive DNS may help detect and prevent many attacks that other security tools cannot.

  • Mitigating Attacks on a Supercomputer with KRSI Graduate Student Research
    by Billy Wilson - December 9, 2020 

    Kernel Runtime Security Instrumentation (KRSI) provides a new form of mandatory access control, starting in the 5.7 Linux kernel. It allows systems administrators to write modular programs that inject errors into unwanted systems operations. This research deploys KRSI on eight compute nodes in a high-performance computing (HPC) environment to determine whether KRSI can successfully thwart attacks on a supercomputer without degrading performance. Five programs are written to demonstrate KRSI’s ability to target unwanted behavior related to filesystem permissions, process execution, network events, and signals. System performance and KRSI functionality are measured using various benchmarks and an adversary emulation script. The adversary emulation activities are logged and mitigated with minimal performance loss, but very extreme loads from stress testing tools can overload a ring buffer and cause logs to drop.

  • All Roads Lead to the Browser: A SANS Buyer's Guide to Browser Isolation Analyst Paper (requires membership in community)
    by Matt Bromiley - May 6, 2020 

    As organizations move to the cloud, browser dependency becomes more prevalent. That's why we say the browser is the new endpoint. By limiting the impact a browser can have on a victim system, organizations can prevent web code from reaching the endpoint. Find out how browser isolation works, key factors to consider when evaluating, implementing and testing solutions, and how to integrate browser isolation into your security posture to stop attacks earlier.

  • Using Illusive Networks' Attack Surface Manager to Enhance Vulnerability Management Analyst Paper (requires membership in community)
    by Dave Shackleford - February 11, 2020 

    Illusive Networks' Attack Surface Manager (ASM) takes a unique approach to identify vulnerabilities within the network. SANS reviewed ASM and learned how it continuously discovers assets in the environment and monitors systems for artifacts, allowing it to pinpoint attack paths that could be exploited by adversaries who have gained initial access to an environment. The product can then map these paths to show whether important assets are vulnerable to attack, and can remediate issues on systems within the attack path.

  • Boosting IAM and Privilege Control Using Illusive Networks’ Attack Surface Manager Analyst Paper (requires membership in community)
    by Dave Shackleford - February 11, 2020 

    Illusive Networks' Attack Surface Manager (ASM) takes a unique approach to identify vulnerabilities within the network. SANS reviewed ASM and learned how it continuously discovers assets in the environment and monitors systems for artifacts, allowing it to pinpoint attack paths that could be exploited by adversaries who have gained initial access to an environment. The product can then map these paths to show whether important assets are vulnerable to attack, and can remediate issues on systems within the attack path.

  • Elevating Enterprise Security with Fidelis Cybersecurity: Network and Deception Analyst Paper (requires membership in community)
    by Matt Bromiley - September 5, 2019 

    Security teams cannot defend complex networks without holistic, correlative insight into the environment. In this first part of a two-part review, Matt Bromiley reviews the Fidelis Elevate platform, with respect to its ability to provide insight into network traffic, threats and deception. Not only does the Fidelis platform allow for holistic visibility, but it also makes it easy for organizations to move toward threat hunting, shortening their time to detect and uncover intrusions.

  • Passive Isn't Good Enough: Moving into Active EDR Analyst Paper (requires membership in community)
    by Justin Henderson - May 17, 2019 

    Endpoint detection and response (EDR) technologies focus on identifying anomalous activity at scale, but are often constrained by delayed analyses. Endpoint protection platforms (EPP) can manage aspects of endpoint security, but often lack enterprise-class detection and reporting capabilities. This leads us to the most recent addition to the endpoint protection arsenal--active endpoint detection and response, which boasts real-time analysis capabilities as compared to traditional passive EDR.

  • Taming the Endpoint Chaos Within: A Review of Panda Security Adaptive Defense 360 Analyst Paper (requires membership in community)
    by Justin Henderson - March 26, 2019 

    Endpoint security requires a solution that scales, is easy to maintain and provides a comprehensive integration into the endpoint itself. This review of Panda Security Adaptive Defense 360 details how the endpoint platform prevents malicious executables, automates complex tasks and provides scalability. Panda Security's EDR approach applies prevention controls in combination with detective controls, and allows security teams to deploy preventive technologies while retaining insight into environments.

  • Intrusion Prevention System Signature Management Theory by Joshua Levine - February 5, 2019 

    The intrusion prevention system (IPS) serves as one of the critical components for a defense-in-depth solution. IPS appliances allow for active, inline protection for known and unknown threats passing across a network segment at all layers of the OSI model. The employment, tuning, and upkeep of signatures on an IPS may lead to a negative impact on production traffic if not properly maintained. This document serves as baseline guidance to help shape the development of an organizational IPS signature management policy. Concepts are presented to address the lifecycle of an IPS signature from employment to expiration. Through proper maintenance, placement, and tuning of signatures, an unwanted impact to network traffic can be kept to a minimum while also achieving an optimal balance of security and network performance. By understanding the tenets of effective IPS signature evaluation, employment, tuning, and expiration, organizations can maintain an acceptable network security posture along with adequate levels of network performance.

  • Template Injection Attacks - Bypassing Security Controls by Living off the Land by Brian Wiltse - February 1, 2019 

    As adversary tactics continue to adapt and embrace the concept of living off the land by using legitimate company software instead of a virus or other malware (Rut15), their tactics, techniques, and procedures (TTPs) often leverage programs and features in target environments that are normal and expected. The adversaries leverage these features in a way that enables them to bypass security controls to complete their objective. In May of 2017, a suspected APT group began to leverage one such feature in Microsoft Office, utilizing a Template Injection attack to harvest credentials, or gain access to end users' computers at a US power plant operator, Wolf Creek Nuclear Operating Corp. In this Gold Paper, we will review in detail what the Template Injection attacks may have looked like against this target, and assess their ability to bypass security controls.

  • DNS: An Asset, Not a Liability Analyst Paper (requires membership in community)
    by Matt Bromiley - January 30, 2018 

    The Domain Name System, or DNS, is crucial to billions of Internet users daily, but it comes with issues that organizations must be aware of. Attackers are abusing DNS to conduct attacks that bring businesses to their knees. Fortunately, with the right detection and analysis mechanisms in place, security teams can turn DNS vulnerabilities into enterprise assets.

  • Basic NGIPS Operation and Management for Intrusion Analysts by Mike Mahurin - August 15, 2017 

    Next Generation Intrusion Prevention Systems (NGIPS) are often referred to as the panacea to modern malware, network intrusion, advanced persistent threat, and application control for complex modern applications. Many vendors position these products in a way that minimizes the value of tuning and intrusion analysis to get the optimum security capability of the solution. This paper will provide a guide for how to maximize the capabilities of these technologies by providing a basic framework on how to effectively manage, tune, and augment a NGIPS solution with Open Source tools.

  • Offensive Intrusion Analysis: Uncovering Insiders with Threat Hunting and Active Defense Graduate Student Research
    by Matthew Hosburgh - July 21, 2017 

    Today's adversaries are advanced and more capable than ever before. Passive defensive tactics are no longer viable for pursuing these attackers. To compound the issue, the existence of an insider threat creates a challenging problem for the passive defender. One of the largest breaches of classified information was carried out by an insider. Months after the incident had occurred, the Department of Defense (DoD) only began to realize the implications of the leak. The damage did not solely rest with the United States. A cascade of consequences was felt in many parts of the world, resulting from this breach. Techniques like Threat Hunting, attempt to diminish this problem by combating advanced threats with people, also known as Threat Hunters. Although Threat Hunting is proving to be invaluable for many organizations there remains a chasm between detection and disclosure. Offensive Countermeasure tools such as the Web Bug Server and Molehunt can be leveraged as a means to proactively hunt insider threats. To keep up with the continually evolving human adversary, defenders must employ these offensive tactics to annoy and attribute their adversaries.

  • Deception Matters: Slowing Down the Adversary with illusive networks® Analyst Paper (requires membership in community)
    by Eric Cole, PhD - May 1, 2017 

    Deception is an effective defense against targeted attacks that leverages a false map of cyber assets to boost the odds of finding an adversary early and mitigate overall damage. The adversary is tricked into a cyber rabbit hole of fake systems with fake libraries and DNS servers, counteracting the attacker's every move. In this review, SANS Fellow Eric Cole recounts his review of illusive networks' deception and protection capabilities to show cyber deception in action.

  • SOC-as-a-Service: All the Benefits of a Security Operations Center Without the High Costs of a DIY Solution Analyst Paper (requires membership in community)
    by Sonny Sarai - March 28, 2017 

    Security Operations Centers are increasingly important in today's enterprises - they protect against intrusions, damaging DDoS attacks and data security breaches, as well as help with investigation and remediation. But how can midsize enterprises get the same SOC advantages as their large enterprise peers?

    This paper explores how Arctic Wolf Networks' CyberSOC can help midsize organizations roll out a SOC-as-a-Service, thereby leveraging the benefits of a SOC without the high costs of a DIY solution.

  • Network Inspection of Duplicate Packets by Randy Devlin - November 11, 2016 

    Network Intrusion Analysis enables a security analyst to review network traffic for protocol conformity and anomalous behavior. The analyst’s goal is to detect network intrusion activity in near-real time. The detection provides details as to who the attackers are, the attack type, and potential remediation responses. Is it possible that a network security stack could render the analyst “blind” to detecting intrusions? This paper will review architecture, traffic flow, and inspection processes. Architecture review validates proper sensor placement for inspection. Traffic flow analyzes sources and destinations, approved applications, and known traffic patterns. Inspection process evaluates protocols and packet specific details. The combination of these activities can reveal scenarios that potentially result in limitations of network security inspection and analysis.

  • Forcepoint Review: Effective Measure of Defense Analyst Paper (requires membership in community)
    by Eric Cole, PhD - November 9, 2016 

    Effective security is all about the quality of the solution, not the quantity of products. Indeed, buying more products can make the problem worse. All of the major breaches over the last several years have had one thing in common: Multiple products were issuing alerts, but there were too many alerts and not enough people charged with monitoring and responding to them. When that is the case, putting more products in place spreads current resources even thinner--the problem gets worse, not better. This paper explains the advantages of an integrated defense-in-depth approach to security and looks at how Forcepoint's integrated solution suite meets the needs of such an approach.

  • Mimikatz Overview, Defenses and Detection Graduate Student Research
    by James Mulder - February 29, 2016 

    Over the past decade or so, we have seen hacker tools mature from tedious bit flipping to robust attack frameworks.

  • Intrusion Detection and Prevention Systems Cheat Sheet: Choosing the Best Solution, Common Misconfigurations, Evasion Techniques, and Recommendations. Graduate Student Research
    by Phillip Bosco - January 25, 2016 

    There are many decisions a company must make while choosing an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) for their infrastructure. Pricing questions will arise to determine if it will fit into their budget.

  • How to Leverage PowerShell to Create a User-Friendly Version of WinDump Graduate Student Research
    by Robert Adams - January 18, 2016 

    Security professionals rely on a myriad of tools to accomplish their job. This is no different than the toolboxes that plumbers, electricians, and other trade professionals carry with them every day.

  • Poaching: Hunting Without Permission by David Switzer - December 23, 2015 

    In the parlance of information security, hunting is proactively searching out a problem. An intrusion detection system (IDS) can miss a 0-day, so proactive and interactive hunting for indicators of compromise (IOCs) can be more productive than simply relying on automated tools.

  • Intrusion Prevention with HPE TippingPoint Analyst Paper (requires membership in community)
    by Dave Shackleford - December 7, 2015 

    A review by Dave Shackleford of HPE's TippingPoint 2600NX IPS and its management platform. It examines the device's analytic and operational features and discusses the integration of such devices with security information and event management (SIEM) systems as well as external threat information.

  • Practical approaches for MTCP Security Graduate Student Research
    by Joshua Lewis - October 2, 2015 

    Multi-path TCP (MPTCP) is an emerging IETF standard for providing connection resilience and bandwidth aggregation. MPTCP evolves the existing TCP protocol by allowing multiple TCP flows for a TCP session. This provides exciting new possibilities for mobile devices that can maintain TCP sessions as connection paths are added or dropped, and multi-homed servers that allow TCP sessions to take advantage of a mesh topology. However, current network security monitoring infrastructure solutions cannot appropriately inspect MPTCP connections, leaving significant intrusion detection and data loss blind spots. This paper will discuss practical approaches for MPTCP security.

  • Open Source IDS High Performance Shootout by George Khalil - February 17, 2015 

    As early as 1972, the U.S. Air Force was becoming increasingly aware of computer security problems (Bruneau, 2001).

  • Point of Sale Systems and Security: Executive Summary Analyst Paper (requires membership in community)
    by Wes Whitteker - November 20, 2014 

    The last year has seen scores of point of sale (POS) systems compromised by bad actors. In many cases, these environments were PCI-DSS compliant at the time of compromise. Executives seeking to protect their organizations and POS systems from compromise need to look beyond PCI-DSS and adopt a proactive "offense must inform defense" approach to POS security.

  • MalwareD: A study on network and host based defenses that prevent malware from accomplishing its goals. by Dave Walters - September 17, 2014 

    Malware is an ever-growing problem on the Internet. Organizations struggle to prevent, detect, and respond to malware threats.

  • Insider Threats in Law Enforcement Analyst Paper (requires membership in community)
    by Dr. Eric Cole - September 4, 2014 

    Based on the valuable information they have at their disposal, law enforcement agencies are among those that are prime targets for advanced attacks. While network protection can be extensive and sophisticated, the exploitation of insiders poses a serious threat for illegal access to these agencies.

  • Killing Advanced Threats in Their Tracks: An Intelligent Approach to Attack Prevention Analyst Paper (requires membership in community)
    by Tony Sager - July 29, 2014 

    All attacks follow certain stages. By observing those stages during an attack progression and then creating immediate protections to block those attack methods, organizations can achieve a level of closed-loop intelligence that can block and protect across this attack kill chain. This paper explains the many steps in the kill chain, along with how to detect unknown attacks by integrating intelligence into sensors and management consoles.

  • Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare on Horizon Analyst Paper (requires membership in community)
    by Barbara Filkins - March 6, 2014 

    The use of threat intelligence to improve the security of information systems in the health care industry.

  • Active Security Or: How I learned to stop worrying and use IPS with Incident handling by Doug Brown - January 9, 2014 

    Beyond the obvious nomenclature for viruses and worms, several lessons can also be gleaned from the world of epidemiology and applied to information security.

  • Open Source Host Based Intrusion Detections System (OHIDS) by Tom Webb - September 6, 2013 

    Detecting and analyzing intrusion based solely on network traffic gives you an incomplete picture, especially if you are lacking full packet captures or if you have a large number of mobile users who do not always use your Internet connection.

  • Using DomainKeys Identified Mail (DKIM) to Protect your Email Reputation by Chris Murphy - August 20, 2013 

    DomainKeys Identified Mail (DKIM) was developed as a successor to the DomainKeys framework originally created by Yahoo!

  • Web Log Analysis and Defense with Mod_Rewrite Graduate Student Research
    by Rick Wanner - March 12, 2013 

    Anybody who has been tasked with defending a production web server has quickly realized that the volume of logs generated, often measuring in gigabytes or terabytes a day, defies analysis even with the use of a good event management solution.

  • Beating the IPS by Michael Dyrmose - March 12, 2013 

    Firewalls and Intrusion Prevention Systems (IPS) are core equipment in any enterprise or organization's network infrastructure.

  • An Analysis of the Snort Data Acquisition Modules by Christopher Murphy - November 8, 2012 

    Snort is an open-source Intrusion Detection System (IDS) that runs on Linux, UNIX, BSD variants and Windows.

  • Mitigating Browser Based Exploits through Behavior Based Defenses and Hardware Virtualization by Joseph Faust - October 7, 2011 

    There does not seem to be a day or week that goes by that one does not encounter a headline story about an organization being compromised and infiltrated by attackers.

  • Interception and Automating Blocking of Malicious Traffic Based on NDIS Intermediate Driver by Lee Ling Chuan - June 30, 2011 

    Over the past years, the number of malicious programs developed for illegal purposes has grown rapidly. The Monthly Malware Statistics, January 2011 (Zakorzhevsky, 2011) by Kaspersky Lab announced that there are over ten million viruses in circulation, most developed in January 2011.

  • Animal Farm: Protection From Client-side Attacks by Rendering Content With Python and Squid. Graduate Student Research
    by TJ OConnor - February 22, 2011 

    Client-side attacks target vulnerabilities in applications and continue to grow at a faster rate than operating system or server-side attacks (SANS, 2010). Server-side applications typically reside behind several server-side controls and, hopefully, intrusion detection and prevention systems. In contrast, client-side attacks target the application on the end-user machine. End-user workstations typically have considerably less protection and fewer intrusion detection mechanisms than the finer-grain server-side applications, and they have proven to be an attractive target for attackers. As a result, client-side vulnerabilities have offset server-side vulnerabilities since 2005 (CORE, 2010).

  • Reducing Organizational Risk Through Virtual Patching by Joseph Faust - January 11, 2011 

    Software patching for IT Departments across the organizational landscape has always been an integral part of maintaining functional, usable and stable software. Historically the traditional patch cycle has been focused on fixing or resolving issues which affect functionality. In recent years, with the advancement of more sophisticated and targeted threats which are occurring in quicker cycles, this focus is dramatically changing (Risk Assessment – Cisco, n.d.; Executive Office of The United States, 2005). Corporations and Government now have a greater understanding of potential losses and expenses incurred by not maintaining application security and are moving towards an increased focus on patching and security (Epstein, Grow & Tschang, 2008). With organizations’ reputations, consumer confidence and corporate secrets at risk, corporations and government are recognizing the need to shift and address vulnerabilities at a much faster pace than they historically have done so (Chan, 2004). Over roughly the last ten years, the length of time between the documentation of a given vulnerability in a piece of software and the development of an actual exploit that can take advantage of the weakness in the application has decreased tremendously. According to Andrew Jaquith, senior analyst at Yankee Group, the average time between vulnerability discovery and the release of exploit code is less than one week (“Shrinking time from,” 2006). It has also been identified that “99% of intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available” ("Risk reduction and.," 2010). Clearly these statistics alone can prove daunting for many businesses trying to keep pace and maintain proper defenses against the bad guys.

  • Detecting and Responding to Data Link Layer Attacks Graduate Student Research
    by TJ OConnor - October 15, 2010 

    In this paper, we examine techniques for identifying signatures and anomalies associated with attacks against the data link layer on both wired and wireless networks. Methods for signature-based detection and anomaly-based detection are not new. Intrusion detection systems such as SNORT are quite capable of detecting some of the known data link layer attacks and include a mechanism for integrating Intrusion Prevention System (IPS) solutions. This paper does not advocate against the use of these solutions in organizations. What we present can augment your existing capabilities by detecting attacks that may be blind to your IDS.

  • Smart IDS - Hybrid LaBrea Tarpit by Cristian Ruvalcaba - December 28, 2009 

    The importance of IDS in corporate defense is seen as an ever growing necessity. Major strides have been made for numerous IDS tools, but some have seen a stalemate. The next evolutionary step in IDS would involve the concept of a 'Smart Intrusion Detection System (IDS)', one that generates signatures. The question of how to generate these signatures becomes instrumental, and can involve a number of different components. In this case, it could involve a tool that uses a hybrid LaBrea concept.

  • A Multi-Perspective View of PHP Remote File Include Attacks by Dennis Schwarz - November 10, 2009 

    This paper describes the mechanics of a RFI (remote file include) attack by doing a code analysis and an attack walk through on a vulnerable application. Detecting an attack is discussed by writing sample IDS signatures and looking at related log files.

  • Efficiently Deducing IDS False Positives Using System Profiling by Michael Karwaski - November 9, 2009 

    Security Whitepaper: How to create a simple, static inventory database and compare security alerts to see if they relate to the host in question. This will allow for greater visibility into which alerts are actually relevant to the end users network.

  • Era of Spybots - A Secure Design Solution Using Intrusion Prevention Systems by Siva Kumar - October 23, 2008 

    This paper is presented in the form of a case study. It utilizes a fictitious company, GIAC Enterprises, a growing small retail company whose clients span the nation. In early spring GIACE was compromised with the Spybot worm which caused a business outage.

  • Intrusion Prevention with L7-Filter by Rui Santos - August 19, 2008 

    The possibility of using L7-filter as an Intrusion Prevention tool.

  • Intrusion Detection and Prevention In-sourced or Out-sourced by Vince Fitzparick - July 30, 2008 

    The goal of this paper is to compare the different aspects of in-sourced and outsourced intrusion detection and prevention solutions in the effort to properly ascertain the benefits and risks, thus helping an organization to make an informed decision when considering outsourcing intrusion detection.

  • Host Intrusion Prevention Systems and Beyond by Jonathan Chee - June 24, 2008 

    Host Intrusion Prevention Systems (HIPS) are becoming more of a necessity in any environment, home or enterprise. Host Intrusion Prevention Systems protect hosts from the network layer all the way up to the application layer, against known and unknown malicious attacks.

  • Network IDS & IPS Deployment Strategies by Nicholas Pappas - April 11, 2008 

    Information systems are more capable today than ever before. Society increasingly relies on computing environments ranging from simple home networks, commonly attached to high speed Internet connections, to the largest enterprise networks spanning the entire globe. Filing one's tax return, shopping online, banking online, or even reading news headlines posted on the Internet are all so convenient. This increased reliance and convenience, coupled with the fact that attacks are concurrently becoming more prevalent, has consequently elevated the need to have security controls in place to minimize risk as much as possible.

  • A Design for Building an IPS Using Open Source Products by Mike Smith - October 30, 2006 

    The goal of the research was to develop a design for an IPS that could be applied to any small to medium sized network.

  • Intrusion Detection on a Large Network by Jason Botwick - April 8, 2004 

    This paper will describe in detail the steps for setting up and managing an intrusion detection system across a large corporate network. It will begin with a discussion of the potential problems and benefits of the use of a NIDS on a large network.

  • A Summary of DoS/DDoS Prevention, Monitoring and Mitigation Techniques in a Service Provider Environment by Michael Glenn - September 26, 2003 

    This paper covers Denial of Service (DoS) and Distributed Denial of Service attacks (DDoS) and discusses techniques to prevent attacks including good security policies, new/updated product security testing, patch management, spoofed packet dropping (uRPF) and firewall/IDS/IPS deployment in a service provider environment.

  • Packet Level Normalisation by Ian Martin - July 29, 2003 

    This paper proposes that any Signature Based Passive Network Intrusion Detection (NID) deployment is incomplete without an 'In-line' 'Packet Level Normaliser' [1].

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.