SANS Institute: Reading Room

Architecting for Compliance: A Case Study in Mapping Controls to Security Frameworks Analyst Paper (requires membership in SANS.org community)
by Jake Williams - February 22, 2021

Associated Webcasts: Architecting for Compliance: Case Study in Mapping Controls to Security Frameworks
Sponsored By: Fortinet, Inc.

SANS reviewed Fortinet’s FortiGate product to test and highlight features and to identify how those features align with NIST 800-53v5 controls. This paper is intended to assist those considering the FortiGate product family—as well as those who may be unfamiliar with FortiGate—to understand its capabilities and how it will help them achieve their NIST 800-53v5 compliance goals. This is a companion paper to “Achieving NIST 800-53v5 Compliance with FortiGate: An Implementation Guide”.

Achieving NIST 800-53v5 Compliance with FortiGate: An Implementation Guide Analyst Paper (requires membership in SANS.org community)
by Jake Williams - February 22, 2021

Associated Webcasts: Architecting for Compliance: Case Study in Mapping Controls to Security Frameworks
Sponsored By: Fortinet, Inc.

Designed as a companion paper to “Architecting For Compliance: A Case Study in Mapping Controls to Security Frameworks,” this implementation guide seeks to show those considering deploying a FortiGate appliance in their networks whether a NIST 800-53v5 control family (or individual control) can be supported through the proposed deployment. For those who have already deployed a FortiGate appliance, this implementation guide can be used as a tool to validate that the organization is getting the best value possible from the deployment.

Managing ICS Security with IEC 62443 by Jason Dely - December 2, 2020

Associated Webcasts: Understanding IEC 62443: An Overview of the Standard, Its Deployment and How to Use Fortinet Products for Compliance
Sponsored By: Fortinet, Inc.

In this followup to “Effective ICS Cybersecurity Using the IEC 62443 Standard,” this paper examines how to use the Standard to strategically reduce ICS cybersecurity risk.

Effective ICS Cybersecurity Using the IEC 62443 Standard Analyst Paper (requires membership in SANS.org community)
by Jason Dely - November 17, 2020

Associated Webcasts: Understanding IEC 62443: An Overview of the Standard, Its Deployment and How to Use Fortinet Products for Compliance
Sponsored By: Fortinet, Inc.

IEC 62443 is the global standard for the security of ICS networks, designed to help organizations reduce the risk of failure and exposure of ICS networks to cyberthreats. This paper explores how that standard can provide guidance to enterprises looking to choose and implement technical security capabilities. It also addresses how Fortinet's layered solutions may help asset owners and system integrators reach IEC 62443 compliance.

The SANS Guide to Evaluating Attack Surface Management Analyst Paper (requires membership in SANS.org community)
by Pierre Lidome - October 26, 2020

Associated Webcasts: The SANS Guide to Evaluating Attack Surface Management
Sponsored By: Randori

This guide provides an overview of the benefits and limitations of attack surface management and actionable guidance for organizations looking to evaluate an ASM solution.

Enabling NIS Directive Compliance with Fortinet for Operational Technology Analyst Paper (requires membership in SANS.org community)
by Jason D. Christopher - September 1, 2020

Associated Webcasts: Aligning Your Security Program with the NIS Directive
Sponsored By: Fortinet, Inc.

The NIS Directive, adopted by the European Parliament in 2016, addresses the security of network and information systems within the EU. It also sets forth best practices to encourage better cyberrisk mitigation and incident identification and notification. This whitepaper examines how Fortinet solutions can help comply with the NIS Directive.

Aligning Your Security Program with the NIS Directive Analyst Paper (requires membership in SANS.org community)
by Matt Bromiley - August 16, 2020

Sponsored By: Fortinet, Inc.

The NIS Directive, adopted by the European Parliament in 2016, addresses the security of network and information systems within the EU. It also sets forth best practices to encourage better cyberrisk mitigation and incident identification and notification. This whitepaper explores various measures of the NIS Directive and how to align your organization�s security posture with those measures.

Show Business Benefit by Moving to Risk-Based Vulnerability Management Analyst Paper (requires membership in SANS.org community)
by John Pescatore - August 10, 2020

Associated Webcasts: How to Show Business Benefit by Moving to Risk-Based Vulnerability Management
Sponsored By: Tenable

This paper provides SANS advice for actionable steps to enable security managers to reduce risk and demonstrate business value by increasing the maturity and effectiveness of their vulnerability management processes and controls. It also suggests key questions to ask of product and service providers to select the best approach for an organization.

Securing Assets Using Micro-Segmentation: A SANS Review of Guardicore Centra Analyst Paper (requires membership in SANS.org community)
by Dave Shackleford - June 29, 2020

Associated Webcasts: Securing Assets Using Micro-Segmentation: A SANS Review of Guardicore Centra
Sponsored By: Guardicore LTD

Organizations are taking advantage of digital transformation in their quest to boost agility and shrink infrastructure costs. However, this transformation often comes at a cost: a larger, more complex security attack surface. Guardicore Centra aims to provide a simpler, faster way to reduce attack surfaces and prevent lateral movement in an IT environment via micro-segmentation security policies. In this product review, SANS analyst Dave Shackleford shares his experience of putting Centra through its paces.

ICS Asset Identification: It's More Than Just Security Analyst Paper (requires membership in SANS.org community)
by Mark Bristow - June 24, 2020

Associated Webcasts: ICS Asset Identification: It\'s More Than Just Security: A SANS Report ICS Asset Identification: It�s More Than Just Security: A SANS Panel Discussion
Sponsored By: Cisco Systems Inc. Tenable Palo Alto Networks PAS

Historically, asset identification has been associated with time-consuming and costly cybersecurity efforts. In this new SANS report, Mark Bristow, SANS ICS Active Defense and Incident Response certified instructor, explores critical resources needed to start an asset identification program. The author also explains how asset Identification can enhance ROI through such benefits as improved maintenance, reduced mean-time-to-repair, and increased availability.

Workforce Transformation: Challenges, Risks and Opportunities Analyst Paper (requires membership in SANS.org community)
by David Hazar - December 17, 2019

Associated Webcasts: Workforce Transformation and Risk: A SANS Survey Workforce Transformation and Risk: A SANS Survey
Sponsored By: RSA

Shifts in globalization, demographics, work styles and work sourcing are transforming the way companies manage their businesses. In this survey, SANS, in cooperation with RSA, examines the risk factors associated with workforce transformation, what organizations are most concerned about, and what organizations are doing to mitigate risks.

JumpStart Guide to Investigations and Cloud Security Posture Management in AWS Analyst Paper (requires membership in SANS.org community)
by Kyle Dickinson - November 8, 2019

Associated Webcasts: JumpStart Guide to Security Investigations and Posture Management in Amazon Web Services
Sponsored By: Barracuda Networks AWS Marketplace

Cloud security posture management ( CSPM) has gained popularity as organizations move to a cloud-first mentality. CSPM enables efficient investigations because it centralizes data sources that provide operational and security insight. When an organization moves to the cloud, the security team needs visibility into its AWS accounts, which can be a complex undertaking. This paper focuses on the tactics that can aid in an investigation.

Cyber Protectionism: Global Policies are Adversely Impacting Cybersecurity SANS.edu Graduate Student Research
by Erik Avery - August 21, 2019

Cyber Protectionist policies are adversely impacting global cybersecurity despite their intent to mitigate threats to national security. These policies threaten the information security community by generating effects which increase the risk to the networks they are intended to protect. International product bans, data-flow restrictions, and increased internet-enabled crime are notable results of protectionist policies � all of which may be countered through identifying protectionist climates and subsequent threat. Analyzed historical evidence facilitates a metrics-based comparison between protectionist climate and cybersecurity threats to comprise the Cyber Protectionist Risk Matrix - a risk framework that establishes a new cybersecurity industry standard.

Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged - Discover and Defend Your Assets Analyst Paper (requires membership in SANS.org community)
by Doug Wylie and Dean Parsons - September 26, 2018

Associated Webcasts: Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged--Discover and Defend Your Assets
Sponsored By: Tenable

The benefits derived from information technology (IT) and operational technology (OT) convergence are enabling more effective management of contemporary control systems. However, the unique challenges of IT/OT convergence make managing and securing an industrial control system (ICS) more difficult. This paper explores how industrial and information system administrators can build stronger cybersecurity programs to protect IT/OT systems.

Breach Avoidance: It Can Be Done, It Needs to Be Done Analyst Paper (requires membership in SANS.org community)
by John Pescatore - September 10, 2018

Associated Webcasts: Breach Avoidance: Yes, You Can!
Sponsored By: Balbix

Almost every day it seems like the press is reporting on yet another security breach. Some breaches expose sensitive business and customer information, while others bring down business operations. But breaches are not inevitable. By implementing security processes and controls to proactively identify and remove or mitigate vulnerabilities, today�s companies, even those with limited staff and budgets, can avoid or limit business damage by prioritizing security efforts.

Securing Against the Most Common Vectors of Cyber Attacks SANS.edu Graduate Student Research
by Richard Hummel - September 12, 2017

Advanced Persistent Threat (APT) adversaries run highly targeted, multifaceted campaigns to exploit vulnerabilities either through holes in an organization's security implementation or by targeting the human element which often uses social engineering. Financially motivated actors indiscriminately send mass spam emails in credential harvesting campaigns or deploy ransomware. These attack vectors are the most common against organizations of any size, but often have a greater impact on small to medium-sized business that may not have a robust security posture. As a security practitioner, it is imperative to posture an organization to prevent and mitigate the risk posed by these attacks. The Critical Security Controls (CSC) is the industry standard for securing an environment but may be costly and time-consuming to implement; also, some of them may not be as applicable to all organizations. In this study, the controls for Email and Web Browser Protection (#7) and Security Skills Assessment and Appropriate Training to Fill Gaps (CSC #17) are examined to secure against threats seeking to take advantage of end users, the most common entry point for an attacker. This paper examines multiple real-world threats and how the CSCs can be applied to prevent compromises. The goal of this research is to inform and educate security practitioners at any stage of the business on best practices and to aid in implementing controls directly applicable to their end users.

Incentivizing Cyber Security: A Case for Cyber Insurance by Jason D. Christopher - June 27, 2017

In the wake of recent events-Ukraine, Shamoon v2, WannaCry--providing cyber security continues to be an enigma. Unlike traditional engineering problems, we cannot define the constraints and rules adequately. We lack the data and models to describe the variables, let alone the mathematical function. Read on for ideas on how ICS can benefit from cyber insurance.

A Black-Box Approach to Embedded Systems Vulnerability Assessment by Michael Horkan - December 5, 2016

Vulnerability assessment of embedded systems is becoming more important due to security needs of the ICS/SCADA environment as well as the emergence of the Internet of Things (IoT). Often, these assessments are left to test engineers without intimate knowledge of the device's design, no access to firmware source or tools to debug the device while testing. This gold paper will describe a test lab black-box approach to evaluating an embedded device's security profile and possible vulnerabilities. Open-source tools such as Burp Suite and python scripts based on the Sulley Fuzzing Framework will be employed and described. The health status of the device under test will be monitored remotely over a network connection. I include a discussion of an IoT test platform, implemented for Raspberry Pi, and how to approach the evaluation of IoT using this device as an example.

Ransomware by Susan Bradley - October 3, 2016

On a daily basis, a file gets clicked. An email attachment gets opened. A website gets browsed. Seemingly normal actions in every office, on every personal computer, can suddenly become a ransomware incident if the file or attachment or banner ad was intended to infect a system and all files that the user had access to by ransomware. What was once a rare occurrence, now impacts networks ranging from small businesses to large companies to governments.

Filling the Gaps by Robert Smith - August 18, 2016

There should be an emphasis on the importance of regular internal and external auditing focusing on the business mentality of "It can't happen to me" and mitigating the risk of complacency. The key areas covered will be cementing assessments and audits as a benefit versus a reactive or troublesome activity. The cost savings from regular auditing against the alternatives such as breaches and poor publicity. The world is full of technical and administrative compliance requirements, understanding where gaps are present is not something to be afraid of, but to readily embrace and act upon those deficiencies. Thinking that you are compliant and knowing you are compliant can make a large difference in business longevity and profitability.

Realistic Risk Management Using the CIS 20 Security Controls SANS.edu Graduate Student Research
by Andrew Baze - August 1, 2016

Does your organization spend an inordinate amount of time �managing� risk, when the current state of security is known to be poor, with far too few resources available to deal with the top issues?

How to Target Critical Infrastructure: The Adversary Return on Investment from an Industrial Control System SANS.edu Graduate Student Research
by Matthew Hosburgh - July 12, 2016

Imagine a device that could decrypt all encryption�within seconds. A box with this capability could be one of the most valuable pieces of equipment for an organization, but even more valuable to an adversary. What if that box only worked against American encryption? If true, a particular market would be ripe for the harvest. A device that powerful could be used to decrypt secrets and data in transit, making encrypted data an adversary might have access to, extremely valuable. Similarly, Critical Infrastructure is a target for some because of the yield that a successful attack could result in. Death, disruption or damage is a real possibility. The Return on Investment (ROI) and Return on Security Investment (ROSI) fall short in actually determining the level of protection required for an organization striving to protect the most sensitive data or system. The Adversary Return on Investment (AROI) is the missing piece to the equation. From the adversary�s vantage point, data, infrastructure or systems have value. By understanding this value an organization can more appropriately align its security strategy; especially, for the most critical infrastructure.

Managing Accepted Vulnerabilities SANS.edu Graduate Student Research
by Tracy Brockman - May 20, 2016

Every day a new vulnerability is discovered in a piece of code or software and shortly afterwards the news of a new virus, malware, or hack is being used to exploit the vulnerability.

Extending your Business Network through a Virtual Private Network (VPN) SANS.edu Graduate Student Research
by Kaleb Fornero - May 17, 2016

It�s safe to assume that most individuals reading this paper have leveraged a Virtual Private Network (VPN) at some point in their life, many on a daily basis.

Quantifying Risk: Closing the Chasm Between Cybersecurity and Cyber Insurance Analyst Paper (requires membership in SANS.org community)
by Barbara Filkins - February 25, 2016

Sponsored By: PivotPoint Risk Analytics

Sponsored by PivotPoint Risk Analytics, in conjunction with Advisen.

Crossing the line: Joining forces with your customers by Jules Vandalon - February 24, 2016

Anyone who starts in the field of information security quickly gets familiar with setting up a secure architecture, setting up defense mechanisms and much more.

Applying Data Analytics on Vulnerability Data by Yogesh Dhinwa - December 23, 2015

An organization with services spread across the globe depends on information technology and information systems. Adoption and compliance of information security standards have become mandatory for many organizations, especially those working under government regulations.

Framework for Innovative Security Decisions by Ergash Karshiev - November 3, 2015

Remember the Periodic Table of chemical elements (Dayah, Dynamic Periodic Table, 1997)? It revolutionized chemistry and continues serving scientists daily. TRIZ is a similar resource for inventors and decision-makers.

eAUDIT: Designing a generic tool to review entitlements SANS.edu Graduate Student Research
by Francois Begin - June 22, 2015

In a perfect world, identity and access management would be handled in a fully automated way.

Is It Patched Or Is It Not? by Jason Simsay - April 23, 2015

Patch management tools may produce conflicting results.

Breaches Happen: Be Prepared Analyst Paper (requires membership in SANS.org community)
by Stephen Northcutt - October 14, 2014

Associated Webcasts: Breaches Happen: Be Prepared
Sponsored By: Symantec

A whitepaper by SANS Analyst and Senior Instructor Stephen Northcutt. It describes how improved malware reporting and gateway monitoring, combined with security intelligence from both internal and external resources, helps organizations meet the requirements of frameworks such as the Critical Security Controls.

Risky Business SANS.edu Graduate Student Research
by Robert Peter Sorensen - July 8, 2014

Risk Management has evolved just like many other aspects of IT Security.

Risk, Loss and Security Spending in the Financial Sector: A SANS Survey Analyst Paper (requires membership in SANS.org community)
by Mark Hardy - March 26, 2014

Associated Webcasts: Risks, Threats and Preparedness: Part I of the SANS Financial Services Survey
Sponsored By: Forescout Technologies BV Cisco Systems Inc. Tenable Blue Coat Systems, Inc. Raytheon | Websense FireEye

Survey identified key areas in which financial service employees and endpoints were most at risk, with direct losses resulting from internal abuse, spearphishing and botnet infections.

How to Win Friends and Remediate Vulnerabilities by Chad Butler - March 20, 2014

In today's era of rapid release development projects, finding vulnerabilities is not difficult.

Network and Endpoint Security "Get Hitched" for Better Visibility and Response Analyst Paper (requires membership in SANS.org community)
by Jerry Shenk - July 10, 2013

Associated Webcasts: Network and Endpoint Security "Get Hitched" for Better Visibility and Response
Sponsored By: Carbon Black

How endpoint visibility, coordinated with network intelligence, can help identify threats not discovered by other means, determine the level of threat, recognize previously unknown threats and follow up with more accurate information for regulators and investigators.

SANS 2013 Critical Security Controls Survey: Moving From Awareness to Action Analyst Paper (requires membership in SANS.org community)
by John Pescatore - June 25, 2013

Sponsored By: Tenable Symantec EiQnetworks FireEye IBM

Survey to determine how well the CSCs are known in government and private industry, how they are being used and what can we learn from CSC implementations to date.

Reducing Risk Through Prevention: Implementing Critical Security Controls 1-4 Analyst Paper (requires membership in SANS.org community)
by James Tarala - June 12, 2013

Associated Webcasts: Leveraging the First Four Critical Security Controls for Holistic Improvements
Sponsored By: Tripwire, Inc.

Examination of actual threats facing organizations today, methods dedicated attackers use to compromise systems using the �intrusion kill chain� as a model and specific defenses organizations can use to mitigate threat.

Own Your Network with Continuous Monitoring Analyst Paper (requires membership in SANS.org community)
by Jerry Shenk - September 10, 2012

Sponsored By: Tripwire, Inc.

A look at what continuous monitoring is and how organizations can devise a solution that works for them.

Secure Configuration Management Demystified Analyst Paper (requires membership in SANS.org community)
by Dave Shackleford - August 2, 2012

Sponsored By: Tripwire, Inc.

Paper shows how to use secure configuration concepts to reduce the overall attack surface, bring better coordination among groups within IT and elsewhere, and ultimately reduce the risk to your business by continuously improving the IT environment.

Streamline Risk Management by Automating the SANS 20 Critical Security Controls Analyst Paper (requires membership in SANS.org community)
by James Tarala - June 12, 2012

Sponsored By: FireEye

Practical considerations for automating the 20 Critical Security Controls to create a more defensible network against these increasingly automated, persistent attacks.

Risk Assessment of Social Media by Robert Shullich - May 16, 2012

According to a September 2011 survey, 63% respondents indicated �that employee use of social media puts their organization�s security at risk" while 29% "say they have the necessary security controls in place to mitigate or reduce the risk" (Ponemon Institute, 2011).

Reducing Federal Systems Risk with the SANS 20 Critical Controls Analyst Paper (requires membership in SANS.org community)
by G. Mark Hardy - April 22, 2012

Sponsored By: Tripwire, Inc. Patriot Technologies

The 20CSCs: are they a better approach than the ten-year-old FISMA? And how will adoption ultimately enhance security and operations overall?

Rationally Opting for the Insecure Alternative: Negative Externalities and the Selection of Security Controls SANS.edu Graduate Student Research
by Craig Wright - September 19, 2011

Absolute security does not exist and nor can it be achieved. The statement that a computer is either secure or not is logically falsifiable (Peisert & Bishop, 2007), all systems exhibit a level of insecurity.

Continuous Monitoring: What It Is, Why It Is Needed, and How to Use It Analyst Paper (requires membership in SANS.org community)
by E. Eugene Schultz, Ph.D. - June 17, 2011

Sponsored By: Tripwire, Inc.

A review of continuous monitoring as defined by the NIST 800-137 guidelines.

Implementing the 20 Critical Controls with Security Information and Event Management (SIEM) Systems Analyst Paper (requires membership in SANS.org community)
by James Tarala - April 5, 2011

Sponsored By: ArcSight, an HP Company

This paper examines the top 20 controls, with advice on how to get started and an explanation of how SIEM systems can provide a central role in implementing the 20 critical controls effectively.

Measuring Psychological Variables of Control In Information Security by Josh More - January 12, 2011

�Perceived Control� is a core construct used in the psychology field that can be considered an aspect of empowerment (Eklund, & Backstrom, 2006). Effectively, it is a measure of how much control people feel that they have, as opposed to the amount of �Actual Control� that they may have. It is often paired against constructs such as �Vicarious Control� and �Vicarious Perceived Control�, which measure the amount of control that outside entities have over the subject. Often, these are variables measured in the psychology/health field. For example, in the world of medicine, when patients report a lack of perceived control over controllable illnesses such as diabetes (Helgeson, & Franzen, 1997), breast cancer (Helgeson, 1992) and heart disease (Helgeson, 1992), they often do more poorly than patients who feel that they have a greater sense of control over their illness. There is also evidence that students with high perceived control do substantially better academically than those with low, though this seems to also link with emotions surrounding the tasks at hand (Ruthig, Perry, Hladkyj, Hall, & Pekrun, 2008). In short, people who are interested in and excited by what they are doing tend to perform better.

Reducing Organizational Risk Through Virtual Patching by Joseph Faust - January 11, 2011

Software patching for IT Departments across the organizational landscape has always been an integral part of maintaining functional, usable and stable software. Historically the traditional patch cycle has been focused on fixing or resolving issues which affect functionality. In recent years, with the advancement of more sophisticated and targeted threats which are occurring in quicker cycles, this focus is dramatically changing. (Risk Assessment � Cisco, n.d.; Executive Office of The United States, 2005) . Corporations and Government now have a greater understanding of potential losses and expenses incurred by not maintaining application security and are moving towards an increased focus on patching and security (Epstein, Grow & Tschang, 2008). With organizations� reputations, consumer confidence and corporate secrets at risk, corporations and government are recognizing the need to shift and address vulnerabilities at a much faster pace than they historically have done so (Chan, 2004). Over roughly the last ten years, the length of time between the documentation of a given vulnerability in a piece of software and the development of an actual exploit that can take advantage of the weakness in the application, has decreased tremendously. According to Andrew Jaquith, senior analyst at Yankee Group, the average time between vulnerability discovery and the release of exploit code is less than one week. (�Shrinking time from,� 2006). It has also been identified that �99% of intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available� ("Risk reduction and.," 2010) . Clearly these statistics alone can prove daunting for many businesses trying to keep pace and maintain proper defenses against the bad guys.

A Question of Platinum Plus by Craig Wright - December 29, 2010

The fallacy of the black swan in risk has come full circle in information systems. Just as the deductive fallacy, �a dicto secundum quid ad dictum simpliciter2� allowed false assertions that black swans could not exist when they do, we see assertions that risk cannot be modeled without knowing all of the �black swans‟ that can exist. The falsity of the black swan argument derives from a deductive statement that �every swan I have seen is white, so it must be true that all swans are white�. The problem is that which one has seen is a subset of the entire set. One cannot have seen all swans.

McAfee Total Protection for Server Review Analyst Paper (requires membership in SANS.org community)
by Dave Shackleford - June 17, 2010

Sponsored By: Mcafee LLC

This paper is a review of the type of security and compliance coverage McAfee Total Protection for Server provides for server endpoints.

Real-Time Adaptive Security Analyst Paper (requires membership in SANS.org community)
by Dave Shackleford - December 17, 2008

Sponsored By: Cisco Systems Inc.

With security actions based on context, intrusion systems can adapt to real-time threats like these while giving visibility into what to investigate, where to investigate, and even take or recommend action based on preset rules.

Monitoring Security and Performance on Converged Traffic Networks Analyst Paper (requires membership in SANS.org community)
by Dave Shackleford - April 23, 2008

Sponsored By: NIKSUN

For security teams to be effective within today�s converged networks, network performance and security monitoring need to converge as well.

Reading Room

Risk Management

Latest Whitepapers

Latest Tweets @SANSInstitute

Contact Us