
Risk Management

Featuring 37 Papers as of September 12, 2017

  • Securing Against the Most Common Vectors of Cyber Attacks (STI Graduate Student Research) by Richard Hummel - September 12, 2017

    Advanced Persistent Threat (APT) adversaries run highly targeted, multifaceted campaigns to exploit vulnerabilities either through holes in an organization's security implementation or by targeting the human element, which often involves social engineering. Financially motivated actors indiscriminately send mass spam emails in credential harvesting campaigns or deploy ransomware. These attack vectors are the most common against organizations of any size, but often have a greater impact on small to medium-sized businesses that may not have a robust security posture. As a security practitioner, it is imperative to posture an organization to prevent and mitigate the risk posed by these attacks. The Critical Security Controls (CSC) are the industry standard for securing an environment but may be costly and time-consuming to implement; also, some of them may not be as applicable to all organizations. In this study, the controls for Email and Web Browser Protection (CSC #7) and Security Skills Assessment and Appropriate Training to Fill Gaps (CSC #17) are examined to secure against threats seeking to take advantage of end users, the most common entry point for an attacker. This paper examines multiple real-world threats and how the CSCs can be applied to prevent compromises. The goal of this research is to inform and educate security practitioners at any stage of the business on best practices and to aid in implementing controls directly applicable to their end users.


  • Incentivizing Cyber Security: A Case for Cyber Insurance by Jason D. Christopher - June 27, 2017 

    In the wake of recent events (Ukraine, Shamoon v2, WannaCry), providing cyber security continues to be an enigma. Unlike traditional engineering problems, we cannot define the constraints and rules adequately. We lack the data and models to describe the variables, let alone the mathematical function. Read on for ideas on how ICS can benefit from cyber insurance.


  • A Black-Box Approach to Embedded Systems Vulnerability Assessment by Michael Horkan - December 5, 2016 

    Vulnerability assessment of embedded systems is becoming more important due to the security needs of the ICS/SCADA environment as well as the emergence of the Internet of Things (IoT). Often, these assessments are left to test engineers without intimate knowledge of the device's design, with no access to firmware source or tools to debug the device while testing. This gold paper will describe a test lab black-box approach to evaluating an embedded device's security profile and possible vulnerabilities. Open-source tools such as Burp Suite and Python scripts based on the Sulley Fuzzing Framework will be employed and described. The health status of the device under test will be monitored remotely over a network connection. I include a discussion of an IoT test platform, implemented for Raspberry Pi, and how to approach the evaluation of IoT using this device as an example.


  • Ransomware by Susan Bradley - October 3, 2016 

    On a daily basis, a file gets clicked. An email attachment gets opened. A website gets browsed. Seemingly normal actions in every office, on every personal computer, can suddenly become a ransomware incident if the file, attachment or banner ad was intended to infect a system, and all files that the user had access to, with ransomware. What was once a rare occurrence now impacts networks ranging from small businesses to large companies to governments.


  • Filling the Gaps by Robert Smith - August 18, 2016 

    There should be an emphasis on the importance of regular internal and external auditing, focusing on the business mentality of "It can't happen to me" and mitigating the risk of complacency. The key areas covered will be cementing assessments and audits as a benefit versus a reactive or troublesome activity, and the cost savings from regular auditing against the alternatives such as breaches and poor publicity. The world is full of technical and administrative compliance requirements; understanding where gaps are present is not something to be afraid of, but to readily embrace, acting upon those deficiencies. Thinking that you are compliant and knowing you are compliant can make a large difference in business longevity and profitability.


  • Realistic Risk Management Using the CIS 20 Security Controls (STI Graduate Student Research) by Andrew Baze - August 1, 2016

    Does your organization spend an inordinate amount of time “managing” risk, when the current state of security is known to be poor, with far too few resources available to deal with the top issues?


  • How to Target Critical Infrastructure: The Adversary Return on Investment from an Industrial Control System (STI Graduate Student Research) by Matthew Hosburgh - July 12, 2016

    Imagine a device that could decrypt all encryption—within seconds. A box with this capability could be one of the most valuable pieces of equipment for an organization, but even more valuable to an adversary. What if that box only worked against American encryption? If true, a particular market would be ripe for the harvest. A device that powerful could be used to decrypt secrets and data in transit, making encrypted data an adversary might have access to extremely valuable. Similarly, Critical Infrastructure is a target for some because of the yield that a successful attack could result in. Death, disruption or damage is a real possibility. The Return on Investment (ROI) and Return on Security Investment (ROSI) fall short in actually determining the level of protection required for an organization striving to protect the most sensitive data or system. The Adversary Return on Investment (AROI) is the missing piece to the equation. From the adversary’s vantage point, data, infrastructure or systems have value. By understanding this value, an organization can more appropriately align its security strategy, especially for the most critical infrastructure.


  • Managing Accepted Vulnerabilities (STI Graduate Student Research) by Tracy Brockman - May 20, 2016

    Every day a new vulnerability is discovered in a piece of code or software, and shortly afterwards there is news of a new virus, malware, or hack being used to exploit the vulnerability.


  • Extending your Business Network through a Virtual Private Network (VPN) (STI Graduate Student Research) by Kaleb Fornero - May 17, 2016

    It’s safe to assume that most individuals reading this paper have leveraged a Virtual Private Network (VPN) at some point in their life, many on a daily basis.


  • Quantifying Risk: Closing the Chasm Between Cybersecurity and Cyber Insurance (Analyst Paper) by Barbara Filkins - February 25, 2016

    Sponsored by PivotPoint Risk Analytics, in conjunction with Advisen.


  • Crossing the line: Joining forces with your customers by Jules Vandalon - February 24, 2016 

    Anyone who starts in the field of information security quickly gets familiar with setting up a secure architecture, setting up defense mechanisms and much more.


  • Applying Data Analytics on Vulnerability Data by Yogesh Dhinwa - December 23, 2015 

    An organization with services spread across the globe depends on information technology and information systems. Adoption and compliance of information security standards have become mandatory for many organizations, especially those working under government regulations.


  • Framework for Innovative Security Decisions by Ergash Karshiev - November 3, 2015 

    Remember the Periodic Table of chemical elements (Dayah, Dynamic Periodic Table, 1997)? It revolutionized chemistry and continues serving scientists daily. TRIZ is a similar resource for inventors and decision-makers.


  • eAUDIT: Designing a generic tool to review entitlements (STI Graduate Student Research) by Francois Begin - June 22, 2015

    In a perfect world, identity and access management would be handled in a fully automated way.


  • Is It Patched Or Is It Not? by Jason Simsay - April 23, 2015 

    Patch management tools may produce conflicting results.


  • Breaches Happen: Be Prepared (Analyst Paper) by Stephen Northcutt - October 14, 2014

    A whitepaper by SANS Analyst and Senior Instructor Stephen Northcutt. It describes how improved malware reporting and gateway monitoring, combined with security intelligence from both internal and external resources, helps organizations meet the requirements of frameworks such as the Critical Security Controls.


  • Risky Business (STI Graduate Student Research) by Robert Peter Sorensen - July 8, 2014

    Risk Management has evolved just like many other aspects of IT Security.


  • Risk, Loss and Security Spending in the Financial Sector: A SANS Survey (Analyst Paper) by Mark Hardy - March 26, 2014

    The survey identified key areas in which financial service employees and endpoints were most at risk, with direct losses resulting from internal abuse, spearphishing and botnet infections.


  • How to Win Friends and Remediate Vulnerabilities by Chad Butler - March 20, 2014 

    In today's era of rapid release development projects, finding vulnerabilities is not difficult.


  • Network and Endpoint Security "Get Hitched" for Better Visibility and Response (Analyst Paper) by Jerry Shenk - July 10, 2013

    How endpoint visibility, coordinated with network intelligence, can help identify threats not discovered by other means, determine the level of threat, recognize previously unknown threats and follow up with more accurate information for regulators and investigators.


  • SANS 2013 Critical Security Controls Survey: Moving From Awareness to Action (Analyst Paper) by John Pescatore - June 25, 2013

    A survey to determine how well the CSCs are known in government and private industry, how they are being used, and what we can learn from CSC implementations to date.


  • Reducing Risk Through Prevention: Implementing Critical Security Controls 1-4 (Analyst Paper) by James Tarala - June 12, 2013

    An examination of actual threats facing organizations today, the methods dedicated attackers use to compromise systems using the “intrusion kill chain” as a model, and specific defenses organizations can use to mitigate threats.


  • Own Your Network with Continuous Monitoring (Analyst Paper) by Jerry Shenk - September 10, 2012

    A look at what continuous monitoring is and how organizations can devise a solution that works for them.


  • Secure Configuration Management Demystified (Analyst Paper) by Dave Shackleford - August 2, 2012

    The paper shows how to use secure configuration concepts to reduce the overall attack surface, bring better coordination among groups within IT and elsewhere, and ultimately reduce the risk to your business by continuously improving the IT environment.


  • Streamline Risk Management by Automating the SANS 20 Critical Security Controls (Analyst Paper) by James Tarala - June 12, 2012

    Practical considerations for automating the 20 Critical Security Controls to create a more defensible network against these increasingly automated, persistent attacks.


  • Risk Assessment of Social Media by Robert Shullich - May 16, 2012 

    According to a September 2011 survey, 63% of respondents indicated “that employee use of social media puts their organization’s security at risk” while 29% “say they have the necessary security controls in place to mitigate or reduce the risk” (Ponemon Institute, 2011).


  • Reducing Federal Systems Risk with the SANS 20 Critical Controls (Analyst Paper) by G. Mark Hardy - April 22, 2012

    The 20CSCs: are they a better approach than the ten-year-old FISMA? And how will adoption ultimately enhance security and operations overall?


  • A Preamble Into Aligning Systems Engineering and Information Security Risk (STI Graduate Student Research) by Craig Wright - February 20, 2012

    This paper presents and extends the major statistical methods used in risk measurement and audit, and extends into other processes that are used within systems engineering (Elliott, Jeanblanc, & Yor, 2000).


  • Rationally Opting for the Insecure Alternative: Negative Externalities and the Selection of Security Controls (STI Graduate Student Research) by Craig Wright - September 19, 2011

    Absolute security does not exist, nor can it be achieved. The statement that a computer is either secure or not is logically falsifiable (Peisert & Bishop, 2007); all systems exhibit a level of insecurity.


  • Continuous Monitoring: What It Is, Why It Is Needed, and How to Use It (Analyst Paper) by E. Eugene Schultz, Ph.D. - June 17, 2011

    A review of continuous monitoring as defined by the NIST 800-137 guidelines.


  • Implementing the 20 Critical Controls with Security Information and Event Management (SIEM) Systems (Analyst Paper) by James Tarala - April 5, 2011

    This paper examines the top 20 controls, with advice on how to get started and an explanation of how SIEM systems can provide a central role in implementing the 20 critical controls effectively.


  • Measuring Psychological Variables of Control In Information Security by Josh More - January 12, 2011 

    “Perceived Control” is a core construct used in the psychology field that can be considered an aspect of empowerment (Eklund & Backstrom, 2006). Effectively, it is a measure of how much control people feel that they have, as opposed to the amount of “Actual Control” that they may have. It is often paired against constructs such as “Vicarious Control” and “Vicarious Perceived Control”, which measure the amount of control that outside entities have over the subject. Often, these are variables measured in the psychology/health field. For example, in the world of medicine, when patients report a lack of perceived control over controllable illnesses such as diabetes (Helgeson & Franzen, 1997), breast cancer (Helgeson, 1992) and heart disease (Helgeson, 1992), they often do more poorly than patients who feel that they have a greater sense of control over their illness. There is also evidence that students with high perceived control do substantially better academically than those with low perceived control, though this seems to also link with emotions surrounding the tasks at hand (Ruthig, Perry, Hladkyj, Hall, & Pekrun, 2008). In short, people who are interested in and excited by what they are doing tend to perform better.


  • Reducing Organizational Risk Through Virtual Patching by Joseph Faust - January 11, 2011 

    Software patching for IT departments across the organizational landscape has always been an integral part of maintaining functional, usable and stable software. Historically, the traditional patch cycle has been focused on fixing or resolving issues which affect functionality. In recent years, with the advancement of more sophisticated and targeted threats which are occurring in quicker cycles, this focus is dramatically changing (Risk Assessment – Cisco, n.d.; Executive Office of the United States, 2005). Corporations and government now have a greater understanding of the potential losses and expenses incurred by not maintaining application security and are moving towards an increased focus on patching and security (Epstein, Grow & Tschang, 2008). With organizations’ reputations, consumer confidence and corporate secrets at risk, corporations and government are recognizing the need to shift and address vulnerabilities at a much faster pace than they historically have done (Chan, 2004). Over roughly the last ten years, the length of time between the documentation of a given vulnerability in a piece of software and the development of an actual exploit that can take advantage of the weakness in the application has decreased tremendously. According to Andrew Jaquith, senior analyst at Yankee Group, the average time between vulnerability discovery and the release of exploit code is less than one week (“Shrinking time from,” 2006). It has also been identified that “99% of intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available” (“Risk reduction and,” 2010). Clearly, these statistics alone can prove daunting for many businesses trying to keep pace and maintain proper defenses against the bad guys.


  • A Question of Platinum Plus by Craig Wright - December 29, 2010 

    The fallacy of the black swan in risk has come full circle in information systems. Just as the deductive fallacy, “a dicto secundum quid ad dictum simpliciter”, allowed false assertions that black swans could not exist when they do, we see assertions that risk cannot be modeled without knowing all of the “black swans” that can exist. The falsity of the black swan argument derives from a deductive statement that “every swan I have seen is white, so it must be true that all swans are white”. The problem is that which one has seen is a subset of the entire set. One cannot have seen all swans.


  • McAfee Total Protection for Server Review (Analyst Paper) by Dave Shackleford - June 17, 2010

    This paper is a review of the type of security and compliance coverage McAfee Total Protection for Server provides for server endpoints.


  • Real-Time Adaptive Security (Analyst Paper) by Dave Shackleford - December 17, 2008

    With security actions based on context, intrusion systems can adapt to real-time threats like these while giving visibility into what to investigate, where to investigate, and even take or recommend action based on preset rules.


  • Monitoring Security and Performance on Converged Traffic Networks (Analyst Paper) by Dave Shackleford - April 23, 2008

    For security teams to be effective within today’s converged networks, network performance and security monitoring need to converge as well.


Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.