Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please email@example.com.
By: Manuel Humberto Santander Peláez (posted on July 6, 2010)
The risks in the business environment of companies and international regulations have made companies incorporate as business process the aspect of information security. Like all processes, it needs to get assigned resources and budget to ensure proper implementation. Because the objective of the security process is to minimize exposure to risk it is important to determine the effectiveness of the implemented controls. How do you measure if the security controls in place are effective? How do you justify the budget to augment or improve existing controls? It is important to show the organization that the requested funds will be invested in preventing the issues that can materialize an information risk against any of the core business processes. This paper illustrates how to define indicators to measure the exposure to information risks in the company processes.
In my years as an IT professional I cannot tell you the number of times I have had a client ask, “When you go online, do you use Internet Explorer? Are there any other choices? Are they better?” In the world of computers, indeed in most professions, it is rare that you can give a straight short answer to any question. Eagerly I answer the first two questions with “No” and “ABSOLUTELY!” Unfortunately the last is a little harder to answer and its best short answer is, “it depends.” That, of course, begs the question, “On what does it depend?” and that is what this paper examines.
The objective of this paper is to educate both IT staff and senior management for small-medium sized businesses (SMBs) as to the network security threats that exist. The paper presents a digest of industry best practices for network security, which will hopefully assist SMBs in setting priorities for securing the perimeter of a typical SMB network.
When studying for any security certification the topic of transmission media is always present; it is one of the many sources of attacks that can be made by exploiting the media that the transmissions are made over. In this paper I will discuss the various types of media commonly used to connect computers into networks and analyze the many vulnerabilities of the different media types.
There is a lot of attention given in the computer security community to network security. Viruses, trojans, spyware and other malware come from the computer network. IT departments often concentrate on network firewalls, IDS and IPS systems to protect their network.
Patching is something that everyone tells you to do but I find people really don't understand it. There was a time, not long ago, when security vulnerabilities became known and finding patches for them was difficult. One had to scour Usenet looking for further information and dig through FTP servers for fixes.
In today's ever changing, better, faster, cheaper world, connectivity to the Internet for churches and other small non-profit organizations is necessary. But, connectivity brings along with it a risk of vulnerability from the same threats that business and educational organizations face.
By: Benjamin P. Grubin (posted on October 31, 2003)
Vulnerability scanning and intrusion detection technologies have made a huge impact on improving the information security profession, with metrics by which to judge the organization's security posture - which fosters a questionable level of safety and false sense of security.
This document describes the defense mechanism for security of desktops (including notebooks or laptops) in a network computing environment from the approach of security requirements among users, process of implementing and enforcing security policies and technology within an organization.
The purpose of this paper is to provoke discussion concerning the requirements for increased security during a period of transition, the threats faced by an organization as it goes through a period of change, as well as appropriate controls that could be implemented to mitigate the risks.
This discussion paper outlines the issues and constraints that an SBE faces, the common misconceptions managers have regarding Internet security, and how to introduce security to the Small Business Enterprise.
This paper looks at the cyber security management process as a complex system of interrelated elements and demonstrates the use of concept mapping techniques to expand our knowledge of the system as a whole, and of policy and technology in particular.
This paper addresses the security elements that make up a lifecycle, categorized into three areas, Prevention, Detection and Response and how they apply to the overall security posture of the organization.
This paper examines the need to significantly overhaul the current concept of protection of information in American business, incorporating the military model, referred to as Defensive Information Operations (DIO).
Regardless of whether a company is Argentine or an international organization with an Argentine presence, this paper addresses the fundamental need to understand the legal situation in Argentina, preparing the once-unprotected network, and knowing how to respond to a security violation.
The intention of this paper is to provide an overview of the vulnerability assessment process from discovery to baseline standardization, why it's necessary and offer some assistance to those who want to perform a vulnerability assessment but do not know where to start.
In every instance of espionage, the person involved had access to information. Understanding this, and the fact we have the ability to control access to computer file systems, is critical to protecting information.
It is the intent of this paper to provide an overview of how to involve the appropriate decision makers and the solution providers in the delivery of cost-effective security controls for application systems.
The goal of this paper is to explore the tools, practices and procedures available to System Administrators prior to a security incident that will serve to negate the incident or significantly improve our recovery and forensic positions.
This paper seeks to provide non-technical, easily understood information for the business executive seeking to capitalize on the benefits provided by Internet access while at the same time protecting his internal network from viruses and hackers.
This paper presents an overview of common information technology security practices, demonstrates how and why they can frequently be ineffective, and finishes with suggestions on how we might better equip ourselves to prevent, and recover from unnecessary disruptions in the future.
This paper is not designed to be an end-all solution to your problems, but it can be used to begin identifying and fixing some of the glaring (i.e., most easily compromised) security holes on your network and then what to do after that.
The analogy of a traditional roundhouse, where railroad engineers manage and redirect the delivery of millions of tons of payload, reinforces the most important goal in the data delivery process: manage data securely from the start and secure it throughout its delivery all the way to its destination.
System administrators must not only be aware of the potential vulnerabilities inherent in their operating system and applications software, and know how to protect the network from these dangers, they must also put themselves in the mind of the attacker to assess network defenses before a successful attack is carried out.
The purpose of this paper is to provide the reader with a rich synthesis of observations and ideas, encourage the reader to evaluate their current technological environment, and spur one to explore what additional work may need to be done in this security issue.