SANS Basic Computer Security Whitepapers

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

Featuring 77 papers as of Apr 21, 2011

 Measuring effectiveness in Information Security Controls

By: Manuel Humberto Santander Peláez (posted on July 6, 2010)

The risks in the business environment of companies and international regulations have made companies incorporate as business process the aspect of information security. Like all processes, it needs to get assigned resources and budget to ensure proper implementation. Because the objective of the security process is to minimize exposure to risk it is important to determine the effectiveness of the implemented controls. How do you measure if the security controls in place are effective? How do you justify the budget to augment or improve existing controls? It is important to show the organization that the requested funds will be invested in preventing the issues that can materialize an information risk against any of the core business processes. This paper illustrates how to define indicators to measure the exposure to information risks in the company processes.

 Preparing to face new vulnerabilities

By: Jacelyn Faucher (posted on June 25, 2008)

 Firefox VS Windows Internet Explorer

By: Robert Comella (posted on January 29, 2008)

In my years as an IT professional I can not tell you the number of times I have had a client ask, “When you go online, do you use Internet explorer? Are there any other choices? Are they better?” In the world of computers, indeed in most professions, it is rare that you can give a straight short answer to any question. Eagerly I answer the first two questions with “No” and “ABSOLUTELY!” Unfortunately the last is a little harder to answer and its best short answer is, “it depends.” That, of curse, begs the question, “On what does it depend?” and that is what this paper examines.

 Computer Security Education – The Tool for Today

By: Ian Burke (posted on October 25, 2007)

 GCFW Practical Assignment Critique

By: Bart Hubbs (posted on March 9, 2005)

The purpose of this practical is to critique a GIAC Certified Firewall Analyst (GCFW) practical to enable implementation in a public healthcare company.

 Network Security- A Guide for Small and Mid-sized Businesses

By: Jim Hietala (posted on January 26, 2005)

The objective of this paper is to educate both IT staff and senior management for small-medium sized businesses (SMB's) as to the network security threats that exist. The paper presents a digest of industry best practices for network security, which will hopefully assist SMB's in setting priorities for securing the perimeter of a typical SMB network.

 Transmission Media Security

By: Charles Esparza (posted on January 18, 2005)

When studying for any security certification the topic of transmission media is always present, it is one of the many sources of attacks that can be made by exploiting the media that the transmissions are made over. In this paper I will discuss the various types of media commonly used to connect computers into networks and analyze the many vulnerabilities of the different media types.

 Introduction to Host Based Cyber Defense

By: Roy Nielsen (posted on January 17, 2005)

There is a lot of attention given in the computer security community to network security. Viruses, trojans, spyware and other malware come from the computer network. IT departments often concentrate on network firewalls, IDS and IPS systems to protect their network.

 The State of Patching Windows

By: Rafael Cappas (posted on July 25, 2004)

Patching is something that everyone tells you to do but find people really don't understand it. There was a time, not long ago, when security vulnerabilities became known and finding patches for them were difficult. One had to scour Usenet looking for further information and dig through FTP servers for fixes.

 Information Security For Churches and Small Non-Profit Organizations

By: Jay Petel (posted on April 8, 2004)

In today's ever changing, better, faster, cheaper world, connectivity to the Internet for churches and other small non-profit organizations is necessary. But, connectivity brings along with it a risk of vulnerability from the same threats that business and educational organizations face.

 The Use and Administration of Shared Accounts

By: David Johnson (posted on December 13, 2003)

This paper will discuss the use and security of shared accounts, and some of associated risks of those uses.

 We're Lost, But We're Making Good Time!

By: Benjamin P. Grubin (posted on October 31, 2003)

Vulnerability scanning and intrusion detection technologies have made a huge on improving the information security profession, with metrics by which to judge the organizations security posture - which fosters a questionable level of safety and false sense of security.

 Cyberspace Guardians: A Brief Guide to the Recruitment and Training of Security Personnel

By: Amina Khattak Claassen (posted on October 31, 2003)

This paper is an overview of the recruitment and training of entry- and intermediate-level information technology (IT) security staff members (referenced here as "security analysts.")

 Keep Current With Little Time

By: Robert Taylor (posted on October 31, 2003)

This paper discusses various ways for security professionals to keep secure networks current with less time.

 Managing Desktop Security

By: Amran Bin Munir (posted on October 31, 2003)

This document describes the defense mechanism for security of desktops (including notebooks or laptops) in a network computing environment from the approach of security requirements among users, process of implementing and enforcing security policies and technology within an organization.

 Kiosks: The Interactive Media Solution, or is it?

By: Lisa T. Evans (posted on October 31, 2003)

This paper addresses the topic of kiosks utilizing computers require information systems support and security to protect both the business and the customer.

 Enhanced Security During Organizational Transitions

By: Denis R. Lynch (posted on October 31, 2003)

The purpose of this paper is to provoke discussion concerning the requirements for increased security during a period of transition, the threats faced by an organization as it goes through a period of change, as well as appropriate controls that could be implemented to mitigate the risks.

 Keeping the Private Intranet Private

By: Michael A. Wilson (posted on October 31, 2003)

This paper addresses security problems faced by intranet network administrators, how to control those access points and minimize the risk involved.

 Making the HelpDesk a Security Asset

By: Douglas Ridgeway (posted on October 31, 2003)

This paper address potential security risks with helpdesks including social engineering, and various methods to reduce the risk of security incidents against the helpdesk.

 Defense In Depth

By: Todd McGuiness (posted on October 31, 2003)

This paper will look at three common scenarios, and likely methods for network attacks, and offer countermeasures to protect against these types of attacks.

 Security Architecture Model Component Overview

By: Scott M. Angelo (posted on October 31, 2003)

A successful security architecture combines a heterogeneous combination of policies and leading practices, technology, and a sound education and awareness program.

 Security Considerations for Extranets

By: Karen A. Korow-Diks (posted on October 31, 2003)

This paper identifies potential risks associated with extranets and the actions that can be taken to mitigate against them.

 Information Technology Department Network Security Briefing

By: Thad Nobuhara (posted on October 31, 2003)

This paper discusses the role in protecting the corporate network, and the devices connected to the Internet, including employee personal computing devices.

 The Password Web Page

By: Curt Kuper (posted on October 31, 2003)

It is important to pick good passwords and change them often. This paper addresses the benefits and merits of the password web page.

 Introducing Security to the Small Business Enterprise

By: Jeff Herbert (posted on October 31, 2003)

This discussion paper outlines the issues and constraints that a SBE faces, the common misconceptions managers have regarding Internet security, and how to introduce security to the Small Business Enterprise.

 Security - What is Enough?

By: Victoria England (posted on October 31, 2003)

This paper will look at the various layers of security businesses have on offer to them today, which will aid the security policy and look at why they should deploy them.

 The Cyber Security Management System: A Conceptual Mapping

By: John H. Dexter (posted on October 31, 2003)

This paper looks at the cyber security management process as a complex system of interrelated elements and demonstrates the use of concept mapping techniques to expand our knowledge of the system as a whole, and of policy and technology in particular.

 Security Lifecycle - Managing the Threat

By: Mark King (posted on October 31, 2003)

This paper addresses the security elements that make up a lifecycle, categorized into three areas, Prevention, Detection and Response and how they apply to the overall security posture of the organization.

 Obtaining Better Results from Distributed Environment Security Programs

By: Rhonda Cram Manter (posted on October 31, 2003)

This paper examines common barriers to achieving desired results from information security programs in mid-to-large-sized corporations.

 Protection of Information Assets

By: Odd Nilsen (posted on October 31, 2003)

This paper focuses on the protection of information assets, addressing both physical and logical access exposures and controls.

 The Need for a REAL Defensive Information Operations Capability

By: Mark J. Ruchie (posted on October 31, 2003)

This paper examines the need to significantly overhaul the current concept of protection of information in American business, incorporating the military model, referred as Defensive Information Operations (DIO).

 Implementing Defense in Depth at the University Level

By: G.Michael Runnels (posted on October 31, 2003)

This paper discusses how defense in depth was implemented at a university in the Southwest.

 A Certification and Accreditation Plan for Information Systems Security Programs (Evaluating the Eff

By: Brenda Dinges (posted on October 31, 2003)

This paper addresses the need for organizations to implement a comprehensive Information Systems Security Program (ISSP).

 Argentina: Preparing for a Security Violation

By: Raymond Hoffman (posted on October 31, 2003)

Regardless of whether a company is Argentine or an international organization with an Argentine presence, this paper addresses the fundamental need to understand the legal situation in Argentina, preparing the once-unprotected network, and knowing how to respond to a security violation.

 Change Control Process for Firewalls

By: Paul Maschak (posted on October 31, 2003)

This paper covers the fundamentals of Change Control and Procedures as it applies to the management of Firewalls.

 Implementing/Re-Implementing Change Control Policies

By: Derek P. Milroy (posted on October 31, 2003)

Implementing change control policies should be done with the same basic methodology as a technology implementation, broken down into four steps/phases: Analysis, Design, Implementation, and Follow-up.

 Hardening Bastion Hosts

By: Todd Jenkins (posted on October 31, 2003)

This paper discusses some of the benefits to using hardened bastion hosts.

 Vulnerability Assessment

By: Susan Cima (posted on October 31, 2003)

The intention of this paper is to provide an overview of the vulnerability assessment process from discovery to baseline standardization, why it's necessary and offer some assistance to those who want to perform a vulnerability assessment but do not know where to start.

 How To Secure Your Small To Medium Size Microsoft Based Network: A Generic Case Study

By: Jerry Goodman (posted on October 31, 2003)

This paper explains the basic process of securing a small to medium sized network utilizing some commonly used products and techniques, within a case study format.

 Plugging the holes! Your data is leaking OUT!

By: Robert G Downey (posted on October 31, 2003)

Data is essential to the development and success of a company and this paper discusses some of the obvious areas where data can leave the company.

 Security for Small and New IT Departments: Get Your Big Rocks In First

By: Greg Rolling (posted on October 31, 2003)

This paper will attempt to assist the small/single-person IS department in setting up and maintaining a secure environment while filling the many roles necessary to the company.

 I Think Our Internet Connection is Down

By: Raymond Hillen (posted on October 31, 2003)

The following is a "case analysis" of a real incident that was uncovered while trying to assist a small company with a supposed "down" Internet connection.

 AS/400 & iSeries: A Comprehensive Guide to Setting System Values to Common Best Practice Securit

By: Matthew R. Smith (posted on October 31, 2003)

The purpose of this document is to assist anyone configuring or auditing iSeries (formerly known as AS/400) system values.

 Espionage and the Insider

By: Steve Kipp (posted on October 31, 2003)

In every instance of espionage, the person involved had access to information. Understanding this, and the fact we have the ability to control access to computer file systems, is critical to protecting information.

 Toward Global Security

By: Paul Tremer (posted on October 31, 2003)

By implementing and enforcing strong, multi-layered security policies and processes, constructive progress can and will defeat global threats and malicious activities today and throughout time.

 A User's Guide to Security Threats on the Desktop

By: Richard D. Hagen (posted on October 31, 2003)

This paper is written for non-technical computer users who need to know the security risks of the Internet and how to protect their important digital information.

 IT Infrastructure Security-Step by Step

By: Karnail Singh (posted on October 31, 2003)

This paper documents the process and methodology for implementing computer security within corporate networks and describes the various aspects of security through a layered model.

 Facilitating the Qualitative Security Assessment: Overview of the Process of Defining and Delivering

By: Mike Kleckner (posted on October 31, 2003)

It is the intent of this paper to provide an overview of how to involve the appropriate decision makers and the solution providers in the delivery of cost-effective security controls for application systems.

 Extranets: The Weakest Link & Security

By: Slawomir Marcinkowski (posted on October 31, 2003)

This paper focuses on the management processes needed to secure an extranet.

 Users Wary of Microsoft's .NET

By: Jeffrey Hudack (posted on October 31, 2003)

This paper is written for non-technical computer users who need to know the security risks of the Internet and how to protect their important digital information.

 Digital Rights Management Overview

By: Austin Russ (posted on October 31, 2003)

This paper presents an overview of DRM issues addressed, standards, technology and service providers, challenges, and guidance for determining if DRM may be applicable to your organization.

 Oh Answer, Where Are Thou? or Gee, There's a Lot to Know

By: Jim Sherrill (posted on October 31, 2003)

This paper reviews the complex environment of information security and looks at several elements of security practices.

 A "Bag of Tricks" Approach to Proactive Security

By: Mitch Saba (posted on October 31, 2003)

The goal of this paper is to explore the tools, practices and procedures available to System Administrators prior to a security incident that will serve to negate the incident or significantly improve our recovery and forensic positions.

 Spyware & Network Security

By: Lester D. Cheveallier (posted on October 31, 2003)

When dealing with network security, a security professional's first concerns are who is trying to access the network and whether or not to allow access.

 Ten Days to Network Security

By: Paul A. Zocco (posted on October 31, 2003)

This paper will present ten days of effective tasks, with a quick task and long term task each day.

 Jekyll & Hyde in the Boardroom

By: David A. Nixon (posted on October 31, 2003)

Business success or failure can hinge on the business implementation of the Chief Technology Officer and the Chief Security Officer, two key IT management positions, discusses in this paper.

 The Weakest Link...This Is Not a Game!

By: Jack Daniels (posted on October 31, 2003)

More employees are using their home computers to do office work and security policy as well as education should address this situation by requiring Personal Firewalls and Anti-Virus software.

 Outline for a Successful Security Program

By: Jeff Norem (posted on October 31, 2003)

This paper is meant to give the reader an outline and high level view of security topics to examine when creating a network security program.

 Why Small Businesses Need to Secure Their Computers (and How to Do it!)

By: Bruce Diamond (posted on October 31, 2003)

This paper discusses why small businesses need to secure their computers and provides information on how to do it!

 The Computer Security Threat to Small and Medium Sized Businesses -A Manager';s Primer

By: Michael A. Regan (posted on October 31, 2003)

This paper seeks to provide non-technical, easily understood, information for the business executive seeking to capitalize on the benefits provided by Internet access while at the same time protecting his internal network from viruses and hackers.

 Information Security Primer

By: CraigE. Lindner (posted on October 31, 2003)

This document discusses fundamental security concepts and architectures applicable to TCP/IP networks.

 Information Security 101: Security for Newbies

By: Frederick Kim (posted on October 31, 2003)

This paper provides a guide and a starting point to get a sense of what information security is all about.

 Manage your Security Initiative as a Project

By: Rex Robitschek (posted on October 31, 2003)

This paper has been geared toward project managers who already know the methodology, and is intended to give them tools that are pertinent for obtaining executive buy-in.

 Organizational IT Security Theory and Practice: And Never the Twain Shall Meet?

By: John Jenkins (posted on October 31, 2003)

This paper presents an overview of common information technology security practices, demonstrates how and why they can frequently be ineffective, and finishes with suggestions on how we might better equip ourselves to prevent, and recover from unnecessary disruptions in the future.

 Implementing a Successful Security Assessment Process

By: Bradley Hart (posted on October 31, 2003)

This paper describes implementing a successful security assessment process.

 Securing Network Infrastructure and Switched Networks

By: Richard Wagner (posted on October 31, 2003)

This paper describes how to secure a network infrastructure and switched networks.

 Implementing an Information Security Program

By: Kevin L. Nichols (posted on October 31, 2003)

This paper provides the fundamentals of implementing an Information Security Program.

 OK, So I Need Security. Where Do I Start?

By: Lyde Andrews (posted on October 31, 2003)

This paper is not designed to be an end-all solution to your problems, but it can be used to begin identifying and fixing some of the glaring (i.e.. most easily compromised) security holes on your network and then what to do after that.

 A Paper on the Promotion of Application Security Awareness

By: Man-Sau Yi (posted on October 31, 2003)

Application security is not a new science and the same principals that apply to network security also apply to application security.

 Network Security Is Like Eating Crab's Legs - Is the Taste Worth the Effort?

By: Charles F. Romanus (posted on October 31, 2003)

This paper discusses the balance between network security, network functionality and ease of operation.

 Security from Scratch ... How to Achieve It

By: Alan Davies (posted on October 31, 2003)

Since there is no one technology or process that can be implemented in the name of total security, the aim is to develop a defense in depth strategy, as discussed in this paper.

 Managing Secure Data Delivery: A Data Roundhouse Model

By: Jim Farmer (posted on October 31, 2003)

The analogy of a traditional roundhouse, where railroad engineers manage and redirect the delivery of millions of tons of payload, reinforces the most important goal in the data delivery process: manage data securely from the start and secure it throughout its delivery all the way to its destination.

 Securing a Wide-Open Computer Network

By: Mark Andrich (posted on October 31, 2003)

This paper describes how to Secure a Wide-Open Computer Network.

 Basic Self-assessment: Go Hack Yourself

By: Barry Dowell (posted on October 31, 2003)

System administrators must not only be aware of the potential vulnerabilities inherent in their operating system and applications software, and know how to protect the network from these dangers, they must also put themselves in the mind of the attacker to assess network defenses before a successful attack is carried out.

 An Instant War, Just Add Chat: The Growth of Instant Messaging Technology

By: Jack Schiller (posted on October 31, 2003)

The purpose of this paper is to provide the reader with a rich synthesis of observations and ideas, encourage the reader to evaluate their current technological environment, and spur one to explore what additional work may need to be done in this security issue.

 Software Piracy- A challenge to E-world

By: Sundeep Bhasin (posted on October 31, 2003)

This paper provides insight to the levels of the society to which the menace of piracy has rooted itself, the cost and the impact of "illegal" software to the companies.

 The Bugs are Biting

By: Rishona Phillips (posted on August 8, 2003)

This paper will give a general overview of the problems and challenges of software mistakes and how they affect security.

From  http://www.sans.org
Welcoem to http://www.mp4converter.net/