Thursday, April 21, 2011

SANS Basic Computer Security Whitepapers

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact
Featuring 77 papers as of Apr 21, 2011
PDF Measuring effectiveness in Information Security Controls
By: Manuel Humberto Santander Peláez (posted on July 6, 2010)
The risks in the business environment of companies and international regulations have made companies incorporate as business process the aspect of information security. Like all processes, it needs to get assigned resources and budget to ensure proper implementation. Because the objective of the security process is to minimize exposure to risk it is important to determine the effectiveness of the implemented controls. How do you measure if the security controls in place are effective? How do you justify the budget to augment or improve existing controls? It is important to show the organization that the requested funds will be invested in preventing the issues that can materialize an information risk against any of the core business processes. This paper illustrates how to define indicators to measure the exposure to information risks in the company processes.
PDF Preparing to face new vulnerabilities
By: Jacelyn Faucher (posted on June 25, 2008)
PDF Firefox VS Windows Internet Explorer
By: Robert Comella (posted on January 29, 2008)
In my years as an IT professional I cannot tell you the number of times I have had a client ask, “When you go online, do you use Internet Explorer? Are there any other choices? Are they better?” In the world of computers, indeed in most professions, it is rare that you can give a straight short answer to any question. Eagerly I answer the first two questions with “No” and “ABSOLUTELY!” Unfortunately the last is a little harder to answer and its best short answer is, “it depends.” That, of course, begs the question, “On what does it depend?” and that is what this paper examines.
PDF Computer Security Education – The Tool for Today
By: Ian Burke (posted on October 25, 2007)
PDF GCFW Practical Assignment Critique
By: Bart Hubbs (posted on March 9, 2005)
The purpose of this practical is to critique a GIAC Certified Firewall Analyst (GCFW) practical to enable implementation in a public healthcare company.
PDF Network Security- A Guide for Small and Mid-sized Businesses
By: Jim Hietala (posted on January 26, 2005)
The objective of this paper is to educate both IT staff and senior management for small-medium sized businesses (SMB's) as to the network security threats that exist. The paper presents a digest of industry best practices for network security, which will hopefully assist SMB's in setting priorities for securing the perimeter of a typical SMB network.
PDF Transmission Media Security
By: Charles Esparza (posted on January 18, 2005)
When studying for any security certification the topic of transmission media is always present, it is one of the many sources of attacks that can be made by exploiting the media that the transmissions are made over. In this paper I will discuss the various types of media commonly used to connect computers into networks and analyze the many vulnerabilities of the different media types.
PDF Introduction to Host Based Cyber Defense
By: Roy Nielsen (posted on January 17, 2005)
There is a lot of attention given in the computer security community to network security. Viruses, trojans, spyware and other malware come from the computer network. IT departments often concentrate on network firewalls, IDS and IPS systems to protect their network.
PDF The State of Patching Windows
By: Rafael Cappas (posted on July 25, 2004)
Patching is something that everyone tells you to do but find people really don't understand it. There was a time, not long ago, when security vulnerabilities became known and finding patches for them was difficult. One had to scour Usenet looking for further information and dig through FTP servers for fixes.
PDF Information Security For Churches and Small Non-Profit Organizations
By: Jay Petel (posted on April 8, 2004)
In today's ever changing, better, faster, cheaper world, connectivity to the Internet for churches and other small non-profit organizations is necessary. But, connectivity brings along with it a risk of vulnerability from the same threats that business and educational organizations face.
PDF The Use and Administration of Shared Accounts
By: David Johnson (posted on December 13, 2003)
This paper will discuss the use and security of shared accounts, and some of the associated risks of those uses.
PDF We're Lost, But We're Making Good Time!
By: Benjamin P. Grubin (posted on October 31, 2003)
Vulnerability scanning and intrusion detection technologies have made a huge on improving the information security profession, with metrics by which to judge the organizations security posture - which fosters a questionable level of safety and false sense of security.
PDF Cyberspace Guardians: A Brief Guide to the Recruitment and Training of Security Personnel
By: Amina Khattak Claassen (posted on October 31, 2003)
This paper is an overview of the recruitment and training of entry- and intermediate-level information technology (IT) security staff members (referenced here as "security analysts.")
PDF Keep Current With Little Time
By: Robert Taylor (posted on October 31, 2003)
This paper discusses various ways for security professionals to keep secure networks current with less time.
PDF Managing Desktop Security
By: Amran Bin Munir (posted on October 31, 2003)
This document describes the defense mechanism for security of desktops (including notebooks or laptops) in a network computing environment from the approach of security requirements among users, process of implementing and enforcing security policies and technology within an organization.
PDF Kiosks: The Interactive Media Solution, or is it?
By: Lisa T. Evans (posted on October 31, 2003)
This paper addresses the topic that kiosks utilizing computers require information systems support and security to protect both the business and the customer.
PDF Enhanced Security During Organizational Transitions
By: Denis R. Lynch (posted on October 31, 2003)
The purpose of this paper is to provoke discussion concerning the requirements for increased security during a period of transition, the threats faced by an organization as it goes through a period of change, as well as appropriate controls that could be implemented to mitigate the risks.
PDF Keeping the Private Intranet Private
By: Michael A. Wilson (posted on October 31, 2003)
This paper addresses security problems faced by intranet network administrators, how to control those access points and minimize the risk involved.
PDF Making the HelpDesk a Security Asset
By: Douglas Ridgeway (posted on October 31, 2003)
This paper addresses potential security risks with helpdesks, including social engineering, and various methods to reduce the risk of security incidents against the helpdesk.
PDF Defense In Depth
By: Todd McGuiness (posted on October 31, 2003)
This paper will look at three common scenarios, and likely methods for network attacks, and offer countermeasures to protect against these types of attacks.
PDF Security Architecture Model Component Overview
By: Scott M. Angelo (posted on October 31, 2003)
A successful security architecture combines a heterogeneous combination of policies and leading practices, technology, and a sound education and awareness program.
PDF Security Considerations for Extranets
By: Karen A. Korow-Diks (posted on October 31, 2003)
This paper identifies potential risks associated with extranets and the actions that can be taken to mitigate against them.
PDF Information Technology Department Network Security Briefing
By: Thad Nobuhara (posted on October 31, 2003)
This paper discusses the role in protecting the corporate network, and the devices connected to the Internet, including employee personal computing devices.
PDF The Password Web Page
By: Curt Kuper (posted on October 31, 2003)
It is important to pick good passwords and change them often. This paper addresses the benefits and merits of the password web page.
PDF Introducing Security to the Small Business Enterprise
By: Jeff Herbert (posted on October 31, 2003)
This discussion paper outlines the issues and constraints that a SBE faces, the common misconceptions managers have regarding Internet security, and how to introduce security to the Small Business Enterprise.
PDF Security - What is Enough?
By: Victoria England (posted on October 31, 2003)
This paper will look at the various layers of security businesses have on offer to them today, which will aid the security policy and look at why they should deploy them.
PDF The Cyber Security Management System: A Conceptual Mapping
By: John H. Dexter (posted on October 31, 2003)
This paper looks at the cyber security management process as a complex system of interrelated elements and demonstrates the use of concept mapping techniques to expand our knowledge of the system as a whole, and of policy and technology in particular.
PDF Security Lifecycle - Managing the Threat
By: Mark King (posted on October 31, 2003)
This paper addresses the security elements that make up a lifecycle, categorized into three areas, Prevention, Detection and Response and how they apply to the overall security posture of the organization.
PDF Obtaining Better Results from Distributed Environment Security Programs
By: Rhonda Cram Manter (posted on October 31, 2003)
This paper examines common barriers to achieving desired results from information security programs in mid-to-large-sized corporations.
PDF Protection of Information Assets
By: Odd Nilsen (posted on October 31, 2003)
This paper focuses on the protection of information assets, addressing both physical and logical access exposures and controls.
PDF The Need for a REAL Defensive Information Operations Capability
By: Mark J. Ruchie (posted on October 31, 2003)
This paper examines the need to significantly overhaul the current concept of protection of information in American business, incorporating the military model, referred as Defensive Information Operations (DIO).
PDF Implementing Defense in Depth at the University Level
By: G. Michael Runnels (posted on October 31, 2003)
This paper discusses how defense in depth was implemented at a university in the Southwest.
PDF A Certification and Accreditation Plan for Information Systems Security Programs (Evaluating the Eff
By: Brenda Dinges (posted on October 31, 2003)
This paper addresses the need for organizations to implement a comprehensive Information Systems Security Program (ISSP).
PDF Argentina: Preparing for a Security Violation
By: Raymond Hoffman (posted on October 31, 2003)
Regardless of whether a company is Argentine or an international organization with an Argentine presence, this paper addresses the fundamental need to understand the legal situation in Argentina, preparing the once-unprotected network, and knowing how to respond to a security violation.
PDF Change Control Process for Firewalls
By: Paul Maschak (posted on October 31, 2003)
This paper covers the fundamentals of Change Control and Procedures as it applies to the management of Firewalls.
PDF Implementing/Re-Implementing Change Control Policies
By: Derek P. Milroy (posted on October 31, 2003)
Implementing change control policies should be done with the same basic methodology as a technology implementation, broken down into four steps/phases: Analysis, Design, Implementation, and Follow-up.
PDF Hardening Bastion Hosts
By: Todd Jenkins (posted on October 31, 2003)
This paper discusses some of the benefits to using hardened bastion hosts.
PDF Vulnerability Assessment
By: Susan Cima (posted on October 31, 2003)
The intention of this paper is to provide an overview of the vulnerability assessment process from discovery to baseline standardization, why it's necessary and offer some assistance to those who want to perform a vulnerability assessment but do not know where to start.
PDF How To Secure Your Small To Medium Size Microsoft Based Network: A Generic Case Study
By: Jerry Goodman (posted on October 31, 2003)
This paper explains the basic process of securing a small to medium sized network utilizing some commonly used products and techniques, within a case study format.
PDF Plugging the holes! Your data is leaking OUT!
By: Robert G Downey (posted on October 31, 2003)
Data is essential to the development and success of a company and this paper discusses some of the obvious areas where data can leave the company.
PDF Security for Small and New IT Departments: Get Your Big Rocks In First
By: Greg Rolling (posted on October 31, 2003)
This paper will attempt to assist the small/single-person IS department in setting up and maintaining a secure environment while filling the many roles necessary to the company.
PDF I Think Our Internet Connection is Down
By: Raymond Hillen (posted on October 31, 2003)
The following is a "case analysis" of a real incident that was uncovered while trying to assist a small company with a supposed "down" Internet connection.
PDF AS/400 & iSeries: A Comprehensive Guide to Setting System Values to Common Best Practice Securit
By: Matthew R. Smith (posted on October 31, 2003)
The purpose of this document is to assist anyone configuring or auditing iSeries (formerly known as AS/400) system values.
PDF Espionage and the Insider
By: Steve Kipp (posted on October 31, 2003)
In every instance of espionage, the person involved had access to information. Understanding this, and the fact we have the ability to control access to computer file systems, is critical to protecting information.
PDF Toward Global Security
By: Paul Tremer (posted on October 31, 2003)
By implementing and enforcing strong, multi-layered security policies and processes, constructive progress can and will defeat global threats and malicious activities today and throughout time.
PDF A User's Guide to Security Threats on the Desktop
By: Richard D. Hagen (posted on October 31, 2003)
This paper is written for non-technical computer users who need to know the security risks of the Internet and how to protect their important digital information.
PDF IT Infrastructure Security-Step by Step
By: Karnail Singh (posted on October 31, 2003)
This paper documents the process and methodology for implementing computer security within corporate networks and describes the various aspects of security through a layered model.
PDF Facilitating the Qualitative Security Assessment: Overview of the Process of Defining and Delivering
By: Mike Kleckner (posted on October 31, 2003)
It is the intent of this paper to provide an overview of how to involve the appropriate decision makers and the solution providers in the delivery of cost-effective security controls for application systems.
PDF Extranets: The Weakest Link & Security
By: Slawomir Marcinkowski (posted on October 31, 2003)
This paper focuses on the management processes needed to secure an extranet.
PDF Users Wary of Microsoft's .NET
By: Jeffrey Hudack (posted on October 31, 2003)
This paper is written for non-technical computer users who need to know the security risks of the Internet and how to protect their important digital information.
PDF Digital Rights Management Overview
By: Austin Russ (posted on October 31, 2003)
This paper presents an overview of DRM issues addressed, standards, technology and service providers, challenges, and guidance for determining if DRM may be applicable to your organization.
PDF Oh Answer, Where Are Thou? or Gee, There's a Lot to Know
By: Jim Sherrill (posted on October 31, 2003)
This paper reviews the complex environment of information security and looks at several elements of security practices.
PDF A "Bag of Tricks" Approach to Proactive Security
By: Mitch Saba (posted on October 31, 2003)
The goal of this paper is to explore the tools, practices and procedures available to System Administrators prior to a security incident that will serve to negate the incident or significantly improve our recovery and forensic positions.
PDF Spyware & Network Security
By: Lester D. Cheveallier (posted on October 31, 2003)
When dealing with network security, a security professional's first concerns are who is trying to access the network and whether or not to allow access.
PDF Ten Days to Network Security
By: Paul A. Zocco (posted on October 31, 2003)
This paper will present ten days of effective tasks, with a quick task and long term task each day.
PDF Jekyll & Hyde in the Boardroom
By: David A. Nixon (posted on October 31, 2003)
Business success or failure can hinge on the business implementation of the Chief Technology Officer and the Chief Security Officer, two key IT management positions, discussed in this paper.
PDF The Weakest Link...This Is Not a Game!
By: Jack Daniels (posted on October 31, 2003)
More employees are using their home computers to do office work and security policy as well as education should address this situation by requiring Personal Firewalls and Anti-Virus software.
PDF Outline for a Successful Security Program
By: Jeff Norem (posted on October 31, 2003)
This paper is meant to give the reader an outline and high level view of security topics to examine when creating a network security program.
PDF Why Small Businesses Need to Secure Their Computers (and How to Do it!)
By: Bruce Diamond (posted on October 31, 2003)
This paper discusses why small businesses need to secure their computers and provides information on how to do it!
PDF The Computer Security Threat to Small and Medium Sized Businesses - A Manager's Primer
By: Michael A. Regan (posted on October 31, 2003)
This paper seeks to provide non-technical, easily understood, information for the business executive seeking to capitalize on the benefits provided by Internet access while at the same time protecting his internal network from viruses and hackers.
PDF Information Security Primer
By: Craig E. Lindner (posted on October 31, 2003)
This document discusses fundamental security concepts and architectures applicable to TCP/IP networks.
PDF Information Security 101: Security for Newbies
By: Frederick Kim (posted on October 31, 2003)
This paper provides a guide and a starting point to get a sense of what information security is all about.
PDF Manage your Security Initiative as a Project
By: Rex Robitschek (posted on October 31, 2003)
This paper has been geared toward project managers who already know the methodology, and is intended to give them tools that are pertinent for obtaining executive buy-in.
PDF Organizational IT Security Theory and Practice: And Never the Twain Shall Meet?
By: John Jenkins (posted on October 31, 2003)
This paper presents an overview of common information technology security practices, demonstrates how and why they can frequently be ineffective, and finishes with suggestions on how we might better equip ourselves to prevent, and recover from unnecessary disruptions in the future.
PDF Implementing a Successful Security Assessment Process
By: Bradley Hart (posted on October 31, 2003)
This paper describes implementing a successful security assessment process.
PDF Securing Network Infrastructure and Switched Networks
By: Richard Wagner (posted on October 31, 2003)
This paper describes how to secure a network infrastructure and switched networks.
PDF Implementing an Information Security Program
By: Kevin L. Nichols (posted on October 31, 2003)
This paper provides the fundamentals of implementing an Information Security Program.
PDF OK, So I Need Security. Where Do I Start?
By: Lyde Andrews (posted on October 31, 2003)
This paper is not designed to be an end-all solution to your problems, but it can be used to begin identifying and fixing some of the glaring (i.e., most easily compromised) security holes on your network and then what to do after that.
PDF A Paper on the Promotion of Application Security Awareness
By: Man-Sau Yi (posted on October 31, 2003)
Application security is not a new science and the same principles that apply to network security also apply to application security.
PDF Network Security Is Like Eating Crab's Legs - Is the Taste Worth the Effort?
By: Charles F. Romanus (posted on October 31, 2003)
This paper discusses the balance between network security, network functionality and ease of operation.
PDF Security from Scratch ... How to Achieve It
By: Alan Davies (posted on October 31, 2003)
Since there is no one technology or process that can be implemented in the name of total security, the aim is to develop a defense in depth strategy, as discussed in this paper.
PDF Managing Secure Data Delivery: A Data Roundhouse Model
By: Jim Farmer (posted on October 31, 2003)
The analogy of a traditional roundhouse, where railroad engineers manage and redirect the delivery of millions of tons of payload, reinforces the most important goal in the data delivery process: manage data securely from the start and secure it throughout its delivery all the way to its destination.
PDF Securing a Wide-Open Computer Network
By: Mark Andrich (posted on October 31, 2003)
This paper describes how to Secure a Wide-Open Computer Network.
PDF Basic Self-assessment: Go Hack Yourself
By: Barry Dowell (posted on October 31, 2003)
System administrators must not only be aware of the potential vulnerabilities inherent in their operating system and applications software, and know how to protect the network from these dangers, they must also put themselves in the mind of the attacker to assess network defenses before a successful attack is carried out.
PDF An Instant War, Just Add Chat: The Growth of Instant Messaging Technology
By: Jack Schiller (posted on October 31, 2003)
The purpose of this paper is to provide the reader with a rich synthesis of observations and ideas, encourage the reader to evaluate their current technological environment, and spur one to explore what additional work may need to be done in this security issue.
PDF Software Piracy- A challenge to E-world
By: Sundeep Bhasin (posted on October 31, 2003)
This paper provides insight to the levels of the society to which the menace of piracy has rooted itself, the cost and the impact of "illegal" software to the companies.
PDF The Bugs are Biting
By: Rishona Phillips (posted on August 8, 2003)
This paper will give a general overview of the problems and challenges of software mistakes and how they affect security.
