
Reading Room


More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,720 original computer security white papers in 105 different categories.

Latest 25 Papers Added to the Reading Room

  • Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform Analyst Paper
    by Dave Shackleford - October 17, 2017 in Security Awareness, Threats/Vulnerabilities, Tools

    SANS Analyst Dave Shackleford presents his experience reviewing Endgame's Managed Detection and Response Services under real-world threats in a simulated environment.

  • Online Safety in a Foreign Language - Connecting with Teens by Chris Elgee - October 16, 2017 in Security Awareness

    The inescapable dangers of our increasingly connected world are likely most threatening to our young adults. Teens, especially, see social media and related online platforms as inextricable from their public and private personas. These digital natives have grown up being comfortable with sharing all aspects of their lives with the Internet - without the healthy suspicion and caution of those who have seen the technology grow over the years. With the importance of protecting our teenage Internet denizens apparent, it falls to parents, teachers, and industry professionals to effectively educate this group. What follows are tested methods and associated research on relating to and informing teenagers so they might understand and properly mitigate the risks they face. Importantly, this paper explores these topics in a way that doesn't overstate the dangers or attempt to upheave the norms of communication so organic to this generation.

  • Can the "Gorilla" Deliver? Assessing the Security of Google's New "Thread" Internet of Things (IoT) Protocol STI Graduate Student Research
    by Kenneth Strayer - October 6, 2017 in Internet of Things

    Security incidents associated with Internet of Things (IoT) devices have recently gained high visibility, such as the Mirai botnet that exploited vulnerabilities in remote cameras and home routers. Currently, no industry standard exists to provide the right combination of security and ease-of-use in a low-power, low-bandwidth environment. In 2014, the Thread Group, Inc. released the new Thread networking protocol. Google's Nest Labs recently open-sourced their implementation of Thread in an attempt to become a market standard for the home automation environment. The Thread Group claims that Thread provides improved security for IoT devices. But in what way is this claim true, and how does Thread help address the most significant security risks associated with IoT devices? This paper assesses the new IEEE 802.15.4 "Thread" protocol for IoT devices to determine its potential contributions in mitigating the OWASP Top 10 IoT Security Concerns. It provides developers and security professionals a better understanding of what risks Thread addresses and what challenges remain.

  • AppSec: ROI Justifying Your AppSec Program Through Value-Stream Analysis Analyst Paper
    by Jim Bird - October 4, 2017 in Application and Database Security

    In this paper we focus narrowly on the impact of application security on the end-to-end software development value chain. We also look at ways to identify and balance cost and risk to help you decide which tools and practices are most practical and cost effective for your organization.

  • Cyber Security and Data Integrity Problems Within the GAMP 5 Validation Process by Jason Young - September 26, 2017 in HIPAA

    When addressing the pharmaceutical industry's computerized systems risk within manufacturing, the International Society for Pharmaceutical Engineering (ISPE) has created the Good Automated Manufacturing Process (GAMP) as a leading industry standard. It is a validation process based on user requirements and product quality that applies information security through its computer systems validation (CSV) guidance. Problems arise due to information security roles, methodologies and technical controls not being clearly defined within GAMP guidance. These gaps within the CSV process are further exacerbated by cultural issues within the quality unit because they manage all aspects of information security and do not apply industry best business practices used in other industries. Finally, these gaps result in systems which do not incorporate the most basic protections for systems and data that should be expected from this industry. When compared to other industries like the Payment Card Industry (PCI), the security measures are woefully inadequate given the criticality of information processed by these life science systems. Because the production of pharmaceuticals is drastically different than other industries due to the level of regulation on activities outside of computerized systems, relying on the International Standards Organization (ISO) or the United States National Institute of Science and Technology (NIST) as recommended by the ISPE is not adequate. Specialized guidance on how information security principles must be modified to fit within this model must be explored to provide relevance to the CSV process.

  • Hardening BYOD: Implementing Critical Security Control 3 in a Bring Your Own Device (BYOD) Architecture STI Graduate Student Research
    by Christopher Jarko - September 22, 2017 in Critical Controls

    The increasing prevalence of Bring Your Own Device (BYOD) architecture poses many challenges to information security professionals. These include, but are not limited to: the risk of loss or theft, unauthorized access to sensitive corporate data, and lack of standardization and control. This last challenge can be particularly troublesome for an enterprise trying to implement the Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense (CSCs). CSC 3, Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers, calls for hardened operating systems and applications. Even in traditional enterprise environments, this requires a certain amount of effort, but it is much more difficult in a BYOD architecture where computer hardware and software is unique to each employee and company control of that hardware and software is constrained. Still, it is possible to implement CSC 3 in a BYOD environment. This paper will examine options for managing a standard, secure Windows 10 laptop as part of a BYOD program, and will also discuss the policies, standards, and guidelines necessary to ensure the implementation of this Critical Security Control is as seamless as possible.

  • Botnet Resiliency via Private Blockchains STI Graduate Student Research
    by Jonny Sweeny - September 22, 2017 in Covert Channels

    Criminals operating botnets are persistently in an arms race with network security engineers and law enforcement agencies to make botnets more resilient. Innovative features constantly increase the resiliency of botnets but cannot mitigate all the weaknesses exploited by researchers. Blockchain technology includes features which could improve the resiliency of botnet communications. A trusted, distributed, resilient, fully-functioning command and control communication channel can be achieved using the combined features of private blockchains and smart contracts.

  • OSSIM: CIS Critical Security Controls Assessment in a Windows Environment. STI Graduate Student Research
    by Kevin Geil - September 22, 2017 in Logging Technology and Techniques

    Use of a Security Information and Event Management (SIEM) or log management platform is a recommendation common to several of the “CIS Critical Security Controls For Effective Cyber Defense” (2016). Because the CIS Critical Security Controls (CSC) focus on automation, measurement and continuous improvement of control application, a SIEM is a valuable tool. Alienvault's Open Source SIEM (OSSIM) is free and capable, making it a popular choice for administrators seeking experience with SIEM. While there is a great deal of documentation on OSSIM, specific information that focuses on exactly what events to examine, and then how to report findings is not readily accessible. This paper uses a demo environment to provide specific examples and instructions for using OSSIM to assess a CIS Critical Security Controls implementation in a common environment: A Windows Active Directory domain. The 20 Critical Security Controls can be mapped to other controls in most compliance frameworks and guidelines; therefore, the techniques in this document should be applicable across a wide variety of control implementations.

  • Trust No One: A Gap Analysis of Moving IP-Based Network Perimeters to A Zero Trust Network Architecture STI Graduate Student Research
    by John Becker - September 22, 2017 in Firewalls & Perimeter Protection

    Traditional IP-based access controls (e.g., firewall rules based on source and destination addresses) have defined the network perimeter for decades. Threats have evolved to evade and bypass these IP restrictions using techniques such as spear phishing, malware, credential theft, and lateral movement. As these threats evolve, so have the demands from end users for increased accessibility. Remote employees require secure access to internal resources. Cloud services have moved the perimeter outside of the enterprise network. The DevOps movement has emphasized speed and agility over up front network designs. This paper identifies gaps to implementation for organizations in the discovery phase of migrating to identity-based access controls as described by leading cloud companies.

  • A Spicy Approach to WebSockets: Enhancing Bro’s WebSockets Network Analysis by Generating a Custom Protocol Parser with Spicy STI Graduate Student Research
    by Jennifer Gates - September 22, 2017 in Intrusion Detection

    Although the Request for Comments (RFC) defining WebSockets was released in 2011, there has been little focus on using the Bro Intrusion Detection System (IDS) to analyze WebSockets traffic. However, there has been progress in exploiting the WebSockets protocol. The ability to customize and expand Bro’s capabilities to analyze new protocols is one of its chief benefits. The developers of Bro are also working on a new framework called Spicy that allows security professionals to generate new protocol parsers. This paper focuses on the development of Spicy and Bro scripts that allow visibility into WebSockets traffic. The research conducted compared the data that can be logged with existing Bro protocol analyzers to data that can be logged after writing a WebSockets protocol analyzer in Spicy. The research shows increased effectiveness in detecting malicious WebSockets traffic using Bro when the traffic is parsed with a Spicy script. Writing Bro logging scripts tailored to a particular WebSockets application further increases their effectiveness.

  • Does Network Micro-segmentation Provide Additional Security? STI Graduate Student Research
    by Steve Jaworski - September 15, 2017 in Network Security

    Network segmentation is a concept of taking a large group of hosts and creating smaller groups of hosts that can communicate with each other without traversing a security control. The smaller groups of hosts each have defined security controls, and groups are independent of each other. Network micro-segmentation takes the smaller group of hosts by configuring controls around individual hosts. The goal of network micro-segmentation is to provide more granular security and reduce an attacker's capability to easily compromise an entire network. If an attacker is successful in compromising a host, he or she is limited to only the network segment on which the host resides. If the host resides in a micro-segment, then the attacker is restricted to only that host. This paper will discuss what network segmentation and network micro-segmentation are, where they apply, and any additional layer of security, including levels of complexity.

  • ComBAT Phishing with Email Automation STI Graduate Student Research
    by Seth Polley - September 15, 2017 in Email Issues

    An analysis of organizations' email reporting processes reveals two challenges facing cyber security departments: successful administration of the managed mailbox provided for users' suspicious email reporting (automation) and effective security awareness training tailored to the business groups based on the type of email received. An effective defense requires an organization to be informed by actual attacks (knowing the enemy) and awareness of internal shortcomings (knowing yourself) so that implemented protections and training are applicable to the threats faced (strategy and tactics).

  • Tackling DoD Cyber Red Team Deficiencies Through Systems Engineering STI Graduate Student Research
    by John Schab - September 15, 2017 in Penetration Testing

    Red teaming is an essential capability in preparing and assessing the Department of Defense's (DoD) ability to execute their mission in a contested cyber environment. The identified deficiencies in DoD's overall red team capability resulting from their ad hoc implementation create unknown mission risk to the Combatant Commands and Services, leading to a significant threat to national security. Unfortunately, many senior DoD officials are citing a lack of resources as the reason for the deficiencies and believe an increase in funding will solve the issues. However, funding alone is not scalable to address DoD's gaps in red team capability, and throwing more money at the existing ad hoc process is quickly becoming a huge money pit for the DoD. This paper analyzes the deficiencies and concludes the primary cause to be a lack of a structured process needed to define, design, build, and sustain the required DoD red team capability. The solution presented is to treat the overall DoD cyber red team function as a complex system operating within a system of systems and apply the systems engineering process. Implementing a systems engineering process will eliminate some of the identified deficiencies through design and will identify feasible solutions or alternatives to the deficient areas which design cannot eliminate. The systems engineering process can help DoD build an effective and efficient red team capability which is needed to ensure the military can successfully execute its missions in the contested cyber environment.

  • Next-Gen Protection for the Endpoint: SANS Review of Carbon Black Cb Defense Analyst Paper
    by Jerry Shenk - September 14, 2017 in Tools

    In today’s threat landscape, organizations wanting to shore up their defenses need endpoint tools that not only detect, alert and prevent malware and malware-less attacks, but also provide defenders a road map of the systems and pathways attackers took advantage of. Our review shows that Carbon Black’s Cb Defense does all this and more with a high degree of intelligence and analytics. Utilizing a cloud-based delivery system, it makes informed decisions on subtle user and system behaviors that we wouldn’t otherwise see with traditional antivirus tools. Importantly, it saved us time: Manual correlation and false positives are among the top 10 time-consuming tasks IT professionals hate, according to a recent article in Dark Reading. Rather than toggling between separate security systems, traffic logs and so on, we used a single cloud interface—through drill-down and pivot—to determine whether a threat was a false positive or real.

  • HL7 Data Interfaces in Medical Environments: Attacking and Defending the Achille's Heel of Healthcare STI Graduate Student Research
    by Dallas Haselhorst - September 12, 2017 in HIPAA, Encryption & VPNs

    On any given day, a hospital operating room can be chaotic. The atmosphere can make one’s head spin with split-second decisions. In the same hospital environment, medical data also whizzes around, albeit virtually. Beyond the headlines involving medical device insecurities and hospital breaches, healthcare communication standards are equally as insecure. This fundamental design flaw places patient data at risk in nearly every hospital worldwide. Without protections in place, a hospital visit today could become a patient’s worst nightmare tomorrow. Could an attacker collect the data and sell it to the highest bidder for credit card or tax fraud? Or perhaps they have far more malicious plans such as causing bodily harm? Regardless of their intentions, healthcare data is under attack and it is highly vulnerable. This research focuses on attacking and defending HL7, the unencrypted and unverified data standard used in healthcare for nearly all system-to-system communications.

  • HL7 Data Interfaces in Medical Environments: Understanding the Fundamental Flaw in Healthcare STI Graduate Student Research
    by Dallas Haselhorst - September 12, 2017 in HIPAA, Encryption & VPNs

    Ask healthcare IT professionals where the sensitive data resides and most will inevitably direct attention to a hardened server or database with large amounts of protected health information (PHI). The respondent might even know details about data storage, backup plans, etc. Asked the same question, a penetration tester or security expert may provide a similar answer before discussing database or operating system vulnerabilities. Fortunately, there is likely nothing wrong with the data at that point in its lifetime. It potentially sits on a fully encrypted disk protected by usernames, passwords, and it might have audit-level tracking enabled. The server may also have some level of segmentation from non-critical servers or access restrictions based on source IP addresses. But how did those bits and bytes of healthcare data get to that hardened server? Typically, in a way no one would ever expect... 100% unencrypted and unverified. HL7 is the fundamentally flawed, insecure standard used throughout healthcare for nearly all system-to-system communications. This research examines the HL7 standard, potential attacks on the standard, and why medical records require better protection than current efforts provide.

  • Securing Against the Most Common Vectors of Cyber Attacks STI Graduate Student Research
    by Richard Hummel - September 12, 2017 in Risk Management

    Advanced Persistent Threat (APT) adversaries run highly targeted, multifaceted campaigns to exploit vulnerabilities either through holes in an organization's security implementation or by targeting the human element, which often uses social engineering. Financially motivated actors indiscriminately send mass spam emails in credential harvesting campaigns or deploy ransomware. These attack vectors are the most common against organizations of any size, but often have a greater impact on small to medium-sized businesses that may not have a robust security posture. As a security practitioner, it is imperative to posture an organization to prevent and mitigate the risk posed by these attacks. The Critical Security Controls (CSC) is the industry standard for securing an environment but may be costly and time-consuming to implement; also, some of them may not be as applicable to all organizations. In this study, the controls for Email and Web Browser Protection (CSC #7) and Security Skills Assessment and Appropriate Training to Fill Gaps (CSC #17) are examined to secure against threats seeking to take advantage of end users, the most common entry point for an attacker. This paper examines multiple real-world threats and how the CSCs can be applied to prevent compromises. The goal of this research is to inform and educate security practitioners at any stage of the business on best practices and to aid in implementing controls directly applicable to their end users.

  • Challenges to Implementing Network Access Control STI Graduate Student Research
    by Joseph Matthews - September 12, 2017 in Network Access Control

    Network Access Control has always offered the hope of solving so many network security problems but has proven quite difficult to implement. NAC was to solve the issues of visibility, control, and compliance enforcement. This paper seeks to demonstrate through research and implementation an effective and practical way for small to medium-sized businesses to move to NAC and take advantage of the security benefits of a 3-6 month implementation plan.

  • IDS Performance in a Complex Modern Network: Hybrid Clouds, Segmented Workloads, and Virtualized Networks STI Graduate Student Research
    by Brandon Peterson - September 12, 2017 in Network Security

    Most modern networks are complex, with workloads both in the cloud and on premises. Monitoring these types of networks requires aggregating monitoring data from multiple, diverse locations. The following experiment tests the effects on a Snort IDS sensor when monitoring data is sent to the Snort sensor using three different methods. The first method tests direct communication from a server generating test traffic to an IP address on the Snort sensor. The second method captures test traffic from a SPAN port and directs it to an interface on the Snort sensor. The final method simulates ERSPAN by creating a GRE tunnel between the generating server and the Snort sensor and capturing traffic from that tunnel. The results showed that these methods of sending data have a significant impact on the volume of data that reaches the sensor. Also, monitoring can have cascading effects on the network and must be planned for accordingly. For example, when both ERSPAN and production traffic are sent over the same network infrastructure, excessive ERSPAN traffic can cause production traffic to be dropped by overloaded network equipment. When setting up IDS sensors in a complex network environment using SPAN or ERSPAN, it is best to slowly increase the volume of monitoring traffic and carefully measure the impact in each unique environment.

  • When a picture is worth a thousand products: Image protection in a digital age STI Graduate Student Research
    by Shawna Turner - September 12, 2017 in Security Trends

    Today, a lack of fashion industry specific information security controls and legal protection puts fashion industry companies at significant risk of Intellectual Property theft and counterfeiting. This risk is only growing as traditional methods of manufacturing are rapidly evolving toward digital models of design and mass production, using Industrial Control System (ICS) approaches for mass production. As mass production moves to digital manufacturing, the effect of losing new product 2D and 3D imagery, as well as the speed and lack of traceability around those losses could significantly impact corporate bottom lines and risk profiles.

  • Asking the Right Questions: A Buyer's Guide to Dynamic Scanning to Secure Web Applications Analyst Paper
    by Barbara Filkins - September 12, 2017 in Application and Database Security, Tools

    Securing a web app across its lifecycle is fundamentally different than securing an app born inside a secure perimeter. The selection of tools designed to scan running applications is more complex and challenging to select than are conventional tools, as the threat these are designed to counter is also more intensive and more pervasive. This makes the choice of tool critical. We walk you through the various parameters involved in the decision-making process in this paper.

  • Security Tools for the SMB and SME Segments by James Waite - September 11, 2017 in Intrusion Detection

    Modern small and medium businesses (SMBs) operate with limited staff and budgets. Today's business environment requires businesses to do more with less. Businesses also have information that they need to protect. This protection is either mandated by law (HIPAA), industry requirements (PCI) or best practices (NIST). What are the recommended policies and tools an SMB should have in place to provide adequate and responsible information security? What tools should an SMB concentrate their time, effort and money towards? Should these tools be network-based tools, monitoring both inline and spanned traffic? Should these tools be endpoint tools that provide the same functionality and minimize the network tool components? Or should there be a mix of tools? Are certain tools required on endpoints, in the network or both? What are an SMB's regulatory requirements and how does this affect the choice in tools? These are the difficult questions that require thoughtful, concise and researched guidance.

  • A Technical Approach at Securing SaaS using Cloud Access Security Brokers STI Graduate Student Research
    by Luciana Obregon - September 6, 2017 in Cloud Computing

    The adoption of cloud services allows organizations to become more agile in the way they conduct business, providing scalable, reliable, and highly available services or solutions for their employees and customers. Cloud adoption significantly reduces total cost of ownership (TCO) and minimizes hardware footprint in data centers. This paradigm shift has left security professionals securing abstract environments for which conventional security products are no longer effective. The goal of this paper is to analyze a set of cloud security controls and security deployment models for SaaS applications that are purely technical in nature while developing practical applications of such controls to solve real-world problems facing most organizations. The paper will also provide an overview of the threats targeting SaaS, present use cases for SaaS security controls, test cases to assess effectiveness, and reference architectures to visually represent the implementation of cloud security controls.

  • The Efficiency of Context: Review of WireX Systems Incident Response Platform Analyst Paper
    by Jerry Shenk - September 5, 2017 in Incident Handling

    WireX Systems officials think they have found the way to slash the time it takes to spot an intruder by making it easier for mere mortals to read and understand network traffic and identify early signs of a breach. Contextual Capture, a key feature of the WireX Network Forensics Platform, is designed to turn every SOC member into a valuable analyst by providing easy-to-use forensics history (for periods of months) using a unique and intuitive query interface. WireX NFP also creates investigation workflows that can be used by the entire security team to accelerate alert validation and incident response.

  • Sensitive Data at Risk: The SANS 2017 Data Protection Survey Analyst Paper
    by Barbara Filkins - September 5, 2017 in Data Protection, Threats/Vulnerabilities

    Ransomware, insider threat and denial of service are considered the top threats to sensitive data by respondents to the 2017 SANS Data Protection Survey. User credentials and privileged accounts represented the most common data types involved in these breaches reported in the survey, spotlighting the fact that access data is prized by attackers. The experiences of respondents with compromised data provide valuable lessons for security professionals.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.