Register Now for Great Online Training Offer: Get a 12.9" iPad Pro, Surface Pro or $350 Off

Reading Room: Most Popular Papers

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.






Featuring the 25 most popular papers within the past week as of July 22, 2018

  • Detecting and Preventing Rogue Devices on the Network by Ibrahim Halil Saruhan - August 13, 2007 in Intrusion Detection, Wireless Access

    The main approach of this paper is to show how to use site survey to detect rogue devices in a wireless network. Site survey, if used correctly is extremely beneficial for detecting rogue devices. Rogue device detection can be considered the initial phase of wireless intrusion detection, in case it is not feasible to install sensors to cover all the wireless network area.


  • The 2018 SANS Industrial IoT Security Survey: Shaping IIoT Security Concerns Analyst Paper
    by Barbara Filkins - July 18, 2018 in Industrial Control Systems / SCADA, Internet of Things

    IIoT endpoint security is the leading concern of respondents to the 2018 SANS IIoT Security Survey, with network security controls and countermeasures being the main enablers of IIoT security. Most of the growth in connected devices is expected to be for those used for monitoring, status, alarms and alerting, as well as predictive maintenance, but over 50% of respondents are still using their devices controlling operations and processes. Read on to learn more.


  • Times Change and Your Training Data Should Too: The Effect of Training Data Recency on Twitter Classifiers STI Graduate Student Research
    by Ryan O'Grady - July 11, 2018 in Artificial Intelligence

    Sophisticated adversaries are moving their botnet command and control infrastructure to social media microblogging sites such as Twitter. As security practitioners work to identify new methods for detecting and disrupting such botnets, including machine-learning approaches, we must better understand what effect training data recency has on classifier performance. This research investigates the performance of several binary classifiers and their ability to distinguish between non-verified and verified tweets as the offset between the age of the training data and test data changed. Classifiers were trained on three feature sets: tweet-only features, user-only features, and all features. Key findings show that classifiers perform best at +0 offset, feature importance changes over time, and more features are not necessarily better. Classifiers using user-only features performed best, with a mean Matthews correlation coefficient of 0.95 ± 0.04 at +0 offset, 0.58 ± 0.43 at -8 offset, and 0.51 ± 0.21 at +8 offset. The R2 values are 0.90, 0.34, and 0.26, respectively. Thus, the classifiers tested with +0 offset accounted for 56% to 64% more variance than those tested with −8 and +8 offset. These results suggest that classifier performance is sensitive to the recency of the training data relative to the test data. Further research is needed to replicate this experiment with botnet vs. non-botnet tweets to determine if similar classifier performance is possible and the degree to which performance is sensitive to training data recency.


  • One-Click Forensic Analysis: A SANS Review of EnCase Forensic Analyst Paper
    by Jake Williams - June 27, 2018 in Application and Database Security, Tools

    When security incidents occur, law enforcement needs forensic information in hours, not days. The new features in EnCase Forensic 8 purport to assist investigators in gathering and analyzing key data in a more efficient manner. Learn more in this product review of EnCase Forensic 8.


  • Content Security Policy in Practice by Varghese Palathuruthil - July 6, 2018 in Securing Code

    The implementation of Content Security Policy to leverage web browser capability in protecting a web application from cross-site scripting attack has been a challenge for many legacy web applications. Typical web applications maintained over the years accumulate a number of web pages that do not follow a consistent design. There are no widely available tools to quickly transform legacy web pages to adopt Content Security Policy. The results of this research cover the outcome of implementing a set of tools to address this need.


  • Cloud Security: Are You Ready? Analyst Paper
    by Dave Shackleford - June 18, 2018 in Application and Database Security, Best Practices

    As more midsize organizations move into the cloud, security professionals may wonder why cloud security seems difficult. More than likely, the real security challenge is the perceived loss of control. Numerous security best practices plus improved security products and services now exist. This short paper takes a look at some of the key elements and best practices for midsize enterprises looking to ensure security in their cloud implementations.


  • Physical Security and Why It Is Important by David Hutter - July 28, 2016 in Physical Security

    Physical security is often a second thought when it comes to information security. Since physical security has technical and administrative elements, it is often overlooked because most organizations focus on "technology-oriented security countermeasures" (Harris, 2013) to prevent hacking attacks.


  • Endpoint Protection and Response: A SANS Survey Analyst Paper
    by Lee Neely - June 12, 2018 in Clients and Endpoints

    Respondents have a vested interest in improving visibility, detection and response through more automated, integrated endpoint protection, detection and response technologies. In this survey, 84% of endpoint breaches included more than one endpoint. Desktops, laptops, server endpoints, endpoints in the cloud, SCADA and other IIoT devices are being caught in the dragnet of multi-endpoint breaches. Read on for more detail, best practices and advice.


  • Building a World-Class Security Operations Center: A Roadmap Analyst Paper
    by Alissa Torres - April 15, 2015 
    • Sponsored By: RSA

    Explore how you can build a world-class security operations center (SOC) by focusing on the triad of people, process and technology.


  • Incident Handler's Handbook by Patrick Kral - February 21, 2012 in Incident Handling

    An incident is a matter of when, not if, a compromise or violation of an organization's security will happen.


  • Writing a Penetration Testing Report by Mansour Alharbi - April 29, 2010 in Best Practices, Penetration Testing

    `A lot of currently available penetration testing resources lack report writing methodology and approach which leads to a very big gap in the penetration testing cycle. Report in its definition is a statement of the results of an investigation or of any matter on which definite information is required (Oxford English Dictionary). A penetration test is useless without something tangible to give to a client or executive officer. A report should detail the outcome of the test and, if you are making recommendations, document the recommendations to secure any high-risk systems (Whitaker & Newman, 2005). Report Writing is a crucial part for any service providers especially in IT service/ advisory providers. In pen-testing the final result is a report that shows the services provided, the methodology adopted, as well as testing results and recommendations. As one of the project managers at major electronics firm Said "We don't actually manufacture anything. Most of the time, the tangible products of this department [engineering] are reports." There is an old saying that in the consulting business: “If you do not document it, it did not happen.” (Smith, LeBlanc & Lam, 2004)


  • An Overview of Threat and Risk Assessment by James Bayne - January 22, 2002 in Auditing & Assessment

    The purpose of this document is to provide an overview of the process involved in performing a threat and risk assessment


  • Risk, Loss and Security Spending in the Financial Sector: A SANS Survey Analyst Paper
    by Mark Hardy - March 26, 2014 in Risk Management

    Survey identified key areas in which financial service employees and endpoints were most at risk, with direct losses resulting from internal abuse, spearphishing and botnet infections.


  • Hacking the CAN Bus: Basic Manipulation of a Modern Automobile Through CAN Bus Reverse Engineering STI Graduate Student Research
    by Roderick Currie - June 20, 2017 in Security Awareness, Threats/Vulnerabilities

    The modern automobile is an increasingly complex network of computer systems. Cars are no longer analog, mechanical contraptions. Today, even the most fundamental vehicular functions have become computerized. And at the core of this complexity is the Controller Area Network, or CAN bus. The CAN bus is a modern vehicle's central nervous system upon which the majority of intra-vehicular communication takes place. Unfortunately, the CAN bus is also inherently insecure. Designed more than 30 years ago, the CAN bus fails to implement even the most basic security principles. Prior scholarly research has demonstrated that an attacker can gain remote access to a vehicle's CAN bus with relative ease. This paper, therefore, seeks to examine how an attacker already inside a vehicle's network could manipulate the vehicle by reverse engineering CAN bus communications. By providing a reproducible methodology for CAN bus reverse engineering, this paper also serves as a basic guide for penetration testers and automotive security researchers. The techniques described in this paper can be used by security researchers to uncover vulnerabilities in existing automotive architectures, thereby encouraging automakers to produce more secure systems going forward.


  • Implementing a Vulnerability Management Process by Tom Palmaers - April 9, 2013 in Threats/Vulnerabilities

    A vulnerability is defined in the ISO 27002 standard as "A weakness of an asset or group of assets that can be exploited by one or more threats" (International Organization for Standardization, 2005).


  • Disrupting the Empire: Identifying PowerShell Empire Command and Control Activity by Michael C. Long II - February 23, 2018 in Intrusion Detection, Forensics, Incident Handling

    Windows PowerShell has quickly become ubiquitous in enterprise networks. Threat actors are increasingly utilizing attack frameworks such as PowerShell Empire because of its robust APT-like capabilities, stealth, and flexibility. This research identifies specific artifacts, behaviors, and indicators of compromise that can be observed by network defenders in order to quickly identify PowerShell Empire command and control activity in the enterprise. By applying these techniques, defenders can dramatically reduce dwell time of adversaries utilizing PowerShell Empire.


  • SSL and TLS: A Beginners Guide by Holly McKinley - May 12, 2003 in Protocols

    This paper particularly serves as a resource to those who are new to the information assurance field, and provides an insight to two common protocols used in Internet security.


  • Disaster Recovery Plan Strategies and Processes by Bryan Martin - March 5, 2002 in Disaster Recovery

    This paper discusses the development, maintenance and testing of the Disaster Recovery Plan, as well as addressing employee education and management procedures to insure provable recovery capability.


  • Using Image Excerpts to Jumpstart Windows Forensic Analysis by John Brown - June 25, 2018 in Forensics

    There are many options available for acquiring, processing and analyzing forensic disk images. Choices range from feature-rich commercial tools that provide all-in-one solutions, to open source scripts for carrying out specific tasks. The availability of these tools and the hard work of those who contribute to the forensic community have made the job of the examiner much easier. Even with recent advances, analysis can still be time-consuming, particularly in the acquisition and processing of Windows full disk images. One alternative is to extract and analyze the files historically known to contain the most relevant data first. In many cases, a relatively small number of files contain the majority of information needed to perform a forensic examination. Tests were performed on Windows images to analyze some of these high-value artifacts to find an efficient approach for selectively acquiring and extracting different types of metadata. A script was then written to automate repetitive steps and leverage open source tools found on most recent Linux version of the SANS Sift virtual machine.


  • The Importance of Security Awareness Training by Cindy Brodie - January 14, 2009 in Security Awareness

    One of the greatest threats to information security could actually come from within your company or organization. Inside ‘attacks’ have been noted to be some of the most dangerous since these people are already quite familiar with the infrastructure. It is not always disgruntled workers and corporate spies who are a threat. Often, it is the non-malicious, uninformed employee (CTG, 2008).


  • Passive Analysis of Process Control Networks by Jennifer Janesko - June 1, 2018 in Intrusion Detection, Industrial Control Systems / SCADA, Tools

    In recent years there has been an increased push to secure critical ICS infrastructures by introducing information security management systems. One of the first steps in the ISMS lifecycle is to identify which assets are present in the infrastructure and to determine which ones are critical for operations. This is a challenge because, for various reasons, the documentation of the current state of ICS networks is often not up-to-date. Classic inventorying techniques such as active network scanning cannot be used to remedy this because ICS devices tend to be sensitive to unexpected network traffic. Active scanning of these systems can lead to physical damage and even injury. This paper introduces a passive network analysis approach to starting, verifying and/or supplementing an ICS asset inventory. Additionally, this type of analysis can also provide some insight into the ICS network’s current security posture.


  • Detecting DNS Tunneling STI Graduate Student Research
    by Greg Farnham - March 19, 2013 in DNS Issues

    Web browsing and email use the important protocol, the Domain Name System (DNS), which allows applications to function using names, such as example.com, instead of hard-to-remember IP addresses.


  • Back to Basics: Building a Foundation for Cyber Integrity Analyst Paper
    by Barbara Filkins - June 6, 2018 in Security Awareness

    File integrity is at the heart of maintaining a secure cyber profile. But cyber security must also protect system integrity--the state of the infrastructure (encompassing applications, endpoints and networks) where intended functions must not be degraded or impaired by other changes or disruptions to its environments. This SANS Spotlight explores how cyber integrity weaves people, processes and technology together into a holistic framework that guards the modern enterprise against changes, whether authorized or unauthorized, that weaken security and destabilize operations.


  • IT Security Spending Trends Analyst Paper
    by Barbara Filkins - February 2, 2016 in Management & Leadership

    This paper assumes security budgeting occurs as part of each organization's yearly cost management cycle. Readers will explore the what, why, where and how of IT security spending and will get advice on how to better meet the challenge of aligning security spending processes with organizational needs.


  • Successful SIEM and Log Management Strategies for Audit and Compliance by David Swift - November 9, 2010 in Auditing & Assessment, Logging Technology and Techniques

    While there are any number of compliance regulations (SOX, GLBA, PCI, FISMA, NERC,HIPAA...see Appendix E for and overview and links to regulations), and auditors follow various frameworks (COSO,COBIT,ITIL...see Appendix F for and overview and reference links), there are a few common core elements to success.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.