

SANS InfoSec Reading Room - Auditing & Assessment

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.


Featuring 57 papers as of Jul 6, 2009

Achieving PCI Compliance with Log Management
SenSage - July 2008

PDF Post Acquisition Audit in 30 Days
By: Brad Ruppert (posted on May 4, 2009)
This paper will discuss the steps required to develop a high level risk-based post acquisition IT audit and means of conducting the audit in less than 30 days.
PDF Auditing Nokia Firewall
By: Richard Sokal (posted on June 18, 2008)
The subjects of this Audit are Nokia IP530 Appliances running Checkpoint Firewall software. The Nokia/Checkpoint firewalls serve as components of the security architecture that protects EastCoast Enterprises’ corporate information assets from both external and internal threats.
PDF Creating a Comprehensive Vulnerability Assessment Program for a Large Company Using QualysGuard
By: Tim Proffitt (posted on March 31, 2008)
PDF Auditing a Corporate Log Server
By: Roger Meyer (posted on February 1, 2008)
PDF WiFi with BackTrack
By: Antonio Merola (posted on December 24, 2007)
PDF NSS Vs NDS
By: Robert Edwards (posted on November 5, 2007)
PDF Certification and Accreditation: A madman's dilemma - Costs
By: Robert Edwards (posted on November 5, 2007)
PDF Certification and Accreditation: A madman's dilemma - Controls
By: Robert Edwards (posted on November 5, 2007)
PDF Certification and Accreditation for Dummies
By: Robert Edwards (posted on November 5, 2007)
PDF Certification and Accreditation (C&A) Vs System Development Life Cycle Management (SDLC)
By: Robert Edwards (posted on November 5, 2007)
PDF A Taxonomy of Information Systems Audits, Assessments and Reviews
By: Craig Wright (posted on June 20, 2007)
The paper will cover the types, history and basis for each type of service. The paper statistically compares the strengths and weaknesses of each and sets out a scientifically repeatable foundation for the deterministic nomenclature used in the industry.
PDF VPNScan: Extending the Audit and Compliance Perimeter
By: Rob VandenBrink (posted on February 12, 2007)
This paper outlines specifically how VPNSCAN was built, with policy and implementation issues found in various customer environments.
PDF A Guide to Security Metrics
By: Shirley C. Payne (posted on January 18, 2007)
This guide provides a definition of security metrics, explains their value, discusses the difficulties in generating them, and suggests a methodology for building a security metrics program.
PDF An Introduction to Information System Risk Management
By: Steve Elky (posted on January 18, 2007)
This paper addresses the topic of risk with respect to modern information systems, covers the importance of understanding risk and the key elements of information security risk, and offers insight into risk assessment methodologies.
PDF Aligning an information risk management approach to BS 7799-3:2005
By: Ken Biery (posted on November 13, 2006)
This paper discusses the need and importance of information risk management in terms of business and organizational priorities.
PDF A Practical Guide to Auditing an ASP
By: Johanna Ollinger (posted on May 17, 2005)
Auditing an Application Service Provider (ASP) can be a difficult and arduous task for the auditor and auditee alike. Since ASPs service such a wide variety of businesses there may be several regulations that an ASP may be audited against.
PDF Sarbanes-Oxley Information Technology Compliance Audit
By: Dan Seider (posted on May 17, 2005)
This paper provides a basic review of the background literature (i.e. extensive but not exhaustive) and develops a process model so that a professional IT Auditor may readily appreciate the subtleties of the Sarbanes Oxley audit process.
PDF B.A.S.E – A Security Assessment Methodology
By: Gregory Braunton (posted on May 5, 2005)
At a fundamental level, much like a chain, the Internet is a collection of organizations' business networks inter-linked that form the digital infrastructure of the world. This infrastructure forms a global information grid that harnesses the potential (good and bad) for any node to access any other node worldwide.
PDF Information Systems Security Architecture: A Novel Approach to Layered Protection
By: George Farah (posted on January 22, 2005)
The purpose of this paper is to demonstrate how to develop an information systems security architecture in a complex environment with few security measures in place. The case study illustrated will provide the reader with a set of guidelines that can be used to develop security architecture components that allow for scalable and secure IT infrastructure.
PDF The Application Audit Process - A Guide for Information Security Professionals
By: Robert Hein (posted on January 22, 2005)
This paper is meant to be a guide for IT professionals whose applications are audited, either by an internal or external IS audit. It provides a basic understanding of the IS audit process.
PDF Information Systems Security Architecture A Novel Approach to Layered Protection
By: George Farah (posted on January 19, 2005)
The purpose of this paper is to demonstrate how to develop an information systems security architecture in a complex environment with few security measures in place. The case study illustrated will provide the reader with a set of guidelines that can be used to develop security architecture components that allow for scalable and secure IT infrastructure.
PDF Using Vulnerability Assessment Tools To Develop an OCTAVE Risk Profile
By: Andrew Storms (posted on March 25, 2004)
Threats to information technology are ever increasing and many organizations are spending much money and time in attempting to fix security problems. Before one can think about remediation, assets worth protecting and knowing what to protect those assets from must be defined.
PDF Red Teaming: The Art of Ethical Hacking
By: Christopher Peake (posted on December 13, 2003)
This paper justifies the need for Red Teaming which is a process designed to detect network and system vulnerabilities and test security by taking an attacker-like approach to system/network/data access, to provide an accurate situational awareness for network/system security.
PDF Application of the NSA INFOSEC Assessment Methodology
By: Kathryn Cross (posted on October 31, 2003)
This paper will look at the structure of the NSA INFOSEC Assessment Methodology and provide an example of the use of the IAM for a fictitious firm, GIAC International Schools, Inc.
PDF Conducting an electronic information risk assessment for Gramm-Leach-Bliley Act compliance.
By: Kevin Bong (posted on October 31, 2003)
The process involves listing each technology and vendor service and categorizing these systems based on the data they process or store.
PDF Security Program Management and Risk
By: Archie Andrews (posted on October 31, 2003)
This paper argues for building a security management program on a foundation of business risk assessment and risk management. It defines and explains risk, risk assessment, risk management and relates business risk management to security risk management.
PDF Strategies for Improving Vulnerability Assessment Effectiveness in Large Organizations
By: Robert Huber (posted on October 31, 2003)
This paper will detail how to reduce the impact of the vulnerability assessment program in your organization, how to provide actionable items to those responsible for performing the work, how to effectively reduce high risk, and how to provide senior management with metrics that show actual risk reduction.
PDF Application Security, Information Assurance's Neglected Stepchild - A Blueprint for Risk Assessment
By: Ted Mina (posted on October 31, 2003)
In this paper we will focus on how to properly assess the security of application software.
PDF Information System Security Evaluation Team: Security Insurance?
By: Bruce Swartz (posted on October 31, 2003)
This document proposes an idea that can help certain organizations (those with multiple geographically dispersed entities) establish and maintain a relatively high degree of security and reduce the risk of disruption of business operations.
PDF The Art of Reconnaissance - Simple Techniques
By: Sai Bhamidipati (posted on October 31, 2003)
After reading myriad articles on Internet security and hacking, the author is convinced that every security conscious computer professional must learn the ways of the hacker.
PDF Footprint Your Intranet
By: Bob Brown (posted on October 31, 2003)
Software tools are available to help maintain a current knowledge of an organization's intranet, a network "footprint".
PDF Footprinting: What Is It, Who Should Do It, and Why?
By: James P. McGreevy (posted on October 31, 2003)
There are many devices available to the hacker to footprint your company's network: use these tools to find the weaknesses before they do.
PDF A Perspective on Threats in the Risk Analysis Process
By: Arthur Nichols (posted on October 31, 2003)
A close look at one of the initial steps in Risk Analysis, Threat Analysis, demonstrating why it is important in successfully identifying key assets.
PDF System Identification for Vulnerability Assessment
By: Michael C. Harris (posted on October 31, 2003)
A description of one company's journey using existing software utilities to identify the hardware and software that places their network at risk.
PDF Conducting a Penetration Test on an Organization
By: ChanTuck Wai (posted on October 31, 2003)
A methodology for executing penetration testing.
PDF Port Scanning Techniques and the Defense Against Them
By: Roger Christopher (posted on October 31, 2003)
A discussion on port scanning and how to limit the exposure of open ports to authorized users as well as deny access to the closed ports.
PDF Distributed Scan Model for Enterprise-Wide Network Vulnerability Assessment
By: Alexander Lopyrev (posted on October 31, 2003)
New 3rd generation scanning tools implement a client/server solution with centralized console to manage remote scanning agents, making it easy to conduct scans on a regular basis and quickly report vulnerabilities.
PDF Auditing Inside the Enterprise via Port Scanning & Related Tools
By: Bob Konigsberg (posted on October 31, 2003)
A number of commercial, freeware, demo, and open source tools to maintain and verify the state of all systems on a network are described, along with how best to use those tools to identify problems.
PDF An Overview of Threat and Risk Assessment
By: James Bayne (posted on October 31, 2003)
The purpose of this document is to provide an overview of the process involved in performing a threat and risk assessment.
PDF Seeking Security: The New Paradigm for Government Agencies
By: Stephan H. Chapman (posted on October 31, 2003)
This guide is divided into five comprehensive activities to be used by "Any-Agency" IT operations personnel to begin to eliminate the security vulnerabilities associated with IT assets.
PDF Case Study - TruSecure Security Certification
By: David Vos (posted on October 31, 2003)
This paper describes the security certification process conducted by TruSecure Security Corporation on a company called K-Co; a fictitious name used to protect the innocence of the financial firm used in this case study.
PDF Proactive Vulnerability Assessments with Nessus
By: Jason Mitchell (posted on October 31, 2003)
A discussion of vulnerability scanning in general, what Nessus is all about, how to begin scanning your network, and finally why a vulnerability scanner is an essential component of an effective security model.
PDF Information Classification - Who, Why and How
By: Sue Fowler (posted on October 31, 2003)
This paper will clarify who should be determining appropriate company protection needs.
PDF Evaluating Untrusted Software In a Controlled Environment
By: Jeff Reava (posted on October 31, 2003)
To address the key business concern of "is this software safe to download and use?", a lightweight filtering methodology is proposed that will yield a reasonably reliable answer with a very modest resource and time investment.
PDF How-To Make Linux System Auditing a Little Easier
By: Paul J. Santos (posted on October 31, 2003)
A discussion of various programs and utilities that can be used to audit your Linux system, and how to put them all together in one script to make daily system auditing a little easier.
PDF Quantitative Risk Analysis Step-By-Step
By: Ding Tan (posted on October 31, 2003)
In this paper, the use of a centralized data table containing reference data and estimating techniques for some of the key variables for determining risks and losses will help to present a stronger case for security improvement to management.
PDF A Qualitative Risk Analysis and Management Tool - CRAMM
By: Zeki Yazar (posted on October 31, 2003)
This paper explains basic components of risk analysis and management processes and mentions different methodologies and approaches, with a thorough look at CRAMM.
PDF The Institutional Need for Comprehensive Auditing Strategies
By: Steward Milus (posted on October 31, 2003)
This paper examines the challenges in today's regulatory environment for financial institutions (primarily from the large institution's perspective, since they undergo the greatest scrutiny) and makes the argument that a high level, comprehensive auditing strategy is needed to allow organizations to respond effectively.
PDF Security Auditing: A Continuous Process
By: Pam Page (posted on October 31, 2003)
This paper will help you determine how to successfully configure your W2K file and print server, monitor your server, have an action plan and be prepared for a successful security audit on that server. Although this audit will center on W2K servers, the same principles can be applied to other server audits.
PDF Network- and Host-Based Vulnerability Assessments: An Introduction to a Cost Effective and Easy to Use Strategy.
By: Ragi Guirguis (posted on October 31, 2003)
The purpose of this research was to investigate a convenient, efficient, and cost-effective method for conducting vulnerability assessments.
PDF Data-Centric Quantitative Computer Security Risk Assessment
By: Brett Berger (posted on October 31, 2003)
In this paper a quantitative risk assessment strategy is outlined with brief discussions of threat, risk categories and data classification.
PDF Wireless Network Audits using Open Source tools
By: Edouard Lafargue (posted on October 31, 2003)
The intention of this paper is to show that Open Source tools are particularly well-suited for doing WiFi surveys, and will detail a practical setup and the capabilities it offers.
PDF Security Assessment Guidelines for Financial Institutions
By: Karen Nelson (posted on October 31, 2003)
This paper will discuss the five information security assessment processes, identified by the Federal Financial Institutions Examination Council (FFIEC) and other financial regulators, as core components of a financial institution information security program, especially in fulfilling the Gramm-Leach-Bliley Act (GLBA) and other similar requirements.
PDF Auditing-In-Depth For Solaris
By: Jeff Pike (posted on October 31, 2003)
The goal of this paper is to provide an effective and simple method for in-depth auditing and hardening of Solaris.
PDF Conducting a Security Audit of an Oracle Database
By: Egil Andresen (posted on March 8, 2002)
Auditing access controls to oracle databases.
PDF Defining a Risk Assessment Process for Federal Security Personnel
By: Kathleen Federico (posted on January 26, 2002)
One goal of this paper is to provide general guidance on security resources for federal information system security officers within a federal agency.
