SANS InfoSec Reading Room - GIAC Honors Papers

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

Featuring 78 papers as of Nov 22, 2009
This category is made up of the GIAC Honors papers from approximately the past two years for all different GIAC certifications and certificates. These papers demonstrate "the best of the best" in student work on all aspects: technical, writing ability, and presentation.

PDF Don’t Just Patch, Protect!
By: Richard Sillito (posted on May 1, 2007)
Security analysts need to stop trying to be movie stars and start shaking up their networks and readdress how security is implemented.
PDF XML Firewall Architecture and Best Practices for Configuration and Auditing
By: Don Patterson (posted on April 30, 2007)
This paper will discuss the building blocks of Web services, Web services threats and security requirements, the XML firewall for first-line perimeter defense, best practices for configuring an XML security gateway device, and industry recommended security testing procedures for ensuring the effectiveness of this security control.
PDF Stealth for Survival: Threat of the Unknown
By: Ken Dunham (posted on April 30, 2007)
This report proves that no single program for stealth analysis will do it all. A suite of tools is required, with an understanding of each, to properly identify threats that may exist on a computer.
PDF International Cybercrime Treaty: Looking Beyond Ratification
By: Daniel Robel (posted on March 28, 2007)
For the purposes of this paper, a global incident can be defined as an incident involving the computers, network, or assets of more than one nation-state. An incident implies harm or the attempt to harm. The term incident refers to an adverse event in an information system and/or network or the threat of the occurrence of such an event.
PDF Assumptions in Intrusion Detection - Blind Spots in Analysis
By: Rodney Caudle (posted on March 28, 2007)
This paper examines one of the assumptions that form the foundations of packet analysis. A discussion of an approach to analyzing protocol stacks is presented. This approach can be used to determine gaps in the protocol stack where an analyst can be misled.
PDF CyberLaw 101: A primer on US laws related to honeypot deployments
By: Jerome Radcliffe (posted on March 16, 2007)
A Honeypot is defined as an Internet-attached server that acts as a decoy, luring in potential hackers in order to study their activities and monitor how they are able to break into a system.
PDF Secure use of LDAP for Naming Services with Solaris
By: Raymond Scott (posted on March 15, 2007)
This paper will discuss some security considerations when using Lightweight Directory Access Protocol (LDAP) as a naming service for Solaris systems as a networked storage location.
PDF Using Oracle Forensics to determine vulnerability to Zero Day exploits
By: Paul Wright (posted on February 28, 2007)
The aim of this paper is to explain the threat of PLSQL injection on Oracle databases and show how principles from the world of computer forensics can be transferred to Oracle in order to deduce vulnerability to past and future exploits with a high level of certainty. This paper will enable the reader to assess the effects of applying an Oracle security patch (CPU), and identify windows of past vulnerability that can be usefully correlated with archived audit logs in order to locate previous attacks.
PDF Server Security in a Citrix Presentation/Terminal Server Environment
By: Shane Wescott (posted on February 14, 2007)
This document serves to discuss the special security needs of this environment, and to recommend strategies for its implementation.
PDF Sudo for Windows (sudowin)
By: Andrew Kutz (posted on February 14, 2007)
The original Sudo application was designed by Bob Coggeshall and Cliff Spencer in 1980 within the halls of the Department of Computer Science at SUNY/Buffalo. Sudo encourages the principle of least privilege, that is, a user operates with a bare minimum number of privileges on a system until the user requests a higher level of privilege in order to accomplish some task.
PDF Phishing and Pharming - The Evil Twins
By: Tushar Srivastava (posted on February 14, 2007)
This paper discusses the ways and means of defending the integrity of online business by foiling such attempts using a three pronged approach: education and awareness, technology, and law enforcement.
PDF VPNScan: Extending the Audit and Compliance Perimeter
By: Rob VandenBrink (posted on February 12, 2007)
This paper outlines specifically how VPNSCAN was built, with policy and implementation issues found in various customer environments.
PDF Pros and Cons of using Linux and Windows Live CDs in Incident Handling and Forensics
By: RickyD Smith (posted on February 9, 2007)
One of the first steps an incident handler takes for a potential computer incident is verifying that an incident has actually occurred. As part of the verification process, the incident handler will need to examine the system looking for evidence of the incident.
PDF Security Issues and Countermeasure for VoIP
By: Jianqiang Xin (posted on February 7, 2007)
This paper focuses on these VoIP specific security threats and the countermeasures to mitigate the problem.
PDF Visual Baselines - Maximizing Economies of Scale Using Round Robin Databases
By: Kirsten Hook (posted on January 11, 2007)
One of the most critical aspects of any security professional's job is to have a solid understanding of their network. This is where creating a baseline of your network becomes vital.
PDF Wireless Attacks from an Intrusion Detection Perspective
By: Gary Deckerd (posted on December 11, 2006)
Wireless site surveys should be performed to ensure that the WIDS covers the entire wireless network. The case study contains an example of a WIDS deployed in this fashion.
PDF Secure Configuration of Apache in the Mac OS X Environment
By: Neil Fryer (posted on December 7, 2006)
Within this paper I will attempt to show how to secure both OS X and Apache, so that it can be used as an Internet facing web server.
PDF Discovering Rogue Wireless Access Points Using Kismet and Disposable Hardware
By: Larry Pesce (posted on December 7, 2006)
Steganography is the practice of concealing information in channels that superficially appear benign. The National Institute of Standards and Technossive Application Mapping (PAM) is a solution for this problem. In this paper I cover the topics that are vital to understanding and utilizing PAM. I also cover the commercial and public efforts that incorporate PAM to better aid in Intrusion Analysis and network maintenance.
PDF The December Storm of WMF: Preparation, Identification, and Containment of Exploits
By: James Voorhees (posted on November 17, 2006)
This paper will look at how prepared the security community is to contain the effects of a zero-day exploit, and how and when the vulnerability was discovered and made public. It will identify the actors in the security community and examine how they responded.
PDF A Survey of Wireless Mesh Networking Security Technology and Threats
By: Anthony Gerkis (posted on October 18, 2006)
This paper will summarize the technologies and challenges related to wireless mesh networks.
PDF Auditing a Systems Security Consultant's Laptop Running Fedora Core 2
By: Yolanda Martinez (posted on May 11, 2005)
The purpose of this report is to illustrate the process of auditing and verifying conformance to specific policies, procedures, security guidelines and best security practices of a systems security consultant's laptop.
PDF Computer Forensics Investigation - Analyze an Unknown Image
By: Raul Siles (posted on April 28, 2005)
This paper consists of the investigation and forensic analysis of a piece of evidence, a USB flash drive, collected during the incident response phase of a case involving personal harassment at CC Terminals.
PDF 802.11i (How we got here and where are we headed)
By: Elio Perez (posted on November 17, 2004)
This paper will focus on the current IEEE 802.11i standard and the components that comprise the standard. It will show how the standard ensures the integrity of the CIA triad in an effort to restore confidence in corporate WLANs.
PDF Getting Started: The Impacts of Privacy and Security Under HIPAA - A Case Study
By: Barbara Filkins (posted on November 17, 2004)
Late in 2002, a behavioral health agency realized that their use of a centralized electronic medical records (EMR) system and the requirements for HIPAA privacy had just accelerated their plans for security implementation. This paper is intended as a case study that can be applied in similar situations.
PDF A Practical Implementation of Defense In Depth and Concomitant Security Management Program
By: Dar Ning Kung (posted on November 15, 2004)
In an organization connected to the Internet for business operations such as ecommerce, both the security staff and the network administrators constantly face tremendous challenges from dynamic digital attacks upon the organization's network infrastructure, servers, workstations, and business services.
PDF The Yin and the Yang: A Sordid Tale of Information Security, OR DCOM, Netcat, and a Live Response, OH MY!
By: Dave Shackleford (posted on November 15, 2004)
The exploit that this paper will cover is one that has been in use for some time - the buffer overrun vulnerability that was discovered in the majority of Microsoft's Operating Systems' RPC DCOM handling.
PDF Macromedia ColdFusion RDS default condition exploit
By: David Bruno (posted on November 15, 2004)
This paper will review the vulnerabilities associated with the Remote Development Service (RDS), a component of the widely used Macromedia ColdFusion (CF) development platform.
PDF Building a Secured OS for a Root Certificate Authority
By: Don Murdoch (posted on November 15, 2004)
This paper discusses the procedures necessary for securing an installation of Red Hat Enterprise Server 2.1 in support of a root certificate authority that will eventually function in the Higher Education Bridge Certificate Authority.
PDF An Ettercap Primer
By: Duane Norton (posted on November 15, 2004)
Ettercap is a versatile network manipulation tool. It uses its ability to easily perform man-in-the-middle (MITM) attacks in a switched LAN environment as the launch pad for many of its other functions. Once ettercap has inserted itself in the middle of a switched connection, it can capture and examine all communication between the two victim hosts, and subsequently take advantage of these other features.
PDF SAN Security – beyond segmentation
By: Etienne De Burgh (posted on November 15, 2004)
Storage Area Networks (SANs) are becoming increasingly popular as a technology that allows data to be consolidated onto fewer devices and as a technology that provides high performance connectivity to storage media.
PDF The Ins and Outs of System Logging Using Syslog
By: Ian Eaton (posted on November 15, 2004)
The intent of this paper is to help the reader follow a process of thinking that will provide them with the tools to understand the fundamentals of system logging. Hopefully at the end you will be able to identify the best implementation for your particular environment. This paper focuses on logging using syslog, which has become the de facto logging standard on UNIX based systems. Though this is syslog- and UNIX-specific, I would hope the general discussions on logging would be helpful for any log implementation.
PDF Dead Linux Machines Do Tell Tales
By: James Fung (posted on November 15, 2004)
A summary study of a compromised Linux network and the incident handling procedures that followed.
PDF Defeating Overflow Attacks
By: Jason Deckard (posted on November 15, 2004)
Buffer overflow attacks are detectable and preventable. This paper describes what a buffer overflow attack is and how to protect applications from an attack.
PDF USA PATRIOT Act Compliance Issues for Non-Financial Companies
By: Jeffrey Fenton (posted on November 15, 2004)
The USA PATRIOT Act and Executive Order 13224 have broad implications for information privacy, security, and records retention policy. While the financial services industry is most affected, all companies will need to re-evaluate their policies for customer information collection and privacy, acceptable use, records retention, and information sharing with law enforcement agencies.
PDF Securing Wireless LANS in Microsoft Networks using Wireless Protected AccessTM and Digital Certificates
By: John Holmblad (posted on November 15, 2004)
The objective of this paper is to provide a comprehensive overview of the implementation of a secure 802.11 wireless networking environment based on a combination of enterprise grade 802.11 a/b/g wireless LAN components from Proxim, Cisco/Linksys, Lucent, Netgear, and Microsoft with Microsoft Small Business Server 2003 Premium Edition, Microsoft 2000 Advanced Server, and Microsoft Server 2003 Enterprise Edition.
PDF Greymatter Remote Command Execution Vulnerability
By: Ken Rode (posted on November 15, 2004)
This paper examines a PHP injection exploit against the Greymatter WebLogging application. It begins with a detailed examination of the exploit and then reviews a sample attack against a remote network.
PDF Password Management: Awareness and Training
By: Neil Witek (posted on November 15, 2004)
The purpose of this document is to examine, in detail, the Implementation Specification for § 164.308(a)(5)(ii)(D), "Password Management" mandated by the HIPAA Security Rule.
PDF Implementing a Windows 2003 PKI from an Existing Windows 2000 Network
By: Norman Christopher Knight (posted on November 15, 2004)
This paper will describe the process that one fictitious, medium-sized, organization took in deciding to move their Windows 2000 AD based domains to Windows Server 2003 and, subsequently, a 2003 based PKI.
PDF Network Security Architecture
By: Patrick Luce (posted on November 15, 2004)
This document describes the Information Technology (IT) security architecture for GIAC, a small fictitious company who specializes in the distribution of fortune cookie sayings.
PDF Slapper
By: Paul Elwell (posted on November 15, 2004)
Use of the terms "virus" and "worm" reinforces the analogy to the biological characteristics of the entities. "...some authorities (including Fred Cohen, the `father' of computer virology) regard worms as a subset of the genus virus....It can be said that the worm infects the environment (an operating system or mail system, for instance), rather than specific infectable objects, such as files."
PDF Linux kernel rootkits: protecting the system's
By: Raul Siles (posted on November 15, 2004)
Why secure the kernel, the crown jewel of a Unix system? There are mainly two reasons why this paper was developed: first, because the kernel is the most important and critical part of a modern Unix operating system; second, because almost all Linux hardening guides include no reference to securing the kernel, covering only other OS components (subsystems, daemons, filesystems...).
PDF Mass-Mailing Worms: Prevention, Detection and Response
By: Richard Gadsden (posted on November 15, 2004)
Preventing mass-mailing worms from infecting the PCs in your network is obviously the cornerstone of any reasonable defense against them, but early detection and prompt isolation and recovery of any infections which do occur should be your second line of defense.
PDF Running a Secure Kerberos Server on FreeBSD
By: Roberto Sabbi (posted on November 15, 2004)
This paper will discuss the use of the FreeBSD operating system to implement a Kerberos Key Distribution Center.
PDF Alternate Data Streams: Out of the Shadows and into the Light
By: Ryan Means (posted on November 15, 2004)
Alternate Data Streams: Out of the Shadows and into the Light examines alternate data streams in NTFS. It provides a thorough technical background in alternate streams before proceeding to compare them to regular files and directories.
PDF Defence in Depth on the Home Front
By: Thomas Harbour (posted on November 15, 2004)
The home Internet user is a target for intruders. The key question facing home Internet users is how they can securely access the Internet without sacrificing the required level of usability. After all if the security measures are too severe then use of the Internet will be very frustrating and either the Internet will not be accessed or more likely, the security measures will be circumvented or ignored to increase usability.
PDF Application Development Technology and Tools: Vulnerabilities and threat management with secure programming practices, a defense in-depth approach
By: Vilas Ankolekar (posted on November 15, 2004)
The Internet has made inroads into every corner of our lives. Web applications and Web services are the major forces behind the Internet. For the past few years, the pitch over security in applications has reached a new crescendo.
PDF Auditing a Corporate E-mail Gateway Running Postfix on Linux: an Administrator’s Perspective
By: William Karwisch (posted on November 15, 2004)
This is a report of the audit of a corporate e-mail relay from an administrator's viewpoint. The audit process optimized the scope of the audit using a pre-audit risk assessment. The audit objectively showed the reduction of risk from the unaudited state of the system through the audit and the post-audit remediation of findings.
PDF Avaya INDeX PBX Security Audit: An Auditor’s Perspective
By: Alan Mercer (posted on November 14, 2004)
Private Automatic Branch Exchanges (PABX) or Private Branch Exchanges (PBX) - the term is used interchangeably as almost all PBX systems are now automatic - are often overlooked when organisations assess and audit the state of their internal security.
PDF Information Security Management System (7799) for an Internet Gateway
By: Amarottam Shrestha (posted on November 14, 2004)
An Internet presence is an important aspect of most businesses these days. An Internet gateway provides network security for businesses from the Internet. It is important that the Internet gateway is designed, implemented and operated in a secure manner.
PDF GIAC Enterprises' Expansion into China
By: Andrew Jones (posted on November 14, 2004)
GIAC Enterprises has hired this consultant to design, implement, and test a security architecture for the company. A separate consultant proposed and implemented a different structure, with which GIAC Enterprises is not happy, and this consultant also has the task of analyzing that structure to find weaknesses.
PDF GIAC Certified Firewall Analyst Practical
By: Bang Shug Tan (posted on November 14, 2004)
GIAC Enterprises is an e-business dealing in the online sale of fortune cookie sayings. Wary of security concerns of conducting business over the internet, the company has invested in improving the security posture of its IT systems and infrastructures.
PDF Procedures for Establishing User Access Controls to Electronic Protected Health Information
By: Barbara Filkins (posted on November 14, 2004)
Our emphasis for this paper is on the technical implications of database user access controls. This paper presents a practical case where three separate agencies, each representing a different aspect of health care, intend to share electronic protected health information (ePHI) with the goal of developing better outcome measures and improved access to care for their beneficiary population.
PDF Auditing Borland's J2EE Application Server: An Auditor's Perspective
By: Brenton Camac (posted on November 14, 2004)
This paper documents an independent audit of an in-production business system. The focus of the audit is confined to the system's J2EE AppServer component only.
PDF Quantum Encryption – A Means to Perfect Security?
By: Bruce Auburn (posted on November 14, 2004)
In the past twenty years, the quantum properties of matter and light have been applied to the field of information security. Research has advanced to the point that actual devices using quantum properties are transmitting information over considerable distances.
PDF Auditing a print and scan server protected by the VisNetic for Workstation firewall
By: Carmen Aubry (posted on November 14, 2004)
Print servers, generally designed to be hosted on a private network, weren't usually viewed as a threat by network administrators. The general perception was that nothing can be done on a print server, except stealing confidential data.
PDF Empowering your IT Call Center as Information Security Advocates
By: Carrollynn Brown (posted on November 14, 2004)
This practical covers how my Information Security (IS) organization empowered the Information Technology (IT) Call Center as security advocates. My case study covers the operational aspect of information security and on implementing security processes as it related to the ITCC business environment.
PDF Framework for Secure Application Design and Development
By: Chris McCown (posted on November 14, 2004)
The practice of secure application design and development is an important and necessary attribute of a secure computing environment. Applications that protect data from unauthorized access or modification and ensure its availability are key advantages to companies with physical and information assets that require such an environment.
PDF Attacks Against The Mechanical Pin Tumbler Lock
By: Craig Kagawa (posted on November 14, 2004)
This paper provides an overview of the common pin tumbler lock and the five methods used to exploit it. Pin tumbler locks are found in the vast majority of residential, commercial, government and educational institutions.
PDF Implementing a Project Security Review Process within Project Management Methodology
By: Darlene Hart Rodgers (posted on November 14, 2004)
It is imperative for companies to have security policies and standards defined.
PDF Case Study in Information Security
By: Suzy Clarke (posted on October 31, 2003)
This paper outlines the steps taken to secure part of a network belonging to a telecommunications company that was compromised earlier this year.
PDF Auditing a Distributed Intrusion Detection System: An Auditor's Perspective
By: Darrin Wassom (posted on October 31, 2003)
The intent of this audit is to certify the design to ensure it will comply with stated security policies and guidelines set forth by the healthcare organization.
PDF How an Exploit in the Computer System of a Small Company Was Used to Gain Access to Two Major Govern
By: Adrienne Zago-Swart (posted on October 31, 2003)
In this paper, I will describe how an exploit in the computer system of a small company was used to gain access to two major government agencies.
PDF Intrusion Detection and Analysis: Theory, Techniques, and Tools
By: Tod Beardsley (posted on October 31, 2003)
The goal of this paper is to explore RING's effectiveness as a stand-alone OS fingerprinting tool, and to offer suggestions on how an organization can protect itself against RING specifically as well as future implementations of this concept.
PDF Securing MySQL Server on FreeBSD 4.5
By: Jason Lam (posted on October 31, 2003)
This paper presents a fictitious company, describes the nature of the business, provides a detailed look at the IT Infrastructure, defines specific vulnerabilities, and provides Security Policies and Procedures to address those areas of risk.
PDF GIAC Enterprise: Descriptions of the Company's Network, and Configuration of the Primary Router, Firewall and VPN Device
By: Emily Gladstone (posted on October 31, 2003)
This paper presents a fictitious company, describes the nature of the business, provides a detailed look at the IT Infrastructure, defines specific vulnerabilities, and provides Security Policies and Procedures to address those areas of risk.
PDF SuSE Linux on a PowerBook G4 Workstation
By: David F. Beck (posted on October 31, 2003)
This paper presents a fictitious company, describes the nature of the business, provides a detailed look at the IT Infrastructure, defines specific vulnerabilities, and provides Security Policies and Procedures to address those areas of risk.
PDF GIAC Enterprises
By: Stephen Carroll (posted on October 31, 2003)
This paper presents a fictitious company, describes the nature of the business, provides a detailed look at the IT Infrastructure, defines specific vulnerabilities, and provides Security Policies and Procedures to address those areas of risk.
PDF WU-FTPD Heap Corruption Vulnerability
By: Jennifer Allen (posted on October 31, 2003)
This paper presents a vulnerability profile - specifically an oversight in design, whereby a remote user with any valid FTP login is able to execute arbitrary code with the privileges of the FTP daemon - usually root.
PDF Lions and Tigers and Layers (of security)
By: David McLeod (posted on October 31, 2003)
This paper presents a fictitious company, describes the nature of the business, provides a detailed look at the IT Infrastructure, defines specific vulnerabilities, and provides Security Policies and Procedures to address those areas of risk.
PDF GIAC Enterprises Security Policies & Procedure
By: Simon Oliver (posted on October 31, 2003)
This paper presents a fictitious company, describes the nature of the business, provides a detailed look at the IT Infrastructure, defines specific vulnerabilities, and provides Security Policies and Procedures to address those areas of risk.
PDF Securing Unix Step By Step - Secure Mail Gateway
By: Maarten Hartsuijker (posted on October 31, 2003)
The goal of this paper is the implementation of a secure e-mail gateway.
PDF Intrusion Detection In Depth
By: Kyle Haugsness (posted on October 31, 2003)
This paper focuses on two tools that were released in 2001 that seemed to "fly under the radar" of many security professionals.
PDF Intrusion Detection In Depth
By: Hee So (posted on October 31, 2003)
This paper examines methods to identify vulnerabilities within a network by only passively listening to network traffic. Topology and data flow are discussed.
PDF GIAC Enterprises: "Your Fortunes" Security Infrastructure
By: Mark Hofman (posted on October 31, 2003)
This paper presents a fictitious company, describes the nature of the business, provides a detailed look at the IT Infrastructure, defines specific vulnerabilities, and provides Security Policies and Procedures to address those areas of risk.
PDF GIAC Enterprises - Data Backup Security Policies and Procedures
By: Martin A. Reymer (posted on October 31, 2003)
This paper presents a fictitious company, describes the nature of the business, provides a detailed look at the IT Infrastructure, defines specific vulnerabilities, and provides Security Policies and Procedures to address those areas of risk.
PDF A Comprehensive Perimeter Security Architecture for GIAC Enterprises
By: Matt Briddell (posted on October 31, 2003)
This paper presents a fictitious company, describes the nature of the business, provides a detailed look at the IT Infrastructure, defines specific vulnerabilities, and provides Security Policies and Procedures to address those areas of risk.
PDF GIAC Enterprises
By: Peter Vestergaard (posted on October 31, 2003)
This paper presents a fictitious company, describes the nature of the business, provides a detailed look at the IT Infrastructure, defines specific vulnerabilities, and provides Security Policies and Procedures to address those areas of risk.
PDF Intrusion Analysis - The Director's Cut!
By: Les Gordon (posted on October 31, 2003)
My goal for this paper was to investigate Q's capabilities, assess the risk posed by this software, see whether the existing standard Snort signatures and those at www.whitehats.com are in fact adequate, and suggest new signatures which may perhaps be more effective.
