SANS Technology Institute: Security Laboratory
Welcome to the Security Laboratory. I'm Stephen Northcutt and like many of you I am a manager and leader with an information technology job. At the SANS Technology Institute, we are always striving to become more skilled and knowledgeable in computer security as well as the people side of the job. The "Security Labratory", for you creative spellers, is an informal set of articles and whitepapers, almost a blog, about security, information technology, and the computer security industry. As we learn more, ponder issues and research content for SANS Security 401 Security Essentials and the GIAC Security Essentials Certification, we will continue to add to this site. Our hope is for this to be a resource for the community and we would love to hear from you. Feel free to drop us a note at stephen@sans.edu.
- Sec Lab: Predictions and Trends for Information, Computer and Network Security
A collection of predictions about the future of security for computers, networks and information.
2009 Security Predictions - Updated November 8th, 2008
By Stephen Northcutt and friends
Version 1.4
Stephen Northcutt and friends offer their predictions for the important trends in network, information and computer security for 2009 and beyond.
Stephen Northcutt's favorite Security Predictions for 2008 - Updated April 16th, 2008
By Stephen Northcutt
Version 1.1
Instead of making his own predictions about information and computer security trends in 2008, Stephen would like to share his favorites from other pundits, and he also takes a look at how those December 2007 predictions are holding up as of April 2008.
Endpoint Security: What works and what does not work - November 1st, 2008
By Stephen Northcutt, lead researcher
Can we fully secure our computer systems from attackers? This presentation reviews the key features in endpoint security that really matter, how to shop for the best products, and why implementing defense in depth on your organization's endpoint is a best practice. (This presentation originated as a June 2008 webcast, in conjunction with CoreTrace, and we continue to expand the research.)
- Security Laboratory: Thought Leaders
Stephen Northcutt from the Security Laboratory conducts in-depth interviews with the thought leaders in information security. For every novel security product, there is a thought leader, a man or woman of vision who sees the need and guides the creation of the security product. If there is someone missing whose voice you feel should be heard, drop me a note at stephen@sans.edu.
What is a Security Thought Leader - March 22nd, 2008
By Stephen Northcutt
With the Security Thought Leader project Stephen hopes to introduce you to some really great men and women. A security thought leader can be defined by certain criteria: a person who is recognized by their peers as a thought leader, who passes their information on to help others, who has innovative ideas, and who shares ideas as actionable distilled insights.
Doug Brown, former Manager of Security Resources, University of North Carolina at Chapel Hill - October 30th, 2008
By Stephen Northcutt
One of the important concepts that we want to explore in security thought leadership is the idea of group or team thought leadership. And so we are looking for examples of teams that exhibited security thought leadership. Doug Brown, former Manager of Security Resources, University of North Carolina at Chapel Hill, was on a team that exhibits many of the characteristics of security thought leadership.
Amrit Williams, Chief Technology Officer, BigFix - June 30th, 2008
By Stephen Northcutt
Amrit Williams, Chief Technology Officer at BigFix, was formerly a research director in the Information Security and Risk Research Practice at Gartner, Inc. He is certainly a security thought leader and if you have not been introduced to him before, we are sure you will find he has some interesting out of the box opinions.
Andrew Hay, Q1 Labs - May 13th, 2008
By Stephen Northcutt
Andrew Hay, one of the authors of the popular OSSEC Host-Based Intrusion Detection Guide and upcoming Nagios 3 Enterprise Network Monitoring book has agreed to be interviewed for the SANS Security Thought Leader series.
Gene Schultz, CTO of High Tower - April 4th, 2008
By Stephen Northcutt
The Security Laboratory is pleased to interview Dr. Gene Schultz, one of the most experienced security practitioners in the field.
Tomasz Kojm, original author of ClamAV - April 3rd, 2008
By Stephen Northcutt
Tomasz Kojm is the original author of ClamAV, an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways.
Bill Johnson, CEO TDI - April 2nd, 2008
By Stephen Northcutt
Bill Johnson, CEO TDI, was the first person in the industry, that I am aware of, to sound the clarion call that we might be vulnerable to attacks via the Baseboard Management Controller (BMC). That certainly qualifies him as a security thought leader, and we thank him for his time.
Gene Kim, Tripwire - March 14th, 2008
By Stephen Northcutt
Gene Kim is one of the original authors of Tripwire, a software product used to manage configurations and change. Gene is willing to share his thoughts on virtualization with the Security Laboratory thought leadership series, and we certainly thank him for his time!
Kevin Kenan, Managing Director, K2 Digital Defense - March 14th, 2008
By Stephen Northcutt
Imperva and a few other vendors are starting to understand the importance of database security and release products, but Kevin Kenan, Managing Director, K2 Digital Defense, picked up on this long ago.
Leigh Purdie, InterSect Alliance, co-founder of Snare - March 7th, 2008
By Stephen Northcutt
Perhaps one of the hottest topics in 2008 is log file analysis (who would have guessed). And while the commercial tools are getting a lot of the press, a tool that is both open source and commercial is ending up on a lot of systems. It is called Snare, and Leigh Purdie is the thought leader behind the project. He has been willing to invest the time for a thought leadership interview with the Security Laboratory.
Marty Roesch, Sourcefire CEO and Snort creator - February 26th, 2008
By Stephen Northcutt
I keep thinking about the news reports that Chinese hackers managed to exfiltrate six terabytes of sensitive data from a large number of systems belonging to the Department of Homeland Security in November 2007. It seems like that would be impossible to do without being detected. But, I have to wonder, since the famous Richard Stiennon paper, Intrusion Detection is Dead, organizations have been replacing IDS with IPS, and maybe, just maybe, they think the devices do their job in some kind of "fire and forget" mode. Sourcefire was kind enough to allow me to interview Snort creator and Sourcefire CEO Marty Roesch on this topic.
Dr. Anton Chuvakin, Chief Logging Evangelist with LogLogic - January 28th, 2008
By Stephen Northcutt
Dr. Anton Chuvakin from LogLogic is probably the number one authority on system logging in the world, and his employer is probably the leading vendor for logging, so we appreciate this opportunity to share in his insights.
Kishore Kumar, CEO of Pari Networks - January 23rd, 2008
By Stephen Northcutt
One of the ongoing research projects in the Security Laboratory is to work with the thought leaders in information security to get an understanding of their vision for our industry. We have recently had the honor of working with Kishore Kumar, CEO of Pari Networks, and we certainly thank him for his time.
Ivan Arce, CTO of Core Security Technologies - October 26th, 2007
By Stephen Northcutt
Ivan Arce, Chief Technology Officer of Core Security Technologies, sets the technical direction for the company and is responsible for overseeing the development, testing and deployment of all Core products. He talks with us here about the recent update to their product to include web application testing, the latest web attack techniques, and his security philosophy.
Mike Weider, CTO for Watchfire - Updated July 23rd, 2007
By Stephen Northcutt
Stephen Northcutt interviews Mike Weider, CTO of Watchfire, regarding recent trends in web app vulnerabilities as well as his company's solutions for web application security.
Jeremiah Grossman, Founder and CTO of WhiteHat Security - July 12th, 2007
By Stephen Northcutt
Jeremiah Grossman, founder and CTO of WhiteHat Security, talks with Stephen Northcutt about the state of web application security as well as WhiteHat's approach to website vulnerability assessment and management.
Interview with authors of The Art of Software Security Assessment - Updated July 9th, 2007
By Stephen Northcutt
The Leadership Laboratory recently posted a book review of The Art of Software Security Assessment. The book raises a number of issues that we would love to explore further and the authors, Mark Dowd, John McDonald and Justin Schuh have graciously agreed to an interview. One section was titled Code Auditing and the Development Life Cycle and we used that as the basis of the interview.
Ryan Barnett, Director of Application Security Training at Breach Security, Inc. - June 29th, 2007
By Stephen Northcutt
Ryan Barnett, Director of Application Security Training at Breach Security, Inc. talks with Stephen Northcutt about the current state of web application security.
Dinis Cruz, Director of Advanced Technology, Ounce Labs - June 11th, 2007
By Stephen Northcutt
Dinis Cruz, Director of Advanced Technology for Ounce Labs, talks with Stephen Northcutt about the many facets of OWASP, as well as the important questions that need real answers in order to develop secure web applications.
Brian Chess, Chief Scientist for Fortify Software - June 9th, 2007
By Stephen Northcutt
Brian Chess, Chief Scientist for Fortify Software, talks with Stephen Northcutt about static analysis and other web application security solutions.
Caleb Sima, CTO for SPI Dynamics - Updated May 29th, 2007
By Stephen Northcutt
Stephen Northcutt interviews Caleb Sima about the development of Caleb's company, SPI Dynamics, and the increasing need for solutions for web application security.
An Interview with David Hoelzer, author of DAD, a log aggregator - May 1st, 2007
By Stephen Northcutt
An interview with David Hoelzer describing DAD, an open source Windows event log and syslog management tool that allows you to aggregate logs from hundreds to thousands of systems in real time.
An Interview with Ron Gula from Tenable about the role of a vulnerability scanner in protecting sensitive information - March 22nd, 2007
By Stephen Northcutt
In a new twist for vulnerability scanners, Nessus can now search for sensitive information like Social Security Numbers and Credit card numbers.
The 5 Most Common Mistakes Made When Developing a Web Application - Updated October 29th, 2008
By Johannes Ullrich
Dr. Ullrich examines the reasons why critical web application security flaws remain so common, even though most web developers are aware of them and do consider them in writing new applications. He sees 5 common mistakes: inconsistent input validation, not understanding the technology, not understanding the business, underestimating the threat, and underestimating the user.
- Sec Lab: Attacks and Defense at Integrated Cyber Exercises
As in real life, there are no declared winners and losers in cyber defense games designed by WhiteWolf Security, but everyone learns something from the experience. In the real world, on real networks, the game never ends, making it impossible to declare a winner. All anyone can do is to perform their skills to the best of their ability, support the team, continue to learn and acquit themselves with honor.
ICE II : Vegas Summary - October 27th, 2008
By Tim Rosenberg
Summary report of the Integrated Cyber Exercise (ICE) II, October 1st-3rd, 2008, Las Vegas.
An Interview with Alex Horan, CORE Security on his experience with the Integrated Cyber Exercise (ICE I) event at SANS Las Vegas - October 10th, 2007
By Stephen Northcutt
An Interview with Alex Horan, CORE Security on his experience with the Integrated Cyber Exercise (ICE) event at SANS Las Vegas, September 2007.
SANS Provides Red Cell for Cybergame - March 13th, 2007
By Stephen Northcutt
March 9-11, 2007, eight college and university teams competed in the Mid-Atlantic cybergame. The attackers (red cell) were all GIAC certified and were provided by the SANS Institute.
How do you get started in Information security? - October 25th, 2008
By Stephen Northcutt
This article considers getting started in computer and network security (physical or facilities security is out of the scope of this writing). This is an introduction; if you find you are interested in learning more about security, you may want to consider our introductory course, Intro to Information Security.
Tools for Securing Your Computer Against Software Vulnerabilities - July 31st, 2008
By Stephen Northcutt
There are two free, powerful and effective tools designed with the sole purpose of helping you secure your computer from software vulnerabilities. Microsoft's scanner does a good job of checking out your system, but it doesn't evaluate whether third-party software like Real Audio or Adobe Acrobat Reader is up to date; Secunia does exactly that.
- Security Laboratory: Defense In Depth Series
Hybrid Threats - June 18th, 2008
By Stephen Northcutt
Though it is certainly true that malware has evolved a lot in this decade, the tools in use today are more similar to than different from the attacker tools of ten years ago. The command and control is better and they are better able to evade detection, but they are still very similar. Here we take a look at hybrid threats: in the early days of malware, it was fairly easy to classify malware as a virus, worm, or Trojan, but these days many attacks use features of each.
Can you build a Defense in Depth architecture without an architect? - Updated May 13th, 2008
By Stephen Northcutt, J. Michael Butler and the GIAC Advisory Board
Version 1.1
We interviewed a number of GIAC Advisory Board members who have been working as architects for major enterprises as to what they look for in an architecture position.
The Attack Surface Problem - November 6th, 2007
By Stephen Northcutt
One of the most important things to understand about defense in depth is attack surface. We can define attack surface as our exposure, the reachable and exploitable vulnerabilities that we have.
The Uniform Method of Protection to Achieve Defense-in-Depth - February 26th, 2007
By Stephen Northcutt
The uniform method of protection for defense-in-depth generally involves a firewall separating the internal trusted zone from the Internet; most implementations also have anti-virus in the mail store-and-forward on the servers and on the desktops. It generally means that all internal hosts receive the same level of protection from attack by the computer network infrastructure. It is the most commonly and easily implemented architecture, and the least effective in terms of achieving a high degree of information assurance unless all IT-contained information assets are of equal importance to the organization.
Security Convergence and The Uniform Method of Protection to Achieve Defense in Depth - September 7th, 2007
By Stephen Northcutt
Security convergence is an interesting trend that has been picking up speed heading into 2008. We are running network information that was formerly analog over our digital data networks, we are converging formerly separate network devices, especially at the perimeter, and we are starting to see physical and classic network security groups beginning to merge. If the trend continues unabated, it will end up saving us a lot of money and giving us a lot less actual remediation of risk than past practice.
Protected Enclaves Defense-in-Depth - February 26th, 2007
By Stephen Northcutt
Protected enclaves simply means subdividing the internal network so that it is not one large zone with no internal protections. This architectural approach to information security defense-in-depth can be accomplished in a number of ways.
Information Centric Approach to Defense-in-Depth - February 26th, 2007
By Stephen Northcutt
As an information security manager it is critical to understand and to be able to help others understand the value of information. In addition to richly valuable information such as intellectual property (patents, trademarks, copyrights, know how, data schema) there is also data including the increasingly important business record. Is the uniform approach to Defense-in-Depth appropriate when it comes to information?
Vector Oriented Defense in Depth - February 26th, 2007
By Stephen Northcutt
"You shall not pass," cried Gandalf, standing on a narrow rock bridge facing the Balrog in the mines of Moria. Gandalf's resolve was unshakable. The actor portrayed the moment extremely well, showing fear and dread, yet an unshakable determination, proclaiming "You shall not pass!" And, through the magic of movie making, it leaves those of us in the information security manager community with a fantastic word picture of vector oriented defense-in-depth.
Role Based Access Control to Achieve Defense in Depth - Updated December 26th, 2007
By Stephen Northcutt based on research work by Richard Hammer and Peter Leight
Role-based access control (RBAC) is an access control method that organizations implement to ensure that access to data is performed by authorized users, and enterprise based RBAC is accomplished with Network Access Control (NAC).
ISPs monitor what you do on the Internet and sell the information for marketing purposes - Updated April 7th, 2008
By Stephen Northcutt
Version 1.1
Our story begins in 2002, with a post on Interesting People and an assertion that Comcast was spying on its users, then, in January 2007, while on their honeymoon in Maui a couple was checking their email from their hotel and noticed something odd...
- Sec Lab - Security Heroes
The SANS Security Heroes project is to help introduce you to people that have made a difference in information security. We believe there are a lot of people contributing to make security work, and we want to introduce you to them.
Craig Wright, Security Hero - April 4th, 2008
By Stephen Northcutt
Craig Wright certainly qualifies as a security hero! He has written articles and books on security and has nearly every SANS and GIAC certificate available (including platinum). He is a GIAC Technical Director, and jack-of-all-trades and master of a few.
Peter Giannoulis, Security Hero - March 19th, 2008
By Stephen Northcutt
Peter Giannoulis certainly qualifies as a security hero! He has written articles for SC & Information Security Magazine, has been a real work horse for SANS and GIAC, and now, as you will see, he is working on his own signature approach to sharing security information. He is a truly busy guy and a contributor to the SANS Security Laboratory.
Suzanne Novak, Security Hero - February 13th, 2008
By Stephen Northcutt
I met Suzanne, Executive Vice President of ERUdyne, LLC and President of the Connecticut Chapter of InfraGard, as we were doing our due diligence related to running a SANS conference in Boston. Suzanne also serves as a Disaster Assistance Employee (Reservist) for FEMA as an External Affairs Specialist from Region I (New England). Her professional focus is on developing and implementing strategies that facilitate information sharing, one of the hardest problems to solve, especially in a disaster.
Laura Taylor, Security Hero - February 8th, 2008
By Stephen Northcutt
Please allow the Security Laboratory to introduce Laura Taylor and her unlikely career in Information Security.
The Business Case for SANS Penetration Testing Course and Incident Handling Course - February 28th, 2008
By Stephen Northcutt
This is a follow-on to our discussion on how SANS' new course, Security 560: Network Penetration Testing and Ethical Hacking, differs from other courses that, at first glance, appear to have the same objectives. This new course addresses in-depth methods used by professional penetration testers and ethical hackers to find and exploit flaws in a target environment. Additionally, SANS offers a course called SANS Security 504: Hacker Techniques, Exploits, and Incident Handling. Perhaps you are convinced you need one or the other course because of your duties in incident handling or penetration testing - how do you make an effective business case for purchasing the training?
The New Pen Testing Course from SANS Institute - February 27th, 2008
By Stephen Northcutt and Ed Skoudis
Sometimes on the discussion list for the GIAC Advisory Board (an honor reserved for students that score 90 or higher on their exams) it gets pretty lively. We thought you might be interested in this discussion since the subject will probably come up again and again and again. It all started with the observation: "What I noticed was GPEN and GCIH [GPEN and GCIH are the names for the GIAC certifications for two courses taught at SANS] have the same course content and syllabus. Then why do we have 2 different course names with the same content?"
Separation of Duties in Information Technology - February 18th, 2008
By John Gregg, Michael Nam, Stephen Northcutt and Mason Pokladnik
Several authors join Stephen Northcutt to examine the special considerations for separation of duties in all organizations with regard to their information technology.
- Security Laboratory: Cryptography in Business Series
We are grouping papers in this series to focus on the many facets of data encryption.
Cryptography Industry Analysis Papers - January 10th, 2008
By Stephen Northcutt
The Security Laboratory is pleased to announce that the SANS Institute and a leading Cryptography vendor have teamed up to produce guidance on navigating the compliance landscape as well as keys to procure a cryptographic system. We interviewed Nagraj Seshadri, the Product Marketing Manager for Utimaco Safeware, Inc. to find out why Utimaco was willing to invest in developing research for all of the defensive information community.
Secure Web Services - Updated September 17th, 2007
By Stephen Northcutt
The latest hurdle for managers: understanding Service Oriented Architecture.
Hash Functions - January 10th, 2008
By Stephen Northcutt
The primary application of hash functions in cryptography is message integrity. The hash value provides a digital fingerprint of a message's contents, which ensures that the message has not been altered by an intruder, virus, or by other means. Hash algorithms are effective because of the extremely low probability that two different plaintext messages will yield the same hash value.
An Interview with Oggy Vasic, Vice President of Software Development, ERUCES Inc. - July 12th, 2007
By Stephen Northcutt
An interview with Oggy Vasic who is responsible for security oriented software development at ERUCES Inc.; Stephen Northcutt talks with him about his encryption product that is used in high security installations of the US intelligence community.
SSL/TLS - Updated January 3rd, 2008
By Stephen Northcutt
Version 1.3
The Secure Sockets Layer (SSL) protocol was developed by Netscape Communications in 1994 to provide application-independent secure communications over the Internet. SSL procedures are most commonly employed on the Web with the Hypertext Transfer Protocol (HTTP) for e-commerce transactions, although SSL is not limited to HTTP.
The Pitfalls of Full Disk Encryption - January 4th, 2007
By Peter Giannoulis
You cannot pick up a technical magazine nowadays without reading about encrypting data at rest. According to a 2004 Gartner report, roughly 80% of Fortune 1000 organizations will be encrypting most of their data at rest by the end of 2007. Organizations that are currently storing terabytes of data will be taking on a massive initiative to encrypt all of this data within a specified timeframe. Information Assurance managers should consider a few key issues related to full disk encryption before deploying a system.
Quantum Cryptography - January 4th, 2008
By Stephen Northcutt
In 2007, from a hardware perspective, one of the more surprising cryptanalysis developments was a PlayStation used to brute force passwords. In the not too distant future, quantum computers may possibly spell the end of public key cryptography as we know it, but quantum cryptography may also be the solution for that problem. Oddly enough, the name 'Quantum Cryptography' originally referred to Quantum Key Distribution (QKD), and not to the use of quantum computers for encryption.
E-Signatures: Are We Building Sufficient Electronic Evidence? - January 22nd, 2007
By Benjamin Wright, JD
E-commerce faces a problem. Financial institutions have yet to find a reliable electronic signature for spontaneous legal transactions over the web. Signatures based on just a mouse click or the typing of a name face challenges in court. An ideal e-signature will create evidence equivalent to paper and ink.
Interview with David Rice, author of Geekonomics - December 31st, 2007
By Stephen Northcutt
When reading David Rice's book Geekonomics and writing the book review, we were so impressed that we asked for an interview to further understand David's thoughts.
- Security Laboratory: Wireless Security
This series covers wireless security. We will post papers on the latest threats as well as the fundamental tutorial information you need to design and pen test a wireless network.
Hardware Hacking: Linksys WRT54G - December 28th, 2007
By Stephen Northcutt
We recently did a book review of Paul Asadoorian and Larry Pesce's Linksys WRT54G: Ultimate Hacking and we were so intrigued with the work they did, we asked Paul to participate in an interview for the Security Lab.
An Interview with Joshua Wright - September 25th, 2007
By Stephen Northcutt
Josh Wright discusses recent trends in attacks on systems utilizing wireless technology, as well as what can be done to assess vulnerabilities and minimize security risks for wireless devices.
Dispelling Common Bluetooth Misconceptions - September 19th, 2007
By Joshua Wright
This whitepaper will dispel several common misconceptions regarding Bluetooth technology, allowing organizations to better assess their exposure to Bluetooth threats.
Wireless Security Training and Pen Testing Tutorial - Framing Part 1 - September 6th, 2007
By Joshua Wright
In this training tutorial Joshua Wright begins the discussion on wireless Framing, covering the Frame Control Field, with particular attention to the To and From DS, and ends with the Duration/ID field.
Wireless Security Training and Pen Testing Tutorial: Infrastructure - August 31st, 2007
By Joshua Wright
You can't do a pen test of a wireless network without understanding how wireless works. In this training tutorial, Joshua Wright discusses the wireless MAC Layer and Authentication and Association, and he introduces the concept of Framing.
Five Wireless Threats You May Not Know - Updated September 5th, 2007
By Joshua Wright
Attackers have found new avenues to take advantage of weaknesses in wireless networks that, in most cases, have yet to be addressed by organizations. The wireless security market has matured significantly in the past several years, but still many organizations remain vulnerable to attacks, either through legacy protocols with well-published deficiencies, or through new threats that are not adequately addressed.
- Sec Lab: Network Security Essentials by Dr. Eric Cole
This series of essays provides a comprehensive look at computer networks.
Types of Networks - October 26th, 2007
By Eric Cole
A key tenet of network security is "know thy system". You cannot secure something that you do not understand or know how it works. In order to be proficient in network security, you have to understand the different types of networks since each network type poses different challenges, issues and risks.
- Sec Lab: Security Products
In 1995, if you wanted a security product, you downloaded the source and compiled it on your Sun 3; today we buy supported commercial products. This series on the Security Lab is to introduce you to some of the products out there and, when possible, the movers and shakers that are part of the team that creates these products.
Interview with Eric Hines, CEO of Applied Watch Technologies - October 12th, 2007
By Stephen Northcutt
Eric Hines, an IDS specialist and CEO of Applied Watch Technologies, talks with Stephen Northcutt about enterprise-grade management solutions for open source software.
Interview with David Breslin, Director of Sales Engineering for Tenable Network Security, Inc. - October 9th, 2007
By Stephen Northcutt
David Breslin of Tenable Network Security, Inc. talks with Stephen Northcutt about recent advances in network security and describes the benefits of passive vulnerability scanning.
F5 is a Security Company? - September 27th, 2007
By Stephen Northcutt
Kenneth Salchow of F5 Networks talks with Stephen Northcutt about F5's work in the application security space, and he takes a special look at unified threat management.
An Interview with Bret Jordan, a Security Architect for Identity Engines - July 26th, 2007
By Stephen Northcutt
Bret Jordan discusses his work at Identity Engines with 802.1X, an IEEE standard for authenticating clients to the network, as well as the OpenSEA Alliance, an organization focused on building a secure network edge based on standards and open-source software.
What to Look for in Log Management Solutions, an interview with Chris Petersen of LogRhythm - April 25th, 2007
By Stephen Northcutt
Chris Petersen from LogRhythm describes various log management solutions and offers suggestions for what organizations can do to find the right log management products and services to fit their needs.
Interview About The Norman Malware Analyzer - February 26th, 2007
By Stephen Northcutt
We worked the show floor pretty hard at RSA 2007 San Francisco, and this is one of the most interesting products that we saw at the show. To help you get to know it better, we have asked two of the brilliant minds behind the product, Righard J. Zwienenberg and Kurt Natvig, to join us for an interview. The name of the product tells you what it does, but we will try to bring it to life in this article.
Controlling P2P in your network with TippingPoint Intrusion Prevention Systems (IPS) - Updated October 9th, 2007
By Peter Giannoulis
Most everybody who is tasked with managing a network has faced the problem of controlling peer-to-peer (P2P) traffic. The reasons an organization wants to control P2P traffic differ, and if an organization has not taken this threat seriously, it's definitely time to begin. According to research conducted by FaceTime Communications Inc., P2P threats have increased dramatically over the last year. Security incidents reported in the first quarter of 2006 were 723% higher when compared to the same time period just a year earlier.
- Sec Lab: CDI 2007 Initiatives
The Cyber Defense Initiative Program is something SANS runs every year. We try to show how one person, or one team, can make a difference. Teams are formed to create a solution to a problem, and they report their findings at a SANS conference designed to celebrate the progress made during the year. This series is a preview of the SANS CDI 2007 initiatives to be presented December 11-18 in Washington, DC.
Virtual Patching for Web Applications with ModSecurity - October 10th, 2007
By Michael Shinn, Technical Review by Ryan Barnett and GIAC Advisory Board
In this article the author, Michael Shinn, with technical review by Ryan Barnett and the GIAC Advisory Board, presents invaluable tools of virtual patching for web applications. He outlines where and when virtual patching is appropriate, how it can be integrated into the incident response process, and also the proper steps for creating and testing real-world examples.
- Security Laboratory: Which SANS course should I take?
If you are new to computer, network or information security, the SANS Institute offers a number of introductory courses to get you on your way. But not every course is right for you and this series of essays is intended to help you make course selections to best fit your needs.
Security 503: Intrusion Detection and the Software Security courses are my favorites, here is why - October 9th, 2007
By Johannes Ullrich
To help you choose the most suitable network and information security training for yourself and for your company, Johannes presents a synopsis of his favorite SANS Institute courses - the new Security Software series and SEC503: Intrusion Detection.
- Leadership Lab: Information Technology and the Law
This series of essays explores the many aspects of technology law relating to computer and information security.
Subpoenas for Electronic Records - September 15th, 2007
By Benjamin Wright, JD
What is a subpoena and what difference does it make for cases involving electronic information? Benjamin Wright, JD, discusses the case of Sue Kayton vs. MIT and the Family Educational Rights and Privacy Act (FERPA).
Dispel Criminal Intent with Open Communication - August 27th, 2007
By Benjamin Wright, JD
Above-board security professionals can take a number of steps to minimize the risk they are breaking the law. In order to commit a crime, a person must have intent to do something wrong. A powerful way to dispel wrongful intent is to openly communicate what you are doing and what the justification for it is.
Subterfuge as a Security Tactic - August 22nd, 2007
By Benjamin Wright, JD
Identity theft thrives because in modern society it's hard to authenticate someone. Benjamin Wright offers stratagems that can withstand legal scrutiny for banks and merchants to verify the authenticity of their members.
Mock Trial as Security Education Exercise - Updated July 23rd, 2007
By Benjamin Wright, JD
Increasingly, good information security requires good legal techniques. Wise application of legal tools such as contracts can promote security and intelligently allocate risks among enterprise trading partners. Benjamin Wright, JD offers a mock trial example to help IT security professionals understand how legal contracts can affect security planning and execution.
Configuration Management in the Security World - August 15th, 2007
By Adam Meyer
Configuration management drives information security and information assurance. It's in everything and is embedded everywhere, but few people acknowledge this fact, and your organization may be suffering because of it. With this paper, Adam Meyer wants you to ask yourself - what does configuration management mean to your organization? Configuration management is a critical step in building a secure infrastructure; it provides defense in depth to your organization.
Accurate Risk Assessment - August 9th, 2007
By Philip Alexander
The Office of the Comptroller of the Currency (OCC) requires financial institutions to have a formal risk assessment program. A program needs to accurately identify where sensitive customer information is stored, who has access to the data, and how to speak to the security controls that are being utilized.
- Security Laboratory: Networking
This networking series will help the computer security manager understand the basics of an Internet Protocol network and give them the tools to help them manage those networks effectively.
Management Application of MAC Addresses - August 4th, 2007
By Stephen Northcutt
To build your defense-in-depth, computer security managers should ask their network engineers if they are collecting logs related to MAC addresses such as the ARP tables. They should also ask IT staff to ensure that it is not possible to connect a system to your organization's network without permission. In addition, see if your organization will perform both ingress and egress filtering.
A Management Perspective for Networks - June 29th, 2007
By Stephen Northcutt
Understanding how networks work will empower a manager to make informed decisions that affect the security posture of the business. Because our organizations depend on networks to accomplish work, they can be used to attack us and yet, we are all too willing to treat them as something beneath the manager's responsibility and beyond our understanding. At a minimum, security leaders are responsible for ensuring that metrics are in place to monitor the health of this resource and oversee the development of a secure architecture.
Ethernet Security Considerations - Updated August 3rd, 2007
By Stephen Northcutt
Knowing the basics of Ethernet technology will enable managers to ask the right questions about the security of their organization's networks. Stephen Northcutt describes the basics of Ethernet and its security risks.
Advances in Spyware - June 8th, 2007
By Peter Giannoulis
Statistics tell us that 90% of the computer systems on the Internet right now are infected with spyware or some other type of malware. The numbers are quite staggering and the incredible amount of unprotected computer systems has caught the eye of criminal minds that seek to control this resource for their own ends.
- Security Laboratory: Methods of Attack Series
These papers introduce you to the most common attack methods against computer systems and networks and the basic strategies used to mitigate those threats.
Methods of Attack - May 2nd, 2007
By Stephen Northcutt
According to Dr. Dorothy Denning, "The rise in computer-based attacks can be attributed to several factors, including general growth of the Internet, with corresponding increase in the number of potential attackers and targets; a never-ending supply of vulnerabilities that, once discovered, are quickly exploited; and increasingly sophisticated hacking tools that allow even those with modest skills to launch devastating attacks."
Logic Bombs, Trojan Horses, and Trap Doors - May 2nd, 2007
By Stephen Northcutt
There are many types of malicious code in the wild today. Though they are only a small subset of these, logic bombs, Trojan horses, and trap doors are fairly common.
Denial of Service - May 10th, 2007
By Stephen Northcutt
As we say in information warfare, a denial-of-service attack is an effort to make your opponents' information resources less valuable to them. Of confidentiality, integrity, and availability, this is primarily an availability attack. Stephen Northcutt discusses the four basic types of attack: consumption of computational resources, disruption of configuration information, disruption of physical network components, and injecting an unexpected value that the host computer or network device is not capable of parsing.
Are Satellites Vulnerable to Hackers? - May 15th, 2007
By Stephen Northcutt
Strictly speaking, having someone attack your satellite would fall under denial of service; however, it could be so damaging that we want to focus on these particular attacks in this paper.
Extrusion Detection - April 30th, 2007
By Stephen Northcutt
There are a number of reasons a company might want to monitor their internal network ranging from operational health and status worm detection to insider attacks. Data breaches are increasingly making data protection within organizations vitally essential.
Spam and Flooding - May 15th, 2007
By Stephen Northcutt
In information warfare terms, spam is not only a problem as an additional cost to doing business, but also as a security risk. Stephen Northcutt considers how to manage this problem as well as flooding attacks, which are very closely related to resource exhaustion attacks using e-mail. To date, flooding attacks are rare, but they do have the potential to allow spam bot owners to join the extortion game if anti-spam products nullify their current economic advantage.
Spear Phishing - May 9th, 2007
By Stephen Northcutt
Spear phishing is a pinpoint attack against some subset of people (users of a website or product, employees of a company, members of an organization) to attempt to undermine that company or organization. It isolates a specific group of people, as opposed to spamming the world, and attempts to get them to do something to gain access to proprietary data or company systems.
Remote Maintenance - May 9th, 2007
By Stephen Northcutt
When we hear the term remote access, remote maintenance, we typically think of authorized administrators with the ability to login from systems while on the road or at home for support reasons.
The Risk of Default Passwords - May 11th, 2007
By Stephen Northcutt
System administrators leave their devices with default username and password combinations for a variety of reasons. This practice is definitely not a good idea considering an attacker can break into your network by some other means, then easily gain access to these devices.
Race Conditions - May 11th, 2007
By Stephen Northcutt
Race conditions exploit that small window of time between when a security control is applied and when the service is used. Usually these are very tricky and relatively difficult to pull off.
Interrupts - May 11th, 2007
By Stephen Northcutt
System interrupts are any sort of call to software or hardware to have it do something else, that is, something it is not already doing.
Browsing and Enumeration - May 16th, 2007
By Stephen Northcutt
Stephen Northcutt reviews how attackers can use enumeration and browsing to access sensitive information on unsuspecting computer systems and networks.
Traffic Analysis - May 16th, 2007
By Stephen Northcutt
Computer traffic analysis is a special type of inference attack technique that looks at communication patterns between entities in a system. Knowing who's talking to whom, when, and for how long, can sometimes clue an attacker in to information of which you'd rather she not be aware.
Alteration Attacks - May 16th, 2007
By Stephen Northcutt
Alteration attacks are just what they sound like; they occur when someone makes unauthorized modifications to code or data, attacking its integrity. These attacks can take many different forms and have a variety of consequences.
The Changing Face of Digital Forensics - May 10th, 2007
By Stephen Northcutt
Rob Lee recently sent us a tool review article describing something he has discussed in his class, SEC 508, System Forensics, Investigation and Response, for several years now. It seems the cutting edge forensic tools are not being created and driven by law enforcement, but by private companies who need them for regulatory compliance and incident management. Yet, rules and case precedent are different when someone performs forensics for regulatory reasons versus purely a law enforcement one.
BitTorrent Considered Harmful to Intellectual Property - Updated May 3rd, 2007
By Stephen Northcutt
Version 1.1
BitTorrent and P2P in general are accelerating the attack pressure on the value of intellectual property, especially copyrighted electronic media.
Interview with Stephen Northcutt - April 30th, 2007
By Dave Elfering
David Elfering, Director of Network & Information Security for Werner Enterprises, asks Stephen Northcutt about the current status of corporate IT security.
- Security Laboratory: IT Managers - Safety Series
This series of papers discusses the IT Manager's complex roles in establishing workplace and enterprise security.
Safety and the Computer Security Manager - February 14th, 2007
By Stephen Northcutt
On the surface it would seem that an information assurance manager wouldn't need to be overly concerned about safety other than repetitive stress injuries, or perhaps a back injury from a system administrator trying to horse a monster 4U server with integrated RAID array into a rack by herself. However, what if you morph the title, as many organizations are starting to do, to "risk manager"? An NIST web site, Medline, lists a variety of topics and links to valuable information, but for now scan the list and ask yourself: what does a leader need to keep in mind on each of these?
Evacuation roles - April 18th, 2007
By Stephen Northcutt
Having an evacuation plan may be required by law; but having a plan and practicing the plan are separate issues. Practicing the plan is extremely important and directly affects the effectiveness of an evacuation plan.
Physical Security - January 25th, 2007
By Peter Giannoulis and Stephen Northcutt
Physical access control is just as important to your information security architecture as password policies and firewalls. Protecting your critical infrastructure with physical security can be a daunting task.
Could Currency Be Destabilized? - April 7th, 2007
By John C. A. Bambenek
While a variety of attacks could cause significant economic harm to a target, an attack specifically designed to destabilize a currency would likely be unsuccessful unless sponsored by a party with significant economic power (i.e., a major country).
Data Breach Disclosure Laws - a state by state perspective - April 5th, 2007
By Philip Alexander
This article is a companion to a book entitled Data Breach Disclosure Laws a State by State Perspective. The book provides an in depth review of all the 35 state data breach disclosure laws.
Web Application Auditing Over Lunch - March 20th, 2007
By Dr. Johannes B. Ullrich
Version 1.0
Using simple free tools, many of them Firefox plugins, it is possible to examine web applications for their common problems in under an hour.
Top 5 Firewall Leaks - March 13th, 2007
By Chris Brenton
Attack techniques have evolved to where traditional packet filtering firewalls, proxies, and even intrusion prevention systems are dramatically less effective at securing a corporate network. The common flaw in most perimeters is that they are designed to thwart inbound session establishment, while being relatively permissive in what they pass towards the Internet. This paper outlines the top five traffic patterns that currently breach most network perimeters.
Honeypots: A Security Manager's Guide to Honeypots - March 5th, 2007
By Eric Cole and Stephen Northcutt
Version 1.1
The ultimate goal of security is to reduce or eliminate risks to an organization's critical assets. Ideally, we prefer to do this by preventing attacks, but one of the key mottos of information security is, "Prevention is ideal, but detection is a must." We must realize that an organization's key resources will be attacked, and we have to be ready to detect the attack as early in the cycle as possible and take advantage of this when it does occur. One way of doing this is with honey-x technology, such as honeypots.
Center for Internet Security Toolset to Offset Impact of Government Regulations - February 23rd, 2007
By Stephen Northcutt
Version 2.1
A series of consensus configurations and testing tools from the Center for Internet Security for operating systems, databases, networking gear and applications are the best vendor neutral approach to enable organizations to achieve and sustain compliance across multiple regulations. Compliance with multiple regulations is becoming an increasing problem for organizations.
Default Passwords - February 13th, 2007
By Peter Giannoulis
Default passwords are an on-going threat for many organizations. Vendors who configure their products with standard default username and password combinations assume that their customers are going to change them during the initial implementation. Unfortunately, this is not always the case.
Denial of Service Attacks - January 17th, 2007
By Peter Giannoulis
A major ISP, MCI, reports an average of 1,000 DDoS attacks per day. Denial of Service is something every security professional should consider in their risk assessments. DoS attacks affect the overall availability of a resource, so naturally it would fall within the 'Availability' section of the Confidentiality/Integrity/Availability (CIA) triad.
Real World Pitfalls of Full Disk Encryption - January 9th, 2007
By Keith Loyd and Stephen Northcutt
In The Pitfalls of Full Disk Encryption by Peter Giannoulis we point out that Full Disk Encryption (FDE) offerings provide a warm and fuzzy feeling to CxOs after the data loss headlines of the last few years, but FDE solutions may introduce their own set of issues. Due to the recent massive data losses, organizations are racing to deploy solutions; in fact, the US Government is searching for a government-wide FDE product. While FDE does provide strong protection for data on lost or misplaced laptops, the protection comes with potential downsides, including per-seat cost and impact on performance, that organizations should be aware of, and they should adapt their processes and procedures to accommodate FDE.
The Six Most Important Tenets For Configuration Management - January 4th, 2007
By Stephen Northcutt
According to Answer.com, a tenet is an opinion, doctrine, or principle held as being true by a person or especially by an organization. In SANS Security Leadership Essentials, we consider six tenets an information assurance manager can use as a guiding set of principles to do configuration management right from the get-go and help lead an IT organization to achieve more security and more robustness. Implementing operational changes may seem difficult to grasp without a framework or road map to achieve improvement, so we will introduce these six tenets to plan for improving the operational practice of your organization.
The Signature of Error is Change - January 4th, 2007
By Stephen Northcutt
It worked yesterday, why doesn't it work today? Try this Google search for yourself ("it worked yesterday"); on Jan 03 2007, it yielded 17 million results. Let's look at two of the results and see what we learn as computer security managers.
Auditing for Availability With a Web Based Service - January 1st, 2007
By Stephen Northcutt
Many business leaders feel that technical security people do not "get it" when it comes to the needs of the business. To some extent this is fair criticism; as a community this is something we need to work on, and it is one of the primary goals of the Leadership Laboratory. However, availability, the most important business requirement for IT, is something every information security student is taught as lesson one and is part of the security triad along with confidentiality and integrity. In this article we will open with a famous example of availability failure, the 1999 Victoria's Secret webcast, consider the business ramifications, look at resources for auditing for availability and end with a brief discussion of autonomic computing, which may well be the future of IT availability.
An approach to Audit Java for Security - January 1st, 2007
By Stephen Northcutt and Jim Manico
Java is a popular and powerful programming language and is often the choice for large enterprise coding projects. Programming projects designed properly and executed with security in mind are robust, but if the programmers take short cuts they probably produce unsafe code.