Security Laboratory

Welcome to the Security Laboratory. I'm Stephen Northcutt and, like many of you, I am a manager and leader with an information technology job. At the SANS Technology Institute, we are always striving to become more skilled and knowledgeable in computer security as well as the people side of the job. The "Security Labratory", for you creative spellers, is an informal set of articles and whitepapers, almost a blog, about security, information technology, and the computer security industry. As we learn more, ponder issues, and research content for SANS Security 401 Security Essentials and the GIAC Security Essentials Certification, we will continue to add to this site. Our hope is for this to be a resource for the community, and we would love to hear from you. Feel free to drop us a note at stephen@sans.edu.

Security Laboratory: Methods of Attack Series

These papers introduce you to the most common attack methods against computer systems and networks and the basic strategies used to mitigate those threats.

Methods of Attack

By Stephen Northcutt

According to Dr. Dorothy Denning, "The rise in computer-based attacks can be attributed to several factors, including general growth of the Internet, with corresponding increase in the number of potential attackers and targets; a never-ending supply of vulnerabilities that, once discovered, are quickly exploited; and increasingly sophisticated hacking tools that allow even those with modest skills to launch devastating attacks."

Logic Bombs, Trojan Horses, and Trap Doors

By Stephen Northcutt

There are many types of malicious code in the wild today. Though they are only a small subset of these, logic bombs, Trojan horses, and trap doors are fairly common.

Denial of Service

By Stephen Northcutt

As we say in cyber warfare, a denial-of-service attack is an effort to make your opponents' information resources less valuable to them. Of confidentiality, integrity, and availability, this is primarily an availability attack. Stephen Northcutt discusses the four basic types of attack: consumption of computational resources, disruption of configuration information, disruption of physical network components, and injection of an unexpected value that the host computer or network device is not capable of parsing.

Are Satellites Vulnerable to Hackers?

By Stephen Northcutt

Strictly speaking, having someone attack your satellite would fall under denial of service; however, it could be so damaging that we want to focus on these particular attacks in this paper.

Spam and Flooding

By Stephen Northcutt

In information warfare terms, spam is not only a problem as an additional cost to doing business, but also as a security risk. Stephen Northcutt considers how to manage this problem as well as flooding attacks, which are very closely related to resource exhaustion attacks using e-mail. To date, flooding attacks are rare, but they do have the potential to allow spam bot owners to join the extortion game if anti-spam products nullify their current economic advantage.

Spear Phishing - May 9th, 2007

By: Stephen Northcutt

Spear phishing is a pinpoint attack against some subset of people (users of a website or product, employees of a company, members of an organization) to attempt to undermine that company or organization. It isolates a specific group of people, as opposed to spamming the world, and attempts to get them to do something to gain access to proprietary data or company systems.

Remote Maintenance - May 9th, 2007

By: Stephen Northcutt

When we hear the terms remote access and remote maintenance, we typically think of authorized administrators with the ability to log in from systems while on the road or at home for support reasons.

The Risk of Default Passwords - May 11th, 2007

By: Stephen Northcutt

System administrators leave their devices with default username and password combinations for a variety of reasons. This practice is definitely not a good idea: an attacker who breaks into your network by some other means can then easily gain access to these devices.

Race Conditions - May 11th, 2007

By: Stephen Northcutt

Race conditions exploit that small window of time between when a security control is applied and when the service is used. Usually these are very tricky and relatively difficult to pull off.
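
As an added example that is not part of Stephen Northcutt's article, the classic file-system form of this window in Python on a POSIX host: a check-then-use read that an attacker can race, beside a version that removes the window by opening first and validating the descriptor it actually holds. The file names, contents and the planted symlink in demo() are constructed.

```python
import errno
import os
import stat
import tempfile
from typing import Optional


def read_racy(path: str) -> bytes:
    """VULNERABLE pattern: check-then-use on a path name.

    islink()/access() and open() are separate lookups of the same name.
    An attacker who can write the parent directory can replace `path`
    with a symlink in the gap between them, and open() will follow it.
    """
    if os.path.islink(path) or not os.access(path, os.R_OK):
        raise PermissionError(path)
    with open(path, "rb") as f:  # the name may resolve elsewhere by now
        return f.read()


def read_safe(path: str, expected_uid: Optional[int] = None) -> bytes:
    """Close the window: open first, then validate the descriptor we hold.

    O_NOFOLLOW makes the kernel refuse a symlink in the final path
    component, and fstat() inspects the object that was actually opened
    rather than re-resolving the name, so nothing can change under us.
    """
    flags = os.O_RDONLY | os.O_NOFOLLOW | getattr(os, "O_CLOEXEC", 0)
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        if exc.errno == errno.ELOOP:  # O_NOFOLLOW ran into a symlink
            raise PermissionError(f"{path}: refusing to follow symlink") from exc
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if expected_uid is not None and st.st_uid != expected_uid:
            raise PermissionError(
                f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    except Exception:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as f:  # fdopen takes ownership of fd
        return f.read()


def demo() -> dict:
    """Constructed scenario: a legitimate report next to a symlink that an
    attacker planted to redirect the read to a file we must not expose."""
    with tempfile.TemporaryDirectory() as d:
        report = os.path.join(d, "report.txt")
        with open(report, "wb") as f:
            f.write(b"quarterly numbers\n")
        secret = os.path.join(d, "secret.txt")
        with open(secret, "wb") as f:
            f.write(b"db password\n")
        planted = os.path.join(d, "planted.txt")
        os.symlink(secret, planted)  # what the attacker drops in the window

        result = {"report": read_safe(report, os.getuid()),
                  "racy_report": read_racy(report)}
        try:
            read_safe(planted)
            result["planted"] = "followed"
        except PermissionError:
            result["planted"] = "refused"
        return result


if __name__ == "__main__":
    print(demo())
```

The point of read_safe is that every decision is made on the file descriptor, not on the name: there is no moment at which a second lookup can be redirected. Both functions read the legitimate report identically; only the safe one can refuse the planted link without relying on the timing of the check.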

Interrupts - May 11th, 2007

By: Stephen Northcutt

System interrupts are any sort of call to software or hardware to have it do something else, that is, something it is not already doing.

Browsing and Enumeration - May 16th, 2007

By: Stephen Northcutt

Stephen Northcutt reviews how attackers can use enumeration and browsing to access sensitive information on unsuspecting computer systems and networks.

Traffic Analysis - May 16th, 2007

By: Stephen Northcutt

Computer traffic analysis is a special type of inference attack technique that looks at communication patterns between entities in a system. Knowing who's talking to whom, when, and for how long, can sometimes clue an attacker in to information of which you'd rather she not be aware.
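
Added example, not from the article: the inference described above run over a constructed set of NetFlow-style records (timestamps, endpoints, byte counts and durations only, no payload). The who-talks-to-whom aggregate is what an observer builds from metadata alone; the beacon detector shows why fixed-interval conversations stand out, which is exactly the pattern a defender uses to hunt malware check-ins.

```python
import csv
import io
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed flow records; ts is seconds since the capture started.
FLOWS_CSV = """ts,src,dst,dport,bytes,duration
0,10.0.0.5,203.0.113.9,443,1450,2
10,10.0.0.7,198.51.100.4,443,90210,35
40,10.0.0.7,198.51.100.4,443,12000,8
55,10.0.0.7,192.0.2.20,80,3400,1
301,10.0.0.5,203.0.113.9,443,1452,2
400,10.0.0.7,198.51.100.4,443,51000,20
410,10.0.0.7,198.51.100.4,443,700,1
599,10.0.0.5,203.0.113.9,443,1449,2
900,10.0.0.5,203.0.113.9,443,1451,2
1202,10.0.0.5,203.0.113.9,443,1450,2
1499,10.0.0.5,203.0.113.9,443,1453,2
2000,10.0.0.7,198.51.100.4,443,8800,4
"""


def parse_flows(text: str) -> List[dict]:
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"ts": int(r["ts"]), "src": r["src"], "dst": r["dst"],
                     "dport": int(r["dport"]), "bytes": int(r["bytes"]),
                     "duration": int(r["duration"])})
    return rows


def who_talks_to_whom(flows: List[dict]) -> Dict[Tuple[str, str], dict]:
    """Aggregate the communication pattern: how often, how much, how long."""
    graph: Dict[Tuple[str, str], dict] = defaultdict(
        lambda: {"flows": 0, "bytes": 0, "seconds": 0})
    for f in flows:
        e = graph[(f["src"], f["dst"])]
        e["flows"] += 1
        e["bytes"] += f["bytes"]
        e["seconds"] += f["duration"]
    return dict(graph)


def find_beacons(flows: List[dict], min_flows: int = 5,
                 max_cv: float = 0.1) -> List[Tuple[str, str, float]]:
    """Pairs that talk at near-constant intervals.

    A coefficient of variation (stdev/mean) of the inter-flow gaps below
    max_cv flags a timer-driven conversation. Human browsing is bursty;
    a scheduled check-in is not.
    """
    by_pair: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f["ts"])
    out = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.stdev(gaps) / mean <= max_cv:
            out.append((src, dst, mean))
    return out


if __name__ == "__main__":
    flows = parse_flows(FLOWS_CSV)
    for pair, e in sorted(who_talks_to_whom(flows).items()):
        print(pair, e)
    print("beacons:", find_beacons(flows))
```

Nothing in the input is encrypted or decrypted; the 10.0.0.5 host is identified purely from the regularity of its conversation, which is the whole lesson of traffic analysis. Padding, random jitter and mixing traffic are the countermeasures, and all of them cost bandwidth or latency.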

Alteration Attacks - May 16th, 2007

By: Stephen Northcutt

Alteration attacks are just what they sound like; they occur when someone makes unauthorized modifications to code or data, attacking its integrity. These attacks can take many different forms and have a variety of consequences.

Sec Lab: Predictions and Trends for Information, Computer and Network Security

This is an effort to chronicle what a number of really smart people believe the state of the information security industry to be, and where we are going. A lot of the emphasis is on security threats, but we also consider what is working and what good practice is. We hope you will be able to use this in your strategic planning and also as input for your security architecture.

Stephen Northcutt's Emerging Trends in IT and Security 2013 - 2015

By Stephen Northcutt

An emerging trends analysis and a stab at predictions for IT and security coming 2013-2015. Last updated May 2014.

Security Predictions 2013-2014: Emerging Trends in IT and Security

By Instructors at SANS Security West 2012

This is an effort to chronicle what a number of really smart people believe the state of the information security industry to be, and where we are going. A lot of the emphasis is on security threats, but we also consider what is working and what good practice is. We hope you will be able to use this in your strategic planning and also as input for your security architecture.

Stephen Northcutt's Security Predictions 2012 and 2013

By Stephen Northcutt

Stephen Northcutt identifies emerging trends in information security for the 2012, 2013 timeframe.

Security Predictions 2012 & 2013 - The Emerging Security Threat

By Stephen Northcutt & Friends

A look at some of the potential emerging trends and security threats for 2012 and 2013. File was started to help prepare for a panel on the same subject at SANS Security West, May 6 - 11 2011 San Diego and also for an upcoming Keynote. Love to hear your thoughts on the subject.

Stephen Northcutt's Security Predictions for 2011 and 2012

By Stephen Northcutt

In addition to the work that I have done rounding up other people's thoughts, I also work as a futurist for IT and IT Security, and this is my set of predictions for 2011 and 2012. I hope they are useful to you.

Mark Weatherford Security Predictions 2011 - 2012 - May 24th, 2010

By: Mark Weatherford

Mark is the CISO of the State of California and is a valued thought leader in Information Security.

SANS Security West 2010 Speaker Room Predictions - May 24th, 2010

By: Stephen Northcutt and Tommy Luke

Stephen Northcutt thought it might be fun to interview the instructors in the speaker room at SANS Security West 2010 and get their take on the future. Sometimes your answer is different when it is given verbally.

2010 Security Predictions - Mar 2nd, 2010

By: Stephen Northcutt

A look at some of the more well known 2010 security predictions and a quick check to see how they are doing.

Security Errors and Omissions by Organizations As We Enter 2011 - Jul 22nd, 2010

By: Stephen Northcutt

Alan Paller, Director of Research at the SANS Institute asked me to put together a list of the prominent security errors and omissions organizations are making as we enter 2010 and I have updated it for 2011. The following is taken straight from one of the courses I research, author and teach, Management 512 Security Leadership Essentials.

2009 Security Predictions - Feb 6th, 2009

By: Stephen Northcutt and friends

Stephen Northcutt and friends offer their predictions for the important trends in network, information and computer security for 2009 and beyond.

Stephen Northcutt's favorite Security Predictions for 2008 - Apr 16th, 2008

By: Stephen Northcutt

Instead of making his own predictions about information and computer security trends in 2008, Stephen would like to share his favorites from other pundits, and he also takes a look at how those December 2007 predictions are holding up as of April 2008.

Two factor authentication for online banking

By Stephen Northcutt

Eight or nine years ago, I was asking about banks that support two factor authentication. At that time I found eTrade bank and Charles Schwab and not much more. SANS NewsBites carried a story about HSBC, and I asked people if they knew of banks that had two factor. Note, we have not validated any of the information, but if you have an online bank account that does not have two factor authentication this might be a place to start.

The 6 Categories of Critical Log Information

By Various

This report is based on work done by Marcus Ranum, Tina Bird, Chris Brenton and Anton Chuvakin. Version 3 was created by Peter Czanik from BalaBit. Version 3.01's technical review was done by members of the GIAC Advisory board: John Allison, Jake Evans, Barbara Filkens, Matthew Johnson, Orhan Moye, Jeff Read, Alissa Torres, Mark Wityszyn and compiled by Stephen Northcutt.

Security Laboratory: Defense In Depth Series

Hybrid Threats

By Stephen Northcutt

Though it is certainly true that malware has evolved a lot in this decade, the tools in use today are more similar than different from the attacker tools of ten years ago. The command and control is better, they are better able to evade detection, but still they are very similar. Here we take a look at hybrid threats: in the early days of malware, it was fairly easy to classify malware as a virus, worm, or Trojan, but these days many attacks use features of each other.

Can you build a Defense in Depth architecture without an architect?

By Stephen Northcutt, J. Michael Butler and the GIAC Advisory Board

We interviewed a number of GIAC Advisory Board members who have been working as architects for major enterprises as to what they look for in an architecture position.

The Attack Surface Problem

By Stephen Northcutt

One of the most important things to understand about defense in depth is attack surface. We can define attack surface as our exposure, the reachable and exploitable vulnerabilities that we have.

Security Convergence and The Uniform Method of Protection to Achieve Defense in Depth

By Stephen Northcutt

Security convergence is an interesting trend that has been picking up speed heading into 2008. We are running network information that was formerly analog over our digital data networks, we are converging formerly separate network devices, especially at the perimeter, and we are starting to see physical and classic network security groups beginning to merge. If the trend continues unabated, it will end up saving us a lot of money and giving us a lot less actual remediation of risk than past practice.

The Uniform Method of Protection to Achieve Defense-in-Depth

By Stephen Northcutt

The uniform method of protection for defense-in-depth generally involves a firewall separating the internal trusted zone from the Internet; most implementations also have anti-virus in the mail store-and-forward, on the servers, and on the desktops. It generally means that all internal hosts receive the same level of protection from attack by the computer network infrastructure. It is the most commonly and easily implemented architecture, and the least effective in terms of achieving a high degree of information assurance unless all IT-contained information assets are of equal importance to the organization.

Information Centric Approach to Defense-in-Depth - Feb 26th, 2007

By: Stephen Northcutt

As an information security manager it is critical to understand and to be able to help others understand the value of information. In addition to richly valuable information such as intellectual property (patents, trademarks, copyrights, know how, data schema) there is also data including the increasingly important business record. Is the uniform approach to Defense-in-Depth appropriate when it comes to information?

Vector Oriented Defense in Depth - Feb 26th, 2007

By: Stephen Northcutt

"You shall not pass," cried Gandalf, standing on a narrow rock bridge facing the Balrog in the mines of Moria. Gandalf's resolve was unshakable. The actor portrayed the moment extremely well, showing fear and dread, yet an unshakable determination, proclaiming "You shall not pass!" And, through the magic of movie making, it leaves those of us in the information security manager community with a fantastic word picture of vector oriented defense-in-depth.

Role Based Access Control to Achieve Defense in Depth - Dec 3rd, 2012

By: Stephen Northcutt based on research work by Richard Hammer and Peter Leight

Role-based access control (RBAC) is an access control method that organizations implement to ensure that data is accessed only by authorized users; at the network layer, enterprise RBAC can be enforced with Network Access Control (NAC).

Separation of Duties in Information Technology

By John Gregg, Michael Nam, Stephen Northcutt and Mason Pokladnik

Several authors join Stephen Northcutt to examine the special considerations for separation of duties in all organizations with regard to their information technology.
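
The role model of the RBAC entry above and the separation-of-duties constraint of this entry, as one added example in Python that is not part of either article. Role, user and permission names are constructed. The policy is deny-by-default, resolves inherited roles, and refuses any assignment that would leave one user holding two roles declared mutually exclusive, including when one of them is only reached through inheritance.

```python
from typing import Dict, FrozenSet, Iterable, Set


class RbacPolicy:
    """Deny-by-default RBAC with role inheritance and static separation of
    duties: no user may hold two roles declared mutually exclusive."""

    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[str]] = {}
        self.role_parents: Dict[str, Set[str]] = {}
        self.user_roles: Dict[str, Set[str]] = {}
        self.exclusive: Set[FrozenSet[str]] = set()

    def add_role(self, role: str, perms: Iterable[str] = (),
                 inherits: Iterable[str] = ()) -> None:
        for parent in inherits:
            if parent not in self.role_perms:
                raise KeyError(f"unknown parent role {parent!r}")
        self.role_perms[role] = set(perms)
        self.role_parents[role] = set(inherits)

    def declare_exclusive(self, a: str, b: str) -> None:
        self.exclusive.add(frozenset((a, b)))

    def _expand(self, roles: Iterable[str]) -> Set[str]:
        """Roles plus everything they inherit, transitively."""
        seen: Set[str] = set()
        todo = list(roles)
        while todo:
            r = todo.pop()
            if r in seen:
                continue
            seen.add(r)
            todo.extend(self.role_parents.get(r, ()))
        return seen

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        candidate = self.user_roles.get(user, set()) | {role}
        effective = self._expand(candidate)   # check SoD on the expanded set
        for pair in self.exclusive:
            if pair <= effective:
                raise ValueError(
                    f"separation of duties: {user} may not hold both "
                    f"{' and '.join(sorted(pair))}")
        self.user_roles[user] = candidate

    def permissions(self, user: str) -> Set[str]:
        perms: Set[str] = set()
        for r in self._expand(self.user_roles.get(user, set())):
            perms |= self.role_perms[r]
        return perms

    def check(self, user: str, perm: str) -> bool:
        return perm in self.permissions(user)  # unknown user: no roles, so False


def build_demo_policy() -> RbacPolicy:
    """Constructed accounts-payable policy: whoever creates a payment must
    not be the one who approves it."""
    p = RbacPolicy()
    p.add_role("employee", {"ledger:read"})
    p.add_role("ap_clerk", {"payment:create"}, inherits=["employee"])
    p.add_role("ap_approver", {"payment:approve"}, inherits=["employee"])
    p.add_role("auditor", {"ledger:read", "audit_log:read"})
    p.declare_exclusive("ap_clerk", "ap_approver")
    p.assign("alice", "ap_clerk")
    p.assign("bob", "ap_approver")
    p.assign("carol", "auditor")
    return p


def try_assign(p: RbacPolicy, user: str, role: str) -> str:
    try:
        p.assign(user, role)
        return "granted"
    except ValueError as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    policy = build_demo_policy()
    print(try_assign(policy, "alice", "ap_approver"))
    print(sorted(policy.permissions("alice")))
```

The check in assign() runs against the expanded role set rather than the directly assigned roles; an SoD rule that only inspects direct assignments is bypassed the first time someone creates a convenience role that inherits a restricted one.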

The Certificate Signing Trust Model Under Stress As An Industrial Security Model

By Stephen Northcutt

A common part of the security model for industrial IT applications is to never accept or run a program or driver that has not been signed by the appropriate publisher. However, while it appears to be strong protection against malicious code, in fact it is not.

Security Leadership Essentials Fairway Markers

By Stephen Northcutt

This document is known as the "fairway markers" for SANS Security Essentials. It reflects the newest version of the course which will be taught for the first time December 2010 in Washington DC ( SANS CDI ). We invite alumni of the course to review the list and make suggestions as to what should be added or removed, prioritized or deprecated.

Voice over IP, a South East Asian Perspective: an interview with Eric Cole, PhD and Paul Henry

By Stephen Northcutt

An interview by Stephen Northcutt with Eric Cole, PhD and Paul Henry on the rise of VoIP in SE Asia and the unique security concerns inherent to VoIP.

Computer Security Training and Education

This series will look at the many perspectives of network and computer security training and education, what works and what doesn't.

What it takes to be a computer security instructor for SANS

By Stephen Northcutt

People ask me about teaching for SANS several times every month. The purpose of this essay is to show you the path.

How do you get started in Information security?

By Stephen Northcutt

This article considers getting started in computer and network security (physical or facilities security is out of the scope of this writing). This is an introduction; if you find you are interested in learning more about security, you may want to consider our introductory course that covers information security basics, Intro to Information Security.

Could Currency Be Destabilized?

By John C. A. Bambenek and Stephen Northcutt

Growing evidence indicates that a variety of attacks could cause significant economic harm to a target. An attack specifically designed to destabilize a currency might now be possible, especially if sponsored by a party with significant economic power (i.e., a major country) or executed with precise timing during a high stress period for the economy.

Security Controls

By Stephen Northcutt

This paper defines security controls and lists the types of controls. We cover phase controls such as preventative, detective, and corrective as well as functional controls as defined by NIST and GAO.

Common Network Security Misconceptions: Firewalls Exposed

By John Pirc | NSA-IAM, CEH

As the commercialization of the Internet enters its third decade, the Web itself has evolved from sharing static information to driving dynamically connected mission-critical applications. While web applications and efficiencies of Web 2.0 are universally adopted, network security practices often still rely too heavily on the basic network firewall to block access to static information. Too many enterprises today believe their firewalls deliver "good enough" security to mitigate Internet-related threats and attacks. However, enterprises that do not currently have advanced network protection deployed face significant risk and are likely already compromised.

Security Laboratory: Networking

This networking series will help the computer security manager understand the basics of an Internet Protocol network and give them the tools to help them manage those networks effectively.

A Management Perspective for Networks

By Stephen Northcutt

Understanding how networks work will empower a manager to make informed decisions that affect the security posture of the business. Because our organizations depend on networks to accomplish work, they can be used to attack us and yet, we are all too willing to treat them as something beneath the manager's responsibility and beyond our understanding. At a minimum, security leaders are responsible for ensuring that metrics are in place to monitor the health of this resource and oversee the development of a secure architecture.

Management Application of MAC Addresses

By Stephen Northcutt

To build your defense-in-depth, computer security managers should ask their network engineers if they are collecting logs related to MAC addresses such as the ARP tables. They should also ask IT staff to ensure that it is not possible to connect a system to your organization's network without permission. In addition, see if your organization will perform both ingress and egress filtering.
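
As an added example (not from the article), the kind of check that follows once those ARP logs exist: two snapshots of a host's neighbour table, formatted like `ip neigh show` output, compared for IPs whose MAC address moved and for a single MAC answering for several IPs. The snapshots and every address in them are constructed.

```python
import re
from typing import Dict, List, Tuple

# Matches `ip neigh show` lines; entries without lladdr (FAILED/INCOMPLETE)
# never match and are skipped.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE)

# Constructed snapshots. Between T0 and T1 the gateway's entry starts
# pointing at the MAC that 192.168.1.77 already owns.
SNAPSHOT_T0 = """\
192.168.1.1 dev eth0 lladdr 00:50:56:aa:bb:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:50:56:aa:bb:14 STALE
192.168.1.77 dev eth0 lladdr 3c:97:0e:12:34:56 REACHABLE
192.168.1.99 dev eth0  FAILED
"""

SNAPSHOT_T1 = """\
192.168.1.1 dev eth0 lladdr 3C:97:0E:12:34:56 REACHABLE
192.168.1.20 dev eth0 lladdr 00:50:56:aa:bb:14 REACHABLE
192.168.1.77 dev eth0 lladdr 3c:97:0e:12:34:56 REACHABLE
192.168.1.99 dev eth0  FAILED
"""


def parse_neigh(text: str) -> Dict[str, str]:
    """IP -> MAC (lower-cased) for every resolved entry."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def changed_macs(before: Dict[str, str],
                 after: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(ip, old_mac, new_mac) for every IP whose hardware address moved."""
    return [(ip, before[ip], after[ip])
            for ip in sorted(before) if ip in after and before[ip] != after[ip]]


def macs_claiming_many(table: Dict[str, str],
                       threshold: int = 2) -> Dict[str, List[str]]:
    """One MAC answering for several IPs is the signature of ARP spoofing:
    a host impersonating the gateway while keeping its own address."""
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items()
            if len(ips) >= threshold}


def analyze(before_text: str, after_text: str) -> dict:
    before, after = parse_neigh(before_text), parse_neigh(after_text)
    return {"changed": changed_macs(before, after),
            "multi_ip": macs_claiming_many(after)}


if __name__ == "__main__":
    print(analyze(SNAPSHOT_T0, SNAPSHOT_T1))
```

A host's own ARP cache only shows what that host has resolved, so for whole-segment coverage feed the same logic from switch MAC address tables or a dedicated listener, and expect legitimate changes (DHCP re-lease, NIC replacement, first-hop redundancy failover) that the correlation has to explain before anyone is paged.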

Ethernet Security Considerations

By Stephen Northcutt

Knowing the basics of ethernet technology will enable managers to ask the right questions about the security of their organization's networks. Stephen Northcutt describes the basics of ethernet and its security risks.

Sound Practice in Intrusion Detection & Prevention using NitroSecurity

By Michael Leland and Eric Knapp

This paper investigates sound practices in intrusion detection and prevention, from IDS and IPS deployment considerations, to pushing the boundaries of IPS (with examples of advanced prevention techniques, specifically blocking the Kaminsky DNS cache poisoning exploit), and business applications.

Endpoint Security: What works and what does not work

By Stephen Northcutt, lead researcher

Can we fully secure our computer systems from attackers? This presentation reviews the key features in endpoint security that really matter, how to shop for the best products, and why implementing defense in depth on your organization's endpoint is a best practice. (This presentation originated as a June 2008 webcast, in conjunction with CoreTrace, and we continue to expand the research.)

The 5 Most Common Mistakes Made When Developing a Web Application

By Johannes Ullrich

Dr. Ullrich examines the reasons why critical web application security flaws remain so common, even though most web developers are aware of them and do consider them in writing new applications. He sees 5 common mistakes: inconsistent input validation, not understanding the technology, not understanding the business, underestimating the threat, and underestimating the user.

Sec Lab: Attacks and Defense at Integrated Cyber Exercises

As in real life, there are no declared winners and losers in cyber defense games designed by WhiteWolf Security, but everyone learns something from the experience. In the real world, on real networks, the game never ends, making it impossible to declare a winner. All anyone can do is to perform their skills to the best of their ability, support the team, continue to learn and acquit themselves with honor.

ICE II : Vegas Summary

By Tim Rosenberg

Summary report of the Integrated Cyber Exercise (ICE) II, October 1st-3rd, 2008, Las Vegas.

An Interview with Alex Horan, CORE Security on his experience with the Integrated Cyber Exercise (ICE I) event at SANS Las Vegas

By Stephen Northcutt

An Interview with Alex Horan, CORE Security on his experience with the Integrated Cyber Exercise (ICE) event at SANS Las Vegas, September 2007.

SANS Provides Red Cell for Cyber Game

By Stephen Northcutt

March 9 - 11, 2007 eight college and university teams competed in the Mid-Atlantic Cyber Games. The attackers were all GIAC certified (red cell) and were provided by the SANS Institute.

Tools for Securing Your Computer Against Software Vulnerabilities

By Stephen Northcutt

There are two free, powerful and effective tools designed with the sole purpose of helping you secure your computer from software vulnerabilities. Microsoft's scanner does a good job of checking out your system, but it doesn't evaluate whether the third party software like Real Audio or Adobe Acrobat Reader are up to date - but Secunia does exactly that.

ISPs monitor what you do on the Internet and sell the information for marketing purposes

By Stephen Northcutt

Our story begins in 2002, with a post on Interesting People and an assertion that Comcast was spying on its users, then, in January 2007, while on their honeymoon in Maui a couple was checking their email from their hotel and noticed something odd...

The Business Case for SANS Penetration Testing Course and Incident Handling Course

By Stephen Northcutt

This is a follow on to our discussion on how SANS new course, Security 560: Network Penetration Testing and Ethical Hacking, differs from other courses that, at first glance, appear to have the same objectives. This new course addresses in-depth methods used by professional penetration testers and ethical hackers to find and exploit flaws in a target environment. Additionally, SANS offers a course called SANS Security 504: Hacker Techniques, Exploits, and Incident Handling. Perhaps you are convinced you need one or the other course because of your duties in incident handling or penetration testing - how do you make an effective business case for purchasing the training?

The New Pen Testing Course from SANS Institute

By Stephen Northcutt and Ed Skoudis

Sometimes on the discussion list for the GIAC Advisory Board (an honor reserved for students that score 90 or higher on their exams) it gets pretty lively. We thought you might be interested in this discussion since the subject will probably come up again and again and again. It all started with the observation: "What I noticed was GPEN and GCIH [GPEN and GCIH are the names for the GIAC certifications for two courses taught at SANS] have the same course content and syllabus. Then why do we have 2 different course names with the same content?"

Security Laboratory: Cryptography in Business Series

We are grouping papers in this series to focus on the many facets of data encryption.

Cryptography Industry Analysis Papers

By Stephen Northcutt

The Security Laboratory is pleased to announce that the SANS Institute and a leading Cryptography vendor have teamed up to produce guidance on navigating the compliance landscape as well as keys to procure a cryptographic system. We interviewed Nagraj Seshadri, the Product Marketing Manager for Utimaco Safeware, Inc. to find out why Utimaco was willing to invest in developing research for all of the defensive information community.

Secure Web Services

By Stephen Northcutt

The latest hurdle for managers: understanding Service Oriented Architecture.

Hash Functions

By Stephen Northcutt

The primary application of hash functions in cryptography is message integrity. The hash value provides a digital fingerprint of a message's contents, which reveals whether the message has been altered by an intruder, a virus, or other means. Hash algorithms are effective because of the extremely low probability that two different plaintext messages will yield the same hash value. Note that a bare hash only detects alteration when the attacker cannot also replace the stored hash; where that is possible, the hash must be keyed (an HMAC) or digitally signed.
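
An added example, not from the article, for this entry and for the Alteration Attacks entry in the Methods of Attack series: SHA-256 catches an alteration while the attacker cannot touch the stored digest, fails when they can recompute it, and HMAC-SHA256 with a shared key closes that gap. The messages and the key are constructed.

```python
import hashlib
import hmac


def fingerprint(msg: bytes) -> str:
    """SHA-256 digest as hex: the 'digital fingerprint' of the message."""
    return hashlib.sha256(msg).hexdigest()


def bit_distance(hex_a: str, hex_b: str) -> int:
    """How many of the 256 digest bits differ between two fingerprints."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def verify_unkeyed(msg: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(fingerprint(msg), expected_hex)


def tag(key: bytes, msg: bytes) -> str:
    """HMAC-SHA256: a fingerprint that cannot be recomputed without the key."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_keyed(key: bytes, msg: bytes, expected_tag: str) -> bool:
    return hmac.compare_digest(tag(key, msg), expected_tag)


def demo() -> dict:
    key = b"constructed-shared-secret"        # known to sender and receiver only
    original = b"PAY 100.00 TO ACCT 1234"
    altered = b"PAY 900.00 TO ACCT 6789"
    one_bit = bytes([original[0] ^ 0x01]) + original[1:]

    # 1. Alteration without access to the stored digest: the digest no
    #    longer matches, and even a one-bit change flips about half the bits.
    digest = fingerprint(original)
    accidental_detected = not verify_unkeyed(altered, digest)
    bits_flipped = bit_distance(digest, fingerprint(one_bit))

    # 2. An intruder who can rewrite the message AND the digest beside it
    #    simply recomputes the digest; the unkeyed hash cannot tell.
    forged_unkeyed_detected = not verify_unkeyed(altered, fingerprint(altered))

    # 3. With a keyed tag the intruder lacks the key; whatever tag they
    #    attach (here computed with a guessed key) fails verification.
    forged_keyed_detected = not verify_keyed(key, altered, tag(b"guess", altered))
    genuine_accepted = verify_keyed(key, original, tag(key, original))

    return {
        "accidental_detected": accidental_detected,
        "bits_flipped_of_256": bits_flipped,
        "forged_unkeyed_detected": forged_unkeyed_detected,
        "forged_keyed_detected": forged_keyed_detected,
        "genuine_accepted": genuine_accepted,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

hmac.compare_digest is used for both checks so that verification time does not leak how many leading bytes matched. Step 2 is the reason published checksums sitting next to the download they cover prove little against an attacker who controls the same server.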

An Interview with Oggy Vasic, Vice President of Software Development, ERUCES Inc.

By Stephen Northcutt

An interview with Oggy Vasic who is responsible for security oriented software development at ERUCES Inc.; Stephen Northcutt talks with him about his encryption product that is used in high security installations of the US intelligence community.

SSL/TLS

By Stephen Northcutt

The Secure Sockets Layer (SSL) protocol was developed by Netscape Communications in 1994 to provide application-independent secure communications over the Internet. SSL procedures are most commonly employed on the Web with the Hypertext Transfer Protocol (HTTP) for e-commerce transactions, although SSL is not limited to HTTP.

Quantum Cryptography - Jan 4th, 2008

By: Stephen Northcutt

In 2007, from a hardware perspective, one of the more surprising cryptanalysis developments was a PlayStation used to brute-force passwords. In the not too distant future, quantum computers may possibly spell the end of public key cryptography as we know it, but quantum cryptography may also be the solution for that problem. Oddly enough, the name 'Quantum Cryptography' originally referred to Quantum Key Distribution (QKD), and not to the use of quantum computers for encryption.

E-Signatures: Are We Building Sufficient Electronic Evidence? - Jan 22nd, 2007

By: Benjamin Wright, JD

E-commerce faces a problem. Financial institutions have yet to find a reliable electronic signature for spontaneous legal transactions over the web. Signatures based on just a mouse click or the typing of a name face challenges in court. An ideal e-signature will create evidence equivalent to paper and ink.

Interview with David Rice, author of Geekonomics

By Stephen Northcutt

When reading David Rice’s book Geekonomics and writing the book review, we were so impressed that we asked for an interview to further understand David’s thoughts.

Security Laboratory: Wireless Security

This series covers wireless security. We will post papers on the latest threats as well as fundamental tutorial information you need to design and pen test a wireless network.

Hardware Hacking: Linksys WRT54G

By Stephen Northcutt

We recently did a book review of Paul Asadoorian and Larry Pesce's Linksys WRT54G: Ultimate Hacking and we were so intrigued with the work they did, we asked Paul to participate in an interview for the Security Lab.

An Interview with Joshua Wright

By Stephen Northcutt

Josh Wright discusses recent trends in attacks on systems utilizing wireless technology, as well as what can be done to assess vulnerabilities and minimize security risks for wireless devices.

Dispelling Common Bluetooth Misconceptions

By Joshua Wright

This whitepaper will dispel several common misconceptions regarding Bluetooth technology, allowing organizations to better assess their exposure to Bluetooth threats.

Wireless Security Training and Pen Testing Tutorial - Framing Part 1

By Joshua Wright

In this training tutorial Joshua Wright begins the discussion on wireless framing, covering the Frame Control field, with particular attention to the To DS and From DS bits, and ends with the Duration/ID field.

Wireless Security Training and Pen Testing Tutorial: Infrastructure

By Joshua Wright

You can't do a pen test of a wireless network without understanding how wireless works. In this training tutorial, Joshua Wright discusses the wireless MAC Layer and Authentication and Association, and he introduces the concept of Framing.
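
For this tutorial and the Framing Part 1 tutorial above, an added example that is not Joshua Wright's code: a decoder for the Frame Control field, the Duration/ID field and the To DS / From DS dependent address roles of an 802.11 MAC header, with the field layout as defined in the 802.11 standard. The three frames are constructed header bytes only (no body, no FCS).

```python
import struct
from typing import Dict

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}
MGMT_SUBTYPES = {0: "association-request", 1: "association-response",
                 4: "probe-request", 5: "probe-response", 8: "beacon",
                 10: "disassociation", 11: "authentication",
                 12: "deauthentication"}


def parse_frame_control(fc: int) -> Dict:
    """Decode the 16-bit Frame Control field (read little-endian: byte 0
    carries version/type/subtype, byte 1 carries the flag bits)."""
    return {
        "protocol_version": fc & 0x3,
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(fc & 0x0100),
        "from_ds": bool(fc & 0x0200),
        "more_fragments": bool(fc & 0x0400),
        "retry": bool(fc & 0x0800),
        "power_mgmt": bool(fc & 0x1000),
        "more_data": bool(fc & 0x2000),
        "protected": bool(fc & 0x4000),
        "order": bool(fc & 0x8000),
    }


def parse_duration_id(raw: int) -> Dict:
    """The same 16 bits mean different things depending on the top bits."""
    if not raw & 0x8000:
        return {"kind": "duration_us", "value": raw & 0x7FFF}
    if raw & 0xC000 == 0xC000:          # PS-Poll: association ID
        return {"kind": "aid", "value": raw & 0x3FFF}
    if raw == 0x8000:                   # fixed value used during a CFP
        return {"kind": "cfp", "value": raw}
    return {"kind": "reserved", "value": raw}


def address_roles(to_ds: bool, from_ds: bool) -> tuple:
    """Which station each address field names depends on To DS / From DS."""
    return {
        (False, False): ("DA", "SA", "BSSID"),     # IBSS and management
        (False, True): ("DA", "BSSID", "SA"),      # AP -> station
        (True, False): ("BSSID", "SA", "DA"),      # station -> AP
        (True, True): ("RA", "TA", "DA", "SA"),    # WDS, four addresses
    }[(to_ds, from_ds)]


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_header(frame: bytes) -> Dict:
    fc_raw, dur_raw = struct.unpack_from("<HH", frame, 0)
    fc = parse_frame_control(fc_raw)
    out = {"fc": fc, "type_name": TYPE_NAMES[fc["type"]],
           "duration_id": parse_duration_id(dur_raw), "addresses": {}}
    if fc["type"] == 0:
        out["subtype_name"] = MGMT_SUBTYPES.get(fc["subtype"], f"mgmt-{fc['subtype']}")
    if fc["type"] == 1:                 # control frames carry only RA (and TA)
        out["addresses"]["RA"] = mac(frame[4:10])
        return out
    roles = address_roles(fc["to_ds"], fc["from_ds"])
    for i, role in enumerate(roles[:3]):
        out["addresses"][role] = mac(frame[4 + 6 * i:10 + 6 * i])
    seq_raw, = struct.unpack_from("<H", frame, 22)   # Sequence Control
    out["fragment"], out["sequence"] = seq_raw & 0xF, seq_raw >> 4
    if len(roles) == 4:
        out["addresses"][roles[3]] = mac(frame[24:30])
    return out


# Constructed frames: header bytes only. Beacon from AP 00:11:22:33:44:55.
BEACON = (bytes([0x80, 0x00]) + bytes([0x00, 0x00])
          + bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
          + bytes.fromhex("001122334455") + bytes([0x10, 0x00]))
# Data frame, To DS, Protected Frame bit set, duration 44 us.
DATA_TO_AP = (bytes([0x08, 0x41]) + bytes([0x2c, 0x00])
              + bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455")
              + bytes.fromhex("0a0b0c0d0e0f") + bytes([0x20, 0x00]))
# Deauthentication sent to a station, claiming to come from the AP.
DEAUTH = (bytes([0xc0, 0x00]) + bytes([0x3a, 0x01])
          + bytes.fromhex("001122334455") + bytes.fromhex("aabbccddeeff")
          + bytes.fromhex("aabbccddeeff") + bytes([0x00, 0x00]))

if __name__ == "__main__":
    for name, f in (("beacon", BEACON), ("data", DATA_TO_AP), ("deauth", DEAUTH)):
        print(name, parse_header(f))
```

The deauthentication frame decodes like any other management frame because nothing in this header authenticates the transmitter address; a station that honours it on sight is why spoofed deauthentication is the classic wireless denial of service, and why protected management frames were added later.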

Five Wireless Threats You May Not Know - Sep 5th, 2007

By: Joshua Wright

Attackers have found new avenues to take advantage of weaknesses in wireless networks that, in most cases, have yet to be addressed by organizations. The wireless security market has matured significantly in the past several years, but still many organizations remain vulnerable to attacks, either through legacy protocols with well-published deficiencies, or through new threats that are not adequately addressed.

Sec Lab: Network Security Essentials by Dr. Eric Cole

This series of essays provides a comprehensive look at computer networks.

Types of Networks

By Eric Cole

A key tenet of network security is "know thy system". You cannot secure something that you do not understand or know how it works. In order to be proficient in network security, you have to understand the different types of networks since each network type poses different challenges, issues and risks.

Sec Lab: Security Products

In 1995 if you wanted a security product, you downloaded the source and compiled it on your Sun 3, today we buy supported commercial products: this series on the security lab is to introduce you to some of the products out there and, when possible, the movers and shakers that are part of the team that creates these products.

Interview with Eric Hines, CEO of Applied Watch Technologies

By Stephen Northcutt

Eric Hines, an IDS specialist and CEO of Applied Watch Technologies, talks with Stephen Northcutt about enterprise-grade management solutions for open source software.

Controlling P2P in your network with TippingPoint Intrusion Prevention Systems (IPS)

By Peter Giannoulis

Most everybody who is tasked with managing a network has faced the problem of controlling peer-to-peer (P2P) traffic. The reasons an organization wants to control P2P traffic differ, and if an organization has not taken this threat seriously, it's definitely time to begin. According to research conducted by FaceTime Communications Inc., P2P threats have increased dramatically over the last year. Security incidents that were reported in the first quarter of 2006 were 723% higher when compared to the same time period just a year earlier.

View Article

Interview with David Breslin, Director of Sales Engineering for Tenable Network Security, Inc.

By Stephen Northcutt

David Breslin of Tenable Network Security, Inc. talks with Stephen Northcutt about recent advances in network security and describes the benefits of passive vulnerability scanning.

View Article

F5 is a Security Company?

By Stephen Northcutt

Kenneth Salchow of F5 Networks talks with Stephen Northcutt about F5's work in the application security space, and he takes a special look at unified threat management.

View Article

An Interview with Bret Jordan, a Security Architect for Identity Engines

By Stephen Northcutt

Bret Jordan discusses his work at Identity Engines with 802.1X, an IEEE standard for authenticating clients to the network, as well as the OpenSEA Alliance, an organization focused on building a secure network edge based on standards and open-source software.

View Article

View Archives

What to Look for in Log Management Solutions, an interview with Chris Petersen of LogRhythm - Apr 25th, 2007

By Stephen Northcutt

Chris Petersen from LogRhythm describes various log management solutions and offers suggestions for what organizations can do to find the right log management products and services to fit their needs.

View Article

Interview with Steve Slater, founder of Security Compliance Corporation (SCC) - Mar 23rd, 2007

By Stephen Northcutt

An interview with Steve Slater, founder of Security Compliance Corporation (SCC), by Stephen Northcutt. The mission of SCC is to provide automated solutions to labor-intensive compliance efforts. Their first product, Access Auditor, discovers and consolidates users' access rights across the enterprise and provides a workflow for the re-certification process.

View Article

Interview with Maximiliano Caceres about CORE IMPACT - Mar 13th, 2007

By Stephen Northcutt

CORE IMPACT is an automated penetration testing product designed to help security managers prove the strength of their information security program. An interview with Maximiliano Caceres by Stephen Northcutt explores this GUI based exploit tool.

View Article

Interview About The Norman Malware Analyzer - Feb 26th, 2007

By Stephen Northcutt

We worked the show floor pretty hard at RSA 2007 in San Francisco, and this is one of the most interesting products we saw there. To help you get to know it better, we asked two of the brilliant minds behind the product, Righard J. Zwienenberg and Kurt Natvig, to join us for an interview. The name of the product tells you what it does, but we will try to bring it to life in this article.

View Article

Sec Lab: CDI 2007 Initiatives

View this series only

The Cyber Defense Initiative Program is something SANS runs every year. We try to show how one person, or one team can make a difference. Teams are formed to create a solution to a problem and they report their findings at a SANS conference designed to celebrate the progress made during the year. This series is a preview of the SANS CDI 2007 initiatives to be presented December 11-18 in Washington, DC.

Virtual Patching for Web Applications with ModSecurity

By Michael Shinn, Technical Review by Ryan Barnett and GIAC Advisory Board

In this article the author, Michael Shinn, with technical review by Ryan Barnett and the GIAC Advisory Board, presents invaluable tools of virtual patching for web applications. He outlines where and when virtual patching is appropriate, how it can be integrated into the incident response process, and also the proper steps for creating and testing real-world examples.

View Article

Security Laboratory: Which SANS course should I take?

View this series only

If you are new to computer, network or information security, the SANS Institute offers a number of introductory courses to get you on your way. But not every course is right for you and this series of essays is intended to help you make course selections to best fit your needs.

Security 503: Intrusion Detection and the Software Security courses are my favorites, here is why

By Johannes Ullrich

To help you choose the most suitable network and information security training for yourself and for your company, Johannes presents a synopsis of his favorite SANS Institute courses - the new Security Software series and SEC503:Intrusion Detection.

View Article

Leadership Lab: Information Technology and the Law

View this series only

This series of essays explores the many aspects of technology law relating to computer and information security.

Subpoenas for Electronic Records

By Benjamin Wright, JD

What is a subpoena and what difference does it make for cases involving electronic information? Benjamin Wright, JD, discusses the case of Sue Kayton vs. MIT and the Family Educational Rights and Privacy Act (FERPA).

View Article

Dispel Criminal Intent with Open Communication

By Benjamin Wright, JD

Above-board security professionals can take a number of steps to minimize the risk they are breaking the law. In order to commit a crime, a person must have intent to do something wrong. A powerful way to dispel “wrongful intent” is to openly communicate what you are doing and what the justification for it is.

View Article

Subterfuge as a Security Tactic

By Benjamin Wright, JD

Identity theft thrives because in modern society it’s hard to authenticate someone. Benjamin Wright offers stratagems that can withstand legal scrutiny for banks and merchants to verify the authenticity of their members.

View Article

Mock Trial as Security Education Exercise

By Benjamin Wright, JD

Increasingly, good information security requires good legal techniques. Wise application of legal tools such as contracts can promote security and intelligently allocate risks among enterprise trading partners. Benjamin Wright, JD offers a mock trial example to help IT security professionals understand how legal contracts can affect security planning and execution.

View Article

Configuration Management in the Security World

By Adam Meyer

Configuration management drives information security and information assurance. It is in everything and embedded everywhere, but few people acknowledge this fact, and your organization may be suffering because of it. With this paper, Adam Meyer wants you to ask yourself: what does configuration management mean to your organization? Configuration management is a critical step in building a secure infrastructure; it provides defense in depth for your organization.

View Article

Accurate Risk Assessment

By Philip Alexander

The Office of the Comptroller of the Currency (OCC) requires financial institutions to have a formal risk assessment program. The program needs to accurately identify where sensitive customer information is stored, who has access to the data, and which security controls are protecting it.

View Article

Advances in Spyware

By Peter Giannoulis

Statistics tell us that 90% of the computer systems on the Internet right now are infected with spyware or some other type of malware. The numbers are staggering, and the sheer number of unprotected computer systems has caught the eye of criminal minds that seek to control this resource for their own ends.

View Article

The Changing Face of Digital Forensics

By Stephen Northcutt

Rob Lee recently sent us a tool review article describing something he has discussed in his class, SEC 508: System Forensics, Investigation and Response, for several years now. It seems the cutting-edge forensic tools are not being created and driven by law enforcement but by private companies that need them for regulatory compliance and incident management. Yet the rules and case precedent differ when someone performs forensics for regulatory reasons rather than purely for law enforcement.

View Article

BitTorrent Considered Harmful to Intellectual Property

By Stephen Northcutt

BitTorrent and P2P in general are accelerating the attack pressure on the value of intellectual property, especially copyrighted electronic media.

View Article

Interview with Stephen Northcutt

By Dave Elfering

David Elfering, Director of Network & Information Security for Werner Enterprises, asks Stephen Northcutt about the current status of corporate IT security.

View Article

Security Laboratory: IT Managers - Safety Series

View this series only

This series of papers discusses the IT Manager's complex roles in establishing workplace and enterprise security.

Safety and the Computer Security Manager

By Stephen Northcutt

On the surface it would seem that an information assurance manager wouldn't need to be overly concerned about safety, other than repetitive stress injuries or perhaps a back injury from a system administrator trying to horse a monster 4U server with an integrated RAID array into a rack by herself. However, what if you morph the title, as many organizations are starting to do, to "risk manager"? An NIH web site, Medline, lists a variety of topics and links to valuable information; for now, scan the list and ask yourself what a leader needs to keep in mind on each of these.

View Article

Evacuation roles

By Stephen Northcutt

Having an evacuation plan may be required by law; but having a plan and practicing the plan are separate issues. Practicing the plan is extremely important and directly affects the effectiveness of an evacuation plan.

View Article

Physical Security

By Peter Giannoulis and Stephen Northcutt

Physical access control is just as important to your information security architecture as password policies and firewalls. Protecting your critical infrastructure with physical security can be a daunting task.

View Article

Data Breach Disclosure Laws - a state by state perspective

By Philip Alexander

This article is a companion to a book entitled Data Breach Disclosure Laws – a State by State Perspective. The book provides an in-depth review of all 35 state data breach disclosure laws.

View Article

Web Application Auditing Over Lunch

By Dr. Johannes B. Ullrich

Using simple free tools, many of them Firefox plugins, it is possible to examine web applications for their common problems in under an hour.

View Article

Top 5 Firewall Leaks

By Chris Brenton

Attack techniques have evolved to where traditional packet filtering firewalls, proxies, and even intrusion prevention systems are dramatically less effective at securing a corporate network. The common flaw in most perimeters is that they are designed to thwart inbound session establishment, while being relatively permissive in what they pass towards the Internet. This paper outlines the top five traffic patterns that currently breach most network perimeters.
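
The flaw named above, a perimeter that blocks inbound session setup but passes almost anything outbound, is easy to see in code. The following is an added example, not code from Chris Brenton's article: a toy stateful policy evaluated over constructed flow records, comparing the usual inbound-only perimeter with one that also enforces an explicit egress allow-list. The internal range, the proxy and resolver addresses, and the sample flows are all assumptions made for the illustration.

```python
# Added example, not code from the SANS article: a toy stateful perimeter
# policy run over constructed flow records. It shows why blocking inbound
# session setup while passing everything outbound still leaks: a compromised
# workstation reaches the Internet as freely as the proxy does.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")       # assumed internal address range
PROXY = ip_address("10.0.0.5")            # assumed: only host allowed direct web egress
DNS_RESOLVER = ip_address("10.0.0.53")    # assumed: only host allowed direct DNS egress


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str           # "tcp" or "udp"
    new_session: bool    # True for a TCP SYN or the first datagram of a UDP exchange


def is_outbound(flow: Flow) -> bool:
    """Outbound means an internal source talking to a non-internal destination."""
    return ip_address(flow.src) in INTERNAL and ip_address(flow.dst) not in INTERNAL


def inbound_only_policy(flow: Flow) -> str:
    """Typical perimeter: drop new inbound sessions, pass everything outbound."""
    if is_outbound(flow):
        return "allow"
    return "deny" if flow.new_session else "allow"


def egress_filtered_policy(flow: Flow) -> str:
    """Same inbound rule, plus an explicit outbound allow-list with default deny."""
    if not is_outbound(flow):
        return "deny" if flow.new_session else "allow"
    src = ip_address(flow.src)
    if flow.proto == "tcp" and flow.dport in (80, 443) and src == PROXY:
        return "allow"
    if flow.proto == "udp" and flow.dport == 53 and src == DNS_RESOLVER:
        return "allow"
    return "deny"


def find_leaks(flows):
    """Flows the inbound-only perimeter passes but the egress-filtered one stops."""
    return [f for f in flows
            if inbound_only_policy(f) == "allow" and egress_filtered_policy(f) == "deny"]


# Constructed sample traffic; the Internet-side addresses are RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "203.0.113.10", 443, "tcp", True),     # workstation beacons outbound over 443
    Flow("10.0.0.5", "203.0.113.10", 443, "tcp", True),     # proxy fetching a page: legitimate
    Flow("10.1.2.3", "198.51.100.7", 53, "udp", True),      # workstation doing DNS directly (tunnel risk)
    Flow("10.0.0.53", "198.51.100.7", 53, "udp", True),     # internal resolver forwarding: legitimate
    Flow("203.0.113.10", "10.1.2.3", 22, "tcp", True),      # inbound SSH attempt: both policies drop it
    Flow("203.0.113.10", "10.0.0.5", 51000, "tcp", False),  # return traffic of the proxy's session
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src:>14} -> {f.dst:<14}:{f.dport:<5} {f.proto}  "
              f"inbound-only={inbound_only_policy(f):5}  "
              f"egress-filtered={egress_filtered_policy(f)}")
    print("leaks:", [(f.src, f.dst, f.dport) for f in find_leaks(SAMPLE_FLOWS)])
```

Both policies drop the inbound SSH attempt, which is the case most perimeters are designed for. The difference is entirely on the egress side: the workstation's direct 443 and 53 sessions pass the inbound-only policy untouched, and only a default-deny outbound rule set that names the proxy and resolver explicitly stops them.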

View Article

Honeypots: A Security Manager's Guide to Honeypots

By Eric Cole and Stephen Northcutt

The ultimate goal of security is to reduce or eliminate risks to an organization's critical assets. Ideally, we prefer to do this by preventing attacks, but one of the key mottos of information security is, "Prevention is ideal, but detection is a must." We must realize that an organization's key resources will be attacked, and we have to be ready to detect the attack as early in the cycle as possible and take advantage of this when it does occur. One way of doing this is with honey-x technology, such as honeypots.

View Article

Center for Internet Security Toolset to Offset Impact of Government Regulations

By Stephen Northcutt

A series of consensus configurations and testing tools from the Center for Internet Security for operating systems, databases, networking gear and applications are the best vendor neutral approach to enable organizations to achieve and sustain compliance across multiple regulations. Compliance with multiple regulations is becoming an increasing problem for organizations.

View Article

Default Passwords

By Peter Giannoulis

Default passwords are an on-going threat for many organizations. Vendors who configure their products with standard default username and password combinations assume that their customers are going to change them during the initial implementation. Unfortunately, this is not always the case.

View Article

Denial of Service Attacks

By Peter Giannoulis

A major ISP, MCI, reports an average of 1,000 DDoS attacks per day. Denial of Service is something every security professional should consider in their risk assessments. DoS attacks affect the overall availability of a resource, so naturally it would fall within the 'Availability' section of the Confidentiality/Integrity/Availability (CIA) triad.

View Article

Real World Pitfalls of Full Disk Encryption

By Keith Loyd and Stephen Northcutt

As Peter Giannoulis points out in The Pitfalls of Full Disk Encryption, Full Disk Encryption (FDE) offerings give CxOs a warm and fuzzy feeling after the data-loss headlines of the last few years, but FDE solutions may introduce issues of their own. Because of the recent massive data losses, organizations are racing to deploy solutions; in fact, the US Government is searching for a government-wide FDE product. While FDE does provide strong protection for the data on lost or misplaced laptops, that protection comes with potential downsides, including per-seat cost and performance impact, that organizations should be aware of and should adapt their processes and procedures to accommodate.

View Article

The Six Most Important Tenets For Configuration Management

By Stephen Northcutt

According to Answer.com, a tenet is an opinion, doctrine, or principle held as being true by a person or especially by an organization. In SANS Security Leadership Essentials, we consider six tenets an information assurance manager can use as a guiding set of principles to do configuration management right from the get-go and to help lead an IT organization toward more security and more robustness. Implementing operational changes can seem hard to grasp without a framework or road map for improvement, so we introduce these six tenets as a plan for improving the operational practice of your organization.

View Article

The Signature of Error is Change

By Stephen Northcutt

It worked yesterday, why doesn't it work today? Try this Google search yourself ("it worked yesterday"); on Jan 03 2007 it yielded 17 million results. Let's look at two of the results and see what we learn as computer security managers.

View Article

Auditing for Availability With a Web Based Service

By Stephen Northcutt

Many business leaders feel that technical security people do not "get it" when it comes to the needs of the business. To some extent this is fair criticism; as a community it is something we need to work on, and it is one of the primary goals of the Leadership Laboratory. However, availability, the most important business requirement for IT, is something every information security student is taught as lesson one; it is part of the security triad along with confidentiality and integrity. In this article we open with a famous example of availability failure, the 1999 Victoria's Secret webcast, consider the business ramifications, look at resources for auditing for availability, and end with a brief discussion of autonomic computing, which may well be the future of IT availability.

View Article

An approach to Audit Java for Security

By Stephen Northcutt and Jim Manico

Java is a popular and powerful programming language and is often the choice for large enterprise coding projects. Programming projects designed properly and executed with security in mind are robust, but if the programmers take shortcuts they will probably produce unsafe code.

View Article

The 6 Categories of Critical Log Information

By Various

Based on earlier work from Marcus Ranum, Tina Bird, Chris Brenton and Anton Chuvakin, version 3 was updated by Peter Czanik of BalaBit. Stephen Northcutt led a technical review team from the GIAC Advisory Board to produce version 3.01.

View Article