Welcome to SecurityDocs

A collection of 8,050 IT security white papers, carefully curated by professionals like yourself

Don't Blink: Iris Recognition for Biometric Identification

by Mary Dunker

With the cost of eye-scanning technology coming down and the need for more secure systems going up, it’s time to take a close look at iris recognition for security applications. Due to research and patented technology, iris recognition has emerged from its early image of spy film fantasy to reality. This paper explores the origins of iris recognition, how it works, how it stacks up against other forms of biometric identification and what is required to perform the identification. Compari...

Sept. 1, 2017 0 comments SANS Institute Pen Testing & Audits

SSL/TLS: What's Under the Hood

by Sally Vandeven

Encrypted data, by definition, is obscured data. Most web application authentication happens over HTTPS, which uses SSL/TLS for encryption. Did you ever wonder what that authentication exchange looks like in plaintext? What if you are troubleshooting your HTTPS enabled web application and need to dig deeper down in the OSI model than Firebug or other web developer tools will allow? This paper demonstrates how to easily decrypt and dissect a captured web session without either a proxy...

Sept. 1, 2017 0 comments SANS Institute Encryption & Authentication

OS and Application Fingerprinting Techniques

by Jon Mark Allen

This paper will attempt to describe what application and operating system (OS) fingerprinting are and discuss techniques and methods used by three of the most popular fingerprinting applications: nmap, Xprobe2, and p0f. I will discuss similarities and differences between not only active scanning and passive detection, but also the differences between the two active scanners as well. We will conclude with a brief discussion...

Sept. 1, 2017 0 comments SANS Institute Pen Testing & Audits

The Dangers of Weak Hashes

by Kelly Brown

There have been several high publicity password leaks over the past year including LinkedIn, Yahoo, and eHarmony. While you never want to have vulnerabilities that allow hackers to get access to your password hashes, you also want to make sure that if the hashes are compromised it is not easy for hackers to generate passwords from the hashes. As these leaks have demonstrated, large companies are using weak hashing mechanisms that make it easy to crack user passwords. In this paper I will d...

Sept. 1, 2017 0 comments SANS Institute Pen Testing & Audits

Two-Factor Authentication: Can You Choose the Right One?

by Emilio Valente

It is a current trend that many companies seek to improve their authentication method in order to increase their security protection and reinforce their defense-in-depth. In doing so, these companies face a dilemma: What kind of two-factor authentication should be implemented? What “provider” should be trusted? What media should be used? Which methods should or could be combined and integrated to the existing infrastructures? And what costs will be incurred?

Sept. 1, 2017 0 comments SANS Institute Encryption & Authentication

An Architecture for Implementing Enterprise Multifactor Authentication with Open Source Tools

by Tom Webb

We are all familiar with how password authentication works as we log into dozens of systems each day to check email or view bank account balance. This type of authentication is considered single factor authentication. Authentication can happen using something you know, something you have, something you are or somewhere you are (Bishop, 2004). Multifactor combines two or more of these methods to create a stronger authentication.

Sept. 1, 2017 0 comments SANS Institute Encryption & Authentication

Implementing IEEE 802.1x for Wired Networks

by Johan Loos

Without an extra layer of security, hosts can access resources on the wired network without any form of authentication. Basically there is no way to know who is accessing the wired network infrastructure. To manage this type of connection, IEEE 802.1x port based authentication can be implemented to force wired clients to authenticate. Without proper access to the wired network, malicious users can use the network to access the company’s data or launch attacks on servers or client compute...

Sept. 1, 2017 0 comments SANS Institute Encryption & Authentication

Implementing a Shibboleth SSO Infrastructure

by Rich Graves

Shibboleth is a free, open-source web single sign-on solution (SSO) for complex federated environments based on the Security Assertion Markup Language (SAML). Installation is voluminously documented by the Shibboleth Consortium, but requires considerable time, expertise, and site-specific integration. To help system administrators and security analysts who are new to SAML and Shibboleth get started, a VMware image is provided with CentOS, OpenLDAP, Apache, Tomcat, and Shibboleth identity and ...

Sept. 1, 2017 0 comments SANS Institute Encryption & Authentication

Information System Security Evaluation Team: Security Insurance?

by Bruce Swartz

Information systems are becoming more complex and ubiquitous. Consequently, the opportunities for compromise increase. Networks once found only in relatively large offices are now found in the smallest of offices. These networks are typically connected to the Internet through Wide Area Networks (WAN). This poses a problem for maintaining a high degree of security in these systems especially where an organization is split into many smaller entities whether dispersed geographically or loc...

Sept. 1, 2017 0 comments SANS Institute

Network- and Host-Based Vulnerability Assessments: An Introduction to a Cost Effective and Easy to Use Strategy.

by Ragi Guirguis

In today’s business world, vital company information is accessed, stored, and transferred electronically. The security of this information and the systems storing this information are critical to the reputation and prosperity of companies. Therefore, vulnerability assessments of computer systems are routinely employed by businesses to obtain a complete evaluation of the security risks of the systems under investigation. However, the methods for performing vulnerability assessments are va...

Sept. 1, 2017 0 comments SANS Institute Pen Testing & Audits

Footprinting: What Is It, Who Should Do It, and Why?

by James McGreevy

Are you footprinting your systems? Or is an attacker doing it for you? Yes, footprinting can be good for you just like scanning. The process of footprinting is the first step in information gathering of hackers. To perform or thwart a successful attack, one needs to gather information. The hacker’s intention is to learn about all aspects of the perspective organization’s security posture, profile of their Intranet, remote access capabilities, and intranet/extranet presence (Scambray,...

Sept. 1, 2017 0 comments SANS Institute Pen Testing & Audits

Port Scanning Techniques and the Defense Against Them

by Roger Christopher

Port Scanning is one of the most popular techniques attackers use to discover services that they can exploit to break into systems. All systems that are connected to a LAN or the Internet via a modem run services that listen to well-known and not so well-known ports. By port scanning, the attacker can find the following information about the targeted systems: what services are running, what users own those services, whether anonymous logins are supported, and whether certain network service...

Sept. 1, 2017 0 comments SANS Institute Pen Testing & Audits

System Identification for Vulnerability Assessment

by Michael Harris

Many sources exist within the security and hacking community that discuss knowing the enemy, but that is only half the equation. Many security gurus have forgotten that they must also know themselves. They must know the systems and resources they are to protect.

Sept. 1, 2017 0 comments SANS Institute Pen Testing & Audits

Conducting a Penetration Test on an Organization

by Chan Wai

This document is decided to give readers an outlook on how a penetration test can be successfully done on an organization. A methodology has been drawn out in this document to allow readers to be acquainted with the process that penetration testers go through to conduct a penetration test.

Sept. 1, 2017 0 comments SANS Institute Pen Testing & Audits

Distributed Scan Model for Enterprise-Wide Network Vulnerability Assessment

by Alexander Lopyrev

Conducting an Enterprise-wide Vulnerability Assessment (VA) on a regular basis, as required by risk management, is an extremely time-consuming task for security professionals. Enterprise networks are usually widely distributed, located in different places, towns and even counties. The structure of the network is very complex and is separated into different types of zones, sometimes with highly restricted physical access. The average number of hosts in a network is estimated at thousands or tens of thousands. Sec...

Sept. 1, 2017 0 comments SANS Institute Pen Testing & Audits

Data-Centric Quantitative Computer Security Risk Assessment

by Brett Berger

A quantitative risk assessment strategy is outlined with brief discussions of threat, risk categories and data classification. The differences between quantitative and qualitative assessments are specified with the conclusion that both methods have significant strengths and weaknesses. A quantitative method that spans both assessment types is then presented with rigorous analysis of impact of individual risk factors upon the overall risk to information. A method of easily organizing risk f...

Sept. 1, 2017 0 comments SANS Institute Pen Testing & Audits

B.A.S.E. - A Security Assessment Methodology

by Gregory Braunton

“A fundamental tenet of security is that a chain is only as strong as its weakest link and a wall is only as strong as its weakest point. Smart attackers are going to seek out that weak point and concentrate their attentions there.”

Sept. 1, 2017 0 comments SANS Institute Pen Testing & Audits

Information Systems Security Architecture: A Novel Approach to Layered Protection

by George Farah

The purpose of this paper is to demonstrate how to develop an information systems security architecture in a complex environment with few security measures in place. The case study illustrated will provide the reader with a set of guidelines that can be used to develop security architecture components that allow for scalable and secure IT infrastructure.

Sept. 1, 2017 0 comments SANS Institute

The Application Audit Process - A Guide for Information Security Professionals

by Robert Hein

This paper is meant to be a guide for IT professionals, whose applications are audited, either by an internal or external IS audit. It provides a basic understanding of the IS Audit process. It is also meant as an aid for auditors to facilitate the audit process by communicating audit terms and objectives. The document takes the reader through the different control points of an application audit: Administration, Input, Processing, Outputs, Logical Security, Disaster Recover Plan, Change Manag...

Sept. 1, 2017 0 comments SANS Institute

An Introduction to Information System Risk Management

by Steve Elky

The fundamental precept of information security is to support the mission of the organization. All organizations are exposed to uncertainties, some of which impact the organization in a negative manner. In order to support the organization, IT security professionals must be able to help their organizations’ management understand and manage these uncertainties.

Sept. 1, 2017 0 comments SANS Institute

