Dr Anton Chuvakin Information Security Publications

Enterprise Security Management (08/15/2002) "Take Back Your Security Infrastructure" Covers the impact of audit trail and system log management on the enterprise. [published at SC Magazine web portal] (01/28/2002) "Approaches to choosing the strength of your security measures" Article discusses various ways of choosing the level of security for your company [published at LinuxSecurity.com portal site and featured at LinuxToday.com] (12/12/2002) "Security response for the small office environment" (part I of III) Article covers dealing with security events for various environments: small office, medium company and large environment. This part is about a small office environment. [published at Computerworld] (12/17/2002) "Security response in a midsize office" (part II of III) Article covers dealing with security event analysis for a medium size company. [published at Computerworld] (01/07/2003) "Security response at a large company" (part III of III) Article describes the intricacies of dealing with security events and incidents at a large company. [published at Computerworld] (09/14/2004) "Automated Incident Handling Using SIM" This paper covers how Security Information Products (SIM) such as netForensics can help to automate the enterprise incident management processes (investigation, evidence collection, etc). [published in ISSA Journal] (03/02/2005) "Real-time fallacy: how real-time your security really is?" This talks about the timing aspect of your security and discusses where real-time security is needed. [published in CSI Alert newsletter] (04/08/2005) "Five Mistakes of Incident Response" This article covers five common mistakes committed by the organizations while planning and executing their incident response programs. [published in "ComputerWorld"]	Log Analysis, Log Management and Data Correlation (08/01/2002) "Advanced Log Processing" This article offer a brief overview of log analysis particularly: log transmission, log collection and log analysis. It goes into some detail on using SQL for storing and analyzing security log files. [published at SecurityFocus] Italian translation is here (12/13/2002) "Cross Platform Security Analysis" The article discusses the issues of event data collection, analysis and presentation, outlining many challenges with Security Information Management (SIM) technology and its enterprise deployment. [published at "The Internet Security Conference Newsletter (TISC Insight)"] (09/02/2003) "Event Correlation in Security" covers the security event analysis through several types of correlation methods. [published at "The Internet Security Conference Newsletter (TISC Insight)"] (09/14/2004) "Security Event Analysis through Correlation" covers correlating intrusion and other security events using rules and statistical methods as implemented by SIM products. [published in Information Systems Security/ISC2 Journal (Volume 13, Issue 2 (May 2004))] (10/21/2004) "Five mistakes of log analysis" covers the typical mistakes organizations make when analyzing audit logs and other security-related records produced by security infrastructure components. [published at ComputerWorld] (10/25/2004) "Issues Discovering Compromised Machines" discusses the problem of reliably discovering the compromised machines on corporate networks. [published at SecurityFocus] (01/25/2007) "Introduction to Database Log Management" discusses the issues related to database logs and log analysis. [published in CSI Alert Newsletter] (07/01/2007) "Database Logs: The Underutilized Security Bulwark" discusses database logs and methods for their collection and analysis. [published in "IT Defense" Magazine] (11/01/2007) "Log Analysis Across System Boundaries for Security, Compliance and Operations" discusses how and why to collect and analyze network and server logs enterprise-wide. [published in "Enterprise Networks and Servers" Magazine] (12/01/2007) "Tips and Trends on Database Log Management" discusses database logs and methods for their collection and analysis. [published in "DM Review" Magazine] (07/08/2007) "Introduction to Database Log Management" discusses database log analysis. [published in InfoSecWriters.com] (08/31/2007) "Six Mistakes of Log Management" covers common mistakes of log analysis and log management. [published in InfoSecWriters.com]
Regulatory and Policy Compliance (05/18/2007) "Incident management in the age of compliance" This article covers how recent compliance mandates changed incident response programs and practices. [published in "ComputerWorld"] (07/07/2007) "Log management in the age of compliance" This article covers how recent compliance mandates changed log analysis and log management programs and practices. [published in "ComputerWorld"] (09/16/2007) "Intrusion detection in the age of compliance" This article covers how recent compliance mandates changed intrusion detection. [published in "ComputerWorld"] (11/19/2007) "Computer forensics in the age of compliance" This article covers how recent compliance mandates changed computer forensics programs and practices. [published in "ComputerWorld"] (1/28/2008) "Security policy in the age of compliance" This article covers how recent compliance mandates changed security policy requirements. [published in "ComputerWorld"]	Policy and people issues of information security (03/20/2001) "NLP-powered Social Engineering Attacks" describes a scary way of performing Social Engineering attacks based on powerful NLP persuasion technology [published at SecurityFocus] (08/2001) "Internal attacks: Doom of Information Security" Research report on internal security breaches, attacker motivations, various countermeasures and their relative efficiency [published in the Journal of Information Security (CRC)] (11/01/2007) "Log Analysis vs. Insider Attacks" covers how logs provide one of the few effective methods vs insider attacks.[published at "ISSA Journal"]
Malicious hacker attacks (08/2001) "Your money or your life?" evaluates risks and impacts of web page defacements versus hidden server penetrations [published at SecurityWatch] (05/08/2002) "FTP Attack Case Study Part I: The Analysis" (also published here at SecurityWriters.org) covers a detailed case study of a hacker penetration with network and hard drive forensics, hacker tool analysis and network infrastructure analysis [published at LinuxSecurity.com] Spanish translation is here (06/19/2002) "FTP Attack Case Study Part II: The Lessons" (also published here at SecurityWriters.org) covers several important security lessons drawn from the above case [published at LinuxSecurity.com] Spanish translation is here (05/04/2007) "Protected – but 0wned: A Real-world Example of Today’s Desktop Security" contains a fun case study of a infected system investigation. [published at InfoSecWriters.com]	Honeypots and honeynets (06/18/2002) "Lessons of the Honeypot I: Aggressive and Careless" describes some of the lessons one can get from running a honeypot [published at SC Magazine web portal] (09/25/2002) "Lessons of the Honeypot II: Expect the Unexpected" outlines how honeynets and honeypots present an ultimate challenge in information security [published at SC Magazine web portal] (10/08/2002) "Whys and Hows of Honeynets and Honeypots" discusses issues in setting up and maintaining honeypots and honeynets, covers some of the honeynet data control and data capture requirements and touches on benefits from research honeypots in discovering attacks and attack patterns. [published in the ISSA "Password" magazine] (01/17/2003) "Honeypot Essentials" The paper describes the honeypot technology and how it can be used. [published in the "Journal of Information Systems Security"] (04/25/2003) "Days of the Honeynet: Attacks, Tools, Incidents" The paper covers some of the daily events happening in the honeynet - decoy network - run by the author [published at LinuxSecurity.com] Also featured on InfosecWriters.com (07/24/2003) "Honeynets: High Value Security Data" The article covers the types of data collected from the honeynet and its value for security [published in the Elsevier Compsec Online portal] Local copy here
Security Tools and Intrusion Detection (08/2001) "Free security tools review" describes several most popular one-source security tools and their best uses for enterprise defense [published at SecurityWatch] (02/06/2002) "Network IDS Shortcomings: Has NIDS Reached the End of the Road?" Article about confusing network IDS sensors by sending carefully crafted TCP/IP packets [published at SC Magazine web portal] (04/22/2002) "Intrusion Detection Response" About using Linux/UNIX intrusion detection system snort to respond to attacks. It describes requirements and some implementation issues. [published at LinuxSecurity.com portal site] Italian translation is here (11/06/2002) "Complete Snort-based IDS Architecture, Part I" On setting up a complete snort-based intrusion detection infrastructure for switched or shared LAN in point or distributed configuration. [published at SecurityFocus] (11/19/2002) "Complete Snort-based IDS Architecture, Part II [published at SecurityFocus] (02/20/2003) "Five IDS mistakes that companies make" Briefly describes the five common mistakes companies make while deploying network intrusion detection and how to deal with them. [published at Computerworld] (04/08/2003) "Ups and Downs of UNIX/Linux Host-Based Security Solutions" Covers UNIX and Linux host security solutions (such as host IDS and integrity checkers), their limitations and attacks against them. [published in USENIX ;login magazine] (10/08/2003) "Monitoring IDS" Describes requirements for monitoring intrusion detection systems. [published in "Information Systems Security"]	UNIX/Linux Security (04/23/2001) "Comparison of iptables automation tools" describes automated tools used for setting newest Linux firewalling code, iptables and touches on security enhancements of 2.4 kernels [published at SecurityFocus] (10/20/2001) "Anonymizing with Squid Proxy" is about the setup of squid proxy and cache in combination with secure shell to get a simple web anonymizer [published at SecurityFocus] (12/13/2000) "Linux Internet Kiosks" covers security issues in Linux public web access terminals [published at SecurityFocus] (12/31/2001) "IPTables Linux firewall with packet string-matching support" Applications of new iptables capabilities: pattern matching in packet payloads [published at SecurityFocus] (01/23/2002) "Linux kernel hardening" Describes UNIX system hardening with an emphasis on kernel hardening using various kernel patches and high-security add-ons [published at SecurityFocus] (02/10/2002) "Using Chroot Securely" Outlines how to best use chroot() system call for enahnced security in UNIX programs and how to break from sloppy chroot jail [published at LinuxSecurity.com] (03/10/2002) "Linux Data Hiding and Recovery" Describes ways to hide data on Linux ext2 partitions, recover hidden and erased data and to make sure that erased data stays this way [published at LinuxSecurity.com and featured on Slashdot.org] Russian translation is here. Spanish translation is here. (05/01/2002) "Restricting UNIX Users" Talks about the ways to restrict the activities and privileges of non-root UNIX users on a system. [published at SecurityFocus] (03/05/2003) "An Overview of Unix Rootkits" Provides detailed discussion of UNIX/Linux rootkits, packages of tools to maintain the presense on the compromised systems. [distributed by iDefense] A paper review is here
Application security (08/2001) "Anti-defacement products: defense in-depth or an excure for poor system security"  reviews web application security approaches [published at SecurityWatch]	VPN, IPSec and encryption (08/2001) "Future IP Security" outlines the future of IP addressing (IPv6) and focuses on the security components of next generation IP services (IPsec) [published at SecurityWatch] (03/2007) "Five mistakes of data encryption" covers some of the other mistakes that often occur when organizations try to use encryption to protect data at rest and data in transit and thus improve their security posture.) [published at ComputerWorld]
Vulnerability Analysis Hack-of-the-Week series  takes a recent vulnerability in some popular operating system or other software and studies it. Realistic exploit scenarios are developed, and suggested ways of mitigating risks are considered and new ones proposed [published at SecurityWatch] (08/2001)  "Vulnerability in popular Linux network software Samba" (08/2001) "MS Hotmail and Messenger flaws" (08/2001) "Windows Media player NSC file bug" (08/2001)  "Fetchmail remote root" (08/2001) "HTML form tricks to have others do your hacking" (08/2001) "Sendmail local root" Other vulnerability and penetration testing articles (05/01/2002) "Standardizing Penetration Testing" Gives an outlines of popular penetration testing methodology (OSSPTMM) and challenges with standartizing penetration testing. [published at SC Magazine web portal] (04/22/2003) "Covert Channels" A modern review of network covert channeling methods which compares them with classic "Rainbow Series" covert channles on secure operating systems [submitted for publication]	Security Basics and FAQs (09/2001) "Secure Shell (SSH): a brief guide" Brief guide to many of the Secure Shell features with command samples and Linux/Windows configuration tips [local copy]  (11/05/2001) "Basic Security Checklist for Home and Office Users" A concise checklist of many important things that company and home computer users should be convinced to do. It will drastically increase the level of security at very low cost (can be used for enterprise basic security awareness program) [published at SecurityFocus] Information Security FAQs (08/2001) Infosecurity FAQ for system/network administrators and IT personnel [published at SecurityWatch] (08/2001) Infosecurity FAQ for managers [published at SecurityWatch] (08/2001) Infosecurity FAQ for end-users [published at SecurityWatch]
Other IT issues (non-security) (12/13/2000) "Access the Web Anywhere" [published in Linux Journal] (01/1999) "'Pocket' ISP based on RedHat Linux HOWTO" [published on LinuxDoc.org] (05/1999) "Linux web browser station mini-HOWTO" [published on LinuxDoc.org]	Digital risks (09/2001) "Digital risks taxonomy" A diagram that structures digital risks (such as hacking, Do, etc) in the form useful for impact assessment for the purposes of insurance [local copy]  (09/2001) "Impacts of digital risks on enterprise" [under development] (12/05/2001) "Infrastructure Protection: Infosec Perspective" The paper covers issues in critical infrastructure protection and information security, lists several focus areas that need efforts and summarizes the results of recent meeting in New England on infrastructure protection. [published at SC Magazine web portal] (11/11/2001) "Protecting New England: A Call to Action" The paper summarizes the results of joint meeting on critical infrastructure protection in New England and infosecurity community role in increasing information sharing [published at ISSA web site in PDF format]