Dr Anton Chuvakin Information Security Publications

• (08/15/2002) "Take Back Your Security Infrastructure" Covers the impact of audit trail and system log management on the enterprise. [published at SC Magazine web portal]
• (01/28/2002) "Approaches to choosing the strength of your security measures" Article discusses various ways of choosing the level of security for your company [published at LinuxSecurity.com portal site and featured at LinuxToday.com]
• (12/12/2002) "Security response for the small office environment" (part I of III) Article covers dealing with security events for various environments: small office, medium company and large environment. This part is about a small office environment. [published at Computerworld]
• (12/17/2002) "Security response in a midsize office" (part II of III) Article covers dealing with security event analysis for a medium size company. [published at Computerworld]
• (01/07/2003) "Security response at a large company" (part III of III) Article describes the intricacies of dealing with security events and incidents at a large company. [published at Computerworld]
• (09/14/2004) "Automated Incident Handling Using SIM" This paper covers how Security Information Products (SIM) such as netForensics can help to automate the enterprise incident management processes (investigation, evidence collection, etc). [published in ISSA Journal]
• (03/02/2005) "Real-time fallacy: how real-time your security really is?" This talks about the timing aspect of your security and discusses where real-time security is needed. [published in CSI Alert newsletter]
• (04/08/2005) "Five Mistakes of Incident Response" This article covers five common mistakes committed by the organizations while planning and executing their incident response programs. [published in "ComputerWorld"]
• (03/18/2008) "Unified GRC: Replacing a piecemeal response to compliance" The paper attempts to cover whatever useful stuff in IT GRC. [published in "SC Magazine"]

• (08/01/2002) "Advanced Log Processing" This article offer a brief overview of log analysis particularly: log transmission, log collection and log analysis. It goes into some detail on using SQL for storing and analyzing security log files. [published at SecurityFocus] Italian translation is here
• (12/13/2002) "Cross Platform Security Analysis" The article discusses the issues of event data collection, analysis and presentation, outlining many challenges with Security Information Management (SIM) technology and its enterprise deployment. [published at "The Internet Security Conference Newsletter (TISC Insight)"]
• (09/02/2003) "Event Correlation in Security" covers the security event analysis through several types of correlation methods. [published at "The Internet Security Conference Newsletter (TISC Insight)"]
• (09/14/2004) "Security Event Analysis through Correlation" covers correlating intrusion and other security events using rules and statistical methods as implemented by SIM products. [published in Information Systems Security/ISC2 Journal (Volume 13, Issue 2 (May 2004))]
• (10/21/2004) "Five mistakes of log analysis" covers the typical mistakes organizations make when analyzing audit logs and other security-related records produced by security infrastructure components. [published at ComputerWorld]
• (10/25/2004) "Issues Discovering Compromised Machines" discusses the problem of reliably discovering the compromised machines on corporate networks. [published at SecurityFocus]
• (01/25/2007) "Introduction to Database Log Management" discusses the issues related to database logs and log analysis. [published in CSI Alert Newsletter]
• (07/01/2007) "Database Logs: The Underutilized Security Bulwark" discusses database logs and methods for their collection and analysis. [published in "IT Defense" Magazine]
• (11/01/2007) "Log Analysis Across System Boundaries for Security, Compliance and Operations" discusses how and why to collect and analyze network and server logs enterprise-wide. [published in "Enterprise Networks and Servers" Magazine]
• (12/01/2007) "Tips and Trends on Database Log Management" discusses database logs and methods for their collection and analysis. [published in "DM Review" Magazine]
• (07/08/2007) "Introduction to Database Log Management" discusses database log analysis. [published in InfoSecWriters.com]
• (08/31/2007) "Six Mistakes of Log Management" covers common mistakes of log analysis and log management. [published in InfoSecWriters.com]
• (3/20/2008)Network, Database, and System Log Data Management: The What, Why, and How" The paper covers the basics of platform and application logging. "Computer Technology Review" [published in "Computer Technology Review"]
• (03/03/2009)"Logging in the Age of Web Services" (with Gunnar Peterson) covers the issues related to audit and event logging in SOA and WS environments. [published in IEEE Security & Privacy Home]
• (3/8/2010)"PCI DSS logging: A must for compliance" (part 1) reviews logging requirements imposed by the Payment Card Industry Data Security Standard [published in "Network World" newsletter]
• (3/10/2010)"Practical priorities in PCI DSS logging" (part 2) presents some practical guidance on PCI DSS logging [published in "Network World" newsletter]
• (2/2/2010)"Shut up and Log!" motivates people to take logs seriously [published in Feb 2010 issue of "Network Computing"]

• (05/18/2007) "Incident management in the age of compliance" This article covers how recent compliance mandates changed incident response programs and practices. [published in "ComputerWorld"]
• (07/07/2007) "Log management in the age of compliance" This article covers how recent compliance mandates changed log analysis and log management programs and practices. [published in "ComputerWorld"]
• (09/16/2007) "Intrusion detection in the age of compliance" This article covers how recent compliance mandates changed intrusion detection. [published in "ComputerWorld"]
• (11/19/2007) "Computer forensics in the age of compliance" This article covers how recent compliance mandates changed computer forensics programs and practices. [published in "ComputerWorld"]
• (1/28/2008) "Security policy in the age of compliance" This article covers how recent compliance mandates changed security policy requirements. [published in "ComputerWorld"]
• (4/16/2009) "PCI Shrugged: Debunking Criticisms of PCI DSS" (with Ben Rothke) This covers the debunking of common criticisms of PCI DSS [published in "CSO Magazine" online]
• (12/2/2009)"Security First or Compliance First?" discusses what shoud come first: security or compliance (duh!)
• (8/2/2009)"What Do I Really Need To Do To STAY PCI DSS Compliant?" covers how to maintain compliant and secure status, not just achieve it

In Russian:

• "ォ???????????? ?? ?????? ?????サ ??? ォ???????????? ?? ?????? ?????サ? - ??????"

• (03/20/2001) "NLP-powered Social Engineering Attacks" describes a scary way of performing Social Engineering attacks based on powerful NLP persuasion technology [published at SecurityFocus]
• (08/2001) "Internal attacks: Doom of Information Security" Research report on internal security breaches, attacker motivations, various countermeasures and their relative efficiency [published in the Journal of Information Security (CRC)]
• (11/01/2007) "Log Analysis vs. Insider Attacks" covers how logs provide one of the few effective methods vs insider attacks. [published at "ISSA Journal"]
• (2/29/2008) "Five basic mistakes of security policy" covers common mistakes of security policy management. [published at "Computer World"]

• (08/2001) "Your money or your life?" evaluates risks and impacts of web page defacements versus hidden server penetrations [published at SecurityWatch]
• (05/08/2002) "FTP Attack Case Study Part I: The Analysis" (also published here at SecurityWriters.org) covers a detailed case study of a hacker penetration with network and hard drive forensics, hacker tool analysis and network infrastructure analysis [published at LinuxSecurity.com] Spanish translation is here
• (06/19/2002) "FTP Attack Case Study Part II: The Lessons" (also published here at SecurityWriters.org) covers several important security lessons drawn from the above case [published at LinuxSecurity.com] Spanish translation is here
• (05/04/2007) "Protected ? but 0wned: A Real-world Example of Today痴 Desktop Security" contains a fun case study of a infected system investigation. [published at InfoSecWriters.com]

• (06/18/2002) "Lessons of the Honeypot I: Aggressive and Careless" describes some of the lessons one can get from running a honeypot [published at SC Magazine web portal]
• (09/25/2002) "Lessons of the Honeypot II: Expect the Unexpected" outlines how honeynets and honeypots present an ultimate challenge in information security [published at SC Magazine web portal]
• (10/08/2002) "Whys and Hows of Honeynets and Honeypots" discusses issues in setting up and maintaining honeypots and honeynets, covers some of the honeynet data control and data capture requirements and touches on benefits from research honeypots in discovering attacks and attack patterns. [published in the ISSA "Password" magazine]
• (01/17/2003) "Honeypot Essentials" The paper describes the honeypot technology and how it can be used. [published in the "Journal of Information Systems Security"]
• (04/25/2003) "Days of the Honeynet: Attacks, Tools, Incidents" The paper covers some of the daily events happening in the honeynet - decoy network - run by the author [published at LinuxSecurity.com] Also featured on InfosecWriters.com
• (07/24/2003) "Honeynets: High Value Security Data" The article covers the types of data collected from the honeynet and its value for security [published in the Elsevier Compsec Online portal] Local copy here

• (08/2001) "Free security tools review" describes several most popular one-source security tools and their best uses for enterprise defense [published at SecurityWatch]
• (02/06/2002) "Network IDS Shortcomings: Has NIDS Reached the End of the Road?" Article about confusing network IDS sensors by sending carefully crafted TCP/IP packets [published at SC Magazine web portal]
• (04/22/2002) "Intrusion Detection Response" About using Linux/UNIX intrusion detection system snort to respond to attacks. It describes requirements and some implementation issues. [published at LinuxSecurity.com portal site] Italian translation is here
• (11/06/2002) "Complete Snort-based IDS Architecture, Part I" On setting up a complete snort-based intrusion detection infrastructure for switched or shared LAN in point or distributed configuration. [published at SecurityFocus]
• (11/19/2002) "Complete Snort-based IDS Architecture, Part II [published at SecurityFocus]
• (02/20/2003) "Five IDS mistakes that companies make" Briefly describes the five common mistakes companies make while deploying network intrusion detection and how to deal with them. [published at Computerworld]
• (04/08/2003) "Ups and Downs of UNIX/Linux Host-Based Security Solutions" Covers UNIX and Linux host security solutions (such as host IDS and integrity checkers), their limitations and attacks against them. [published in USENIX ;login magazine]
• (10/08/2003) "Monitoring IDS" Describes requirements for monitoring intrusion detection systems. [published in "Information Systems Security"]

UNIX/Linux Security

• (04/23/2001) "Comparison of iptables automation tools" describes automated tools used for setting newest Linux firewalling code, iptables and touches on security enhancements of 2.4 kernels [published at SecurityFocus]
• (10/20/2001) "Anonymizing with Squid Proxy" is about the setup of squid proxy and cache in combination with secure shell to get a simple web anonymizer [published at SecurityFocus]
• (12/13/2000) "Linux Internet Kiosks" covers security issues in Linux public web access terminals [published at SecurityFocus]
• (12/31/2001) "IPTables Linux firewall with packet string-matching support" Applications of new iptables capabilities: pattern matching in packet payloads [published at SecurityFocus]
• (01/23/2002) "Linux kernel hardening" Describes UNIX system hardening with an emphasis on kernel hardening using various kernel patches and high-security add-ons [published at SecurityFocus]
• (02/10/2002) "Using Chroot Securely" Outlines how to best use chroot() system call for enahnced security in UNIX programs and how to break from sloppy chroot jail [published at LinuxSecurity.com]
• (03/10/2002) "Linux Data Hiding and Recovery" Describes ways to hide data on Linux ext2 partitions, recover hidden and erased data and to make sure that erased data stays this way [published at LinuxSecurity.com and featured on Slashdot.org] Russian translation is here. Spanish translation is here.
• (05/01/2002) "Restricting UNIX Users" Talks about the ways to restrict the activities and privileges of non-root UNIX users on a system. [published at SecurityFocus]
• (03/05/2003) "An Overview of Unix Rootkits" Provides detailed discussion of UNIX/Linux rootkits, packages of tools to maintain the presense on the compromised systems. [distributed by iDefense] A paper review is here

• (08/2001) "Anti-defacement products: defense in-depth or an excure for poor system security" reviews web application security approaches [published at SecurityWatch]

• (08/2001) "Future IP Security" outlines the future of IP addressing (IPv6) and focuses on the security components of next generation IP services (IPsec) [published at SecurityWatch]
• (03/2007) "Five mistakes of data encryption" covers some of the other mistakes that often occur when organizations try to use encryption to protect data at rest and data in transit and thus improve their security posture.) [published at ComputerWorld]

Hack-of-the-Week series takes a recent vulnerability in some popular operating system or other software and studies it. Realistic exploit scenarios are developed, and suggested ways of mitigating risks are considered and new ones proposed [published at SecurityWatch]

• (08/2001) "Vulnerability in popular Linux network software Samba"
• (08/2001) "MS Hotmail and Messenger flaws"
• (08/2001) "Windows Media player NSC file bug"
• (08/2001) "Fetchmail remote root"
• (08/2001) "HTML form tricks to have others do your hacking"
• (08/2001) "Sendmail local root"

Other vulnerability and penetration testing articles

• (05/01/2002) "Standardizing Penetration Testing" Gives an outlines of popular penetration testing methodology (OSSPTMM) and challenges with standartizing penetration testing. [published at SC Magazine web portal]
• (04/22/2003) "Covert Channels" A modern review of network covert channeling methods which compares them with classic "Rainbow Series" covert channles on secure operating systems [submitted for publication]

• (09/2001) "Secure Shell (SSH): a brief guide" Brief guide to many of the Secure Shell features with command samples and Linux/Windows configuration tips [local copy]
• (11/05/2001) "Basic Security Checklist for Home and Office Users" A concise checklist of many important things that company and home computer users should be convinced to do. It will drastically increase the level of security at very low cost (can be used for enterprise basic security awareness program) [published at SecurityFocus]

• (08/2001) Infosecurity FAQ for system/network administrators and IT personnel [published at SecurityWatch]
• (08/2001) Infosecurity FAQ for managers [published at SecurityWatch]
• (08/2001) Infosecurity FAQ for end-users [published at SecurityWatch]

• (12/13/2000) "Access the Web Anywhere" [published in Linux Journal]
• (01/1999) "'Pocket' ISP based on RedHat Linux HOWTO" [published on LinuxDoc.org]
• (05/1999) "Linux web browser station mini-HOWTO" [published on LinuxDoc.org]

• (09/2001) "Digital risks taxonomy" A diagram that structures digital risks (such as hacking, Do, etc) in the form useful for impact assessment for the purposes of insurance [local copy]
• (09/2001) "Impacts of digital risks on enterprise" [under development]
• (12/05/2001) "Infrastructure Protection: Infosec Perspective" The paper covers issues in critical infrastructure protection and information security, lists several focus areas that need efforts and summarizes the results of recent meeting in New England on infrastructure protection. [published at SC Magazine web portal]
• (11/11/2001) "Protecting New England: A Call to Action" The paper summarizes the results of joint meeting on critical infrastructure protection in New England and infosecurity community role in increasing information sharing [published at ISSA web site in PDF format]