Every Software Vendor Must Read and Heed

Matt Olney and I spoke about the role of a Product Security Incident Response Team (PSIRT) at my SANS Incident Detection Summit this month. I asked if he would share his thoughts on how code vendors should appendage vulnerability brainstorm in their code products. I am really entertained to inform that Matt wrote a thorough, public journal place named Matt's Guide to Vendor Response. Every code vendor staleness feature and heed this post. "Software vendor" includes any consort that sells a creation that runs software, whether it is a PC, mobile device, or a element papers executing firmware. Hmm, that includes meet about everyone these days, except the little old ladies selling artifact at the plaything store. Seriously, let's attain 2010 the assemblage of the PSIRT -- the assemblage companies attain handling with vulnerabilities in their code an operational priority. I'm not conversation about "building security in" -- that's been going on for a while. Until I crapper meet a alteration of company.com/psirt, I'm not satisfied. For that matter, I'd same to wager company.com/cirt as well, so outsiders crapper occurrence a consort that strength be unknowingly feat pain for Internet users. (And yes, if you're wondering, we're working on both at my company!)Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

Difference Between Bejtlich Class and SANS Class

A interpret on my terminal post, Reminder: Bejtlich Teaching at Negroid Hat DC 2010, a reverend asked:I am trying to intend my consort sponsorship for your collection at Negroid Hat. However, I was ask to reassert between your collection and SANS 503, Intrusion Detection In-Depth. Would you be healthy to wage some advice?That's a beatific question, but it's easy enough to answer. The coverall saucer to keep in nous is that protocol Weapons School 2.0 is a newborn class, and when I create a newborn collection I organisation it to be assorted from everything that's currently on the market. It doesn't attain sense to me to inform the aforementioned topics, or ingest the aforementioned doctrine techniques, institute in classes already existence offered. Therefore, when I prototypal taught TWS2 at Negroid Hat DC terminal year, I prefabricated trusty it was unlike anything provided by SANS or other trainers.Beyond existence unique, here are some specific points to consider. I'm trusty I'll intend some howls of oppose from the SANS folks, but they hit their own platform to reassert their approach. The digit classes are rattling different, apiece with a unique focus. It's up to the enrollee to end what sort of touchable he or she wants to learn, in what environment, using whatever methods he or she prefers. I don't wager anything specifically "wrong" with the SANS approach, but I maintain that a enrollee module wager skills more appropriate for their surround in my class.

• TWS2 is a case-driven, hands-on, lab-centric class. SANS is largely a slide-driven class. When you listen my collection you intend threesome handouts: 1) a workbook explaining how to dissect digital evidence; 2) a workbook with questions for 15 cases; and 3) a teacher's pass responsive all of the questions for the 15 cases. There are no slides aside from a some work items and a diagram or digit to explain how the collection is ordered up. When you listen SANS you module obtain individual sets of slide decks that the pedagogue module exhibit during the instruction of the class. You module also hit labs but they are not the pore of the class.
• I fashioned TWS2 to foregather the needs of a wide arrange of students, from beginners to modern practitioners. TWS2 attendees typically closing 5-7 cases per class, with the remainder suitable for "homework." Students can work at their own pace, although we counterbalance destined cases at checkpoints during the class. A some students hit complete all 15 cases, and I ofttimes ask if those students are looking for a newborn possibleness with my team!
• TWS2 is most work digital evidence, primarily in the modify of meshwork traffic, logs, and some module captures. The pore is irresistibly on the content and not the container. SANS spends more happening on the container and inferior on the content.For example, if you countenance at the SANS instruction overview, you'll wager they spend the prototypal threesome chronicle on protocol headers and psychotherapy with Tcpdump. Again, there's nothing criminal with that, but I don't tending so such most what bit in the protocol brick corresponds to the RST flag. That was mildly engrossing in the New 1990s when that conception of the SANS instruction was written, but the noesis of a meshwork conversation has been more essential this decade. Therefore, my collection focuses on what is existence said and inferior on how it was transmitted.
• TWS2 is not most Snort. While students do hit access to a fully-functional Sguil happening with Snort alerts, SANCP session data, and flooded noesis libpcap meshwork traffic, I do not spend happening explaining how to indite Snort alerts. SANS spends at small one period conversation most Snort.
• TWS is not most SIM/SEM/SIEM. Any "correlation" between different forms of grounds takes locate in the student's mind, or using the liberated Splunk happening containing the logs collected from apiece case. If you study dumping grounds into a system same Splunk, and then querying that evidence, to be "correlation," then we hit "correlation." (Please wager Defining Security Event Correlation for my thoughts on that subject.) SANS spends digit chronicle on evenhandedly simple unstoppered maker options for "correlation" and "traffic analysis."
• TWS cases counterbalance a panoramic difference of activity, patch SANS is narrowly focused on suspicious and malicious meshwork traffic. I definite to indite cases that counterbalance some of the sorts of activities I expect an project incident detector and responder to encounter during his or her professional duties. I also do not dictate some azygos move to work apiece case. Just same real life, I want the enrollee to produce an answer. I tending inferior most how he or she analyzed the accumulation to produce that answer, as long as the chain of rational is good and the enrollee can reassert and move his or her methodology.

I hope that helps prospective students attain a choice. I'll state that I don't beam some of my analysts to the SANS "intrusion detection" class. We wage in-house upbringing that includes my touchable but also focuses on the sorts of decision-making and grounds sources we encounter to be most trenchant in my company. Also gratify state this locate concentrated on the differences between my collection and the SANS "intrusion detection" class, and does not apply to other SANS classes.Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

how to install ndis atheros wifi driver on lenovo T60 ubuntu

download the windows xp utility from : http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-70480install with the 1st initiate with intoxicant to extract the utility filescopy the extracted utility from : ~/.wine/drive_c/DRIVERS/WIN/WLLANATH/WinXP_2Kto ~/lenovoisntall :sudo apt-get install ndisgtkdisable the ath9k utility :sudo modprobe -vr ath9kactivate the ndis utility :Go to System>Administration>Windows Wirless Drivers, (NDISWRAPPER module unstoppered now, (after countersign is given)).Choose Install Driver.Goto location line, click on the right folder journalism and feeding to:~/lenovo/WLLANATH/WinXP_2KChoose to install.to stop ath9k loading at bootsudo healthiness /etc/modprobe.d/blacklist.confblacklist ath9krebootreference :http://ubuntuforums.org/showthread.php?t=739998

how to configure ubuntu linux to manage amazon ec2 machine

start an happening @https://console.aws.amazon.com/ec2/homedownload : ec2-api-tools @http://developer.amazonwebservices.com/connect/entry.jspa?externalID=351unzip to $HOME/bin/ec2-api-tools-1.3-46266add to .bashrc :# EC2 - begin export EC2_PRIVATE_KEY=$HOME/keys/pk-KWJIYEWJXT7MOMSS2OHMIS7IYLHAGTN7.pemexport EC2_CERT=$HOME/keys/cert-KWJIYEWJXT7MOMSS2OHMIS7IYLHAGTN7.pemexport EC2_HOME=$HOME/bin/ec2-api-tools-1.3-46266export JAVA_HOME=/usr/lib/jvm/java-6-sun/jre/# EC2 - endrun :. .bashrctest :./bin/ec2-api-tools-1.3-46266/bin/ec2-describe-instancesdocs : http://docs.amazonwebservices.com/AWSEC2/latest/CommandLineReference/https://help.ubuntu.com/community/EC2StartersGuide

Reminder: Bejtlich Teaching at Black Hat DC 2010

Black Hat was category sufficiency to elicit me backwards to inform multiple sessions of my 2-day instruction this year. First up is Negroid Hat DC 2010 Training on 31 January and 01 Feb 2010 at Grand Hyatt Crystal City in Arlington, VA. I module be teaching protocol Weapons School 2.0. Registration is today open. Negroid Hat set fivesome price points and deadlines for registration, but only these threesome are left.

• Regular ends 15 Jan
• Late ends 30 Jan
• Onsite starts at the conference

Seats are filling -- it pays to run early!If you analyse the Sample Lab I posted early this year, this collection is all most nonindustrial an investigative mindset by hands-on analysis, using tools you crapper verify backwards to your work. Furthermore, you crapper verify the collection materials backwards to impact -- an 84 tender enquiry guide, a 25 tender enrollee workbook, and a 120 tender teacher's guide, plus the DVD. I have been speech with other trainers who are adopting this format after deciding they are also bushed of the PowerPoint motion parade.Feedback from my 2009 sessions was great. Two examples:"Truly awing -- Richard's collection was packed full of noesis and presented in an understandable manner." (Comment from student, 28 Jul 09)"In sextet eld of present Negroid Hat (seven courses taken) Richard was the prizewinning instructor." (Comment from student, 28 Jul 09) If you've attended a protocol Weapons School collection before 2009, you are most recognize in the new one. Unless you attended my Negroid Hat upbringing in 2009, you module not wager some repeat material whatsoever in TWS2. Older TWS classes awninged network reciprocation and attacks at different levels of the OSI model. TWS2 is more like a forensics class, with network, log, and attendant evidence.I module also be teaching in metropolis and Las Vegas, but I module announce those dates later.I strongly propose present the Briefings on 2-3 Feb. Maybe it's meet my interests, but I find the scheduled speaker itemize to be rattling compelling.I countenance nervy to seeing you. Thank you.Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

Favorite Speaker Quotes from SANS Incident Detection Summit

Taking another countenance at my notes, I institute a bunch of quotes from speakers that I intellection you might like to hear.

• "If you think you're not using a MSSP, you already are. It's titled anti-virus." Can anyone claim that, from the CIRTs and MSSPs panel?
• Seth uranologist said "Bro is a programming module with a -i alter to inspire traffic."
• Seth uranologist said "You're feat to lose." Matt Olney united and swollen on that by saying "Hopefully you're feat to retrograde in a way you recognize."
• Matt Olney also said "Give your shrink a chance." ["All we are sayyy-ing..."]
• Matt Jonkman said "Don't be afeard of blocking." It's not 2004 anymore. Matt stressed the programme of reputation when triggering signatures, for example onset an alert when an Amazon.com-style address letter is sent to a non-Amazon.com server.
• Ron Shaffer said "Bad guys are following the rules of your network to fulfill their mission."
• Steve Sturges said "Snort 3.0 is a investigate project."
• Gunter Ollmann said "Threats have a declining interest in persistence. Just utilise the application and finish when closed. Users are due to repeat venturous behavior, and embellish compromised again anyway."

Thanks again to all of our speakers!Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

Notes from Tony Sager Keynote at SANS

I took a some notes at the SANS Incident Detection Summit tone by Tony Sager terminal week. I thought you strength like to see what I recorded. All of the speakers made some interesting comments, but it was really exclusive during the start of the second day, when Tony spoke, when I had instance to write downbound some insights. If you're not old with Tony, he is honcho of the Vulnerability Analysis and Operations (VAO) Group in NSA.

• These days, the US goes to struggle with its friends (i.e., allies fight with the us against a ordinary adversary). However, the US doesn't undergo its friends until the period before the war, and not every of the US' friends like apiece other. These realities modify aggregation assurance.
• Commanders hit been drilled to accept a destined verify of error in physical space. They do not move to undergo the literal sort of bullets on assistance before a battle, for example. However, they often move to undergo exactly how some computers they hit at hand, as well as their state. Commanders module requirement to develop a verify of richness with uncertainty.
• Far likewise such aggregation sureness is at the front line, where the burden rests with the small trained, small experienced, yet well-meaning, people. Think of the soldier firm from school school answerable for "making it work" in the field. Hence, Tony's inflection on shifting the burden to vendors where possible.
• "When nations compete, everybody cheats." [Note: this is added artefact to advert that with aggregation assurance, the difference is the intelligent adversary.]
• The intense guy's playing model is more economical than the good guy's playing model. They are global, competitive, distributed, efficient, and agile. [My verify on that is the financially-motivated computer criminals actually acquire ROI from their activities because they are making money. Defenders are only avoiding losses.
• The prizewinning artefact to finish the adversary is to increase his cost, verify of uncertainty, and exposure. Introducing these, especially uncertainty, causes the adversary to stop, wait, and rethink his activity.
• Defenders can't afford perfection, and the definition changes by the minute anyway. [This is added modify of the Defender's Dilemma -- what should we try to save, and what should we sacrifice? On the added assistance we hit the Intruder's Dilemma, which Aaron Walters calls the Persistence Paradox -- how to fulfill a assignment that changes a system while remaining undetected.]
• Our problems are currently characterized by coordination and noesis management, and inferior by technical issues.
• Human-to-human occurrence doesn't scale. Neither does message text. Hence Tony's promotion of standards-based communication.

Thanks again to Tony and our period digit tone Ron Gula!Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

how to enable syntax highlight imacros iim scripts in gedit on ubuntu linux

download imacros.lang from http://albertux.ayalasoft.com/tag/imacros/sudo cp imacros.lang /usr/share/gtksourceview-2.0/language-specs/sudo chmod a+r /usr/share/gtksourceview-2.0/language-specs/imacros.langrestart gedit

how to configure fixed ip on ubuntu linux

sudo healthiness /etc/network/interfaces[ CHANGE : ]# The primary meshwork interfaceauto eth0iface eth0 inet dhcp[ TO : ]# The primary meshwork interfaceauto eth0#iface eth0 inet dhcpiface eth0 inet noise come 192.168.0.8 netmask 255.255.255.0 meshwork 192.168.0.0 programme 192.168.0.255 gateway 192.168.0.1 dns-nameservers 8.8.8.8

how to find & fix badblocks on ext3 partittion

readonly effort :sudo e2fsck -c -C 0 -y -vv /dev/sdi1read-write effort :sudo e2fsck -cc -C 0 -y -vv /dev/sdi1

Keeping FreeBSD Up-to-Date in BSD Magazine

Keep your eyes open for the stylish printed BSD Magazine, with my article Keeping FreeBSD Up-To-Date: OS Essentials. This article is something same 18 pages long, because at the terminal time the publishers had individual authors withdraw articles. The publishers decided to print the long edition of my article, so it's far individual than I expected! We're currently altered the consort piece on ownership FreeBSD applications up-to-date. I wait to also accede an article on streaming Sguil on FreeBSD 8.0 when I intend a quantity to effort the stylish edition in my lab.Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

how to install eclipse with sftp on ubuntu linux

option 1: Aptana Studio http://www.aptana.org/option 2: Eclipse Pulse http://www.poweredbypulse.com/option 3: how to install sftp on some eclipsehelp->install new[wait for the class to updateselect : -- Alla Avaliable Sites --search : target managmenthelp->install new[wait for the class to updateselect : -- Alla Avaliable Sites --search : remote system

how to find all unread email in gmail inbox

search :label:inbox is:unreadcreate rule to evaluation every as read, apply, withdraw rule

how to configure polipo proxy on ubuntu linux

sudo apt-get establish poliposudo healthiness /etc/polipo/config================================= 8< =======================================# Sample plan enter for Polipo. -*-sh-*-# You should not requirement to modify this plan file; every configuration# variables hit commonsensible defaults.# This enter exclusive contains some of the plan variables; wager the# list presented by ``polipo -v'' and the manual for more.### Basic configuration### *******************# Uncomment digit of these if you poverty to earmark far clients to# connect:# proxyAddress = "::0" # both IPv4 and IPv6proxyAddress = "0.0.0.0" # IPv4 only# If you are sanctioning 'proxyAddress' above, then you poverty to enable the# 'allowedClients' variable to the address of your network, e.g.allowedClients = 127.0.0.1, 192.168.0.0/24 # allowedClients = 127.0.0.1 # Uncomment this if you poverty your Polipo to identify itself by# something added than the patron name:# proxyName = "polipo.example.org"# Uncomment this if there's exclusive digit user using this instance of Polipo:# cacheIsShared = false# Uncomment this if you poverty to ingest a parent proxy:# parentProxy = "squid.example.org:3128"# Uncomment this if you poverty to ingest a parent SOCKS proxy:# socksParentProxy = "localhost:9050"# socksProxyType = socks5### Memory### ******# Uncomment this if you poverty Polipo to ingest a preposterously diminutive amount# of module (a hundred C-64 worth or so):# chunkHighMark = 819200# objectHighMark = 128# Uncomment this if you've got plenty of memory:# chunkHighMark = 50331648# objectHighMark = 16384### On-disk data### ************# Uncomment this if you poverty to alter the on-disk cache:# diskCacheRoot = ""# Uncomment this if you poverty to put the on-disk store in a# non-standard location:# diskCacheRoot = "~/.polipo-cache/"# Uncomment this if you poverty to alter the local scheme server:# localDocumentRoot = ""# Uncomment this if you poverty to enable the pages low /polipo/index?# and /polipo/servers?. This is a serious concealment revealing if your proxy# is shared.disableIndexing = falsedisableServersList = false### Domain Name System### ******************# Uncomment this if you poverty to contact IPv4 hosts exclusive (and make DNS# queries somewhat faster):# dnsQueryIPv6 = no# Uncomment this if you poverty Polipo to favour IPv4 to IPv6 for# double-stack hosts:# dnsQueryIPv6 = reluctantly# Uncomment this to alter Polipo's DNS resolver and ingest the system's# choice resolver instead. If you do that, Polipo module withhold during# every DNS query:# dnsUseGethostbyname = yes### HTTP### ****# Uncomment this if you poverty to enable spotting of proxy loops.# This module drive your hostname (or some you put into proxyName# above) to be included in every request:# disableVia=false# Uncomment this if you poverty to slightly turn the turn of# information that you revealing most yourself:# censoredHeaders = from, accept-language# censorReferer = maybe# Uncomment this if you're paranoid. This module break a lot of sites,# though:# censoredHeaders = set-cookie, cookie, cookie2, from, accept-language# censorReferer = true# Uncomment this if you poverty to ingest Poor Man's Multiplexing; increase# the sizes if you're on a fast line. They should each turn to a few# seconds' worth of transfer; if pmmSize is small, you'll want# pmmFirstSize to be larger.# Note that PMM is somewhat unreliable.pmmFirstSize = 16384pmmSize = 8192# Uncomment this if your user-agent does something commonsensible with# Warning headers (most don't):# relaxTransparency = maybe# Uncomment this if you never poverty to revalidate instances for which# accumulation is available (this is not a good idea):# relaxTransparency = yes# Uncomment this if you hit no network:# proxyOffline = yes# Uncomment this if you poverty to avoid revalidating instances with a# Vary brick (this is not a good idea):# mindlesslyCacheVary = true# Suggestions from Incognito configurationmaxConnectionAge = 5mmaxConnectionRequests = 120serverMaxSlots = 8serverSlots = 2tunnelAllowedPorts = 1-65535================================= 8< =======================================sudo /etc/init.d/polipo restart

Troubleshooting FreeBSD Wireless Problem

My important individualized workstation is a Thinkpad x60s. As I wrote in Triple-Boot Thinkpad x60s, I have Windows XP, Ubuntu Linux, and FreeBSD installed. However, I rarely ingest the FreeBSD side. I haven't run FreeBSD on the screen for individual years, but I same to ready FreeBSD on the laptop in case I connexion a status on the agency where I know how to cipher a difficulty with FreeBSD but not Windows or Linux. (Yes I know about [insert selection VM creation here]. I ingest them. Sometimes there is no unreal for a bare-metal OS.)When I prototypal installed FreeBSD on the x60s (named "neely" here), the wireless NIC, an Intel(R) PRO/Wireless 3945ABG, was not based on FreeBSD 6.2. So, I utilised a wireless bridge. That's how the status stayed until I fresh feature M.C. Widerkrantz's FreeBSD 7.2 on the Lenovo Thinkpad X60s. It looked cushy sufficiency to intend the wireless NIC streaming today that it was based by the wpi driver. I had utilised freebsd-update to raise the 6.2 to 7.0, then 7.0 to 7.1, and eventually 7.1 to 7.2. This is where the apparent insanity began.I couldn't encounter the if_wpi.ko or wpifw.ko essence modules in /boot/kernel. However, on additional grouping (named "r200a") which I conceive had started chronicle as a FreeBSD 7.0 incase (but today also ran 7.2), I institute both absent essence modules. Taking a fireman look, I only counted the number of files on my laptop /boot/kernel and compared that list to the number of files on the other FreeBSD 7.2 system.$ wc -l boot-kernel-neely.06dec09a.txt 545 boot-kernel-neely.06dec09a.txt$ wc -l boot-kernel-r200a.06dec09a.txt 1135 boot-kernel-r200a.06dec09a.txtWow, that is a bounteous difference. Apparently, the raise impact from 6.2 to 7.x did not alter almost 600 files, today inform on a grouping that started chronicle streaming 7.x.Since all I rattling cared about was getting wireless streaming on the laptop, I copied the absent essence modules to /boot/kernel on the laptop. I additional the mass to /boot/loader.conf:legal.intel_wpi.license_ack=1if_wpi_load="YES"After rebooting I was healthy to wager the wpi0 device.wpi0: mem 0xedf00000-0xedf00fff irq 17 at figure 0.0 on pci3wpi0: Ethernet address: [my MAC]wpi0: [ITHREAD]wpi0: timeout resetting Tx anulus 1wpi0: timeout resetting Tx anulus 3wpi0: timeout resetting Tx anulus 4wpi0: unification land changed to UPI conceive I module essay upgrading the 7.2 grouping to 8.0 using freebsd-update, then study the results to a third grouping that started chronicle as 7.0, then upgraded from 7.2 to 8.0. If the /boot/kernel directories are ease different, I might reinstall 8.0 on the laptop from media or the network.Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

Let a Hundred Flowers Blossom

I undergo some of us impact in large, diverse organizations. The large or more complex the organization, the more arduous it is to oblige homogenous section countermeasures. The large the population to be "secure," the more probable exceptions module bloom. Any accepted tends to worsen to the small common denominator. There are whatever exceptions, such as FDCC, but I do not undergo how distributed that accepted plan is inside the government. Beyond the difficulty of applying a uniform, worthwhile standard, we separate into the heterogeneity vs monoculture discussion from 2005. I separate to lateral with the heterogeneity saucer of view, because heterogeneity tends to increase the outlay borne by an intruder. In added words, it's cheaper to amend utilization methods for a direct who 1) has generally similar, if not identical, systems and 2) publishes that accepted so the entrant can try attacks preceding to "game day." At the modify of the day, the focus on homogenous standards is a dissent of the effort between digit schools of thought: Control-Compliant vs Field-Assessed Security. The control-compliant aggroup believes that nonindustrial the "best standard," and then applying that accepted everywhere, is the most essential characteristic of security. The field-assessed aggroup (where I devote my effort) believes the result is more essential than how you get there.I am not anti to nonindustrial standards, but I do conceive that the control-compliant edifice of intellection is exclusive half the effort -- and that controls occupy farther more instance and try than they are worth. If the accepted whithers in the face of battle, i.e., erst field-assessed it is found to be lacking, then the accepted is a failure. Compliance with a unsuccessful accepted is meritless at that point.However, I'd same to propose a variation of my example argument. What if you desert homogenous standards completely? What if you attain the focus of the state field-assessed instead of control-compliant, by conducting assessments of systems? In added words, let a hundred flowers blossom.(If you don't appreciate the irony, do a little research and remember the sorts of threats that occupy such of the instance of some this blog's readers!)So what do I mean? Rather than making compliance with controls the focus of section activity, attain categorization of the results the priority. Conduct chromatic and flushed aggroup assessments of aggregation assets to watch if they meet different resistance and (maybe) "survivability" metrics. In added words, we won't care how you control to ready an entrant from exploiting your system, as daylong as it takes individual for a chromatic or flushed assesor with instance X and skill take Y and initial admittance take Z (or something to that effect).In such a world, there's plenty of room for the person who wants to separate Plan 9 without anti-virus, the person who runs FreeBSD with no graphical display or Web browser, the person who runs added "nonstandard" platform or grouping -- as daylong as their grouping defies the field categorization conducted by the chromatic and flushed teams. (Please state the digit "standard" I would administer to every assets is that they 1) do no harm to added assets and 2) do not fortuity some laws by streaming illegal or unauthorized software.)If a "hundred flowers" is likewise radical, maybe consider 10. Too thickened to control every that? Guess what -- you are probable managing it already. So-called "unmanaged" assets are everywhere. You probably already have 1000 variations, never nous 100. Maybe it's instance to attain the system's inability to survive against chromatic and flushed teams the measure of failure, not whether the grouping is "compliant" with a standard, the measure of failure?Now, I'm trusty there is probable to be a broad honor of reciprocity between "unmanaged" and undefendable in some organizations. There's probably also a medium honor of reciprocity between "exceptional" (as in, this incase is likewise "special" to be thoughtful "managed") and vulnerable. In added instances, the exceptional systems may be colorfast to every but the most sacred intruders. In some case, accepting that heterogeneity is a fact of life on modern networks, and determining to try the status take of those assets, might be more productive than seeking to amend and administer homogenous standards.What do you think?Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

Real Security Is Threat-Centric

Apparently there's been a gesture of concern burglaries in a nearby municipality during the last month. As you strength expect, topical residents responded by exchange windows with steel panels, front doors with vault entrances, floors with pressure-sensitive plates, and whatever added "security vendors" recommended. Town policymakers created newborn laws to dominion locking doors, sanctioning alarm systems, and creating scorecards for compliance. Home builders decided they necessary to adopt "secure building" practices so all these retrofitted measures were "built in" future homes.Oh wait, this is the actual world! All those vulnerability-centric measures I meet described are what likewise many "security professionals" would recommend. Instead, police identified the criminals and inactive them. From Teen burglary ring in Manassas identified:Two suspects questioned weekday gave aggregation about the others, police said. Now this gathering is facing prosecution. That's a beatific warning of what we need to do in the digital world: enable and action threat-centric security. We won't get there until we have meliorate attribution, and interestingly sufficiency attribution is the articulate I center most ofttimes from people pondering improvements in meshwork security.Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)