Comments on TaoSecurity Blog: Further Thoughts on SANS Top 20
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)
Comment feed last updated 2023-10-16.

Anonymous (2007-06-14 10:12 -04:00):

This comment has been removed by a blog administrator.

Richard Bejtlich (2006-11-20 10:32 -05:00):

So now I've seen comments (here and elsewhere) that the SANS Top 20 is for security people, that it's not for security people, that it's for administrators, that it's not for administrators, that it's for policymakers, etc...

I don't buy for a minute that the SANS Top 20 is for "nontechnical people." Nontechnical people are not going to read a document that long. They do not understand CVEs. They do not understand most of the terminology in that document.

Here's a link to <A HREF="http://taosecurity.blogspot.com/2005/10/two-new-book-reviews-drought-has-ended.html" REL="nofollow">two books</A> I reviewed that try to speak to nontechnical users.

Anonymous (2006-11-20 10:24 -05:00):

Just wondering if we are missing the point here. I don't think the SANS TOP 20 is for the Administrators. They are the ones in the ditches every day pulling the muck out and getting it cleaned up.

The SANS TOP 20 is for high level overviews, for _non_ technical people to see, such as the people who run the companies. It's also probably for the auditors and the like for them to know where to look for issues, and not specific ones, but general issues.

At that level (an overview) _any_ list becomes somewhat arbitrary, and easily picked apart, especially given that it cannot give too many specifics.

I don't disagree with your observations, and yes I do agree that Symantec's report is probably better, but I've found a few issues with it as well. Their "metrics" that show that Microsoft fixes bugs within 8 days is just plain BS, and any decent Administrator will know that.

So, Richard, how do you produce a list for _non_ technical administrators of companies, auditors and the like that isn't detailed, and gives an overview of the industry?

Thanks!

Richard Bejtlich (2006-11-19 19:27 -05:00):

Protocols cannot have threats. Protocols can only have vulnerabilities. Threats exploit vulnerabilities. Threats can present a clear and present danger.

Anonymous (2006-11-19 18:57 -05:00):

I've thought about this question a lot, within the context of looking at older protocols that included threats later found to be controversial. When should we worry about a threat?

I've since modelled it as needing to be <I>validated</I>, and a threat is validated when it is a <I>clear and present danger</I>. It's <I>clear</I> if we can measure it; <I>present</I> if we can show it exists; and a <I>danger</I> if it hurts us. With that framework, it's a lot easier to separate out the wheat from the chaff.

Anonymous (2006-11-18 07:59 -05:00):

<I>If the SANS Top 20 were metric-based, and consisted of a consistent class of items (say vulnerabilities), it might be possible to compare the lists from year to year.</I>

Come on, Richard, you know that's not what it's about! It's about putting money in someone's pocket, that's all. "Consistent class of items"...that just makes sense! You've really gotta stop doing that!

Anonymous (2006-11-17 13:59 -05:00):

Nerd Fight!

Unknown (https://www.blogger.com/profile/15357840241031190415) (2006-11-17 13:55 -05:00):

I could make a list such as this and it would be about as important:

1. Windows
2. Unix
3. WWW
4. Users
5. Other OS

I mean, this is just furthering what has happened. Instead of a top 20 list, they have a top 75 list just categorized into 20 sections.

In a way, a document like this could be argued to need more opinion. Sadly, when you have so many people pushing for their "biggest holes on the Internet" to be on the list, someone somewhere either has to create an objective measure (not likely) or just put their foot down, declare the identity and purpose of the document, and make the decisions.

As it is, too many people are wanting too many things, and as such we now have a document that purports to be a top 20, yet encompasses everything they can think of.

But yes, the list has its purposes, and thankfully can be very powerful with "FBI" and "SANS" in the title, plus how it has been recognized through the years. I just wish it were more surgical in the 20 items.

Anonymous (2006-11-17 13:05 -05:00):

The link you are looking for is http://www.ranum.com not www.mjr.com.

Anonymous (2006-11-17 12:52 -05:00):

Don't back down Richard. This:

"it’s called an ‘attack targets’ document, since there’s nothing inherently ‘vulnerable’ about."

is absolutely correct. Risk is all about context, and it can be just as much of a mistake to consider potential weaknesses without putting them in context as it would be to be "wrong" about that context (one of his reasons to not delineate between "weakness, action item, vulnerability or attack").

To me, this makes no sense. To ignore taxonomy, context, and relationships between factors in a taxonomy is "Bad security" just as doing so in another field is "Bad science".