Thursday, April 29, 2010

Blame the Bullets, not PowerPoint

Blog readers probably know I am not a big fan of PowerPoint presentations. I sympathize with many points in the recent article We Have Met the Enemy and He Is PowerPoint, which resurrects the December 2009 story by Richard Engel titled So what is the actual surge strategy? I think it is important to focus, however, on the core problem with PowerPoint presentations: bullets.

Bullets are related to the main PowerPoint problem, which is having the medium drive the message rather than having the message drive the medium. When you create a PowerPoint presentation that relies on bullets to deliver a message, you essentially cripple the intellect of anyone attending the presentation.

I thought about this yesterday while listening to Johnny Cash. Let's imagine Johnny wanted to explain the devotion someone feels for his significant other. If his default thinking involved creating a PowerPoint presentation every time he wanted to communicate, the bullets might look something like this:

Title: Reasons I Walk the Line

  • Key points about me:
    • My heart: keep a close watch
    • My eyes: keep open
    • My "ends": "keep out for ties that bind"
    • Easy for me to be true
    • I'm a fool
  • Proof I'm true:
    • End each day alone
    • You're on my mind
      • Day
      • Night
    • Happiness
    • I'd turn the tide for you
    • I walk the line
  • Reasons you keep me true:
    • You've got "a way"
    • You "give me cause"
    • You're mine


Or, instead of delivering this disaster (which probably takes 5 minutes), Johnny sings "I Walk the Line" in 2 minutes 44 seconds. Which approach is more effective, efficient, and powerful? This doesn't mean we should all start singing when we need to deliver a message. Rather, determine the message first, and then select a medium. Don't lead with PowerPoint.

Saturday, April 24, 2010

Review of The Rootkit Arsenal Posted

Amazon.com just posted my five star review of The Rootkit Arsenal by Bill Blunden. I received this book last year but didn't get a chance to finish it until this week, thanks to several long plane flights. From the review:

Disclaimer: Bill mentions me and my book "Real Digital Forensics" on pages xxvi and 493. He sent me a free review copy of his book.

"Wow." That summarizes my review of "The Rootkit Arsenal" (TRA) by Bill Blunden. If you're a security person and you plan to read one seriously technical book this year, make it TRA. If you decide to really focus your attention, and try the examples in the book, you will be able to write Windows rootkits. Even without taking a hands-on approach, you will learn why you can't trust computers to defend themselves or report their condition in a trustworthy manner.

Snort Near Real Time Detection Project

I don't think many people noticed this story, but on Thursday Sourcefire Labs published A New Detection Framework on the VRT blog and an NRT page on their labs site. I had a small part in this development due to the Incident Detection Summit I organized late last year. Sourcefire sent an army of developers (I think they had the biggest contingent) to the conference and clearly enjoyed participating. During the event they spoke to participants from multiple security teams and had follow-up discussions with several of us.

One item we emphasized with Sourcefire was the need for analysis of file contents, not just network traffic. As Matt mentions in his latest post, Mike Cloppert and his team have used these approaches very effectively and have even published components of their work as open source projects like Vortex by Charles Smutz. In my NSM in products post last year I called this extracted content and listed it as one of the forms of NSM data.

What does this mean? The basic idea is that you extract content from network traffic, analyze it, record metadata, and so on, and then provide that information to a security analyst. That may sound like an anti-malware approach, but the idea is to provide indicators, not necessarily block transmission. In any case, Sourcefire published a presentation on their site on what their beta code can do. I'm really glad to see them working on this problem and sharing results in a form that interested parties can download and test.
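Here is what that extracted-content pipeline looks like in miniature. This is an added example, not Sourcefire's NRT code and not Vortex: a Python script that carves the body out of a captured HTTP response, handles both Content-Length and chunked transfer encoding, identifies the file type from its magic bytes rather than trusting the declared Content-Type, hashes the payload, and emits indicators (a type mismatch, executable content) for an analyst instead of blocking anything. The HTTP response bytes and the small signature table are constructed for the example.

```python
"""Extracted content in miniature: carve a file from an HTTP response,
record metadata, and emit indicators for an analyst.  Added example,
not Sourcefire's NRT code or Vortex; the response below is constructed."""
import hashlib
from dataclasses import dataclass, field

# Illustrative magic-byte table (assumption: a handful of common types, not exhaustive).
MAGIC = [
    (b"MZ", "application/x-dosexec"),          # Windows PE
    (b"\x7fELF", "application/x-executable"),  # ELF
    (b"%PDF", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),        # also docx/jar/apk
]
EXECUTABLE_TYPES = {"application/x-dosexec", "application/x-executable"}


@dataclass
class ExtractedContent:
    declared_type: str   # what the Content-Type header claimed
    detected_type: str   # what the magic bytes say
    size: int
    sha256: str
    md5: str
    indicators: list = field(default_factory=list)


def identify(body: bytes) -> str:
    """Return a MIME type from the leading bytes, or octet-stream if unknown."""
    for signature, mime in MAGIC:
        if body.startswith(signature):
            return mime
    return "application/octet-stream"


def dechunk(body: bytes) -> bytes:
    """Reassemble a chunked transfer-encoded body (hex size lines, CRLF-delimited)."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return bytes(out)                           # terminal chunk; trailers ignored
        start = eol + 2
        out += body[start:start + size]
        pos = start + size + 2                          # skip the CRLF after the data


def parse_response(raw: bytes) -> ExtractedContent:
    """Split headers from body, recover the payload, record metadata and indicators."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:              # [0] is the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()

    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    elif "content-length" in headers:
        body = body[:int(headers["content-length"])]  # drop anything past the declared length

    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    detected = identify(body)
    record = ExtractedContent(
        declared_type=declared,
        detected_type=detected,
        size=len(body),
        sha256=hashlib.sha256(body).hexdigest(),
        md5=hashlib.md5(body).hexdigest(),
    )
    # Indicators, not blocking decisions: the analyst decides what to do with them.
    if detected != "application/octet-stream" and detected != declared:
        record.indicators.append(
            f"content-type mismatch: declared {declared or '(none)'}, detected {detected}")
    if detected in EXECUTABLE_TYPES:
        record.indicators.append(f"executable content ({detected})")
    return record


# Constructed sample: a chunked response labelled as a GIF that actually carries a PE header.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/gif\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"4\r\nMZ\x90\x00\r\n"
    b"6\r\nPE\x00\x00ab\r\n"
    b"0\r\n\r\n"
)

if __name__ == "__main__":
    rec = parse_response(SAMPLE_RESPONSE)
    print(f"{rec.detected_type} ({rec.size} bytes) sha256={rec.sha256}")
    for ind in rec.indicators:
        print("  indicator:", ind)
```

The point of the mismatch check is the same one the NRT work makes: the header is attacker-controlled, the bytes are not, so metadata for the analyst should come from the recovered payload. A real deployment would reassemble TCP streams first and feed the hashes and indicators into whatever the analyst already uses to pivot.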

Thoughts on New OMB FISMA Memo

I read the new OMB memorandum M-10-15, "FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management." This InformationWeek article pretty well summarizes the memo, but I'd like to share a few thoughts.

Long-time blog readers should know I've been writing about FISMA for five years, calling it a "joke," "a jobs program for so-called security companies without the technical skills to operationally defend systems," and other kind words. Any departure from the previous implementation is a welcome change.

However, it's critical to remember that control monitoring is not threat monitoring. Let's take a look at the OMB letter to see what is really changing for FISMA implementation.

For FY 2010, FISMA reporting for agencies through CyberScope, due November 15, 2010, will follow a three-tiered approach:

1. Data feeds directly from security management tools
2. Government-wide benchmarking on security posture
3. Agency-specific interviews


I wonder how long before CyberScope is compromised?

Turning to the three points, what does #1 really mean?

Beginning January 1, 2011, agencies will be required to report on this new information monthly. The new data feeds will include summary information, not detailed information, in the following areas for CIOs:

• Inventory
• Systems and Services
• Hardware
• Software
• External Connections
• Security Training
• Identity Management and Access

So it looks like OMB is requiring agencies to basically report asset inventory information, training status for employees, and some IDM information? And monthly? I guess if you're moving from a three-year cycle to a monthly cycle, that sounds "continuous," but monthly in the modern enterprise is recognized as a snapshot.

How about #2?

A set of questions on the security posture of the agencies will also be asked in CyberScope. All agencies, except microagencies, will be required to respond to these questions in addition to the data feeds described above.

Now I see OMB will be asking agencies questions, which they will have to answer?

And #3:

As a follow-up to the questions described above, a team of government security specialists will interview all agencies individually on their respective security postures.

This looks like another question-and-answer session, except I expect OMB to spend time with the problem cases identified in steps 1 and 2.

Let's be clear: there's no "continuous monitoring" happening here. This is basic housekeeping, although the scale of the government and bureaucratic inertia make this a difficult problem. I hope this is only the first round of change.

I found the frequently asked questions to be more interesting than the main memo.

30. Why should agencies conduct continuous monitoring of their security controls?

Continuous monitoring of security controls is a cost-effective and important part of managing enterprise risk and maintaining an accurate understanding of the security risks confronting your agency's information systems. Continuous monitoring of security controls is required as part of the security authorization process to ensure controls remain effective over time (e.g., after the initial security authorization or reauthorization of an information system) in the face of changing threats, missions, environments of operation, and technologies.


Ah ha, finally we see it in print: "continuous monitoring of security controls." There's no continuous monitoring of threats here. Furthermore, I'm wondering why OMB considers asset inventory, training, and IDM to be so crucial to security risks. Sure, they are important, but where's the real "security" in those controls? In other words, OMB could still monitor controls, but those controls could be the implementation of filtering Web proxies, firewalls, anti-malware, and other traditional security measures.

36. Must Government contractors abide by FISMA requirements?

Yes... Because FISMA applies to both information and information systems used by the agency, contractors, and other organizations and sources, it has somewhat broader applicability than prior security law. That is, agency information security programs apply to all organizations (sources) which possess or use Federal information – or which operate, use, or have access to Federal information systems (whether automated or manual) – on behalf of a Federal agency. Such other organizations may include contractors, grantees, State and local Governments, industry partners, providers of software subscription services, etc. FISMA, therefore, underscores longstanding OMB policy concerning sharing Government information and interconnecting systems.


This concerns me. Is the government further pushing on contractors to adopt FISMA in private business?

FISMA is unambiguous regarding the extent to which security authorizations and annual IT security assessments apply. To the extent that contractor, state, or grantee systems process, store, or house Federal Government information (for which the agency continues to be responsible for maintaining control), their security controls must be assessed against the same NIST criteria and standards as if they were a Government-owned or -operated system. The security authorization boundary for these systems must be carefully mapped to ensure that Federal information:

(a) is adequately protected,

(b) is segregated from the contractor, state or grantee corporate infrastructure, and

(c) there is an interconnection security agreement in place to address connections from the contractor, state or grantee system containing the agency information to systems external to the security authorization boundary.


It's probably going to take a .gov-savvy lawyer to really explain what these points mean, but private enterprises working with government data should probably take a close look at these new FISMA developments.

Tuesday, April 20, 2010

Still Looking for Infrastructure Administrator for GE-CIRT

Two months ago I posted Information Security Jobs in GE-CIRT and Other GE Teams. I've almost filled all of the roles, or have candidates for all roles in play, with the exception of one -- Information Security Infrastructure Engineer (1147859).

We're looking for someone to design, build, and run infrastructure to support GE-CIRT functions. As you might expect, we don't need someone with Windows experience. Beyond Unix-like operating systems, we are interested in someone with MySQL experience. You must be a US citizen who lives near our Michigan AMSTC or can relocate on your own cost.

If you are interested, please visit www.ge.com/careers and apply for role 1147859. Thank you.

Sunday, April 18, 2010

Review of Handbook of Digital Forensics and Investigation Posted

Amazon.com just posted my four star review of Handbook of Digital Forensics and Investigation by Eoghan Casey and colleagues. From the review:

I've probably read and reviewed a dozen or so good digital forensics books over the last decade, and I've written a few books on that topic or related ones. The Handbook of Digital Forensics and Investigation (HODFAI) is a solid technical overview of multiple digital forensics disciplines. This book will introduce the reader to a variety of topics and techniques that a modern investigator is likely to apply in the enterprise. Because the book is a collection of sections by multiple authors, some of the coverage is uneven. Nevertheless, I recommend HODFAI as a single volume introduction to modern digital forensics.

Review of The Victorian Internet Posted

Amazon.com just posted my five star review of The Victorian Internet by Tom Standage. From the review:

Tom Standage mentions chronocentricity on p 213 as "the egotism that one's own generation is poised on the very cusp of history." Comparing modern times to the past, he says "if any generation has the right to claim that it bore the full bewildering, world-shrinking brunt of such a revolution, it is not us -- it is our nineteenth-century forbears." Commentator Gary Hoover defines chronocentricity as being "obsessed with our own era, considering it the most important or most dynamic time ever." Being a history major, I find The Victorian Internet (TVI) to be an enlightening antidote to chronocentricity, and I recommend it to anyone trying to better understand modern times through the lens of history.

Measurement Over Models

Most blog readers know I strongly prefer measurement over models. In digital security, I think too many practitioners prefer to substitute their own opinions for data, i.e., "defense by belief" instead of "defense by fact." I found an example of a conflict between the two mindsets in Test flights raise hope for European air traffic:

Dutch airline KLM said inspection of an airliner after a test flight showed no damage to engines or evidence of dangerous ash concentrations. Germany's Lufthansa also reported problem-free test flights...

"We hung up filters in the engines to filter the air. We checked whether there was ash in them and all looked good," said a KLM spokeswoman. "We've also checked whether there was deposit on the plane, such as the wings. Yesterday's plane was all well..."

German airline Air Berlin was quoted as expressing irritation at the way the shutdown was decided.

"We are amazed that the results of the test flights done by Lufthansa and Air Berlin have not had any bearing on the decision-making of the air safety authorities," Chief Executive Joachim Hunold told the mass circulation Bild am Sonntag paper.

"The closure of the air space happened purely because of the data of a computer simulation at the Volcanic Ash Advisory Center in London."


I understand that safety officials need to make decisions based on the best information available at the time the decision needs to be made. However, when that information changes, the decision maker should re-evaluate his or her position. This reminds me of the silly policies mandated by various rule-makers regarding password complexity and frequency of change. They are basically completely disconnected from the modern attack and exploitation environment. That thinking recalls a time when guessing credentials or brute-forcing passwords took weeks instead of near-real-time, and was the prevalent way to compromise a system.

Returning to the volcano cloud -- I'm sure safety officials think they are acting in the best interests of passengers, but I don't see the airlines about to take actions that jeopardize their customers. Furthermore, customers who would be wary about flying through or near the ash cloud could decide not to do so. The problem is that safety officials bear none of the cost of their decisions while airlines and customers do.

Friday, April 16, 2010

Vulnerable Sites Database: More Intrusion as a Service

Last year I blogged about Shodan, and today thanks to Team Cymru I learned of the latest evolution of Intrusion as a Service. It's called the Vulnerable Sites Database.

According to the site, to be listed as a vulnerable site a submitter must provide "1. site name 2. vulnerability or JPG proof." This reminds me of a Web defacement archive where the submitter demonstrates having defaced a Web site, but with www.vs-db.info we get details like "local file inclusion" or "SQL injection."

All we need now is to pair the search capability of a site like Shodan with the vulnerability data for an entire site as provided by the Vulnerable Sites Database. How about a cross-reference against sites currently whitelisted by Web proxy providers and others who use reputation to permit access? Something like:

Select sites where the reputation is GOOD, that are hosted in the US, and are vulnerable to SQL injection?

Next, exploit vulnerable sites and use them for hosting malware, acting as command and control servers, and so on.

While neat, I thought Shodan was dangerous enough to attract LE attention and be shut down. I wonder how long www.vs-db.info will last. A site like I just described would probably really cross cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 line. I hope.

Update: Thanks to @jeremiahg for pointing me towards www.xssed.com.

"Cyber insecurity is the paramount national security risk."

Thanks to @borroff I read a fascinating article titled Cybersecurity and National Policy by Dan Geer. The title of my blog post is an excerpt from this article, posted in the Harvard National Security Journal on 7 April. This could be my favorite article of the year, and it proves to me that Dan Geer's writing has the highest signal-to-noise ratio of any security author, period.

(Personal note: I remember seeing Dan speak at a conference, and he apologized for reading his remarks rather than speaking extemporaneously. He said he respected our time too much to not read his remarks, since he wanted to conserve time and words.)

I've reproduced my favorite excerpts and tried to thus summarize his argument.

First, security is a means, not an end. Therefore, a cybersecurity policy discussion must necessarily be about the means to a set of desirable ends and about affecting the future. Accordingly, security is about risk management, and the legitimate purpose of risk management is to improve the future, not to explain the past.

Second, unless and until we devise a scorekeeping mechanism that apprises spectators of the state of play on the field, security will remain the province of “The Few”. Sometimes leaving everything to The Few is positive, but not here as, amongst other things, demand for security expertise so outstrips supply that the charlatan fraction is rising.

Third, the problems of cybersecurity are the same as many other problems in certain respects, yet critically different in others... these differences include the original owner continuing to possess stolen data after the thief takes it, and law enforcement lacking the ability to work at the speed of light.


Security is a forward-looking function, requiring a scorecard (sound familiar?) with problems that are both common and unique.

[B]ecause the United States’s ability to project power depends on information technology, cyber insecurity is the paramount national security risk...

[R]emember the definition of a free country: a place where that which is not forbidden is permitted. As we consider the pursuit of cybersecurity, we will return to that idea time and time again; I believe that we are now faced with “Freedom, Security, Convenience: Choose Two”

Dan then outlines three national security risks:

[W]hat types of risks rose to such a level that they could legitimately be considered national security concerns[?]...

The first is any mechanism that, to operate correctly, must be a single point of function, thereby containing a single point of failure...

[The second] national security scale risk is cascade failure, and cascade failure is so much easier to detonate in a monoculture...

[The third is that it] is simply not possible to provide product or supply chain assurance without a surveillance state...


Dan next provides us with what I may adopt as my own definition of security:

I currently define security as the absence of unmitigatable surprise.

This definition resonates with me, although it could be twisted for some odd consequences. Could one simply choose to never feel surprised in order to feel secure? I hope not! Dan provides some conclusions next:

[1] our paramount aim cannot be risk avoidance but rather risk absorption — the ability to operate in degraded states, in both micro and macro spheres, to take as an axiom that our opponents have and will penetrate our systems at all levels, and to be prepared to adjust accordingly...

[2] free society rulemaking will trail modalities of risk by increasing margins...

[3] if the tariff of security is paid, it will be paid in the coin of privacy...

[4] market demand is not going to provide, in and of itself, a solution.


I believe these are true. While explaining the third conclusion Dan notes:

It has been said over and over for twenty years, “If only we could make government’s procurement engine drive the market toward secure products.” This, ladies and gentlemen, is a pleasant fiction.

That is also true! I'm going to skip his discussion of government action and list three essential capabilities:

[T]he ability to operate in a degraded state is an essential capability for government systems and private sector systems.

A second essential capability is a means to assure broad awareness of the gravity of the situation...

There is a third essential, one that flows from recognizing the limits of central action in a decentralized world, and that is some measure of personal responsibility and involvement.


Dan concludes with:

For me, I will take freedom over security and I will take security over convenience.

I highly encourage reading the whole article. I skipped Dan's discussion of "regulation, taxation, and insurance pricing," but that is also worth understanding.

Thursday, April 15, 2010

Response to Dan Geer Article on APT

A few people sent me a link to Dan Geer's article Advanced Persistent Threat. Dan is one of my Three Wise Men, along with Ross Anderson and Gene Spafford. I'll reproduce a few excerpts and respond.

Let us define the term for the purpose of this article as follows: A targeted effort to obtain or change information by means that are difficult to discover, difficult to remove, and difficult to attribute.

That describes APT's methodology, but APT is not an effort -- it's a proper noun, i.e., a specific party.

Given that the offense has the advantage of no legacy drag, the offense's ability to insert innovation into its product mix is unconstrained. By contrast, the CIO who does the least that can be gotten away with only increases the frequency of having to do something, not the net total work deficit pending.

In other words, the offense expends work whenever innovation is needed; the defense expends work each day and never catches up.

This "least expensive defense" is not insane, just ineffective because the offense is a sentient being with a strategic advantage.


I love the characterization of offense as having "no legacy drag," and "defense expends work each day and never catches up." That perfectly describes the advantage of offense over defense.

Even if you don't think the advanced persistent threat is all that advanced, realize that if this is so, it is only because it doesn't have to be when your defenses don't require it to be. Even more central, do not think that the supplier of defensive weapons will ever have weapons to thwart (the deployment of) offensive weapons that are sufficiently well targeted to hit only some people, some computers, some data.

Dan nicely counters the argument that some make, namely "APT doesn't sound so 'advanced.'"

The advanced persistent threat, which is to say the offense that enjoys a permanent advantage and is already funding its R&D out of revenue, will win as long as you try to block what he does. You have to change the rules. You have to block his success from even being possible, not exchange volleys of ever better tools designed in response to his. You have to concentrate on outcomes, you have to pre-empt, you have to be your own intelligence agency, you have to instrument your enterprise, you have to instrument your data.

In one paragraph Dan reminds us to change the plane, be field-assessed, not control-compliant (outcomes over inputs), and build intelligence and instrumentation.

With data, not networks or infrastructure, as the unit of surveillance and action, an adaptable approach to data security is possible. Not another shield for every arrow, but a comprehensive fortress of information control and risk management -- a unifying framework that can best be described as Enterprise Information Protection (EIP).

EIP unifies data-leak prevention, network access control, encryption policy and enforcement, audit and forensics, and all the other wayward data protection technologies from their present state of functional silos into an extensible platform supported by policy and operational practices.


Dan's conclusion seems too short, which is probably the result of the constraints imposed by writing for NetworkWorld. I don't think an enterprise that adopts his approach will beat APT. Stopping this threat requires direct and indirect pressure in a threat-centric approach, not a vulnerability-centric approach.

Last Chance for TCP/IP Weapons School 2.0 in Las Vegas

Yesterday I returned home from teaching TCP/IP Weapons School 2.0 in Barcelona for Black Hat. I'd like to thank Black Hat and my students for a great class. I believe the current format, which is a mix of methodology, labs, and answering whatever questions the students have, in about 15-20 minute spontaneous presentations, is working really well. I plan to retire the current cases this year, and develop TWS3 with new cases for teaching in 2011.

My last class of the year will be at Black Hat USA 2010 Training on 25-28 July 2010 at Caesars Palace in Las Vegas, NV. I will be teaching two sessions of TCP/IP Weapons School 2.0, one on the weekend and one during the week.

Registration is now open. Black Hat has four remaining price points and deadlines for registration.

  • Early ends 1 May

  • Regular ends 1 Jul

  • Late ends 22 Jul

  • Onsite starts at the conference


Seats are filling -- it pays to register early!

If you review the Sample Lab I posted last year, this class is all about developing an investigative mindset by hands-on analysis, using tools you can take back to your work. Furthermore, you can take the class materials back to work -- an 84 page investigation guide, a 25 page student workbook, and a 120 page teacher's guide, plus the DVD. I have been speaking with other trainers who are adopting this format after deciding they are also tired of the PowerPoint slide parade.

Feedback from my earlier sessions was great. Two examples:

"Truly awesome -- Richard's class was packed full of content and presented in an understandable manner." (Comment from student, 28 Jul 09)

"In six years of attending Black Hat (seven courses taken) Richard was the best instructor." (Comment from student, 28 Jul 09)

If you've attended a TCP/IP Weapons School class before 2009, you are most welcome in the new one. Unless you attended my Black Hat training in 2009, you will not see any repeat material whatsoever in TWS2. Older TWS classes covered network traffic and attacks at various levels of the OSI model. TWS2 is more like a forensics class, with network, log, and related evidence.

I plan to retire TWS2 after Vegas this year and teach TWS3 in 2011, if Black Hat invites me back.

I recently described differences between my class and SANS if that is a concern.

I look forward to seeing you. Thank you.

Bejtlich on Visible Risk Podcast

My friend Rocky DeStefano from Visible Risk posted the video (streaming) and audio (.mp3, 124 MB) of a discussion he hosted on the advanced persistent threat. Myself, Mike Cloppert, Rob Lee, and Shawn Carpenter discussed APT for about an hour on video and about an hour and a half on audio. Let Rocky know what you think as a comment here or via Twitter to @visiblerisk.

One comment -- slightly before the 24:00 mark, Rob made a remark about "what you and I respond to in the Air Force was laughable at this point, compared to what we're seeing today, actual intelligence being pulled back, potential nation state actors, potential organized crime, earning thousands or millions of dollars..." I disagree with part of that comment and agree with part of that comment. For the "disagree" part: Rob was stationed in the 609th, which was not the AFCERT. In the AFCERT we detected and responded to nation state activity of the caliber we see today. I don't know what the 609th dealt with. For the "agree" part: in 1998 it was much rarer to see organized crime operating at the level they do today. I didn't respond during the video because I didn't feel the need to interrupt any time I didn't fully agree with a speaker, and this exchange was mostly between Rob and Mike!

Tuesday, April 06, 2010

Defense Security Service Publishes 2009 Report on "Targeting U.S. Technologies"

Thanks to Team Cymru I learned of a new Defense Security Service report titled Targeting U.S. Technologies: A Trend Analysis of Reporting from Defense Industry. The report seems to be the 2009 edition, which covers reporting from 2008. I'll have to watch for a 2010 version. From the report:

The Defense Security Service (DSS) works with defense industry to protect critical technologies and information. Defense contractors with access to classified material are required to identify and report suspicious contacts and potential collection attempts as mandated in the National Industrial Security Program Operating Manual (NISPOM). DSS publishes this annual report based on an analysis of suspicious contact reports (SCRs) that DSS considers indicative of efforts to target defense-related information.

The executive summary offers these bullet points:

  • East Asia and Pacific-originated contacts continued to generate the greatest number of suspicious reports attributable to a specific region of origin. For the fifth year in a row, reporting with an East Asia and Pacific nexus far exceeded those from any other region suggesting a continuing, concerted, and growing effort to exploit contacts within United States industry for competitive, economic, and military advantage.

  • Aggressive collection attempts by commercial actors continued to surge. In FY08, commercial entities attempted to collect defense technology at a rate nearly double that of governmental or individual collector affiliations. This trend likely represents a purposeful attempt to make the contacts seem more innocuous, shifting focus from government collectors to commercial or non-traditional entities.

  • Collectors continued bold and overt exploitation of the Internet to acquire information via direct requests. Facilitated by ever increasing world wide connectivity, the ease of inundating industry with overt email requests and webpage submissions made direct requests a premier vehicle for solicitation and/or collection. While not all direct requests for information or services represent organized collection attempts, exploitation of this medium provides collectors an efficient, low-cost, high-gain opportunity to acquire classified or restricted information.

  • Unmanned aerial vehicle (UAV) technology has emerged as a priority target of aggressive collectors from multiple regions. In FY08, DSS noticed a significant increase in exploitation attempts against UAV systems and technologies at CDCs. Targeting of UAVs is non-region specific, broadly based, and spans all phases of research, development, and deployment. It is highly likely that this interest and probable targeting is the direct result of a growing and increasingly competitive world market for UAV systems.


This report is good background and support for your threat-centric security measures.

BeyondTrust Report on Removing Administrator: Correct?

Last week BeyondTrust published a report titled BeyondTrust 2009 Microsoft Vulnerability Analysis. The report offers several interesting conclusions:

[R]emoving administrator rights will better protect companies against the exploitation of:

  • 90% of critical Windows 7 vulnerabilities reported to date

  • 100% of Microsoft Office vulnerabilities reported in 2009

  • 94% of Internet Explorer and 100% of Internet Explorer 8 vulnerabilities reported in 2009

  • 64% of all Microsoft vulnerabilities reported in 2009


Initially I was pleased to read these results. Then I read BeyondTrust's methodology.

This report uses information found in the individual Security Bulletins to classify vulnerabilities by Severity Rating, Vulnerability Impact, Affected Software, as well as to determine if removing administrator rights will mitigate a vulnerability. A vulnerability is considered mitigated by removing administrator rights if the following sentence is located in the Security Bulletin’s Mitigating Factors section:

Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
(emphasis added)

"Could be less impacted?" In other words, BeyondTrust didn't do any testing. They just read Microsoft vulnerability reports, checked for that sentence, and published the results. I would be more comfortable with their conclusions if they conducted exploitation tests against suitable targets to determine if administrator rights made a difference or not.

This doesn't necessarily mean BeyondTrust is wrong. Removing administrator rights does help reduce exposures, but testing is required against modern exploitation methods to determine just how effective that countermeasure is.
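To make the methodology concrete, here is an added example (not BeyondTrust's or Microsoft's code) that applies the report's stated criterion to a handful of constructed bulletin excerpts: a vulnerability counts as "mitigated" if, and only if, the quoted sentence appears in its Mitigating Factors text. The bulletin ids, products and factor text below are made up for illustration. Running it shows that the classification is a string match on the bulletin's wording, so a bulletin that describes a different mitigation (or phrases the same one differently) simply falls into the "not mitigated" bucket, and nothing in the process exercises the vulnerability against a system with or without administrator rights.

```python
import re
from dataclasses import dataclass

# The sentence the report keys on, quoted from the methodology above.
# Comparison is done on normalized whitespace and case so that line
# wrapping in a bulletin does not defeat the match.
MITIGATING_SENTENCE = (
    "Users whose accounts are configured to have fewer user rights on the "
    "system could be less impacted than users who operate with "
    "administrative user rights."
)


def _normalize(text: str) -> str:
    """Collapse whitespace and lowercase so layout differences are ignored."""
    return re.sub(r"\s+", " ", text).strip().lower()


@dataclass
class Bulletin:
    bulletin_id: str        # constructed placeholder, not a real bulletin number
    product: str
    severity: str
    mitigating_factors: str  # the bulletin's Mitigating Factors section text


def mitigated_by_removing_admin(b: Bulletin) -> bool:
    """The report's criterion: the exact sentence is present in Mitigating Factors."""
    return _normalize(MITIGATING_SENTENCE) in _normalize(b.mitigating_factors)


def summarize(bulletins, product=None, severity=None):
    """Return (matching, total, percent) for the bulletins matching the filters.

    This reproduces the shape of the report's headline figures: a count of
    bulletins carrying the sentence divided by the bulletins in the subset.
    """
    subset = [
        b for b in bulletins
        if (product is None or b.product == product)
        and (severity is None or b.severity == severity)
    ]
    total = len(subset)
    matching = sum(1 for b in subset if mitigated_by_removing_admin(b))
    pct = round(100.0 * matching / total) if total else 0
    return matching, total, pct


# Constructed sample bulletins (ids and text invented for this example).
SAMPLE_BULLETINS = [
    # Sentence present, wrapped across lines as it might be in a scraped bulletin.
    Bulletin("MSXX-001", "Windows 7", "Critical",
             "Users whose accounts are configured to have fewer user rights on the\n"
             "system could be less impacted than users who operate with\n"
             "administrative user rights."),
    # A different mitigating factor: does not match the criterion.
    Bulletin("MSXX-002", "Windows 7", "Critical",
             "An attacker must have valid logon credentials and be able to log on locally."),
    # Sentence present alongside other text: still matches.
    Bulletin("MSXX-003", "Office", "Important",
             "Users whose accounts are configured to have fewer user rights on the "
             "system could be less impacted than users who operate with "
             "administrative user rights. The attack vector is an e-mail attachment."),
    # A related but differently worded mitigation: counted as not mitigated.
    Bulletin("MSXX-004", "Internet Explorer", "Critical",
             "Running in Protected Mode limits the impact of this vulnerability."),
]


if __name__ == "__main__":
    for label, kw in [
        ("Critical Windows 7", dict(product="Windows 7", severity="Critical")),
        ("Office", dict(product="Office")),
        ("All bulletins", {}),
    ]:
        m, t, p = summarize(SAMPLE_BULLETINS, **kw)
        print(f"{label}: {m}/{t} bulletins carry the sentence ({p}%)")
```

The percentages that come out are statements about how often Microsoft used a particular sentence, which is what the report measures; whether a non-administrator account actually blunts a given exploit is a separate question that only testing against suitable targets can answer.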