
Blog


    11/26/2009

    ISO 31000 Risk Management - Principles and Guidelines

    Read through it once; a few notes.

    ISO 31000 is a risk management guideline, not a standard for certification. The body of the standard is 24 pages.

    The standard mainly covers three parts: principles, framework, and process.

    The terminology section explains and distinguishes risk, event, consequence, likelihood, risk management, managing risk, policy, risk appetite, etc. It is written very clearly and takes up a fair amount of space, 7 pages in total. I recommend reading it several times.

    The principles section emphasizes: risk management should create and protect value for the organization; risk management is part of the organization's management system; risk management is part of decision making; risk management must take human and cultural factors into account.

    The framework section follows much the same approach as an ISMS (design, implement, monitor, improve) and highlights several points: understanding the organization's context, accountability, integration into organizational processes, resources, and communication and reporting.

    The process section emphasizes establishing the external and internal context and defining risk criteria.

    Overall, the standard is easy to understand. What distinguishes it from other risk assessment standards is its greater emphasis on integration with the organization's management system and consideration of the organization's context. As a structured thinking framework, much of it is worth learning from and referencing.
    11/6/2009

    Write the script well, then deliver it well

    Developing and teaching a course is not easy; the hardest part is choosing what to teach and how to teach it. So you must spend a lot of time thinking it through and designing it carefully. Developing a course is like screenwriting; teaching it is like performing.

    Developing a course takes a fairly long time, but in practice much of it is done under pressure and is not ready until the last moment; I will not analyze the time-management problem here. Course development follows the principle of "faithfulness, expressiveness, elegance" (信、达、雅). Every figure, image and quotation in the handout should have a source: this makes it rigorous, convinces the audience, and points to further reading. The text should flow; use a phrase where a phrase will do rather than a long sentence, and apart from explicit quotations avoid large blocks of text. Typos everywhere, confusing 的/地/得, words that miss the meaning, muddled logic: none of these are acceptable. Once the first draft is done, be willing to cut; the more you cut, the more refined it gets. Elegance is mostly a matter of layout: what draws visual attention is size, color and direction. Don't be stingy with text that should be large, and text that should be small must still be legible from the back row; if during a lecture you notice the people in the back keep looking down, the first thing to ask is whether the font is too small. Colors should be harmonious without turning into a painted face. Direction can to some extent suggest a trend, such as rising or falling. Every image needs a brief explanation next to it so nobody is left baffled.

    Beyond form, the arrangement of the content needs even more careful design: clear logic, distinct boundaries, coherence from start to finish, and prominent key points. A course is meant to let students become familiar with, understand and master the knowledge points in limited time; don't make it as dull as chewing wax.

    The real work lies outside the script; teaching a course is not reading from it. Andrew Carnegie, founder of U.S. Steel, said: "I believe that to achieve outstanding success in any field, one must be an expert in it." In other words, the person teaching must be an expert in the subject (or deeply versed in it for years); otherwise the effect is greatly diminished. Such people can cite widely and explain profound things simply; they see problems deeply and explain them plainly. During teaching, spend the time and effort to explain the important knowledge points clearly, and don't be afraid of repetition: only after several repetitions can students understand more. The goal of teaching is to make things clear, not to get through the material.

    To write and deliver a script well, you need to accumulate, ponder, practice and experiment every day. When you watch Steve Jobs give a flawless performance on stage, remember that the script was cut countless times and the performance rehearsed countless times.

    11/2/2009

    US boots up new unified cybersecurity center

    Source: http://www.physorg.com/news176138448.html

    The National Cybersecurity and Communications Integration Center (NCCIC) brings together various government organizations responsible for protecting cyber networks and infrastructure and private sector partners.

    "This will be a 24/7, 365-day-a-year facility to improve our national efforts to prepare and respond to threats and incidents affecting critical information technology and communications infrastructure," Napolitano said.

    She said the NCCIC will serve as the "central repository" for the cyber protection efforts of the civilian side of the federal government and its private sector partners.

    Attending the ribbon-cutting ceremony for the NCCIC was the head of the US military's "cyber command," Lieutenant General Keith Alexander, director of the super-secret National Security Agency (NSA).

    The high-security new NCCIC facility is located in an Arlington, Virginia, office building and includes a long narrow room dominated by giant wall-mounted video screens displaying maps and threat data. Facing the screens are dozens of computer work stations with multiple screens.

    "Securing America's cyber infrastructure requires a coordinated and flexible system to detect threats and communicate protective measures to our federal, state, local, and private sector partners and the public," Napolitano said.

    "Consolidating our cyber and communications operations centers within the NCCIC will enhance our ability to effectively mitigate risks and respond to threats," she added.

    NCCIC combines two Homeland Security operational organizations: the US Computer Emergency Readiness Team (US-CERT) and the National Coordinating Center for Telecommunications (NCC).

    US-CERT is a public-private partnership aimed at protecting and defending cyber infrastructure, while the NCC is the operational arm of the National Communications System.

    NCCIC will also integrate the National Cybersecurity Center (NCSC), which coordinates operations among the six largest federal cyber centers.

    Napolitano, whose department has received the green light to hire up to 1,000 cybersecurity experts over the next three years, stressed the private sector participation in the NCCIC, noting they will have "offices in the same space."

    US-CERT currently partners with a number of private sector companies such as telecommunications firms and others in monitoring cyber threats.

    The opening of the NCCIC was the culmination of what has been dubbed "National Cybersecurity Awareness Month."

    No single agency is currently charged with ensuring government information technology security and lawmakers have called for creating a powerful national cybersecurity advisor reporting directly to the president.

    President Barack Obama has made cybersecurity a top priority and announced in May that he would name a "cyber czar" to defend against criminal, espionage and hacker attacks on US government and private computer networks.

    Obama has not yet named the "cyber czar" but the 2010 Homeland Security Act that he signed on Wednesday included 397 million dollars for cybersecurity.

    US government websites come under attack on a daily basis, according to the Department of Homeland Security, with the threats ranging from teenage hackers to criminal gangs to foreign governments.

    (c) 2009 AFP


    Domestically, the situation is a bit more complicated.
    10/27/2009

    Huawei: tearing down the walls of the world telecom industry

    Source: http://tech.163.com/09/1027/08/5MK9H9LO000915BE.html

    Some excerpts.

    Scrapping Huawei's practice of ordering employee numbers by years of service and seniority, and letting himself "vanish" among Huawei's army of 100,000, is the most symbolic proof that Ren Zhengfei has delivered on the goal he set in 1998: that over the next ten years Huawei would "play down the entrepreneur's personal stamp and strengthen professional corporate management".

    Ren Zhengfei led a team to visit the major American multinationals, calling on IT giants such as HP, IBM and Lucent, and finally settled on IBM. In the spirit of "cutting the feet to fit the shoes", and at the cost of more than a billion yuan in tuition over some ten years, Huawei learned the American management model from IBM, remaking its blood and soul in advance of its later journey of international expansion.

    In 2008 Huawei achieved contract sales of US$23.3 billion and actual sales of US$18.329 billion, with 72% of revenue coming from overseas.

    The first stop on Huawei's real road to internationalization, the Russian market, yielded a first contract of just a few power supplies, worth a total of US$38. Shortly afterwards the Asian financial crisis struck, freezing Huawei's attempt to use the Russian market as the opening move of its internationalization.

    We don't have the deep basic research of companies like Lucent; even if our products are advanced, that is temporary. If we don't use the brief lead to grab some market quickly and increase investment to consolidate and extend our advantage, that slight edge will vanish in an instant.

    Overseas markets don't believe in opportunism

    From setting up a representative office in Russia in 1995, first attending the Russian telecom expo in 1996, and establishing the local joint venture "Beto" in 1997, through the waiting and lying low during the 1998 financial crisis and the 2001 global economic crisis while continuing to increase investment, the Russian case is merely a microcosm of the journey of every Huawei overseas site.

    For many years Ren Zhengfei has been pondering how, amid rapid expansion, to build a first-class international force that is both battle-hardened and equipped with a global outlook and professional operating experience.

    Seizing the time gap of the window of opportunity, fighting (grabbing market share) while training troops (management transformation): this became a prominent feature of Huawei's early internationalization.

    Respect talent but don't indulge it; bring clever people under discipline


    8/14/2009

    Seven common methods of cyber warfare

    Cyber warfare is "a shady business conducted by genteel people".
    Source: http://tech.qq.com/a/20090814/000130.htm

    1. Cyber espionage: breaking into the Internet or intruding into intranets to steal personal privacy or organizational or state secrets; sometimes also collecting large amounts of basic data to prepare for future operations.
    2. Attacking web pages: defacing the web pages of the other side's organizations or government agencies, or blocking access to them. This generally does little actual harm, but it is a blow to the target's reputation and prestige.
    3. Online propaganda: widely spreading true and false information favourable to one's own side via the Internet, mobile phones and other means, to manipulate public opinion and affect morale.
    4. Denial of service: several recent incidents fall into this category; distributed attacks exhaust server resources and cause large-scale outages.
    5. Destroying key points: using virus attacks, electromagnetic interference, or actual kinetic strikes to destroy key servers, switching equipment, satellites and the like in the other side's network, paralyzing the whole system.
    6. Disrupting public services: launching cyber attacks against the water, power, traffic signal, communications and other systems on which developed cities heavily rely for network management, paralyzing pipelines and networks and creating urban chaos.
    7. Hardware sleeper sabotage: through major IT vendors or agents, selling hardware carrying destructive programs as normal hardware or installing it at the enemy's hubs, then remotely triggering the attack in wartime. It is said that in the 1991 Gulf War the US used pre-swapped printer chips to throw Iraq's air defense system into disarray and rob it of its combat effectiveness.
    8/12/2009

    Security TIPS

    Source: http://www.boonbox.net/csi/cyber-security-informer-19-5-09.htm

    Cyber security tips from Sauder School Dean, Daniel F. Muzyka, from his recent column in the Globe and Mail include:

    • Make sure security awareness exists and is maintained. Realize that users are generally rational actors: Give them incentives for good behaviour. [Maintain security awareness]
    • Keep up with the technology. New hardware offers new solutions, including fingerprint readers that secure laptops. [Keep up with new technology]
    • Remember the human element. People often avoid doing this because they worry, ironically enough, that it will harm their computer. It shouldn't be this way. Organizationally, patches can be supported by understanding them, testing them, and disseminating them efficiently and quietly with help available for those with difficulties. [Don't ignore the human factor]
    • Don't collect data you don't need: You can't lose it if you don't have it. [Least privilege]

    Sauder School Associate Professor of Management Information Systems Hasan Cavusoglu offers the following advice for companies looking to improve their security:

    • Cyber security awareness must be presented in creative ways to get attention. Don't just give rules, because rules get broken. They have to understand that what they do also affects themselves. For instance, employees should be made aware that their promotions and bonuses will depend in part on how they're handling information security. Money is very tangible and a very effective way to change behavior. [Make them aware of how what they do affects themselves]
    • Make employees aware with literature about cyber crime and the legal consequences. Employees will know that if they are caught violating cyber security, they will get into trouble. Organizations should use these "carrot and stick" tactics at the same time. [Make them aware of what is legal and what is criminal]

    8/3/2009

    2009-7 Application Security Vulnerabilities [Selection]

    New! To get the latest app security alerts promptly, follow @2sec on Twitter.

    Application security vulnerabilities [selection]
    -------------------
    2009-7

    Several vulnerabilities this month deserve attention: Acrobat, BIND, Office Web Components.

    Google SketchUp Pro 7.0 (.skp file) Remote Stack Overflow PoC    31-07-2009
    VLC Media Player 0.8.6f smb:-- URI Handling Remote BOF Exploit (univ)    31-07-2009
    EPSON Status Monitor 3 Local Privilege Escalation Vulnerability    30-07-2009
    IBM AIX 5.3 libc MALLOCDEBUG File Overwrite Vulnerability    30-07-2009
    Microsoft Windows XP (win32k.sys) Local Privilege Escalation Exploit    30-07-2009
    ISC BIND 9 Remote Dynamic Update Message Denial of Service PoC    30-07-2009
    Adobe Acrobat 9.1.2 NOS Local Privilege Escalation Exploit (py)    27-07-2009
    Cisco WLC 4402 Basic Auth Remote Denial of Service (meta)    27-07-2009
    ISC DHCP dhclient < 3.1.2p1 Remote Buffer Overflow PoC    27-07-2009
    MS Internet Explorer 7-8 findText Unicode Parsing Crash Exploit    24-07-2009
    Wordpress 2.8.1 (url) Remote Cross Site Scripting Exploit    24-07-2009
    Mozilla Firefox 3.5 (Font tags) Remote Buffer Overflow Exploit (osx)    24-07-2009
    Adobe Flash (Embedded in PDF) LIVE VIRUS-MALWARE Exploit    23-07-2009
    MS Office Web Components Spreadsheet ActiveX (OWC10-11) Exploit    21-07-2009
    Adobe Acrobat 9.1.2 NOS Local Privilege Escalation Exploit    21-07-2009
    KMplayer <= 2.9.4.1433 (.srt File) Local Buffer Overflow PoC    20-07-2009
    Mozilla Firefox 3.5 (Font tags) Remote Heap Spray Exploit (pl)    20-07-2009
    FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit    20-07-2009
    Adobe related service (getPlus_HelperSvc.exe) Local Privilege Escalation    20-07-2009
    Linux 2.6.30+-SELinux-RHEL5 Test Kernel Local Root Exploit 0day    17-07-2009
    Mozilla Firefox 3.5 (Font tags) Remote Heap Spray Exploit    17-07-2009
    Microsoft Office Web Components (Spreadsheet) ActiveX BOF PoC    16-07-2009
    Mozilla Firefox 3.5 unicode Remote Buffer Overflow PoC    15-07-2009
    Multiple Web Browsers Denial of Service Exploit (1 bug to rule them all)    15-07-2009
    Mozilla Firefox 3.5 (Font tags) Remote Buffer Overflow Exploit    13-07-2009
    Mozilla Firefox 3.5 (JavaScript handling) Remote Buffer Overflow Exploit    13-07-2009
    FreeBSD 6-8 (ata device) Local Denial of Service Exploit    13-07-2009
    Mozilla Firefox 3.5 Remote Buffer Overflow Exploit (untested crash)    13-07-2009
    MS Internet Explorer 7 Video ActiveX Remote Buffer Overflow Exploit    10-07-2009
    WordPress Privileges Unchecked in admin.php and Multiple Information    10-07-2009
    HTC - Windows Mobile OBEX FTP Service Directory Traversal Vuln    10-07-2009
    eEye Retina WiFi Security Scanner 1.0 (.rws Parsing) Buffer Overflow PoC    10-07-2009
    FreeBSD 7.0-7.1 vfs.usermount Local Privilege Escalation Exploit    09-07-2009
    Windows Live Messenger Plus! FileServer 1.0 Directory Traversal Vuln    09-07-2009
    Sun One WebServer 6.1 JSP Source Viewing Vulnerability    09-07-2009
    Microsoft Internet Explorer (AddFavorite) Remote Crash PoC    09-07-2009
    Linux Kernel <= 2.6.28.3 set_selection() UTF-8 Off By One Local Exploit    09-07-2009
    MySQL <= 5.0.45 COM_CREATE_DB Format String PoC (auth)    09-07-2009
    Oracle 10g SYS.LT.COMPRESSWORKSPACETREE SQL Injection Exploit    02-07-2009
    YourTube <= 2.0 Arbitrary Database Disclosure Exploit    02-07-2009
    Apple Safari 4.x JavaScript Reload Remote Crash Exploit    02-07-2009
    Green Dam Remote Change System Time Exploit    01-07-2009


    Source: bugsearch.net
    7/28/2009

    RSA® Conference Survey Reveals Disparity Between Security Needs and Technology Purchases

    Source: http://www.businesswire.com/portal/site/google/?ndmViewId=news_view&newsId=20090727005415&newsLang=en

    Reposting a few charts: [chart images not reproduced]

    7/24/2009

    The Twitter Attack

    Source: http://ow.ly/15ID8J

    Just to summarize the attack:

    1. HC accessed Gmail for a Twitter employee by using the password recovery feature that sends a reset link to a secondary email. In this case the secondary email was an expired Hotmail account, he simply registered it, clicked the link and reset the password. Gmail was then owned.
    2. HC then read emails to successfully guess what the original Gmail password was, and reset the password so the Twitter employee would not notice the account had changed.
    3. HC then used the same password to access the employee’s Twitter email on Google Apps for your domain, getting access to a gold mine of sensitive company information from emails and, particularly, email attachments.
    4. HC then used this information along with additional password guesses and resets to take control of other Twitter employee personal and work emails.
    5. HC then used the same username/password combinations and password reset features to access AT&T, MobileMe, Amazon and iTunes, among other services. A security hole in iTunes gave HC access to full credit card information in clear text. HC now also had control of Twitter’s domain names at GoDaddy.
    6. Even at this point, Twitter had absolutely no idea they had been compromised.

    7/13/2009

    Twitter [Security] information backup 20090402-20090713

    Twitter Wanghongyang Backup Security 20090402 0713
    7/6/2009

    Forrester: GRC platforms are a must-have for enterprises

    Source: http://www.forrester.com/rb/Research/wave%26trade%3B_enterprise_governance%2C_risk%2C_and_compliance_platforms%2C/q/id/47911/t/2

    A new Forrester report dated July 1 emphasized the importance of enterprise GRC platforms (governance, risk management, and compliance). Forrester cited the lessons of some big-name companies' failures over the past decade, argued that GRC software has a clear value proposition, and named the leaders in this emerging industry.

    The research openly raises a question: will enterprises regard GRC software as an urgent need? Fear may be an important stimulus, but GRC platforms have not yet proven themselves to be an IT necessity for enterprise success.


    What is GRC?

    The job of governance, risk management and compliance platforms is to reduce a broad and complex set of enterprise tasks from a sprawling surface down to focused points.

    Essentially, as technology solutions, they track corporate governance programs, manage known and potential enterprise risks, and comply with regulatory requirements. All of these platforms combine, to varying degrees, workflow management, data visualization, content management, and reporting of related performance indicators.


    The leaders

    Forrester reviewed 14 enterprise GRC platform vendors; Axentis, BWise, MetricStream, OpenPages and Thomson Reuters are the leaders in its eyes.

    You may be surprised that an enterprise software giant like SAP cannot match much smaller vendors. But the GRC market is on the rise, and young, agile companies can well beat the large companies that entered this field late.


    Integrated governance, risk management and compliance platforms offer a new way of handling enterprise affairs. Forrester predicted in an earlier report that GRC would achieve great things this year. So far, on the selling points of reducing risk, improving overall efficiency and facilitating strategic decisions, the GRC market leaders have won a large number of customers.


    But rather than a critical enterprise tool, a GRC platform is better described as a product offered to large companies for coping with turbulent markets. The ever-growing number of GRC vendors has undoubtedly demonstrated their value, but they still cannot prove that GRC platforms are a must-have for large companies in a period of tightened budgets. [Yeeyan translation]

    7/1/2009

    Topics of the 21st FIRST Annual Conference

    The 21st FIRST annual conference was held in Kyoto, Japan. For speakers and titles see http://conference.first.org/program/listspeakers.aspx
    Nearly all of the talks are tied to incident response.

    Keywords: large-scale network security and anomalies, malicious webpage detection, fighting botnets, honeynets, legislation, cyber security, cybercrime, DNS hijacking, DNS abuse, log auditing, incident response teams (IRT), secure design and secure systems, SCADA, intrusion analysis, early warning systems, DoS, information leakage, vulnerability discovery, Mashup & Social Media

    Early warning: early warning systems, honeynets
    Protection: secure design and secure systems, vulnerability discovery
    Detection: large-scale network security and anomalies, malicious webpage detection, DNS hijacking, DNS abuse, log auditing, intrusion analysis, information leakage, DoS
    Response: fighting botnets, incident response teams (IRT)
    Other: cyber security, cybercrime, legislation, SCADA, Mashup & Social Media


    [CNCERT/CC]
    A CASE STUDY OF WIDE-SCALE NETWORK ANOMALIES RESPONSE
    Chinese Hacker Community and Culture, Underground Malware Industry
    Network Security Assistance to the Beijing Olympic Games

    [TWCERT/CC]
    Malicious Webpage Detection

    [JPCERT/CC]
    Anti-bot Countermeasures in Japan

    [CERT-EE & CERT-GE]
    Analysis of the DDoS Attacks on Georgia & Estonia

    [GOVERT.NL]
    NM SIG: Monitoring & Analyzing Client-side Attacks

    [CyberSecurity Malaysia]
    Handling Incidents from Honeynet Data

    [National Police Agency of Japan]
    The incident response and the law enforcement

    [National Information Security Center, Cabinet Office Japan]
    Information Security Management and Economic Crisis

    [West Japan Railway Company (JR West)]
    The Great Hanshin-Awaji Earthquake

    [Federal Office for Information Security (BSI, Germany)]
    Internet Analysis System (IAS) - Module of the German IT Early Warning System

    [INTERPOL]
    INTERPOL Initiatives to Enhance Cyber Security

    [Team Cymru]
    Show Me The Evil - A Graphical Look at Online Crime

    [Anti-Phishing Working Group]
    The State of Phishing/Fraud and Efforts To Deliver Forensic Tools & Resources for ECrime Fighters

    [ICANN]
    Establishing Collaborative Response to Abuse of the Domain Name System

    [BT]
    Reconceptualizing Security
    Security and the Future Generation
    Deriving information from raw data: making business decisions with logs

    [NTT]
    CSIRT Modeling Architecture

    [Deutsche Telekom AG]
    Windows Memory Forensics with Volatility

    [KPN-CERT]
    When worlds collide: Understanding telco fraud in a VoIP world

    [SAIC]
    Mashup Security & Incident Response Considerations
    Architecting Systems of Systems for Response
    Content: The Next Generation of Incident Response

    [Microsoft]
    Comprehensive Response: A Bird's Eye View of Microsoft Critical Security Update MS08-067

    [IBM]
    SCADA Security - Who Is Really In Control of Our Control Systems?
    Creating an End-to-End Identity Management Architecture
    Extrapolated Thinking for Sarbanes-Oxley: Factoring Incident Response

    [Siemens AG]
    0x221b - Finding Traces of System Compromise

    [McAfee]
    In the cloud Security
    Threat response - doing the right thing first time!

    [Cisco]
    Missing Clues: How to Prevent Critical Gaps in Your Security Monitoring
    Emerging Threats and Attack Trends

    [Arbor Networks]
    Attacks Against the Cloud: Combating Denial-of-Service
    Update on Carrier Infrastructure Security Attacks

    [Atos Origin]
    Olympics Information Security: Real Time Risk Management

    [La Caixa]
    Anti-Phishing Working Group and the Internet Policy Committee
    "The Threat of Banking Trojans: Detection, Forensics, and Response." (Insights from a Bank CSIRT)

    [VeriSign]
    On-Line Fraud Prevention and Detection -- Multiple Layers of Security

    [iDefense-VeriSign]
    Explaining the Regional and National Character of Cyber Security Environments
    Attacker Illusions: Finding the Real "Who" and "Why"
    Proactively blacklisting Fast-Flux domains and IP addresses  

    [Open Systems AG]
    Closing the Gap between Policy Creation and Enforcement

    [Davidoff & Lake Missoula Group]
    Proprietary Data Leaks: Response and Recovery

    [PRESECURE Consulting GmbH]
    Information Security Exchange Formats and Standards

    [DFN-CERT Services GmbH]
    Contradictions in current european security policy

    [The Network Security Blog]
    Using Social Media in Incident Response

    [PanMedia]
    Recapturing the Wheel – Media Perspectives on Crisis and Recovery

    [ESR/RNP]
    New Developments on Brazilian Phishing Malware

    [Amirkabir University of Technology]
    How to handle Domain Hijacking Incidents
    Effective Software Vulnerability Discovery within a Time Constraint

    [National University of Singapore]
    To be or not to be -- An Incident Recovery case study

    [Spinlock Technologies]
    Information security one character at a time

    [National Institute of Standards and Technology]
    Measuring the Root Cause of Incidents

    [SecureLogix]
    Incident Response for Voice Services

    [Information Technology-promotion Agency (IPA)]
    Proposal of MyJVN for Security Information Exchange infrastructure

    [KRvW Associates, LLC]
    The essential role of the CSIRT in secure software development


    6/30/2009

    2009-6 Application Security Vulnerabilities [Selection]

    New! To get the latest app security alerts promptly, follow @2sec on Twitter.

    Application security vulnerabilities [selection]
    -------------------
    2009-6

    Several vulnerabilities this month deserve attention: HTTP server DoS, phpMyAdmin, Green Dam, Apple. Many Joomla components have vulnerabilities, so much so that a Joomla Vuln Scanner has appeared targeting them.

    Joomla com_bookflip (book_id) Remote SQL Injection Vulnerability    29-06-2009
    Cpanel (lastvisit.html domain) Arbitrary File Disclosure Vuln (auth)    29-06-2009
    Joomla Component com_php (id) Blind SQL Injection Vulnerability    29-06-2009
    Joomla Component com_K2 <= 1.0.1b (category) SQL Injection Vuln    29-06-2009
    WordPress Plugin DM Albums 1.9.2 Remote File Inclusion Vuln    29-06-2009
    DM FileManager 3.9.4 Remote File Inclusion Vulnerability    29-06-2009
    Joomla Component com_pinboard (task) SQL Injection Exploit    25-06-2009
    Joomla Component com_pinboard Remote File Upload Vulnerability    24-06-2009
    Joomla Component com_amocourse (catid) SQL Injection Vuln    24-06-2009
    Zen Cart 1.3.8 Remote Code Execution Exploit    23-06-2009
    Zen Cart 1.3.8 Remote SQL Execution Exploit    23-06-2009
    Joomla Component com_tickets <= 2.1 (id) SQL Injection Vuln    22-06-2009
    Elgg (XSS-CSRF-Change Password) Multiple Remote Vulnerabilities    22-06-2009
    Multiple HTTP Server Low Bandwidth Denial of Service #2    22-06-2009
    pmaPWN! - phpMyAdmin Code Injection RCE Scanner & Exploit    22-06-2009
    Green Dam 3.17 URL Processing Buffer Overflow Exploit (meta)    16-06-2009
    McAfee 3.6.0.608 naPolicyManager.dll ActiveX Arbitrary Data Write Vuln    16-06-2009
    XOOPS <= 2.3.3 Remote File Disclosure Vulnerability (.htaccess)    16-06-2009
    Apple QuickTime CRGN Atom Buffer Overflow PoC    15-06-2009
    WordPress Plugin Photoracer 1.0 (id) SQL Injection Vulnerability    15-06-2009
    Netgear DG632 Router Authentication Bypass Vulnerability    15-06-2009
    Netgear DG632 Router Remote Denial of Service Vulnerability    15-06-2009
    vBulletin Radio and TV Player Add-On HTML Injection Vulnerability    15-06-2009
    Joomla Component com_jumi (fileid) Blind SQL Injection Exploit    15-06-2009
    Apple QuickTime CRGN Atom Remote Overflow PoC    15-06-2009
    Joomla Component com_ijoomla_rss Blind SQL Injection Exploit    15-06-2009
    Apple Safari & Quicktime Denial of Service Vulnerability    15-06-2009
    Joomla Component com_Projectfork 2.0.10 Local File Inclusion Vuln    15-06-2009
    Apple QuickTime CRGN Atom Local Crash Exploit    15-06-2009
    Green Dam 3.17 (URL) Remote Buffer Overflow Exploit (xp-sp2)    12-06-2009
    Apple iTunes 8.1.1.10 (itms-itcp) Remote Buffer Overflow Exploit (win)    12-06-2009
    WordPress Plugin FireStats <= 1.6.1(fs_javascript) RFI Vulnerability    12-06-2009
    ModSecurity <= 2.5.9 (Core Rules <= 2.5-1.6.1) Filter Bypass Vuln    11-06-2009
    Joomla Component com_realestatemanager 1.0 RFI Vulnerability    09-06-2009
    Joomla Component com_vehiclemanager 1.0 RFI Vulnerability    09-06-2009
    phpMyAdmin (-scripts-setup.php) PHP Code Injection Exploit    09-06-2009
    Joomla Component Akobook 2.3 (gbid) SQL Injection Vulnerability    09-06-2009
    Joomla Component com_media_library 1.5.3 RFI Vulnerability    09-06-2009
    Joomla Component BookLibrary 1.5.2.4 Remote File Inclusion Vuln    09-06-2009
    Joomla Component BookLibrary 1.5.2.4 Remote File Inclusion Vulnerability    09-06-2009
    Apple Safari <= 3.2.x (XXE attack) Local File Theft Vulnerability    09-06-2009
    Joomla Component com_portafolio (cid) SQL injection Vulnerability    08-06-2009
    SAP GUI 6.4 ActiveX (Accept) Remote Buffer Overflow PoC    08-06-2009
    Joomla Component MooFAQ (com_moofaq) LFI Vulnerability    08-06-2009
    httpdx <= 0.8 FTP Server Delete-Get-Create Directories-Files Exploit    08-06-2009
    Apple MACOS X xnu <= 1228.9.59 Local Kernel Root Exploit    08-06-2009
    Joomla Component com_school 1.4 (classid) SQL Injection Vulnerability    08-06-2009
    OpenSSL < 0.9.8i DTLS ChangeCipherSpec Remote DoS Exploit    04-06-2009
    Joomla Component Seminar 1.28 (id) Blind SQL Injection Exploit    03-06-2009
    Apple QuickTime Image Description Atom Sign Extension PoC    03-06-2009
    Apple iTunes 8.1.1 (ITMS) Multiple Protocol Handler BOF Exploit (meta)    03-06-2009
    Joomla Omilen Photo Gallery 0.5b Local File Inclusion Vulnerability    03-06-2009
    Joomla Component com_mosres Multiple SQL Injection Vulnerabilities    03-06-2009
    Joomla Component Joomlaequipment 2.0.4 (com_juser) SQL Injection    01-06-2009
    Apache mod_dav - svn Remote Denial of Service Exploit    01-06-2009
    Linksys WAG54G2 Web Management Console Arbitrary Command Exec    01-06-2009


    Source: bugsearch.net
    6/23/2009

    Gartner: Worldwide security software revenue up 18.6% in 2008

    Source: http://www.net-security.org/secworld.php?id=7660

    Worldwide security software market revenue totalled $13.5 billion in 2008, an increase of 18.6 per cent from 2007 revenue of $11.3 billion, according to Gartner. Analysts said there was an increasing demand for appliance-based products, particularly within certain segments such as, e-mail security and secure web gateway markets.
    Gartner reports that the worldwide security software market reached US$13.5 billion in 2008, up 18.6% from US$11.3 billion in 2007. Growth came mainly from e-mail security products and secure web gateways.

    “In 2008, the security market did not show any noticeable impact from the economic downturn,” said Ruggero Contu, principal research analyst at Gartner.
    In 2008 the economic crisis had no serious impact on the security market.

    Globally, data security and privacy, along with the need to protect IT infrastructure from the ever increasing sophisticated and targeted attacks, are among the key drivers fuelling the growth of IT security software spending.

    Symantec continued to be the market leader, as it accounted for 22 per cent of worldwide security software in 2008. However, the company’s market share was down from 2007 when it accounted for 24.4 per cent of the market. McAfee experienced the strongest growth rate among the top five vendors, as its revenue increased 20.5 per cent in 2008.
    Symantec held 22%, down from 24.4% in 2007. McAfee: 20.5%.

    The segments in the appliance-based products that recorded the fastest growth in 2008 were, security information and event management (SIEM), e-mail security boundary, and secure web gateway appliance with 50 per cent, 37.7 per cent and 29.9 per cent increases respectively.

    Web access management (WAM) and endpoint protection platform (EPP) were the slowest performing segments.
    WAM and EPP grew slowly.

    Eastern Europe was the fastest region with 35 per cent growth in 2008. It was followed by Middle East and Africa, Latin America and Asia/Pacific regions which saw growth increasing of around 30 per cent.
    Eastern Europe (fastest, 35% growth); Middle East, Africa, Latin America, Asia (about 30%)

    New product delivery methods, such as software as a service (SaaS) and host-based offerings, and expected increasing interest from the small and midsize business (SMB) sector will sustain growth in the market in 2009.
    SaaS and offerings for small and midsize businesses will grow in 2009.

    In 2009, Gartner predicts that the security software market will show signs of slowdown but will continue to grow at around 9 per cent.
    For 2009, Gartner expects the security software market to slow but still maintain growth of about 9%.
    6/19/2009

    Golden Ca$h Network

    Finjan has released its Q2 2009 Cybercrime Intelligence Report.

    One item is the price of compromised machines (bots).

    Australian bots: US$100 per 1,000, resold for US$500. Far East bots, including China, Japan, Korea and others: US$5 per 1,000. US bots: roughly US$50 per 1,000.

    The other is the operating model of the Golden Ca$h network platform: [diagram not reproduced]

    Much like the slave markets of ancient Rome.


    Full text:
    Finjan Cybercrime Intelligence Report
    6/17/2009

    Repost: live online interview with RSA President Arthur W. Coviello

    Source: http://liukeli.blog.sohu.com/118591855.html

    1. No one can stay ahead of the hackers
    2. In the US only one in 700 hackers is caught
    3. I am always afraid of my competitors
    4. The RSA security conference will definitely be held in China, but the date is undecided
    5. Giving the RSA name to a worldwide information security conference will not dilute our brand
    6. Microsoft products have become hackers' ultimate target
    7. What users need is to have all security products embedded in the system
    8. Each security vendor's products are point solutions that hackers easily exploit, so we need to cooperate and divide the work with competitors
    9. Companies of different sizes invest differently in R&D and marketing at different stages
    10. Our cooperation with the US government is only in the area of information
    11. We have entered the wireless network security market
    12. Our "gold medal mechanism" products can be downloaded to mobile phones
    13. RSA does not rule out acquiring private Chinese security companies
    14. We have shut down 150,000 phishing sites and protected 220 million online identities
    6/12/2009

    Ponemon Institute: Trends in Insider Compliance with Data Security Policies: Employees Evade and Ignore Security Policies

    The privacy and information management research firm Ponemon Institute has released the report "Trends in Insider Compliance with Data Security Policies: Employees Evade and Ignore Security Policies". The survey (17,021 sampled, 967 responses, 5.7% response rate) was sponsored by IronKey.

    Some conclusions:
    • Most respondents admit that serious non-compliant behaviour puts the company at risk; such behaviour includes insecure use of USB devices, using web email, sharing passwords, turning off computer security settings, etc.
    • 69% of respondents admit having copied confidential or sensitive company information to USB devices, while only 13% say their company's security policy allows it
    • 61% of respondents admit having copied confidential or sensitive company information to USB devices and then transferred it to other computers not on the company network
    • Nearly half of respondents say they download software for personal use from the Internet onto company computers, which can introduce viruses, worms and other malware into the company network
    • 58% of respondents say their company does not provide adequate training on compliance with data security policies, so the policies are ineffective
    • Nearly half of respondents say their company's data security policies are too hard to understand, and many employees and managers ignore them
    • Compared with the 2007 report, non-compliance has gotten worse

    Six survey scenarios | Result (admit having done it) | Compliance with company policy
    Copied confidential information to a USB device | 69% (51% in 2007) | 87% believe company policy prohibits this
    Accessed web email on an office computer | 52% (45% in 2007) | 74% believe company policy does not explicitly prohibit this
    Lost a mobile data device | 43% (39% in 2007) | 73% say they did not report it promptly
    Downloaded personal software on an office computer | 53% (45% in 2007) | 38% say company policy prohibits this
    Turned off security settings or the firewall | 21% (17% in 2007) | 71% believe company policy does not explicitly prohibit this
    Shared passwords with colleagues | 47% (46% in 2007) | 71% believe company policy prohibits this


    As mobile devices are used more and more, this kind of non-compliance deserves even more attention.

    Compliance With Data Security Policies

    6/9/2009

    Gartner: worldwide IT services revenue grew 8.2% in 2008

    Source: http://www.gartner.com/it/page.jsp?id=1011512

    Gartner says worldwide IT services revenue was $806 billion in 2008, up 8.2% from 2007 ($745 billion).

    Worldwide IT Services Vendors by Revenue (Millions of U.S. Dollars)

    Company | 2008 Revenue | 2008 Market Share (%) | 2007 Revenue | 2007 Market Share (%) | Growth (%)
    IBM | 58,891 | 7.3 | 54,145 | 7.3 | 8.8
    HP | 38,584 | 4.8 | 37,866 | 5.1 | 1.9
    Accenture | 23,732 | 2.9 | 20,616 | 2.8 | 15.1
    Fujitsu | 20,432 | 2.5 | 18,646 | 2.5 | 9.6
    CSC | 17,112 | 2.1 | 16,059 | 2.2 | 6.6
    Others | 647,172 | 80.4 | 597,302 | 80.1 | 8.3
    Total Market | 805,923 | 100.0 | 744,634 | 100.0 | 8.2

    Source: Gartner (June 2009)

    IBM keeps its position as market leader, with 7.3% of the total market.

    After acquiring EDS, HP moved up to second place, but because of integration difficulties it grew only 1.9% in 2008, below the market average.

    5/31/2009

    FISMA and the Cyberspace Policy Review

    FISMA (the Federal Information Security Management Act) defines the approach for protecting government information systems: it requires all government agencies to assess security risks, implement the baseline security controls specified by NIST, and undergo evaluation, with the House Oversight and Government Reform Committee issuing a scorecard graded from A to F.

    This looks good, but in practice the results are poor.

    FISMA does well on risk assessment / control selection / audit processes, but it leans toward compliance and does not evaluate effectiveness enough.

        * Encourages completing the audit rather than making systems more secure
        * Asks the wrong question: "Is it accredited?" rather than "Is it secure?"
        * "Accredited systems" is a term that leaves people baffled.
        * Focuses on inputs (controls) rather than outputs (KPIs, attacks)
        * Spends large sums on auditors and process
        * Does little on sharing attack and intrusion data
        * Cooperates too little with other departments responsible for security

    The Cyberspace Policy Review proposes 10 measures. The points it emphasizes:

        * Acknowledges that there are too many obstacles to inter-agency collaboration
        * Focuses more on intrusions and incident response, not merely on checklists
        * More investment in new security technologies
        * Guaranteeing civil liberties

    It can be seen that FISMA focuses on process, while the Cyberspace Policy Review focuses on outcomes.

    For the private sector, there should be more sharing of security data and more communication, along with improved incident response and penetration testing capabilities.

    The domestic situation may change somewhat.


    Note: parts of this draw on Forrester.

    2009-5 Application Security Vulnerabilities [Selection]

    New! To get the latest app security alerts promptly, follow @2sec on Twitter.

    Application security vulnerabilities [selection]
    -------------------
    2009-5

    This month has many serious vulnerabilities, such as those in Adobe Reader, the Linux kernel and IIS 6.0; there are also plenty in Joomla and Winamp; and the most intense, of course, are BaoFeng's.

    Joomla Component JVideo 0.3.x SQL Injection Vulnerability    29-05-2009
    ecshop 2.6.2 Multiple Remote Command Execution Vulnerabilities    29-05-2009
    Mozilla Firefox 3.0.10 (KEYGEN) Remote Denial of Service Exploit    29-05-2009
    Adobe Acrobat <= 9.1.1 Stack Overflow Crash PoC (osx-win)    29-05-2009
    Joomla Component AgoraGroup 0.3.5.3 Blind SQL Injection Vulnerability    27-05-2009
    Joomla Component Com_Agora 3.0.0 RC1 Remote File Upload Vulnerability    26-05-2009
    Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (pl)    26-05-2009
    PHP <= 5.2.9 Local Safemod Bypass Exploit (win32)    26-05-2009
    Joomla Component com_rsgallery2 1.14.x-2.x Remote Backdoor Vuln    26-05-2009
    Safari RSS feed:-- Buffer Overflow via libxml2 Exploit PoC    26-05-2009
    Wordpress Plugin Lytebox (wp-lytebox) Local File Inclusion Vulnerability    26-05-2009
    Mozilla Firefox (unclamped loop) Denial of Service Exploit    26-05-2009
    vBulletin vbBux-vbPlaza <= 2.x (vbplaza.php) Blind SQL Injection Vuln    26-05-2009
    Lighttpd 1.4.23 Source Code Disclosure Vulnerability (FreeBSD bug)    26-05-2009
    Winamp 5.551 MAKI Parsing Integer Overflow Exploit    26-05-2009
    Joomla Boy Scout Advancement 0.3 (id) SQL Injection Exploit    26-05-2009
    Winamp <= 5.55 (MAKI script) Universal Integer Overflow Exploit    22-05-2009
    Winamp <= 5.55 (MAKI script) Universal Seh Overwrite Exploit    22-05-2009
    Winamp 5.551 MAKI Parsing Integer Overflow PoC    22-05-2009
    Winamp 5.551 MAKI Parsing Integer Overflow Vulnerability    22-05-2009
    Winamp <= 5.55 (MAKI script) Universal Seh Overwrite PoC    22-05-2009
    Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (php)    22-05-2009
    BaoFeng (config.dll) ActiveX Remote Code Execution Exploit    21-05-2009
    Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (patch)    21-05-2009
    Mac OS X Java applet Remote Deserialization Remote PoC (updated)    20-05-2009
    Mac OS X Java applet Remote Deserialization Remote PoC    20-05-2009
    Joomla Casino 0.3.1 Multiple SQL Injection Exploits    20-05-2009
    Joomla com_gsticketsystem (catid) Blind SQL Injection Exploit    19-05-2009
    KingSoft Web Shield <= 1.1.0.62 XSS-Code Execution Vulnerability    19-05-2009
    OpenSSL <= 0.9.8k, 1.0.0-beta2 DTLS Remote Memory Exhaustion DoS    18-05-2009
    PHP Dir Submit (Auth Bypass) SQL Injection Vulnerability    18-05-2009
    Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Vulnerability    15-05-2009
    D-Link Products Captcha Bypass Vulnerability    15-05-2009
    Joomla Component ArtForms 2.1 b7 Remote File Inclusion Vulnerabilities    15-05-2009
    Linux Kernel 2.6.29 ptrace_attach() Local Root Race Condition Exploit    14-05-2009
    ipsec-tools racoon frag-isakmp Denial of Service PoC    13-05-2009
    Java SE Runtime Environment - JRE 6 Update 13 Multiple Vulnerabilities    13-05-2009
    Linux Kernel 2.6.x ptrace_attach Local Privilege Escalation Exploit    13-05-2009
    PHP mb_ereg(i)_replace() Evaluate Replacement String Vulnerability    07-05-2009
    Joomla Almond Classifieds 5.6.2 Blind SQL Injection Vuln    05-05-2009
    Adobe Acrobat Reader 8.1.2 - 9.0 getIcon() Memory Corruption Exploit    04-05-2009
    Solaris 10 - OpenSolaris (dtrace) Local Kernel Denial of Service PoC    04-05-2009
    Solaris 10 - OpenSolaris (fasttrap) Local Kernel Denial of Service PoC    04-05-2009


    Source: bugsearch.net