Security Basics mailing list archives
RE: Vulnerability Data
From: "Mikhail A. Utin" <mutin () commonwealthcare org>
Date: Mon, 14 Feb 2011 09:33:15 -0500
This is a very interesting discussion. The main problem (and once I've published an article briefly describing such a problem) I see is a classification of attacks and exposures. Even the same virus could cause different damage depending on internal organization's environment. Thus we need to collect not only info about a fact, attack variant, but about security/insecurity environment. So far, AFAIC there is no such public database. Private, which are sold together with so named "Risk Management" software is a black cat in a dark room.

Regards
Mikhail A. Utin, CISSP
Information Security Analyst
Commonwealth Care Alliance
30 Winter St.
Boston, MA
TEL: (617) 426-0600 x.288
FAX: (617) 249-2114
http://www.commonwealthcare.org
mutin () commonwealthcare org

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of lonervamp () gmail com
Sent: Friday, February 11, 2011 2:52 PM
To: security-basics () securityfocus com
Subject: Re: Vulnerability Data

Great question!

There is Zone-H.org (http://www.zone-h.org) which usually focuses on web defacements. Likewise the Vulnerable Sites Database (http://www.vs-db.info).

There is the datalossdb.org (http://datalossdb.org) which tends to focus on # of records lost and by whom, via public records, but does also track the general breach types. I'm sure this gets interesting once an attack uses more than 1 weakness and it sometimes doesn't satisfy the questions that security persons have about specific incidents.

There is the sanitized annual Verizon DBIR paper (http://securityblog.verizonbusiness.com/2010/07/28/2010-dbir-released/) which contains stats on distilled incident details.

But I'm not sure there is something specifically that will document, on an ongoing basis, various attacks mapped to discussions on how those attacks were performed/successful.
Maybe not always in painful, recreation-type details, but enough to make it clear where the biggest problems lie (SQLi, lack of laptop disk encryption, social eng, weak passwords, LOIC/DDoS...) and that will include such hits as Gawker, HBGary Federal, Mozilla and Apple/AT&T last year... Some attacks are interesting while others border on the inane (guessed security questions).