Comments on Jeremiah Grossman: How to rate the value of your websites (Road to Website Security part 2)

Jeremiah Grossman (2007-06-12 10:49 -07:00):
Uhmmm, you know I don't know for sure actually. Maybe someone else reading here knows if it is, and if so, what type of regulation.

Anonymous (2007-06-12 10:38 -07:00):
Randomly, aren't SSNs regulated information, as well?

Unknown (2007-06-10 16:17 -07:00):
This might be wishful thinking, but it can at least be tried. Through this valuing process, each website should get assigned to someone, or someone should be assigned to it, somewhat like a data owner who takes over some measure of responsibility and knowledge to answer questions. Eventually, websites with no owners should be deemed of no value and removed.
(Ever walk into a company that had no clue they were hosting a publicly accessible 3-year-old phpbb system full of holes?)

Anonymous (2007-06-08 16:49 -07:00):
this reminds me of a ccnp book i read about doing network documentation, here: http://safari.oreilly.com/1587200813/ch02lev1sec2b

if you have a safari library account (*), you can login to the above and see the tables, which look surprisingly a lot like the ones you suggested.

any well-run organization has this sort of information available at least in spreadsheet form. some do asset management via agents (tivoli, snmpd, etc) so that the documentation is a live view. assigning threat/value/risk levels like you did is a very interesting approach to solving some security metrics issues associated with applications.

(*)
safari library is a great resource for $39.95/month. safaribooksonline provides rough-cuts and short-cuts that you should know about if you like to stay on the cutting-edge of technology knowledge. they also release some books a little early. in fact, they just added a few interesting books such as:
"Secure Programming with Static Analysis" and "Fuzzing: Brute Force Vulnerability Discovery"

also, where did this link come from?
http://www.myipneighbors.com/
it's an interesting/easy way to get a list of virtual hosts running. i just randomly came across it when thinking about your part 1, "how to find your websites" blog entry. del.icio.us seems to think it has existed since march of 2007, netcraft doesn't know it exists (until now), and whois says that the creation date is 23-nov-2006. the owner of the site also runs an seo-related site, is on linkedin, is almost 33 years old, and apparently paid a ticket for $50 for speeding in the year 2001 (after a rudimentary 5 second search).

the digg entry is even more interesting:
http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address