The pain of patch management

November 8, 2006

There are always more and more vulnerabilities and patches in our IT life. It has become one part of our job. Isn’t it? What’s the biggest pain in your mind?

If you said “why patch management? just go ‘windows update'”, then you must be a individual computer user, not an administrator. 😉

The hardest is to balance the risk of hacking due to not to patch and system unstability or even crash due to new patch. According to common practice, security manager should have a process in place to test patches, with the help from system and application managers. The balance point is decided together. [My comment in Chinese]. See the below report by Roger… Read the rest of this entry »


This is a samle.

October 29, 2006

This morning I found this interesting offer by Google. It’s more convenient and powerful than the old Writely. Moreover, it provide me a way to write my blog at I can communicate with my friends worldwide. It’s great !

China telecom operators and Sarbanes Oxley Act Compliance

August 10, 2006

In recent 2 years in China, the main rhythm in telecom industry is the compliance journey of Sarbanes Oxley Act (SOX). The four major telecom operators – China Mobile, China Telecom, China Netcom, China Unicom, all have public-list at USA stock market. In a similar time schedule, each of them has spent a lot of man power and money on SOX compliance, to organize, to plan, to build up internal control oriented processes, to buy consulting services and tools, to collect operation records.

  • Plan and Organize

Typically, inside an operator, a 404 team, headed by a vice general manager level executives, was assigned to lead the compliance activities. Specialists in each of the main IT departments, e.g. Management Information System Department, Billing Department, Network Department, were assigned to be responsible for the implementation and follow-ups. A series of education has been conducted to improve the awareness of compliance.
All provincial operators are required by their HQ to complete the self-assessment and corresponding remediation in the first half year of 2006, so that they can collect enough records for external auditors to testify the effectiveness of internal control measures. Three of the BIG FOUR accounting firms are external auditors of the four operators – KPMG for China Mobile and China Telecom, Deloitte for China Netcom, and PWC for China Unicom.

  • Acquire and Implement

In order to improve the effectiveness and efficiency of compliance controls, a series of nationwide security and governance projects are being undertaken, covering IAM (Identity and Access Management), auditing, ITSM (Information Technology Service Management) optimization and etc. Large amount of KPI (Key Performance Indicator) are setup and monitored to reflect the compliance status. Complete auditing systems are under continuous construction and improvement, while periodic and formal auditing processes for the compliance controls are designed and implemented.
We are glad to say that the enterprise governance structure and effectiveness has got unprecedented upgrade inside the four major telecom operators. There is no denying that SOX compliance journey is too expensive for mainland enterprises. The high cost of SOX has had many of enterprises to re-think their IPO plan to Nasdaq.

This page was also published at Diggdigg it

In 2006, China has issued 15 national security standards

August 9, 2006

In China, network and information security have been getting rising attention in these years, not only from the government and those large enterprises, but also from whole society. More and more relevant standards are issued, and internal control manuals are made and executed in FSI (Financing, Securities and Insurance) and telecom enterprises as well to strengthen their compliance management.

Since the beginning of 2006, 15 standards have been published in security domain by the technical committee TC260 (, which is responsible for the information security related standards under the government standardization organization (, the counterpart of NIST, USA. Some of them cover the detailed management and technical requirements for classify security protection, while some of them are updates of the previous GB/T18336, which is the localized version of ISO15408 (CC). Additionally, ISO17799:2000 has been adopted as GB/T19716-2005 in 2005.

For the original publish page, check:

Click here to see my chinese comment.

Delicious Digg

WP’s first step to profit

August 4, 2006

The largest free blog hosting service provider – rolled out a new service – CSS customization, to give the bloggers a way to customize the stylesheet, according to their own flavor. This service is not free, instead you have to pay 15 credits for it. You can buy a credit point for 1$ through PayPal. For more…
This is the first service not free by It’s a common sense to regard it as the signal of first step to profit. Considering its huge subscriber base (287 thousands for now), WP is expected to be the superstar at the venture capital market.

What Hamachi brings?

July 28, 2006

Bill recommended one “new” application to me. That’s Hamachi. It gave me a very complicated feeling.

It’s a wonderful software application, which provides us a virtual LAN over Internet. It’s a typical overlay network application, which makes use of P2P technology and has the capability to tranverse the NAT/FW enterprise perimeter. Additionally, it brings us an interesting function – Web Proxy:

Built-in Web proxy
An option to use Hamachi as a simple web proxy. This way your Hamachi peers may configure their Web browsers to access the Internet via your computer and therefore protect their Web traffic while it is in transition between you and them.

This feature is typically used for securing Web surfing from untrusted locations including cybercafes, coffee houses, hotels, etc

Obviously, founders of Hamachi have learned the lesson from Skype. They has done a lot of effort to open their protocols and algorithm in the identity, authentication, and communications among system components. That will be a door-knocker to those enterprise IT managers, because there must be growing security and system management software to support Hamachi, as long as Hamachi’s installation get enough base. According to their website, Hamachi has over 3,000,000 users at June 17, while this number was merely 2,000,000 in April, growing 50% in two months.

It’s a wonderful remote collaboration tool, as well as a virtual networking platform, particularly in the current booming broadband world.

At the other hand, the overspreading of such kind of softwares (for others, see, has been eroding and further eliminating the enterprises’ network perimeter, leading the compomise of security policy. It requires that firewalls and networking devices should support more and more layer-7 applications, in particular P2P overlay networking traffic. Morever, Traditional IDS and UTM won’t work in face of virtual LANs.

Let’s keep an eye on them together. See my comment in chinese.

Ground-breaking audit tool for SSH and Windows Remote Desktop Protocol (RDP)

July 24, 2006

A startup company in China, BMST Co. Ltd., is bringing security managers and auditors a ground-breaking product which can audit SSH and Windows Remote Desktop Protocol (RDP) as a network bridge transparent to the upper layer applications. The product is named Session Auditor. It can record, replay, query, correlate those session data from most of popular protocols used in the daily network and system maintenance and operations, such as SSH, RemoteDesktop(RDP), Telnet, FTP, HTTP, Rlogin, VNC, and even those SQL query in Oracle, Sybase, MS SQL and etc. The most brilliant point is its unprecedented audit capability to the two most popular encrypted protocols, ie. SSH and RDP, making it unique in the competition against common sniffer products as well as forensics tools.

The founders of BMST have put their product at much larger background – the wave of compliance.

In the wake of Enron and WorldCom the role of internal auditors in corporate governance has taken on whole new meaning. Compliance is a long journey that enterprise excutives and IT managers have to take. Although there have been too much in your work breakdown structure task list, however, “Audit” is the right one that you can never overlook for seconds. Audit systems help executives assure everything runing as expected and defined.

Generally speaking, “audit system” for information systems are seperated into two kinds, one is management layer auditing, another one is technical layer auditing. The former is mapped to those auditing tools, particularly based on best practices and standards, such as ISO27001(BS7799), Cobit. But as to the technical layer auditing, there are too many tools and approaches in IT managers’ table. Typically it’s implemented by those log collection and analysis tools in the IDC’s security product category of SIEM(Security Information and Event Management). Those logs are designed to record only the event results, without the details of the activities and operations. In other words, if security managers and auditors want to do in depth investigation and forensics, those logs can’t help any more.

BMST’s Session Auditor can help. It’s an outstanding in-depth investigation and forensics tool. With its huge built-in storage (up to 2T Bytes), SA can record up to 5 months of network traffic in a wire speed fast ethernet (100Mb/s) environment without missing any packet.

This post was also published at