Posted by: f5dotcom | November 6, 2009

IPv6 and the End of the World

There have always been conspiracy theories around security events, or around anything that happens in secrecy. There are those who don’t buy the ‘reported’ reason a security event (like a breach) occurred, those who claim to have inside information, or just those who see a story and draw their own conclusions. The following is my take (Satire Alert) on Transmission Control Protocol/Internet Protocol v6 and the end of the world as we know it. That can affect our security, right?!?

Recently there have been more than the usual number of articles about IPv6 and the need to deploy it soon since the v4 blocks are almost gone. Yes we’ve been hearing this for years (RFC2460 was defined in December 1998) but now the hype may be over as indicated in this article. There are many security enhancements in v6 nicely covered here but that’s not where I’m going.

In my first blog post on DevCentral, aptly titled First Post, I introduced psilva’s prophecies. I’ve been in the Internet industry since ’94 and while not a ‘know it all’ I have seen my share of changes and have seen a bunch of ‘ideas’ over time come true. For instance, I had always thought that the Internet would eventually become our entertainment delivery method and some 14 years later, that’s the case. That’s not that wild as I’m sure many of you figured it was only a matter of time once we started to see streaming video and broadband to the home. In that First Post, I offered my prediction of how our nomenclature might change over the next 50-100 years. That now, we no longer give our full name/address for contacting/correspondence as we’ve done in the past – we just give email. The idea was that over time, our current first/last naming convention might dissolve to where we are known as users@domains or a single string of characters. Twitter is enforcing that with their @namingconventions.

IPv6, at 128 bits (v4 is 32-bit), gives us the ability to assign an IP address to just about anything – heck, all the portable mobile devices we carry each need one, and consumer appliances like TVs, refrigerators, thermostats, DVRs, garage door openers, coffee machines and just about any electronic item could potentially have an IP address. Schedule your toaster via a Web GUI to perfectly brown your bagel when you get home. You can already control your lights and alarm systems over the internet. In addition, each one of us, worldwide, would be able to have our own personal IP address that would follow us anywhere. Hold on, I’m getting a call through my earring but first must authenticate with the chip in my earlobe. That same chip, after checking my print and pulse, would open the garage, unlock the doors, disable the home alarm, turn on the heat and start the microwave for a nice hot meal as soon as I enter. I could chip my child (like the dog) to be able to GPS their behind if they are not at the movies as indicated. Not so farfetched. That doesn’t sound so sinister, psilva, how can that be the beginning of the end?

OK, now the fun begins. While not a Nostradamus follower, although the History/Discovery Channels have covered him often, he does have something to say about numbers. You might remember he got a lot of press and was the subject of spam after 9/11 due to a quatrain which his followers say indicates that he predicted that disaster. Conspiracy? He was very much into numbers and also indicated that when we are all identified as numbers, that will be a sign of the impending doom. We do have a numbering system in the states called a Social Security Number, which is our Gov’t identity and very much linked to our own security. With IPv6, now the entire world can be identified by number and thus fulfills psilva’s prophecy #2. The timing is right also. 2012 is getting a lot of play as the end of time. Both the Mayans and Nostradamus feel that 2012 is the end of days and Hollywood has taken notice. Now this does slightly negate my 1st prophecy since I’m giving our name change around 50 years, but 2012 does sound about right for a full IPv6 transformation so it does fit nicely with the doomsayers – if you’re into conspiracies.

ps

Posted by: f5dotcom | October 28, 2009

Social Media – Friend or Foe

Social Networks are now part of our society for better or worse. They have allowed us to both connect with current friends and find pals from the past; they offer businesses another outlet for marketing and sales; they allow us to collaborate, discuss and converse on any topic imaginable. And due to their popularity, they also give thieves and other criminal types an inroad to deliver malware, steal identities, spam, stalk, and do many other nasty things to expose personal and corporate information. Since so many people are on a single platform, where trust is somewhat inherent, it’s much easier to get someone to click a link than it is to technically hack their system. There has been so much written about this topic, and in the spirit of sharing, I thought I’d offer just a few interesting stats, stories and suggestions from the various pundits on the topic:

Tweet Breach: 140 Characters of Sheer Destruction: This article tells the tale of a seemingly innocent tweet that turned into a nightmare.  He also defines the term – tweet•breach.

NFL restricts Twitter use: This is just one instance of how professional sports is dealing with social media and the instantaneous updates.  We’ve already seen a few players get into some trouble over their tweeting.

Statistics Show Social Media Is Bigger Than You Think: This is a fascinating list of statistics pertaining to Social Media including this gem – Years to Reach 50 million Users: Radio (38 Years), TV (13 Years), Internet (4 Years), iPod (3 Years)…Facebook added 100 million users in less than 9 months…iPhone applications hit 1 billion in 9 months. Many of the comments are just as engaging.

Top 8 Social Media Security Threats: A listing and description of many of the most recent Social Media focused attacks.

Social Networks Increase Risks to Online Privacy: His own personal account of falling for a scam.

Are social networking sites good for our society?: Very detailed article with plenty of stats and stories including the ever popular Franklin T-Chart with Pros/Cons of Social Networking.

Identity theft is too easy and can even be automated says IT security expert: From RSA Europe, this article describes a co-worker’s challenge to steal her identity and the steps the ‘friendly-perpetrator’ took to do just that.

Breach 2.0: some best practices for protecting company info and employee data.

Developing Social Media Policies for Business: Another with stories, stats and considerations when developing a Social Media policy.

And with that, I’ll let you get back to mingling on Twitter, Facebook, MySpace, YouTube, Digg, Technorati, and all the others.  Incidentally, you can follow F5 Networks tweets at http://twitter.com/f5networks (@f5networks) and mine is @psilvas.

ps

Posted by: f5dotcom | October 21, 2009

Will you Comply or just Check the Box?

Some of both, apparently. A recent Ponemon Institute PCI-DSS Compliance survey revealed that 71% of companies actually admitted that data security is not a top priority and 55% say they are only protecting credit card data and not other sensitive information like bank account info, social security numbers and driver’s license data. Additional statistics show that a minuscule 28% of smaller companies (501-1000 employees) are PCI-DSS compliant and around 70% of large companies (>75,000 employees) say they meet the Regulations. The one that jumps out for me is the small merchant stat. I understand that cost is a large factor for smaller companies to be PCI compliant, but just imagine how many companies and industries fall into the 501-1000 employee category. And that doesn’t count all the even smaller ‘Family Owned’ restaurants, auto repair shops or any other service where you say, ‘I like them because they are local or family owned.’ Unfortunately, those friendly establishments might not be a BFF with your sensitive data. I’m not saying to avoid your favorite Chinese take-out, but also be aware that the numbers are against you.

There are a couple of interesting PCI developments coming over the next year. As I mentioned in Regulation Roundup back in February, the PCI deadline for unattended, Point-of-Sale PIN entry devices is July 10, 2010. These are those standalone ‘Pay for your parking’ machines, gas station terminals, ticket kiosks, vending machines and any other terminal where a PIN might be entered. First, July 1, 2009, was the deadline for Triple-DES to be mandated for all debit transaction processing. And next July, all fuel pumps (and like terminals) will need to have an encrypted PIN entry pad, be able to encrypt the PIN itself and process using TDES. I imagine there will be another mad dash next spring for merchants to get in compliance.

The other PCI piece is that come summer 2010, PCI will be making some regulatory changes to update the PCI standards, including 3rd party audits (Level II), tokens, end-to-end encryption and potentially Virtualization Security. Some of these changes should help in protecting our data.

And if you think skirting regulations might be a money saver, take a look at this article where the FTC has recently fined ChoicePoint for not adhering to the agreement made in 2006 for the huge 2005 data breach.  They just got whacked with another $275,000 for removing a database security monitoring tool.

As I finish up the 18th entry of 26 Short Topics I’ve noticed Regulatory Compliance, especially PCI, comes up frequently. Maybe it’s the constant surveys, startling numbers, never ending breaches and media reports or maybe, it’s that PCI-DSS, while not perfect, affects almost all of us and it’s like we’re in it together. You might not know, get along with or like your neighbor but if you shop at the same store and they are breached, suddenly you’re both in the same boat – ‘Hey, that happened to me too!’ It’s one of those things that we all should care about.

ps

UPDATE – Added 10.22.09:  ChoicePoint would like to clarify the characterization of the FTC situation and I’m happy to include this for accuracy:

“Your piece titled “Will you Comply or Just Check the Box” touches on recent ChoicePoint/FTC news and the company would like to request a clarification.

1.      In regards to your report that a “fine” was levied by the FTC
a.      While the Commission has authority to seek a civil penalty, http://ftc.gov/ogc/brfovrvw.shtm it expressly did not do so in this case, as the language of the Order and the amount of monetary relief indicate. The Supplemental Stipulated Order itself in Part I provides for “monetary relief…to be used for equitable relief, including, but not limited to consumer redress and any attendant expenses….” The FTC incorrectly characterized the monetary payment as a “penalty” in its initial press release and has since revised its press release to correct this point. The payment was made pursuant to the court’s equitable authority to address compliance with its orders. The payment is not punitive in nature and neither the Order nor the FTC press release (as modified) characterizes the payment as a fine or a penalty.

Thank you so much for your time and attention. We would very much appreciate your correction of the record.

- Not a problem, thanks for the update and appreciate the clarification.  ps

Posted by: f5dotcom | October 15, 2009

Don’t say a Word

………………………………………………….….oh, you’re waiting for me? This will probably be a short post since there are not that many security terms that begin with the 17th letter of our alphabet. However, keeping Quiet is a common theme in security. As mentioned numerous times, locking passwords, logins, and other sensitive information in your mouth vault keeps them from leaking to others. Social Engineering has always been about compromising that vault. Recently there was a post by Roger Thompson, AVG’s Chief Research Officer, which actually suggested to Write Down your passwords, especially complex, hard to remember passwords. While this practice has been frowned upon for many years – as in the ever popular post-its stuck to laptops – there is some sense in creating (and writing down) difficult passwords that are extremely hard to guess. Just put that paper in a safe location. Our own Alan Murphy offered some advice about passwords just a few months ago.
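The kind of password the post is arguing for is one an attacker cannot guess, which comes down to length and alphabet size, not cleverness. The following is an added example (not code from the original post or from F5) that generates such a password from the OS random source and puts a number on how much harder it is to guess than a short memorable one. The attacker guess rate (10 billion guesses per second) is an assumed figure for illustration only.

```python
"""Generate a hard-to-guess password and quantify its strength (added example).

Standard library only. Entropy here means the entropy of a password drawn
uniformly at random from the alphabet: length * log2(alphabet size).
"""
import math
import secrets
import string

LOWER = string.ascii_lowercase                                     # 26 symbols
FULL = string.ascii_letters + string.digits + string.punctuation   # 94 symbols
SECONDS_PER_YEAR = 31_557_600

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)

def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every password with this much entropy."""
    return 2.0 ** bits / guesses_per_second

def generate_password(length: int = 16, alphabet: str = FULL) -> str:
    """Uniformly random password built with the OS CSPRNG (secrets module).

    When the full alphabet is used, reject and redraw until at least one
    lower-case, upper-case, digit and punctuation character is present, so the
    result also passes the usual composition rules. Rejection sampling keeps
    the draw uniform over the accepted passwords.
    """
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if alphabet != FULL or all(any(c in cls for c in pw) for cls in classes):
            return pw

def compare(guesses_per_second: float = 1e10) -> dict:
    """Contrast a memorable 6-letter password with a 16-character random one.

    The guess rate is an assumed attacker capability, not a measured figure.
    """
    weak = entropy_bits(6, len(LOWER))
    strong = entropy_bits(16, len(FULL))
    return {
        "weak_bits": round(weak, 1),
        "weak_years": seconds_to_exhaust(weak, guesses_per_second) / SECONDS_PER_YEAR,
        "strong_bits": round(strong, 1),
        "strong_years": seconds_to_exhaust(strong, guesses_per_second) / SECONDS_PER_YEAR,
    }

if __name__ == "__main__":
    print("candidate password:", generate_password())
    for name, value in compare().items():
        print(f"{name}: {value:.3g}")
```

The 6-letter lowercase password carries about 28 bits and is exhausted in well under a second at the assumed rate; the 16-character one carries about 105 bits, which is why writing it on paper kept in a safe place is a better trade than picking something you can remember.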

Keeping Quiet is also what most companies do when they discover a breach, at least initially. A survey from the 2008 RSA conference showed that 89% of security incidents go unreported. More often it’s the insider breaches that stay under the covers. Some of that could be due to just being undetected but many companies don’t want the public exposure of a breach. Laws have changed some of that and huge breaches, like the Heartland incident, must be reported so people can protect themselves. Even the Heartland incident wasn’t detected for a couple of months, and when it was, it didn’t get reported for yet another month. Granted, sometimes law enforcement does ask victims not to say anything so evidence can be gathered and so as not to tip off the crooks. In any event, keeping quiet about a breach happens more often than you think and it’s often due to the fear of a damaged reputation. Of course there is an opposing view to the damage factor by Larry Walsh where he talks about the multitude of brands who have suffered major breaches and how consumers have either forgotten or forgiven.

While silence can be golden and rests are written into music for effect, when it comes to Data Breaches not saying a word can put your business in jeopardy and in the cross-hairs of the law.

ps

Posted by: f5dotcom | October 8, 2009

This time, it’s Personal

Nearly 80% of companies reported an increase in the number of employees wanting to bring their own devices into the workplace in the last 6-12 months according to ‘The Device Dilemma,’ a report by Vanson Bourne and Good Technology. In addition, two thirds of IT Managers have been under more pressure to increase compatibility with people’s personal handsets in the workplace with 82% saying the most requested device is the iPhone.

Personal devices pose a difficult challenge to IT departments and it’s not just iPhones/personal cell phones; mp3/music players, portable video/game consoles, personal laptops and just about anything with an internet connection or USB hookup can pose a risk.  The age of social networks, streaming video, tele-work lifestyle and the basic computing power of mobile devices have made them constant companions in our daily lives since they do more than just make calls.  We have grown personally attached to these mini-computers (even customizing them) and don’t want to carry around 3 different mobile devices.  Employees now want to use their own devices for work related tasks.

Source: The Device Dilemma

It can be a Catch-22; IT might save a little money by not having to procure new corporate hardware but could spend significant time dealing with all the variants and security risks unauthorized personal devices pose. With all the different models, manufacturers, operating systems and capacities, configuring and securing each device is not an easy task. Even if IT is able to apply a policy to individual devices, there still is no real guarantee that each device will support/enforce it. Management and control of those is a huge concern. The report also noted, ‘IT Managers don’t want to prevent people from using their own devices, almost half (44%) said they would let people choose if they were assured of security and configuration. Even then, 74% of IT Directors think that employees will still use their own devices even if IT doesn’t support it and more than 25% have experienced a security breach due to an employee using an unauthorized device.’

Work Styles have changed also.  Employees are now more dispersed: Different time/different location, Same time/different location, Same time/same location or working alone.  While this model has enabled employees to work from anywhere, the need for collaboration has become critical especially with a global enterprise.  What can you do?  Don’t panic, as indicated in this article by Kim Boatman (hope I Linkedin the correct journalist) called Personal Tech Checklist for the Workplace.  She has a checklist of steps IT can take when dealing with personal tech issues:

Establish or re-evaluate usage policies. Many businesses wrote Internet usage policies a decade or so ago and haven’t revisited them.

Evaluate how you expect employees to use – or not use – social networking. After all, there can be a business benefit to your employees’ presence on Facebook or Twitter.

Inventory employees and equipment. Keep track of the level of access granted to each employee.

Understand the security implications of your policy. For instance, says Storms, allowing employees to install proprietary information on their personal devices is a high-risk proposition, while permitting access to social networking sites at work is less risky.

Educate users. It’s not enough simply to establish plain-language guidelines. If you want employee buy-in, explain why certain actions are limited and what the consequences could be.

Involve IT. It makes good sense to vet policies and practices through the people that keep your systems going.

Give yourself wiggle room. Create that clear usage policy, explain it, and publicize it. But give yourself leeway.

ps

Posted by: f5dotcom | October 6, 2009

F5’s BIG-IP system with Oracle Access Manager

Honestly, this was not timed and I actually had a different topic to discuss for #15 of 26 Short Topics, but this cool news came out today. F5 and Oracle have announced plans to unify access management for web applications. The press release can be found here. The solution will combine F5’s BIG-IP system with Oracle Access Manager to enhance single sign-on (SSO) capabilities and simplify access control.

The Authentication Alternatives Today

Code in the Application

  • Costly, difficult to change 
  • Not repeatable
  • Decentralized
  • Less secure

Agents on servers

  • Difficult to administer
  • Interoperability
  • Decentralized
  • Less Secure

Specialized Access Proxies

  • Don’t scale as well
  • Often inferior reliability
  • More boxes for network operations

A Better Alternative: BIG-IP and OAM

  • The solution is to replace the OAM Proxy with BIG-IP.
  • Gain superior scalability and high availability
  • Benefit from F5’s Unified Application Delivery Services

Benefits of Oracle OAM & F5 BIG-IP Integration

  • Reduces TCO, dramatically lowers deployment risk and streamlines operations
  • Integration with OAM Single Sign-On (SSO) for superior end-user experience and enhanced user productivity
  • Unified point of enforcement to simplify auditing and control changes in configuring application access settings

Unifying application delivery and web access management. 

Availability in 1H2010 – More to come soon!

ps

Posted by: f5dotcom | October 1, 2009

Can my PAN ride the LAN out the WAN?

In 2005, a Preventsys (now McAfee) and Qualys survey found that 52% of companies rely on a ‘Moat & Castle’ approach to Network Security but also admitted, at the time, that once the perimeter is penetrated, they are at risk. I haven’t been able to find a more recent statistic but I’m still betting that once a network is breached, it’s at risk. Networks are evolving, expanding and exploding with more data than ever before, which means they also need to be smarter about who and what they allow on. They have become Application Delivery Networks and soon, truly Identity Aware. At the same time, many Enterprise networks are making interconnections with other Corporate networks, enabling Federation or trust between the two to create an extended network.

The good news/bad news about this is that according to Verizon Business’ 2009 Data Breach Investigations Report (pdf), 32% of the data breaches implicated a business partner. The good news is that breaches linked to business partners fell for the first time in years (-7%), but it was still 3rd on the list (behind External Sources and Multiple Parties). They conclude that the decline wasn’t due to any additional security focus in that particular area (in fact, the majority was due to lax security practices at the connection level from the third party) but to a change in what criminals were going after. In 2008, the Food/Beverage industry had a high percentage (70%) of breaches attributed to partners and in 2009, the bad guys decided to go after higher payouts – like financial institutions. Only (with a grain of salt) 1,509,000 records were compromised by partners compared to 266,788,000 by external sources based on the report. Usually it was the third-party systems that were compromised and the attacker used the trusted connection to make inroads to the target. Since it’s coming from a ‘trusted’ authorized connection, these are difficult to detect and stop.

Exchanging information is critical to this extended ecosystem and some level of trust is inherent.  But you can’t necessarily expect that your security policies will be consistently enforced on a separate network.  It’s important to look at these deployments, consider your visibility/accountability for those partner connections and create policies that enable, benefit and secure both ends.

ps

Source : The 2009 Data Breach Investigations Report by Verizon Business

Posted by: f5dotcom | September 25, 2009

Our H1N1 Preparedness Plan

On a couple of occasions, I have offered advice on how to deal with disasters and just yesterday I wrote about Mitigating risks. Today, I’m deviating slightly from 26 Short – make this #13.5 – to share some of F5’s Emergency Preparedness plans for the possible resurgence of H1N1. While we often try to give interesting tips, ideas and suggestions to help you, and since many of you might be going thru the same exercise, I thought I’d share how we are preparing ourselves. Per usual, this is not to flame the fears already in the media but to offer calming assurance that there is no reason to panic.

F5’s main objectives for Emergency Preparedness for Employees are to provide a safe and healthy working environment and to ensure business continuity. All of us received an email outlining our policies along with a link to an internal portal page dedicated to Emergency Preparedness. It contains several governmental and informational resources pertaining to H1N1 along with Emergency Hotline Phone Numbers and a short video from HR so we all can clearly understand this particular flu strain and what to do if we contract it. Each region around the world has a page specific to their needs. We have also put together a cross functional pandemic planning team that has identified critical business activities, resources and responsibilities to support a pandemic mission along with taking precautions within our own facilities – like simply providing hand sanitizers among other supplies.

Following tips offered by the Centers for Disease Control, if any of us do get symptoms, one of the primary actions we can take as employees is stay home since the virus appears to be easily transmitted from person to person.  This is to protect all employees.  The great thing is that there are also Work from Home instructions on how to connect remotely using our own FirePass SSL VPN.  We’re already prepared for any increase in needed capacity and have policies in place to check any connecting device, even un-trusted home computers, to ensure internal security compliance.

It’s a comfort to me knowing that my employer is ready for H1N1 and any other emergency that suddenly appears and hopefully a comfort to you knowing that F5 is prepared to still support you even if you experience a crisis.

ps

Additional note added after posting:
One thing I forgot to mention about Work at Home strategies – Do keep in mind that with the additional workforce potentially using home broadband for work, there might be some capacity constraints on carriers in certain areas of the country.  There might also be some Acceleration solutions, like a WAN Optimization or Web Acceleration that can help with bandwidth reduction.

Posted by: f5dotcom | September 24, 2009

Reduce your Risk

As I started this journey 13 topics ago, I mentioned that ‘security’ is really about managing risks and threats. Most security experts would agree that the only way to be 100% secure is to unplug your units, and it’s somewhat foolish to think that you are completely safe across the board. In #2 of 26 Short, I mentioned a stat that 60 percent of companies had experienced a data breach in the last year. However, only a minority of six percent could say with certainty that they had not experienced any such breaches in the past two years. If you are not in that 6%, you almost need to expect that some sort of malicious activity is always targeting your systems. In some ways, this helps you prepare and understand your risks. With that information, you’re then much better able to Mitigate those risks. Mitigation essentially has to do with having a plan of action pertaining to specific risks. Often it also gives those involved specific duties (or actions to take) depending on the severity of the event. According to the Project Management Institute, there are four basic approaches to risk mitigation:

  1. Avoidance: eliminate the conditions that allow the risk to be present
  2. Acceptance: acknowledge the risk’s existence but don’t do anything except for a contingency plan if the event happens
  3. Mitigation: minimize the probability or impact of the risk
  4. Deflection: transfer the risk somewhere else

Let’s start with end users. Many think that security is also about keeping the bad guys out. While that’s true, it’s more about securely letting the good guys in, to the specific stuff they need, depending on the contextual conditions. A user tries to VPN to your corporate systems but during a host check, your controller notices that the device’s AV software hasn’t been updated in two months. Are you going to deny access to this authorized user or help them mitigate the situation by instructing them to update their files, or better yet, re-direct them to a landing page so they can get updated automatically? The helpdesk avoids a support call, plus you educate the user on the AV policy for corporate access. Also, in regards to end users, if there are signals that a potential disaster is coming – say a storm is bearing down on locations where your remote workers live – maybe try reaching them via Systems Management before they call with no access. You might be able to route around the situation.
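The decision the paragraph describes (authorized user, stale anti-virus, redirect rather than refuse) is a graded policy with three outcomes rather than a yes/no check. The following is an added example that sketches that policy in plain Python; it is not F5 FirePass or BIG-IP code, and the thresholds, the remediation URL (vpn.example.com) and the sample posture records are assumptions made for illustration.

```python
"""Context-aware VPN host check: allow, remediate or deny (added example).

A stand-in for the posture policy an SSL VPN controller applies after the
user authenticates. Thresholds and URL below are assumed, not product
defaults.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional

AV_STALE_AFTER = timedelta(days=14)      # assumed: older than this, redirect to update
AV_UNUSABLE_AFTER = timedelta(days=180)  # assumed: older than this, treat as no AV
REMEDIATION_URL = "https://vpn.example.com/remediate"  # hypothetical landing page

class Decision(Enum):
    ALLOW = "allow"            # full access
    REMEDIATE = "remediate"    # redirect to landing page, nothing else reachable
    DENY = "deny"              # close the session

@dataclass
class Posture:
    username: str
    authenticated: bool             # credentials already verified upstream
    av_installed: bool
    av_last_update: Optional[date]  # None when never updated / not reported
    firewall_enabled: bool

@dataclass
class Outcome:
    decision: Decision
    reasons: List[str]
    redirect: Optional[str]  # set only when decision is REMEDIATE

def evaluate(p: Posture, today: date) -> Outcome:
    """Apply the policy in order of severity: hard denials first, then the
    fixable problems that earn a redirect, then allow."""
    if not p.authenticated:
        return Outcome(Decision.DENY, ["authentication failed"], None)
    if not p.av_installed or p.av_last_update is None:
        # Nothing to update; an authorized user still gets no access from this host.
        return Outcome(Decision.DENY, ["no usable anti-virus on the device"], None)

    age = today - p.av_last_update
    if age > AV_UNUSABLE_AFTER:
        return Outcome(Decision.DENY,
                       [f"anti-virus signatures {age.days} days old "
                        f"(limit {AV_UNUSABLE_AFTER.days})"], None)

    fixable: List[str] = []
    if age > AV_STALE_AFTER:
        fixable.append(f"anti-virus signatures {age.days} days old")
    if not p.firewall_enabled:
        fixable.append("host firewall disabled")
    if fixable:
        # The user is authorized, the problems are fixable: send them to the
        # landing page instead of generating a helpdesk call.
        return Outcome(Decision.REMEDIATE, fixable, REMEDIATION_URL)
    return Outcome(Decision.ALLOW, [], None)

if __name__ == "__main__":
    # Constructed sample postures, dated to the post's publication week.
    today = date(2009, 9, 24)
    samples = [
        Posture("alice", True, True, date(2009, 7, 24), True),  # two-month-old AV
        Posture("bob", True, True, date(2009, 9, 23), True),    # healthy host
        Posture("carol", True, False, None, True),              # no AV at all
        Posture("eve", False, True, date(2009, 9, 23), True),   # bad credentials
    ]
    for s in samples:
        o = evaluate(s, today)
        print(f"{s.username:6} -> {o.decision.value:9} {o.reasons} {o.redirect or ''}")
```

The ordering matters: an unauthenticated session or a host with no anti-virus at all is refused outright, while the authorized user with stale signatures (the post's two-month case) lands on the remediation page with the specific reasons attached, which is what lets the landing page fix the problem instead of the helpdesk.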

As far as your infrastructure, Mitigation of risks is a daily task. Firewalls for networks, strong passwords for logons, WAFs for public facing sites (especially ecommerce), access cards for facilities, backups, storage, disaster recovery and the list goes on. There has been a lot of focus on mitigating DoS attacks recently, due to many popular sites, including Government web applications, having issues….and some having none. Just last week, The SANS Institute published their Top Cyber Security Risks and as Gideon J. Lenkey points out in this article, at the top they state, ‘Two risks dwarf all others, but organizations fail to mitigate them.’ They were talking about unpatched client software and vulnerable public-facing web sites. It’s interesting that while OS patching has gotten better (maybe due to worms & auto update settings), client updates of software applications (like Flash, Java, etc) fall behind. And it’s those applications that get you in the most trouble!

As a side note, some of the runners-up for #13 were Mobile, Malware, Monitoring and Man-in-the-Middle attacks. Since articles appear daily about those topics, I thought Mitigation might be a good one since it can help in all those areas.

ps

Posted by: f5dotcom | September 18, 2009

Brought to you by the Letter L and the Number 7

Since I strayed a bit on #11 out of 26 Short Stories, I figured that this entry would be mostly a link-fest – about Layer 7. A picture is worth a thousand words don’t cha know. SANS just released a report that says ‘60% of All Attacks hit Web Applications,’ and other research indicates that 70% of all attacks target Layer 7. Today, I thought I would just share a list of common Layer 7 attacks to show the many ways applications can be breached, grouped by the protocol they target. List courtesy of Vikram Phatak.

HTTP

FTP

Microsoft Networking

SSH

SMTP

DNS

SNMP

MS SQL

ps
