Welcome to Linux Support and Sun Help
Search LinuxSupport
From: Subject: =?Windows-1252?Q?Creating_Security_Policies_=96_Lessons_Learned?= Date: Wed, 18 Jul 2001 16:26:06 +0100 MIME-Version: 1.0 Content-Type: multipart/related; boundary="----=_NextPart_000_000F_01C10FA6.58A30130"; type="text/html" X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 This is a multi-part message in MIME format. ------=_NextPart_000_000F_01C10FA6.58A30130 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Location: http://www.sans.org/infosecFAQ/policy/creating.htm Creating Security Policies – Lessons = Learned

Creating Security = Policies –=20 Lessons Learned
Mark Worthington
May 4, = 2001


One of the core principles in = Information=20 Security is adherence to the organization’s security policy. = After=20 attending SANS training or other security classes we return to = work with=20 an eagerness to move forward with hardening servers, tightening = firewalls,=20 and implementing intrusion detection systems. As our first step, = of=20 course, we identify our need to comply with the existing security = policy.=20 So we begin our search to see if we even have a security = policy,=20 and end up dusting off an old notebook we found on a shelf = somewhere. What=20 we find may not even be applicable to our current environment, is = so=20 generic that it’s woefully incomplete, or has become totally = out of date.=20 What do we do next? This paper shows the reader some steps we have = taken=20 on our continuing journey towards a full set of security policies = and=20 procedures.

Revising the Policy

What do we do if the current = security policy is=20 incomplete or out of date? In our case I spoke with my Director = and shared=20 the vision with her of how important it was to update our current=20 Electronic Use Policy. She was quite receptive, already being = familiar=20 with the critical role played by such a document. It was clear = that the=20 current Electronic Use Policy would need to be significantly = revised and=20 enhanced to cover acceptable use of resources, greater levels of = security=20 awareness, and increased user involvement.

We needed to expand the scope of = what the=20 current policy covered, and to ensure that all 2500 employees knew = what=20 was in it. To accomplish that we would have to find an effective = way to=20 educate each person, and to verify that everyone knew what was = expected of=20 them in maintaining compliance. Rewriting the policy to cover = every=20 identified vulnerability, publishing it to users, and testing for=20 compliance seemed to present quite a daunting task, when what we = really=20 wanted to do was to get started making our environment more = secure. Where=20 do we start?

As it turned out we were able to = begin working=20 both issues concurrently. Implementing several server fixes would = not=20 violate any current policy, so we were able to begin hardening = certain=20 aspects of our enterprise even as we started updating our = documentation.=20

The Approach

Since the previous security policy = didn’t=20 address as broad a scope as what we need now, we decided to = temporarily=20 set aside the older document and begin to produce a new one. = Information=20 Systems had been charged with developing the original policy years = earlier, so after speaking with the Legal Department and Human = Resources I=20 simply began to write what came to mind. This became something of = a=20 free-form brain dump of concepts and ideas learned in the SANS = Security=20 Essentials curriculum and elsewhere. After a few rounds of this = core dump=20 I went back and began to refine the sections and wording. As time = allowed=20 I added to and modified different portions of the document, but = was unable=20 to devote full attention to it while balancing urgent work on all = our=20 other active projects.

An observation here: Whereas = security policies=20 must address the three foundational concepts of ensuring = confidentiality,=20 integrity, and availability, they are also designed to create end = user=20 awareness and participation. With this in mind it is logical to = include=20 other related matters in which we need user education. As we work = through=20 the process of creating security policies we will also focus on = areas that=20 may not seem to affect the "big three" security aspects directly, = but are=20 very important for the overall health of the organization. These = will=20 include acceptable use policies for the equipment, data, email, = Internet,=20 and others as needed. As we will see in a moment these can cause=20 significant liability problems if not handled carefully, and do = fit in=20 naturally with an instructional program on password selection, use = of=20 non-approved software, and social engineering.

During the writing process I was = eventually=20 able to go back and directly consult the SANS coursework where we = find=20 eight important topics that should be included in a good security=20 policy.

  • Purpose = – the reason=20 and goals for the document=20
  • Related = Documents – citing=20 other pertinent policies and procedures. These could include = specific=20 instructions for server administrators, network auditors, or end = users.=20 The policy paper I started writing tended to mix procedures in = with the=20 policies; those should be moved to other referenced documents = before the=20 policy is complete and ready to be reviewed, signed, and=20 implemented.=20
  • Cancellation = – describing=20 which documents this supercedes=20
  • Background = – a reflection=20 on the need for security policies=20
  • Scope – = the range of issues=20 covered and to whom they apply=20
  • Policy = Statement – SANS’=20 description says, "the statements should define actions that are = prudent, expedient, or advantageous to the organization." The = policies=20 must be realistic. It doesn’t help to declare that no = personal use of=20 computers will be allowed if that is not something that will be=20 enforced. An article from ComputerWorld as quoted by CNN=20 states=20
    • "Dallas attorney B. J. Thomas, = who=20 specializes in computer law, said that, as counsel for the = city of=20 Cleveland, Texas, her rule of thumb is that e-mail is a tool = like any=20 other. ‘Any policy can be violated by the use of another = tool as=20 well,’ Thomas said. ‘In municipal law, [the idea = is]: Don't have a=20 policy unless you can enforce it, and if you enforce it, = enforce it=20 uniformly.’"

An organization would probably = be better=20 off leaving out statements prohibiting personal use of email = or=20 Internet entirely if no one is expected to live by them, = rather than=20 to undermine the user community buy-in of the entire security = policy.=20 The policy also may not be legally enforceable due to = inconsistent=20 application of it, should a serious violation of some other = section=20 occur. Again, think things through carefully and be=20 realistic.

  • Responsibility –=20 identifies which people are responsible for the various affected = areas=20 within the policy. Examples include the CIO, system = administrators, and=20 attorneys. It can also define the need to create specific = procedures for=20 implementation and enforcement of the policies, referencing the = Related=20 Documents mentioned above.
  • Action – = specifies the=20 tasks to be done, and the timeframe in which they are to = occur.=20

Some of these sections I had = included, and=20 others need to be added still. It is definitely a work in=20 progress.

For further input I consulted an = excellent book=20 by Michael R. Overly called e-policy How to Develop = Computer,=20 E-Mail, and Internet Guidelines to Protect Your Company and Its=20 Assets. Mr. Overly very concisely covers numerous important = issues.=20 One suggestion is that the policy should state that "personal" = computers=20 and the data stored on them actually belong to the company, and = that=20 employees do not have an assumed right to expect privacy in what = they=20 create on the computer or send through an email system. The policy = also=20 needs to explain that the organization will be regularly or = randomly=20 monitoring network activity, including email, and that the purpose = of=20 users having secret passwords is not for their privacy, but to = provide=20 security for the company’s data. He even emphasizes the = importance of=20 maintaining the corporate culture in a way that does not belie = what is=20 expressly stated in the policy. In other words, if staff members = or=20 management speak or act in ways that suggest their computer work = or emails=20 are private it may weaken the company’s position if someone = were to file=20 an invasion of privacy lawsuit. By explicitly stating in the = policy that=20 the organization has the right to monitor emails and other network = traffic, and not undermining that understanding through subsequent = actions, an organization should be able to avoid privacy disputes. =

In the creation of all policy = documents be sure=20 to consult your attorney, the user community, human resources = department,=20 and perhaps the local bargaining unit as advised. Also, please = understand=20 that this paper in no way should be construed as providing legal = advice or=20 covering every pertinent issue.

Proactive = Monitoring

In addition to privacy issues, = there is also=20 the matter of "harmful material" entering the workplace. Items = such as=20 pornography or jokes in poor taste can create a hostile work = environment.=20 If someone in the office becomes offended by something they see or = hear as=20 a result of someone else’s email or Internet experience they = may file a=20 harassment lawsuit against the company. Filtering programs, from = companies=20 such as Surfcontrol and Websense, are available to block = URL’s, or to=20 monitor for combinations of words and phrasings within email = traffic=20 itself that might indicate offensive jokes and stories. =

The usage of email is an entire = issue in=20 itself. There are many ways email can be used to cause a company = great=20 distress in the event of a lawsuit, or can force expensive = discovery=20 processes to reconstruct an electronic "paper trail." Well-written = policies covering email classifications and retention are becoming = extremely advisable. Attorney Jim Bruce is quoted by = Infoworld on=20 cnn.com as saying "’If a company is sued, it is routine for = the other=20 party to ask the company to produce all their records [on the = subject],=20 including e-mail,’ Bruce says. ‘E-mail is a really = juicy target because it=20 can be searched by keyword.’"

Network and email filtering and = monitoring=20 technologies can be a very significant investment in time, = hardware,=20 software, and recurring maintenance costs for URL and other = updates, but=20 it is probably worth the expense. Compared to the potential legal=20 liability for failing to ensure a harassment-free workplace it = will likely=20 be a bargain well worth the cost.

The Downside

Using hardware and software = filtering tools are=20 good techniques a company can employ to protect its workers and = itself,=20 but there is further caution. If a company has such systems in = place, but=20 fails to act promptly and fairly on violations to the acceptable = use=20 policy, the organization can be held liable for failing to perform = due=20 diligence to remedy the situation. In other words, if you = don’t respond=20 quickly enough to document and enforce appropriate discipline for = any=20 violations you may still be held liable. It becomes, then, = extremely=20 important to properly implement and execute the policies and = procedures in=20 a way that provides maximum effect. This also emphasizes the = importance of=20 an organization adequately funding such an effort, including the = on-going=20 costs for personnel and their training in support of these=20 tools.

Whew! The more I studied on the = topic of=20 policies and their legal ramifications, the more I realized I had = no=20 desire to continue writing the stinkin’ things. I really = just wanted to=20 make the operating systems and network more secure.

Another Option

Somewhat overwhelmed and = discouraged I set this=20 project aside and resumed my other daily tasks, which of course = includes=20 reviewing security bulletins. In a recent release of the SANS = Newsbites I=20 found an ad declaring "Write Your Information Security Policies in = a Day!"=20 Hoping for the best I decided to contact Pentasafe to see what = they had to=20 offer. I was very impressed.

The link referenced in the = Newsbites article=20 took me to a page introducing Pentasafe’s VigilEnt Policy = Center (VPC),=20 which then led to subsequent links describing key features and = benefits.=20 The product apparently comes with pre-built security templates = written by=20 Charles Cresson Wood, an expert in the security field, and which = are=20 accessible through a wizard application that steps you through the = policy=20 creation process. According to their statements you can have a = draft=20 security policy prepared in about a day. That sounds good to=20 me.

A quick note: This paper is not = intended to be=20 a product review, but was created to share with the reader some of = the=20 steps and thought processes our organization is going through to = update=20 our security policies. I hold no stake in Pentasafe, and have not = even=20 seen a demonstration of VPC yet. I have requested one from the = vendor and=20 am looking forward to determining if this product will help = simplify our=20 task. If VPC works as well as claimed I plan to consider = incorporating it=20 into our environment, provided funding becomes available. We have = a=20 significant budget process to work through, so this may not be = feasible=20 right away. As I share with the reader some additional features = claimed=20 for this product, it should become apparent how they might prove = helpful=20 in the enterprise.

Publishing the = Policies

In addition to creating and editing = security=20 policies there must be an effective mechanism to distribute them = to the=20 user community. As mentioned earlier, we might have in place the = best=20 policies in the world, but if our users don’t know what they = are, and how=20 that impacts the way they perform their jobs, it will do little = good=20 towards accomplishing the goal of keeping our networks and data = secure.=20 User education is imperative, as is the ability to verify that = everyone=20 understands and has agreed to abide by the policies and practices. = PentaSafe’s VPC seems to provide a good solution to educate, = test, and=20 catalog user awareness.

According to the documentation VPC = allows=20 administrators, once they have worked through the automated policy = creation process, to publish the finished documents to a = company’s=20 intranet site. Rather than just hoping users will visit, read = dozens of=20 pages, and thereby become fully supportive, VPC goes further. The = product=20 is stated to provide a quiz mechanism to test and record user=20 participation in the on-line policy training program. Users log in = at=20 their convenience, or with prompting, and are then educated and = tested on=20 their knowledge of the company’s policies. A permanent = record of their=20 participation is stored, and remains available should an incident = of=20 violation arise later. Employees are protected by always having = on-line=20 access to the company’s policies in case they have = questions, and the=20 company is protected by being able to prove that it has performed = due=20 diligence in crafting policies and educating employees. It is=20 Win-Win.


PentaSafe’s VPC is certainly = not the only=20 method available for an organization to develop and implement = security=20 policies and procedures. It is entirely possible for a company to = create=20 its own policies from scratch, or to copy and paste some = boiler-plate=20 wording that might be provided by others as a service on the = Internet.=20 However, allocating sufficient internal staff time might not be a=20 cost-effective option, especially considering the potential legal=20 liability that is at stake. The proper skill set mix of writers,=20 attorneys, human resource specialists, technology experts, etc., = may not=20 even be available within local staff. Outsourcing a portion or the = entire=20 job may be an option for some. It is, of course, ultimately up to = each=20 organization to determine their best course of action to fill this = essential need.


As I noted at the beginning of this = paper I was=20 hoping to share with the reader some lessons we have learned. = Perhaps=20 trying to write all the policies and procedures ourselves is not = the best=20 way to go, hence our current interest in exploring VPC. We are not = yet=20 finished creating our documents, so we are actually still in the = thick of=20 it with you. It would have been nice to be on the other side, = encouraging=20 your progress along a well-worn trail. I wish we had the = definitive words=20 of wisdom for others heading down this path, but perhaps some of = the=20 issues discussed will help you explore a few options and to = determine what=20 works best for you.

Appendix A

As a reference I have included the = text of our=20 current work-in-progress. Be aware that this is only a draft = document and=20 in need of revision and review. Hopefully some ideas will = stimulate your=20 own thinking.


Acceptable Use = Policy

Security Policies = and Procedures=20 for <ORGANIZATION>


The <ORGANIZATION> has set a = vision and=20 is progressing on a path into the future of enhanced constituent = support=20 and service by maintaining a secure and available network of = electronic=20 data systems. These systems are interconnected via high-speed = switches,=20 routers, and firewalls to allow appropriate access to = <ORGANIZATION>=20 information stored on multiple file servers and databases. The = goal is to=20 maintain all of these components, along with the backup devices = and=20 supported client PCs, in a manner consistent with industry best=20 practices.

Contained in this document are the = policies=20 that direct the processes and procedures by which <OUTSOURCING=20 VENDOR>, in partnership with the <ORGANIZATION>, strives = to=20 maintain a secure and available data enterprise. By employing = industry=20 best practices along with proprietary processes we are working to = provide=20 due diligence in our best efforts to maintain the confidentiality, = integrity, and availability of the <ORGANIZATION>’s = data resources.=20

This endeavor is truly a = partnership, in that=20 all parties involved have a significant stake and responsibility = to comply=20 with all agreed-upon policies and procedures to ensure the highest = possible level of security. A single weak link anywhere in the = chain, from=20 the largest server, to any individual user running an unauthorized = program, could compromise the integrity of confidential data or = create a=20 catastrophic loss. There are "hostile" applications that can = inadvertently=20 or deliberately be run on a PC and cause data destruction or = disruption of=20 service to others. Information Systems is constantly working to = harden=20 systems against such attacks, and to implement services to screen = out=20 hostile mobile code and viruses, but it is still up to each = individual=20 user to comply with all revisions of published policies and = procedures.=20 Risk assumed by one is shared by all.

The latest version of the=20 <ORGANIZATION>’s Acceptable Use Policy will always be = posted on the=20 <ORGANIZATION>’s Intranet site for quick = reference.

As all <ORGANIZATION> network = users=20 carefully follow operational and security guidelines we have a = good=20 opportunity to continue providing the best possible services to = the=20 employees, residents, and businesses of the=20 <ORGANIZATION>.


This document contains multiple = sections that=20 are in many ways inter-related. Several concepts, with Security = being=20 foremost, become threads that run through the entire document and = are=20 common to multiple areas of discipline. The overall objective, of = course,=20 is to guard the <ORGANIZATION>’s vital electronic data = resources=20 that contain confidential employee records, payroll information, = customer=20 information, and much more. All of these records are stored in = electronic=20 data systems and must be treated in a manner consistent with = current best=20 practices to ensure their confidentiality, integrity, and=20 availability.

This document strives to define = methodologies=20 to support the three essential principles for guarding electronic = data=20 systems:

  • Confidentiality=20
  • Integrity=20
  • Availability =

Briefly describing each quality we=20 have

Confidentiality – Ensuring=20 that only authorized users can access confidential or sensitive=20 information. By precisely defining groups of users, and regularly = auditing=20 the accuracy and consistency of those groups, we can limit and = control who=20 has access to which data. Through a variety of policies, = practices, and=20 systems we work to ensure that only those who are authorized will = access=20 any given data resource.

Integrity – = Ensuring that data=20 has not been tampered with, either on the network or in storage. = Our goal=20 is to ensure that data integrity is maintained at all = levels.

Availability = – Data must be=20 available to those who are authorized to use it. Denial-of-Service = attacks=20 are becoming common, and our goal is to ensure that users can = access the=20 data they need.

Target Audience

The policies and procedures = described in this=20 document cover various groups of people. Some policies cover every = user of=20 the <ORGANIZATION>’s network and its resources, and = others apply to=20 specific groups who administer or manage the network. This is not=20 discriminatory, it is simply a function of roles and = responsibilities. The=20 identified groups are listed below.

  • <ORGANIZATION> = Employees=20
  • <OUTSOURCING VENDOR> = Employees=20
  • <ORGANIZATION> Information = Systems=20 staff=20
    • Includes both <OUTSOURCING = VENDOR>=20 and <ORGANIZATION> Employees=20
    • Managers=20
    • Network Resources = Division=20
    • Server Support Division =
    • Desktop Support = Division=20
    • Data Center Operations = Division=20
    • Network Security = Division=20
  • Each and every individual person = who uses=20 any portion of the network or its resources

Ownership of Network, PC, and Data=20 Resources

All hardware and software are the = property of=20 the <ORGANIZATION>. Although there are numerous "Personal = Computers"=20 provided for use by staff members they are owned by, are to be = used for=20 conducting business for, the <ORGANIZATION>.


Any computer or networking = hardware must=20 be approved through the formal Information Systems approval = process=20 before being connected anywhere on the network.=20


No software may be loaded on = or removed=20 from any <ORGANIZATION> computer unless it has been = approved=20 through the formal Information Systems approval=20 process.

Usage of Network, PC, and Data=20 Resources

Any person using the = <ORGANIZATION>=20 computer network or any of its components must agree to and abide = by all=20 parts of the Acceptable Use Policy.

No Privacy of Data

Detail here.

Privacy Rights = Waiver

Detail here.

Computer Usage = Monitoring

Detail here.

Network and/or email = Monitoring

Detail here.

Allowable Use of Computer=20 Systems

Detail here.

Formal Information Systems Approval = Process

Defined and explained = here.


Security must be an integral thread = running=20 through every aspect of the enterprise. Just as physical security = for=20 employees has been provided with policies, guards, and metal = detectors we=20 must also provide for security of the <ORGANIZATION>’s = data using a=20 multi-layered approach.

Each PC user is entirely = responsible for his or=20 her own user ID and password. No one else should share these. = Every file=20 server and piece of networking equipment has its own mechanisms of = protection through access codes as well.

Security is everyone’s = business, and is an=20 on-going refinement process as situations change and new = vulnerabilities=20 develop. This section discusses several aspects that should be = universally=20 applied in addition to any other, more specific, policies that are = developed.

Several other sections within this = document=20 will address security again as it applies to specific=20 areas.

UserID’s and = Passwords

Individual user accounts and = passwords are used=20 to create security for the systems and data belonging to the=20 <ORGANIZATION>. As mentioned earlier, users should have no=20 expectation that anything they create, store, send, or receive on = a=20 computer or through the network is private; all data is the = property of=20 the <ORGANIZATION> and is subject to review at any time by=20 authorized personnel. The purpose of a UserID and password is to = create=20 security from unauthorized access to the = <ORGANIZATION>’s systems or=20 confidential data.

UserID Creation

The <ORGANIZATION> has a = standard method=20 for creating login names to servers, applications, databases, and = email.=20 The UserID consists of 8 characters. The first character is the = same as=20 that of the user’s first name. Appended next is that portion = of the user’s=20 last name that will fit within the 8 character field. If the last = name is=20 too long, it is truncated at syllable breaks to fit.

Since all UserIDs must be unique = throughout the=20 <ORGANIZATION> there will be instances where a "tiebreaker" = must be=20 used to keep similar names from resulting in the same 8 character = value.=20 We will insert a new character into the second position to create = unique=20 ID’s.

For example, if Mary Smith already = has MSMITH=20 and Marvin needs to be added, we will create his UserID as = MASMITH. When=20 Mellisa Smitherington is added later her UserID will become = MBSMITH, and=20 so on. By sequencing letters of the alphabet we are able to = accommodate=20 numerous such situations.

Password Length and = Complexity

Most user ID’s have been = assigned by a system=20 administrator to be used for each individual person to log into = the=20 network. In addition, there may exist other ID’s for users = to access=20 specific databases or applications. It is permissible to use the = same=20 password for each system or application a user = accesses.

In all cases each user is entirely = and=20 personally responsible to maintain the complexity and secrecy of = his or=20 her own password.

All passwords must consist = of

  • At least 8 characters=20
  • A combination of uppercase and = lowercase=20 letters=20
  • Numbers=20
  • Special symbols (~!@#, and so = on).=20

Remember, each password should have = all=20 of the above in it.

Please, it is important NOT = to=20 use

  • Your login name=20
  • Your dog or cat’s = name=20
  • Anyone’s birthday=20
  • Any single word found in any = dictionary in=20 any language

Yes, this sounds difficult, but any = of the=20 above passwords are easy to guess or crack by an attacker trying = to access=20 the system. Even if you think you don’t have access rights = to anything=20 important, you must still protect the secrecy and complexity of = your=20 password. If an attacker can get in using your account, he has a = foot in=20 the door and may be able to break further into the = network.

How then do you select a password = that you=20 don’t have to write down on a sticky note and attach to your = monitor?=20 (Please don’t ever do something like that! You might be = surprised, but=20 that is a very common way attackers get into systems.)

Remember, you must safeguard your = password at=20 all times, so if you need to write it down, put it into your = wallet or=20 purse where you keep your other valuables like a drivers license = or credit=20 card.

Do you think you could come up with = or remember=20 a password that fits those requirements? How about the one=20 here?


It looks very difficult, but if you = are told=20 that it stands for "I love 2 shop at the Mall of America!" you = won’t have=20 any trouble remembering it. This is called a pass-phrase, and it = helps to=20 create a very complex password that is quite secure. Again, write = it down=20 but only store it with your valuables and don’t leave it = lying around.=20 Also, please don’t use this example since it has been shown=20 here.

Password Secrecy

Under normal circumstances no = password is to be=20 shared between people. If an instance arises where someone must = log into a=20 system to access another’s files, the owner of the login may = share the=20 password on a short, temporary basis to complete the needed work. = At the=20 earliest possible convenience the owner must create a new = password,=20 something unknown to others. If there is a reason for one person = to access=20 another’s files for longer than a few days, you should = contact the=20 helpdesk to request a change of access rights for your account.=20

Remember, you are entirely and = solely=20 responsible for any loss, damage, or misuse of data that may occur = by=20 anyone who logs on with your UserID and password. Keep your = UserID, and=20 especially your password secret.

Persons Exempt from the Password=20 Policy

No one! Some people find password = policies=20 annoying and inconvenient, but how embarrassing or damaging to the = <ORGANIZATION> would it be if the CEO or CTO’s PC and = network=20 accounts were hacked into and damage caused due to a weak = password. Let’s=20 all work together to ensure the security of the entire=20 network.

Password Rotation

Passwords must be changed regularly = to avoid=20 the possibility of them eventually being discovered and = compromised.=20 Therefore, each user must change his or her password at least once = every=20 six months. The password may be changed more often, but you can = not reuse=20 the same password within a three-month period.

Forgotten or Temporary Password=20 Assignments

Occasionally a user may forget his = or her=20 password. When that occurs they are to call the helpdesk to = request that a=20 new, temporary password be assigned. Helpdesk will comply by = scheduling or=20 having a technician put in a new short-term password. Neither the = helpdesk=20 person nor the technician is permitted to divulge the new password = to the=20 person calling. They must both hang up; helpdesk will look up the = user’s=20 name in the <ORGANIZATION> employee phone directory. They = will then=20 call that number and leave the new password on voicemail after = hearing the=20 intended person’s recorded message. By taking this small = extra step it=20 will help to reduce the likelihood that an attacker could = successfully=20 obtain a login by impersonating a valid user.

Password Cracking

Part of maintaining a security = policy is=20 ensuring that there are no weaknesses caused by failure of some = users to=20 follow policies and procedures. There will be times when certain=20 Information Systems personnel will test, or hire others to test, = various=20 portions of our enterprise to verify overall security. One test = will use=20 common tools to ensure that passwords are maintained with = sufficient=20 length and complexity as stated in the password policy. We will=20 deliberately and purposefully run tests in a manner that will = avoid=20 cracking passwords that are crafted properly. Passwords that do = not meet=20 ALL of the requirements will most likely be discovered during this = process.

This practice ensures privacy of = data for the=20 users who are helping contribute to the overall security of the=20 <ORGANIZATION>’s resources by following security = policies. Those=20 users whose passwords do not meet the proper standards will be = notified by=20 email to correct the situation.

It is expressly against policy for = anyone to=20 run any type of password cracking tool or network penetration = testing=20 without proper authorization. Only certain specific persons who = have=20 proper documents on file with the <ORGANIZATION> = Manager’s office=20 are permitted to initiate or permit such activities. Disciplinary = measures=20 will be taken against those who violate this policy.

Network Infrastructure


Routers, switches, firewalls, as = well as=20 various Unix and NT servers, comprise vital services that make = possible=20 the <ORGANIZATION>’s extensive data network. = Management of these=20 components is delegated to different groups, but they all must = work=20 together in a secure, stable, and managed way to provide an = effective=20 network. Because some of these components exist in the more = vulnerable=20 perimeters of the network they necessarily must be hardened and = configured=20 appropriately.

Network Components

These components include

  • Routers=20
  • Switches=20
  • Firewalls=20
  • DNS Servers=20
  • Proxy Servers=20
  • Web Servers=20
  • FTP Servers

Network Component = Passwords

Network components must be = configured with=20 passwords of the same type and complexity as described elsewhere = in this=20 document. Due to the critical nature of their functions they must = be=20 subject to more stringent policies, and therefore the passwords = are=20 managed as follows.

In keeping with the maxim to = provide defense in=20 depth, each infrastructure component located in or supporting the=20 perimeter networks must have a unique password. In other words, = the=20 external Internet router, firewall, proxy servers, mail servers, = DNS=20 servers, FTP servers, and all other DMZ servers must have = passwords=20 totally different from each other and from all others anywhere in = the=20 network. The reasoning behind this is that if an attacker is able = to=20 penetrate one level of security he will have to start over at each = new=20 device, not having captured "the keys to the kingdom" after = acquiring and=20 cracking one system’s password file. For the same reason, = only one or two=20 critical administrator accounts, also with unique passwords, = should ever=20 be stored on a system in the perimeter network.

Network Component Passwords – = Contingency=20 Access

Two sealed envelopes containing = passwords are=20 to be stored in a locked box in the office of the Information = Systems=20 Director. One envelope will contain the logins and passwords for = all=20 routers, switches, and CSU/DSU’s maintained by Information = Systems. The=20 other envelope will contain the passwords for the Unix servers and = all=20 databases. In the event that the appropriate Network Support or = Server=20 Administrators are not available in an emergency access to the = secured=20 envelopes can be provided by one of the following = people:

John Smith – Information = Systems=20 Director

Mary Jones – Departmental=20 Accountant

Judy Doe – Administrative=20 Assistant

Network Component Passwords – = Change=20 Cycle

Passwords on infrastructure = components must be=20 changed at the following times.

  • At least once every three = months=20
  • In the event that a password or = system=20 becomes compromised all infrastructure passwords are to be = changed as=20 soon as possible=20
  • In the event that the sealed = envelopes=20 containing the passwords secured in the Director’s office = is opened for=20 any reason the passwords are to be changed

Prior to any passwords being = changed, a new=20 sealed envelope containing the new passwords will be placed in the = designated storage area in the I.S. Director’s office. The = effective date=20 of the new passwords is to be written on the outside of the = envelope,=20 along with the names of the supported equipment. Both the old and = new=20 envelopes are to be retained in the locked box until the next = round of=20 password changes, or until the next Security Audit Reporting Cycle = occurs,=20 whichever comes first. This will cover the unlikely contingency = that one=20 or more of the devices is overlooked in the password change = process.=20

Network Component Passwords -- = Assignment and=20 Responsibilities

Routers and LAN = Switches

All routers and LAN switches are = maintained and=20 supported by the Network Services group of Information Systems. = Login=20 passwords and privilege-level passwords are assigned and retained = as=20 confidential by two support persons.

Bob – Network Services = Manager

Fred – Network=20 Engineer

Public Safety = DSU/CSU’s

All DSU/CSU’s are maintained = and supported by=20 the Network Services group of Information Systems. Login passwords = and=20 privilege-level passwords are assigned and retained as = confidential by=20 three support persons.

Bob – Network Services = Manager

Fred – Network = Engineer

Marvin – VAX Support=20 Technician

Network Infrastructure Support=20 Servers

All Unix servers are administered = by the Data=20 Center Management Group. Root passwords are assigned and retained = as=20 confidential by three support persons:

Oscar – Data Center = Manager

Ralph – Senior Systems=20 Administrator

John – Unix Systems=20 Administrator



All network operating systems are = subject to=20 problems that don’t become evident until they have been in = common use for=20 some time. Manufacturers periodically release service packs and = patches to=20 repair what has been found. Additionally, there are services and = features=20 that may be useful in certain, low risk environments, but for the = majority=20 of installations they create unreasonable security and operational = risks.=20 As various vulnerabilities are discovered by users and specialists = in the=20 networking field recommendations are made to make adjustments to = operating=20 systems to alleviate these problems.

New Server = Prerequisites

In light of the need for = remediation of=20 identified problems, and the severe security risks posed by = ignoring them,=20 no server will be permitted to be connected to the = <ORGANIZATION>’s=20 operational network until it has been sufficiently hardened. =

Procedures will be defined for each = unique=20 operating system to identify, document, and implement current best = practices for each platform, to include, minimally, Microsoft = Windows NT,=20 Windows 2000, Novell, Unix, and Linux. These procedures will = probably be=20 the most dynamically updated, as vulnerabilities are announced = almost=20 daily. Sources from which these procedures will be drawn are the = vendors=20 themselves, the SANS institute, and other reliable = sources.

Production Server Patch=20 Maintenance

A policy and procedure will be = developed to=20 allow quick dissemination of the current best practices for = servers to=20 ensure the production systems are kept in top condition. However, = no patch=20 or fix will be applied to any production system until it has been=20 carefully tested on the development servers to ensure that the = "cure"=20 isn’t worse than the disease.


New Workstations

Because the <ORGANIZATION> = standard for=20 PC desktop operating systems is Windows NT Workstation they are = subject to=20 most of the same vulnerabilities experienced by NT Server. = Therefore, all=20 new workstations must be subject to the same policies and = procedures as=20 the servers to harden them. In addition, there are many = applications and=20 PC settings that can cause weaknesses in the integrity of the = desktop, and=20 even other systems on the <ORGANIZATION> network.

To create uniformity of setup and = to ensure=20 that known weaknesses have been resolved it will be necessary to = create a=20 standardized image of PC desktops. It is expected that Novell = Zenworks=20 will be employed to help the imaging and deployment of = standardized=20 setups.


Backup Systems


Tape Rotation Schemes

Off Site Tape Storage

P & P’s for encrypting = data on tapes going=20 offsite

P & P’s for Tape Backups = performed on=20 Off-Site Servers

P & P’s for Tape Backups = performed by=20 Non-supported groups

Tape Integrity and Usability=20 Testing

It does no good to run regular = backups if=20 valid, useable data is not actually stored on the tapes. = Therefore, Backup=20 Policy requires that backup log files are checked daily. In = addition,=20 periodic testing will be done to ensure that a complete system and = data=20 restoration can be done. Spare servers will be made available by = the=20 <ORGANIZATION> to make this essential step = possible.


1. SANS Institute, The. "Basic = Policy."=20 Track 1: Security Essentials Book 1.1. Version 1.35 (2000): = pp.=20 5-12 and 5-13.

2. Op. cit.

3. Disabatino, Jennifer. "E-mail = probe triggers=20 firings." Computerworld. 11 July, 2000.
URL: http://www.cnn.com/2000/TECH/computing/07/11/email.firing.idg/in= dex.html=20

4. Overly, Michael R. = e-policy How to=20 Develop Computer, E-Mail, and Internet Guidelines to Protect Your = Company=20 and Its Assets New York: SciTech Publishing, Inc, = 1999.

5. Op. cit. 26.

6. Op. cit. 27.

7. Trombly, Maria. "Dow to fire up = to 40=20 employees over sexually explicit e-mails." Computerworld. = 24=20 August, 2000.
URL: http://www.cnn.com/2000/TECH/computing/08/24/dow.sex.firing.id= g/index.html=20

8. "If A Supervisor Engages In = Harassment, Is=20 The Employer Ultimately Responsible?"
URL: http://employment-law.freeadvice.com/sexual_harassment/supe= visor_employer.htm=20

9. Surfcontrol plc.

10. Websense Inc.
http://www.websense.com/ =

11. Steen, Margaret. "The legal = traps of=20 e-mail." Infoworld. 6 July, 1999.
URL: http://www.cnn.com/TECH/computing/9907/06/emailtrap.idg/index.html= =20

12. Overly, Michael R. = e-policy How=20 to Develop Computer, E-Mail, and Internet Guidelines to Protect = Your=20 Company and Its Assets New York: SciTech Publishing, Inc, = 1999.=20 36.

13. SANS Institute, The. "SANS = Newsbites Vol. 3=20 Num. 18." 2 May, 2001.

14. PentaSafe Security = Technologies, Inc.=20

15. http://www.= pentasafe.com/products/policyoverview.htm=20

16. http://www.pentasafe.= com/products/vspm.htm=20


to top of page |=20 to = Security=20 Policy Issues | to = Reading=20 Room Home


------=_NextPart_000_000F_01C10FA6.58A30130 Content-Type: image/gif Content-Transfer-Encoding: base64 Content-Location: http://www.sans.org/infosecFAQ/images/sanslogo.gif R0lGODlhsACJAMQAAAADBQAJDgAHCwAtQwAfLwBmlwBKbgAXIgAQFwAFBwACAgABAQFmZj+MjHur q6PFxb3W1tHj497q6ujw8O/19fX5+fv9/fn7+////3BwcENDQyUlJRISEgoKCgQEBAAAACwAAAAA sACJAAAF/yAjjmRpnmiqrmzrvnDMfnRtf3Ku73zvy7fgb0gsGo/BG6zhgDgfDlTjQYwer0vH4+lo oB7eU9L2akoolYokAjU1JsOGpNeo2+93F35vZzUjE2kTERBWJRJhJmM1LVMYj5CQEl0kDRhxGIky DYROnp+ehioOnaCfVKMTkZEVYCWZKIs0LRCRFhVoFpCoIg6XPw8YojENFBeryBgQLQ5oyY+to7a4 FcePEImWmiSyOCsPFZESUA8SkBXYIrVDERi8OUyqz9DbKU3JbfYUkRTk7Y8XEPWCJUbWimKQKHS5 40CeMgfNLAzZF8EHwnnuXjSoFYlSCjmRwDD8hyECRHP1RP90U8Hp3LBeJPdhkGiRno9gGOdolFmS Bc5H70ZsZPUoJYOVKX4qsxfOllEYvopa5PnspQqOFqxWEvfR3CqtSFF4lWoP2dMXP4PqUJpsWZlH FM4y4PhIq4gG1iCBNYgi6jUWdMnyGOuWjq55FeRu7cmyKQY4377G4nuCZFYWFwXraOAYso/A+GCE K/wlZAuSwiYvknIYQ9wWShWv8Kt5B+1kr12YU3sokmwHrfeuPkHb80HHslWwtbsE40zmvXkLbU2Q BUnhY1AEJh25tgzUGWs6r+iiFvPib+uqzn5ibPhGTZOnoI5BJx3n3kszD0zehTzsSZzAmWkv/COf gMjkxoP/JfhJZ0IwzLlnH2zqFTRcCQxCwl13Bz6IzGX34aegcqmxFolxflSoCGUk3NZfI/m9ABpQ NVEAHjLQiQDhR6tUEMM+AAphwm0osrBPh70hs+Em9d2GTJEn7CiFWTCYt16AHrJyYC1ITpcMlMTU 94ZzOUpJHI5QlbjihSTMmCMJwXQ5UDIWyCnUYwywpaRPag65p0Z9csPiCDNOmKKdeup1Hxx4YTRi lIHCiUxigEoXFgk3RvrRBXa6t8qSzUE24yoO6qipqciUakI/VwpZQqaGsjTBmwjOE2uYkAHnaGR2 JVqnjJYOKkKmFqhKwiSbYUTpDpZ45lBVJPb6DKhRBssm/6HPKOSCSWuRuSCeqM7zood2OflIsS5s 0aoSWSYjkB9yZkpgsp5llgynSZ3KgLnnvsnEumS0m0wEdmKmCn2RUAujcYnOS25Z8zwaw6Uj8Hsu wVg0oAsECD8Cph7gzhlxvnZl+AyyOlB8F37pHOFLVp5C8iu9Sc6jlZkndBwJtzmozMCAzrVcRC1w jKoikyha/Mi4I+BsQszIvDuxsMPiV1LB7S1lsbE8omhvMik5XULDq0g8A9VzWW0BxnHoQoXJq9wK cpFk0/gwxPih/ILP+1p9DdYVq/e1zHI264ZjuNUjdiWI50SrSmgDbTXbPQSzrLz6HhRym96OnTkD mE8qH//fafstpg/m2Ec21whCqXR9d+Nt9bJnX9ui6X8tuA8vFivM0uYkUPXhNosvZrrUKpDOANQY sd6XLobAzU+XhkOKEXfFc4670Ckoryvuj3uI7wjC+wYP8EI1vsrMpuY4uHPGKr887q7JWYuhRn8+ 5cf5290+LfT7nPxeNzAd7IM7Wzvfx143oexVonzOmcBZ5Fc68DEpUNKThAJVwDxF/Y8ZAVQYBUGC O7NJg313UR8kkFS9vgStafrDFv3sQsG+0c956qifCTAXvpV97GcQNF+eYniXZ02ue2jzUwkPlDrr hQZX3ZkHKhx4ONzRrgQ1DJffHqex99xuWkg7iM489sH/MgQRjBZiT7rygh+mQSwljfpSh1qYgtCl horEOSMyxofFJKLAjlpK10yMcsY5ok+J81gGHp1oNatkUSj9k8xpGHOC/PWQjinoIAYSs0g31I1U acTSEj65i0bsTnafgiKfmtdJT46RK2tS4xIgoMK4wUhfXXSXKo+jrHb0cGx6tEkfbScjqynmZU95 X4z2Vx7nQK9yjYylKDdBSsW044egs1moXEBAIkqjc4IiJq0cgZEcjSaKqdqmbvBTruQ4gI3pHKYs R1Ad64wROl00CUT2yc97nEydzHilvvTmk1ouRZ7THAEKD2JEh51pJhaIqEQnGtF5SBBQ2HwgOHeI w/xt/8hn3rRhW1YQSbXJB5Mk3eircKhMCkjTVSQIaQVX4cZjBTAZXDwkj8pZx5qiUmYvZdcrfOcG CCpsQIOIgFKXylSldpCod8roq3j6R6lOdVJBDVgJLCA3Ev3JhTHMIFwwGgOl2SUCC00RVhEK0xFU YxPwpCSkrqgCgyYHpQzVpnbq2YiY0SSc8xRBOJAUM4W1o6s71CtmdOpVnKbASjHQU5F8Fo5f6qlU uaPQM1iHV146dq9QLcH3IME0yh40TaCckjct5lMMMfYq0NqrVRmXSrYKlQThQKxqO/JGjdTShK6d 7RfRtNe0ssCIajEtH0G2iqcQLQYd9NdrOfjZSvrvBf+eeolpveiC9X1EFaGVYXV/J9zh8navcl2n EAGbUME+QrcnsKWJcCjSr5J3M+qzC1Y65B66HoVqTTHuTksJ1ktadGE70JN+PYhdWNpWq7jVUHPO a93luqCQiy0vbSlsArrAtwTP4s12Nykf2gB3HxeNAQ8zzAPQLJjBmHEMiB7MCBMgznlKoRaDPiyw 2krDpbaRpHVJC6iEAKzGJUAccK96NM+ll5sHjox/d8LhEgRmxugE1Ygz2xhJPOUfrf2IzgSMLTJr tsna83ILxjLl/xIzv6tEs5eebEoprsArv9ywvmZkLNpQa8vQYI7k2jxEj7GwoRr8iEzo22EYW3mP qnL/Dw0B7K4Xy7mIkLAwfOZB5u8tWa17xo2Dcpw8SkPjRB4RilJ8Sk4JlzVocHQP92SA58eewxap vosDHIO8rCI5whVggwRubAUmBCbFjNTLSUv6kqEIOQc4WTBXHxABqhQiDFrgB3S6kYTKcoADG1AK BSYggXIHIhIZ6EASNAABCNroAekeQwc0kIEMRMCgCXmABj6wgQyQQn0UgEC9OcDtIGzgERlYRC0g sAFwZ4AV5DY3VRxA8IJb/AMB2UAN+m1HCWSg4kF4OH40ngQOPCCYOPqABoKJi31fnAYKCEbCx8Cx mfM7A5G8QAZI/nJuC+MGHchAOdwFb1loAAr95OcD/x7Ac6ALHelJj3rRjw71pC+d6T2ngQYwYPMg EELdNjh6BOI6AYGDPOuymIDLb8ABnEtgAnCXgMCbjva62/3ubBe4wrteAw8I/e1xNwnd8X4DDZy9 79/ud70bzgEPEP7xkH+5AjQw+BpQXt7gpncGDN/4yHv+86APvehHT/rSm/70qE+96lfP+ta7/vWw j73sZ1/6AxDg9rjPfe4RQPtuHMAABSgAAXrf+gEMAPjBT77yjU+ABRA/CQhQfgEG8PziSz/4BuB9 9ccwAOkbIADbVz0CkL/86gfAAMMPAvmxr/0kEMAAADj9+53P+gSsP/jpJ373D5CE+2d/DAtgAAag AP+mBwAC6Hr2d335R3vnVwD8FwQE4H2LEIEDaHrdZwAIeH/C93zd54BJEIDJ939J0IAVSHrjVwAY 2HoJKH0LKHsHkHwP6H7GJwCL0IElOHrIl4L1p4EtCHsnGHwxmHUdiIIEOHpDqIOrt4LK14OuJwDr F4QvF4EhWIShJ4XYl4EK2HMCQADGB4VJkABcOAAEQIMfgABQaIDS54UF94LKd4OfZ4VX2A0AcADG NwDg93hKmHwtGAB12IfpB4coGH/cd31iaADUZwMaaIh1OId92Id3WIbXN3112Hwf0IiL+AELQIeW CIXR5319eAD0RwMLAIgo+Ih2l4f4dwMCMIQhWIn/kTgAoWgDNnh763eIH9CAkah8AcCH1yeCbJiL 2EeAx3d9d/iD5VcDpEiIoeiEemiFIniKPJgErIiCNpiFNzCE7feLtjiNuah90yiCwNiGRfiLyfeI uJh8tqgA4YiO9HeOD/iL33d3qLiBEBiJBuB83yiINICLBpAANiCFtlgD16eG5IiC7fcBBemGNRAA xIiI0heQNACISFgDCnCEgniOENlz88iEpAh/NNCJIUiGNECOUAh8GTmQ0Od9B5mQVGgD5xh8pnh/ GSmRSUCOtrgArGiKGhmN9ZiGFKmSsih9Kzl9QYCSQQCS7GcDLDmC9xeTD9mTrXgDCvCEQYmO0GiN /zdAkz8plFW5hIh4kj55lEBZA0sZBC9ZAE55jP8ogTeAlM/4AXCokBe3ke7HljB3fQeZjLD4kV5o lG05liPpfS25kE3pkGqJjHZZA6wYj4gZgvq4k1i5lm1oA+rIlWSZi4yZBH5pA0hpkEopmEwpfWlp lVmZmDSwfpkJl9Lnj2hHl1AZh3dpmTSAhrmohh+wmTXQmW9ZljdwlqMZfDNpmh/gfwJYnGGZda5Z mpO5lcp3kAgZjkyImx8JmM8pjqGpi4ZJmpIZlTawjpH5csm5nbD5AZXZnK8pndIJiW04lNZploVZ AzJ5nhN5m22ok5AXno3JneSJl3WJmawpkMfJmf/UyZsu+Z6n+ZTKqZ80kJ6Eh58RmZjlmXzOSZYa CJw3kJ66yZ5TeJ3lmJ0WmqDjuaAsGHoOqprLGZvmOQbM2IsXGqC5OaCg6Z6i6aFECaIoqH4I+nkl qpUoKqFKuYAVyaLd6aLTuZ6f2Z69aaDDmaP5GaKuWJ9jEACDOZc8aaNIGKHBd5DHJ58tqnxqmKFH uqEyip3wyaQPeqJNmopH+ZbgWaXieaPM6aOK6YHXiKb06aUpaaSXiaQ2sKIdCnPxaaVBIACR6JwB KJcWt6MQyp9z2o9tSX4QaZQJEINguqdiigDtR5swOKdmaqLciQB3yI0GEINTWQATenFnSY+CGqf/ WVqVEOmnOnl/w1eROlipRap88Td++YeTbMmNNRqmcairt+qJHTgAU3pxv0eI0uh9ItmZdEoDQ2is +Rmcbfh+z0qKC6ip2Pd+HmmpIQh8AtipfgqcFKiPyQildTePH0qY1hikD0mF0zgAdCimNgCCyiqK idiSxhiCE+qr3/eNE1qQSdmVvXiqBReu4SiA1Oes6DiubUiGx8eFGriXSaCtv3quahqYenoDvGqk FdqDCXmqyfqQIhl+P0qWdXgAx1qvmkgA/4mcYWibuVmHBtsNW9iF3YAAk1iyJtuzPvuzQBu0Qju0 RFu0Rnu0SJu0Sru0TNu0Tvu0UBu1Uju1VNt7AiEAADs= ------=_NextPart_000_000F_01C10FA6.58A30130 Content-Type: image/gif Content-Transfer-Encoding: base64 Content-Location: http://www.sans.org/infosecFAQ/images/isrrtitle.gif R0lGODlh0wEpALMAAABmZgZqahFwcCN7ezyKil6enoGzs6XJycTb2+Tu7v///39/f0VFRRAQEA0N DQAAACwAAAAA0wEpAAAE/xDISau9OOvNu/9gKI5kaZ5oqq5s675wLM90bd94ru987//AoHBILBqP yKRyyWzuBIaEImEINAMHReE2MBgKAgnBGiwoDmHnZ3BAEChmtHpeziqmhoFogDAAClJ+TARSBzUB BgoIBVEHjGk/WFNvK1AId5hTBwaQMFBSCXoSAlkJlDCIl5l3m6J0apIKpyBYoRKlZEoDgTWJhhJ8 ClVCiQiuK8FuAIigszBmthPFnZ6XphIF1s6vS2bGIwKKE4hbRmAVAgO5MYQKx7sH6z4BA50D5Sek Z7ntCNQuBKYco/fvhSQ5wEAd46bE20IPcQYh1DGtAiN5RBil0BePgp1tLf8CRtNxsFMiLQybOBzh i0kbjDZKUSPACckuQfmydJR2BycMkQ9tlITDCmbKjIqCcmippJhRGid9AhBwzoiAS1JJcFxnRtgM oDyGTmi38yiSlXAO6CHQBt8fA9YYVe2CoM9DKFXYluuyhVSfNHTVVmBbN88EfXi+TOBLIUCBNo4u PF7bdkNXlBTUNc7WB2TgAmTwfgkjuioAtmMMCF7GaEAwRa1pevlChtFoDFspnHQ7Cq5dC4R/V3Dc Fuy4RxMevyHMe6rv1RvEYutpIQDhyBcC1xwcmc1fYHC3m8WAFkCUpCfv4GMU9zagAwQAeQVmx0A7 KvV3YfKn/44/CYicQdP/JGLAldgWBKiCEx8JFMBWUtJIYUx6mOGmyj4YEALfbhVEYV9FU+mUhj7f ZDPJSWic5w9NEraG2C8THDCSBbkBYw01gHxIIE8b3jHLVQ2ypRCAKoYhnykUukWIH1cpUldz44h4 mDULMehgFt+M4+GADY6lioNSFBUQJhONZxGEo3iDABqSINDhGRQEhFM75dBzyQGbSFFAMJu8ERV8 f6g3HYxY6qZILvTwsgwC0QT4H2uK4ClAm09NdaEyFfCBEzSuALIXVsmdAUlA31CliWqHOipKFj7p B+MtUB6mU2h28EZInSB6E6M4AGZBiT4jQaFIGI5pwiaWoSWQABl0EqDU/zJSLsNhYzKK4igkZqzn 4yjteOFnT4B2BZKZ5Z0mqBg7SsDUou4YOlIpy5Vz54hU9jrfutAYioA8oAbaqqIADHCuuddogFhP 60Rxin6CCKCsR4cOOiqa4WC4J7pZsvrmvofNSKNOBLB4xkNtTCyLunBOt+yguXBK1KMCz0cwJevq k9VwWDpoIKZE/TvfLhzvGrTDGAYs4YhZxDpeuaS6InDBKMNISAKDATxrBRrvOkzURlIRKtU8BT0B qPrM0qYoT7sSDtQaUIjQVW6EHF8h0/mkV6gTNT3KwGOhmfViA19kcCl1UWcBPHLPPV+OX1tRdpwC vQxYumtT8rd5RWMgSf8ChaeMTtLUQhgRUV1KcIlb/d6SuZmhZomx0+liDuO6E9Ct+tZaQ4y7L/8k OIW+/HrVjjPQUJL2YbFr4HtRRnNe1/N9WHG5BXFMnGXlwPkts72EKj2KTpYmH6jz0C9yge8rT32M cdPBTPmOl/tS6VClNKcf8QROXzFOp+tuaFmsa9/60BSw2K3rThYohdbkcTlW5YJ3cOCcAsMWPD+I xBljMl7k9sa2DRwMQaLKQP8yUL2+XU98egPA9Mb3Bj4863sYGlOZ/NUBQqxpClZwWd9m5I3JQQ17 gRJbIm4WOjnox3Xo6mAGAQCwUSDQdBVS4fbkF8CXDdB1T5vFAT23K7D/SRF3t9PdA0MYMEa9IV8U rACoLli1kxUwWOI7zD9O4qYUXuCJ5CGjuU7YwT2uantO9IrgBle0aeGtIIsx4/hyuMEkHqOHwHhf we4XyBdCi4xdkQob4ySFNzSRXTAaYRh5VKmUMI2AWfxfFxnoOQdibXuu5JrRgoZGlIkNihbkm7nc eDwOjusP22gS1TZ5R15RIB0SM6EogAi5jAHSlqTwHgx3IsxHEvBwnEsDNBjpRkdKLpI/TNdKfMUB sSBmFmOy1bYkNJzUifKL/yslQ06JRQN67iQL+Vssc7dAHoUBdCoDnhq9wrDBoKmXU4mjuqB0EqMB 8h5hOAnxtKnHFDJT/5mjzFQgDOPBq6Erc3QaDGikqK308Y19QfThKZiJBbi0ogPS6QckCtpMPWCp EwEQ5Tvjt7oA0hN2bFtXtyogBVfsM6NfHCObxPm7NFIAVGfrGeDg2EdpzBBzbkKMTzQSqGEtZjuQ FKAvs+fMm2lVnjVCWYVeo8UtBGBbKrNCMibGQ6++caU7yqk0LyCdruIkqqESRFfcEg6x7XSKPWXd T6eqRS6WwhVLEuMrfbJP3r01ZcCaSkRxKIAx4FIMeorSSBB60TM1Z4SXgQ9hrKWKRcwNH0s8zSX4 uI0Ugm8AGIRrR1cnzFOchAohk9QybAesAAhAWMIgg0S/eVfkFWyIcv+zZJT0eMluhrRX0WiS2LL1 1CjyFICsi8UsirdDfOSUgE2SA5COcdPMpE6KZamIHTbRB1YIlhWbAFDqElEw7u7wFOkkId+oqNZM KClMZMpFMPDjCFaMIWbNIS/mElCZY9ZFumW0a3KaYa9MQG2+4SmEH17ThzaIWLloIiaEVbcK//wy fB67zykk7N+EJHeWCgZYkyibWLM8BhNU0MN5YOMYVTSoyPvhKLAYNRE27OdTdwiyk3tCgIPBh8Tp KAQk5iuGC3FUPozimXnCtAgkT8E0uvlCYQxUpgBFuTnLuzEnWbHHMyJ4Nczwzxb6w9BX4cZAeu6E HRTxhoOxjcT10LL/jTBhH86NNM+EHnKZTYSH4w56FQkoSCqSfIz0mO8PEuLcNhbMKLsZOQ+vEUY9 Bg2oKsqgs1WmgXUW9hBneSBkGPaAa4AhF6XAOgP0iPUFOou2XA/b1h/bqwlwC5JZL+YhuNUDMlOg llmHjBFeCwmyMcBsebr62+A+CluMzbpNwEQx4U63utcNFSKmOyDjsg+7503vetNCNex5MbgJnBZv 2zsDDwi4wAdO8IIb/OAIT7jCF87whjv84RCPuMQnTnGIMwDBC6i4xjdO8YtPYQEMCDkD8NQAjpv8 5ChPucpXzvKWu/zlKfe4AjIO85pHnAEXwsQCHGDznvv850APutCHXh5zkBP96AFnwAKWzoCSI/3p UI+61KdO9apb/epYz7rWt871rnv962APu9jHTvaym/3saE+72tfO9ra7/e1wj7vc5073utv97njP u973zve++/3vgA+84AdP+MLbPQIAOw== ------=_NextPart_000_000F_01C10FA6.58A30130 Content-Type: image/jpeg Content-Transfer-Encoding: base64 Content-Location: http://www.sans.org/infosecFAQ/banners/dailynews_banner.jpg /9j/4AAQSkZJRgABAgAAZABkAAD/7AARRHVja3kAAQAEAAAAPAAA/+4AJkFkb2JlAGTAAAAAAQMA FQQDBgoNAAALoQAAEmgAAB5IAAAvzf/bAIQABgQEBAUEBgUFBgkGBQYJCwgGBggLDAoKCwoKDBAM DAwMDAwQDA4PEA8ODBMTFBQTExwbGxscHx8fHx8fHx8fHwEHBwcNDA0YEBAYGhURFRofHx8fHx8f Hx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8f/8IAEQgAOQHTAwERAAIR AQMRAf/EANkAAAEFAQEBAAAAAAAAAAAAAAQAAgMFBgEHCAEAAwEBAQAAAAAAAAAAAAAAAAECAwQF EAABBAEDAwQCAgMAAAAAAAABAAIDBBEhEgUQMRMgMEEUIjJAFVAjJBEAAgECAwQHBQYFBQAAAAAA AQIAEQMhMRJBUSIyEGFxgaETBCCRsUIjMMHhUmIzQPDRQ1PxgpIUVBIAAQMEAwEBAAAAAAAAAAAA IQBQERAgQHFgcAEwMRMBAAICAQMDBAMBAQEAAAAAAQARITFBUWFxEIGRIPChsTDB0fHhQP/aAAwD AQACEQMRAAAB9PZIjoIECBAgQNTq8+yFW9y8T3L3LhQrSCbIrMysJ6zQIECBAg4mMtUBVYoECBAg QIEDQEaDZGDQ4xwTonCROkF5SL2hsHRRIIDqcYQs1OTYlluTNqWn69czy56jq0yXHnb769HTYZxn Rd9HXR8/IPGd91dsrroIKzLnaguy52Cqwe01Ooz7nkxKuDQTOAcuC66OiUyoefIy2giQHExo03Zq E0LQKyFhKC5AUVweZCdNe20nUZiXaNHMGZA1qcqo+eMnx5bPu1z3NmHBoOi8lx5WGrsNNKbF6vs6 pa0xPn+fNV2m3RRc3Hc9HUJGcMQTelhrvQ83Fbb9IOfP1RCqN03r8sbHXcWM57oDLHV9noTPhzfL lBJd700OIIt6nr1r2qZgzHs6yjgxcmgV1kdUmfeBfH6nt54s0mWek1SCGtbnWZ5Mq3KY0PYFCMt2 u11OMWWlVGMa/t2CzkCJv+jbCefggJvTRdXdmeTkYpiUtSN02nq0A0ZgZ42u3SJGRumvAZK1vb0Z fj87X9muO4smhIyRvWdmpVscKYWaCtBDykdROfZdMrlJi1rGr+uSeuOIBgdNtJ9g1kSJcPrCKY8r oSMjTCimGzTeCVKxzKvHHonsP00aDE4JJKoaM0BV6IIpliT25argB55Wm2rZxsNM3GY8zIwLObje w4QkIna8qni0xy35eqWSG5FNiY659PIhWUZcFJojJwmWXuHQIECBqcK0gWkE6RKuDQIECDgUXNxi xnPVCRmVekEyhaLq7qnDmc2BnjK6YkxJBpuvrAz56zHE61GpjRIwzSi6cEo/WqbCJWX/AG7YNGFS DpQsklzyOSE0d3zMrOGs41DRxtwe8dFoECBAgQIEHE2jHWgEdLU0CDoutPF0TmmKZWOBzTFQk7da KeRFYSmclPiA4Y6omre0Q8usQIEHACDz8XnQuA0ECH0noyYRuYRCYzoNpiWfQuloECBAgQIECDgU +XdxUTWRNYzVk4ECBAgQIECBBT5d1hfMRWSBAgQIECBAgQIECBAMHmgvPyeN8QgQ+ktdFRNlicBA 1nKIaP/aAAgBAQABBQINWPYc0OD4y3pvcvNIvsSL7Ll9lOmeVkpthwTZmH2CQE6w0Jlhp9ohSaIl y19DUOnM25anHVuUvRT7ssc95WdibhOBKMWBs6Pe1jX8xPI+LlL4nnmZDFW5iaaxNII4oucmdLf5 EV44+RaKr+WtTKtcnfMrN98c39lO0xSCSPresOhjZJaNOnJbDW2E1zXdHDIOWnzSIknqyVzVY5fx z/YYvIPHx/JT2p+RumrHDYsy0akl5rOLuW7M1S/asXnBPICMwTpl5CmyJpyuQ5OChDJz1d3Gwvns STcbYjlhZsrPAXLv2x8fLvpkp2Fv6cw2V1OlyMlUU7kNxt6Z963AxsfLc3NtrT1jFFclN21zUBEd e+6FlYMsxyRujbXkZ9q1L9qaaACGdkUZnme2hBBcfFZBfPyMha6SIirPHAwRzSM46u20+LjfsOla 2Rt+1bc6WwyKNWp3/UdBP9ShvNerA6eSrAYxy8vipUbFqu21YnuT8vJ4YbTnQcTD/wA3D8FDiNTx lPO1eWJN8bk/bGyvy0EcFq7ZvO4aCdkVQ1I7N+cyzyOszw8RvHF8szdDxpxU7p1yIS7un90xljkb lOdmXUalfh7Lo6jSzk+QJtclzcQ+pwsQM8HOxFXpq9qShW+vW5mbZU4zja8tb69eCKs+vJY8cdi9 yQLrbozBDx7fJZh/6LxlbLaseJ8vIkNbP/ooUv8ATU41hdJXMTZWmg+Sz/uu8m/DHgw8bxssLBXb l3MymW20NrVeJYZ70v8A2cryrjYv808A1YfDXTpMKwS5T5ahZDXXLzn1218raxggbLJxwhkr2XRc cVjxu47kZYF/ZNtTt5GqyE8xgQuMkfllypKlaQxVq8SdXrvcvr194ggD3sY9rGQRCSvx7iGVGLKe xj00lo3vTzWgkhs10bFcB82WtLWgCJqMNff4ot07qzC2SOZbYixgjanRV5C769djGwp0UTjJ4xHV +q8Ne4LxtMm17hGyGEZpQzyinAI56k1l72sbBdhmA5SEumfhXLCmkAP9pIWMsNTppJIC9xr6F0mA 8MrP490+9jJ2k/ZQtKvPkbx6TuRM6P2ERKsH1snZHZlYfG9lX7Mz2SNe14twaxtxJPFKJW+VjL1i w15Y0mAOZC5mkrGxSKV/2FXPlVhs08zHgcc6Vpkrx15ZhOJYZi02YIaknI8rI3dx8U7hPZ+rXjmZ FxFCEfdsDI5KucSNGXjHTcSp3uctm2t3NwhsEb43RlsQWxiLI0AAN/tYC2MTxCE4jrhbSV43LxSL wyLwSJ9MvYKzl9Ur6ydAR0AJTa7l9ePbHGyNiIBU9SOZsVEQnMzU2UZ0WB6Oymc7HKyyAPdlyKx0 3Ow120ySeRQN8a3ooOynOW72z2f3HdiCHtyd4P099/68v3f3Xwh+x6V/3+B2RT/0X//aAAgBAgAB BQL3srKys9M+1lZ/n+RbyicISIoSpz8Lfp5Cg7oXregfQ84WuG5WfaMiz0a/Ke7CBOG5THEpriT7 p9UnZr8JrspxyR+0p0ITjkyBB+ENegOrjlEIonQApyeiNCFnQZTMr5c5FOOmNGJoymhSHRpITjlS aI6NGjYh7QPQdHIdMrPTyJ7gV+oEZTf2fqZRpGEJU45TBgSHRjNMYQXcv79kzuNTnUp6OgboGILR O1Mi7NYUFIdewj1J1c/UyID05WVn1BH1bQsLHTCx1wFp6dAgQshZ64Cwjhd+uAu3TCKbj06I4CyD 0Dsrf6MeodcLCKz/AAM6laZK+R0BWdSfSdUEdV8ZQWUe4AzImBE4WfxaNfUF8piI6Z/kYWFhYWFj rhY9BCDf4QR/wI/kn0jp/9oACAEDAAEFAvaB6YW0LYti2Lb0LEW+zsRZ/Pys9N3TcnaLGgJTXnKd Jr5Sgc+iR2ECcNCLFj0bR6C1HvsRQKJ6goH28eyUCgUV8u6FOTZMIPW8Jp1cdxLdHDCcfxa0p3eQ ojRwCz+LW5TQm93vThhPdptOI+zW5QGE4oIor4+G+y0HL4sJoDRKM9Aj6dyJXZbehTk1bkUE5AIa LK+XnKyFH3Grs5LlKnaNZoIgm9/xTtTKUdGxEJ6d0C+SnewIimNGSfyyvyQ0U2Ch0x7eFsQb0wsL COAhtX4raFsCDQFgLCdhZz1wCtAtFhFMx0w1HHqys+hpQDSnYaoTku6SuTXtRkC8oRmTn5WfVotF p7AdgkIgZOq+WruQcrP5Och27dBqicrcE52V8ekodPgerPoB/g5Qz6srIW4LcEXBb1vW9B/Xei70 ZQwtFt/wQ6H3Qnf4D//aAAgBAgIGPwJ9DIcmGGGAWnIjmW+jv//aAAgBAwIGPwLgkofMuwrCi+G8 3FBRSaHI/EVPnEPZW7NVNN9Mf//aAAgBAQEGPwL7TOZ9GU5Zu6McZu+wxmGMxw/hLl63+5gqndq2 zzTfc7WDEkNTZTrguDJgCO+bu7orQapQjo5egsxoozM0+ks6us1PgIlq7ZFXNKUKxrj5LEtlFAY0 2xrhyUViqyLpJANKxSnE7HIwXr/CTsHhD5Fnh34meVcSm/Z0G2ihqfGcdsdmIgcZH2Bo5mM1jiut l2Qm8ca4CcQmB9jOY9PVPKS3qyzNMT0FzgoFTNBRQgFScYpUAuxwBhvBB5rV8tR7tsu3PWYKgqBh 35RvMb6aDHDflNCt9HE0oOUdGUy9kPcBYsaKg2y96qzXWlF0Nsdsqw2zcYvfouJrU1jWCCb4OnQB 7sZaD0BVFDe7oSmC4g7NmEtljVqUPd7NEFeIa6bv9YQqhlbE1mrTR7ew7K7ovpbPIpz69p7oqLkr 090FsZ3D4CWH/wAq6vH+ksou5R3tiZa8tfprUGnhNGkMvugvW+zHMdULHlUVM826aZt3xVtCoGAl u2botqufXB5NzVviVPG9MfGVV9KtvOMSwMdFEr17YllDQKNnhEtm75f5nMBt3dbbZrY8WSnwlxxd KrtzjLaueXUcTH+c5p1amD0L76HGeTbbQuTPFNq7rbaZaFeN8T2TzGucOejtl7i0rv3b4eLTTHVn NGrWSczNAzucPdtjG1Z16/modkVWXS3IF7ZZ9NbNKYmm4YCW7ZNbl7P4x7nz3su/D4R7x+bhHYOi sxHRhGctwKKnsly47VYuxVNvVFF58FqUAG/ZPUt6itqxcXTqYfMMiOyf9j1BYsi1UAf3NmUNy5jc PN/TugshiUB16ScJ6YXK6tPhsi0w4oSx5WPjMIE1DE0w3zm6LiXF4AaKy9U02bdbpPPSkK5eo9Rs /KsW55nllhljFQmpVyCeyLZGQon9YhH9s+Ea83LaHifwlLy0OwrjEX0tri2kClYqHmzbtM0bbhp3 TzLyaix4cxh3RilsYCvbC/rGOnPbn3QW7I02yaDuzi+nXHTRe9piOG2PhGut8uPeZq2V1dwylb5I t18Iq2FoMu2st2BkoqYtv5mwPxMe8duPu/GPc2gYdpn11qPvipbtai3aILa5CiD74lodvcJTa+ff +EKn9xzgJWLZXHRh3mU+W0vwhut8tXPaZp+TVp/2rnFsL8tEHac5Z9MmSDLwEt2/yjHt29GUwSYi kznkjmfAtsnFtw74D8/LHTzAoa7w6zQYDGWtRU8QIKsGGfVOP1L69oFv8YQDVSM+qUuXKWxjjj3R rTuVtknQzcuVaj3R0L1GlXCUPEd3bKWbR/Tu/kRbpwY1985v1dFXtqTvpK27aqd9Jqe2rNvIHRr8 tdeeqgrWaxbUP+agrNLgMu4yiBUHVQSrW1r2T6aaeyYTjAamVcZRcAMhM4KW63TkFGMe4E8t7fNw gNFv0Gpjg2kaqzS5BU7DSFVVQDmABKqiL1gUlSq65q0Lq30gLoGc5ClWMIuWqaP8g3ylBo3bJRAB 1CYqpMZgoFN2cD6FVzjsrjKsgY9YrD5nIM55lu3pphUzAzVoTzM9VFrWFXKkbQcZUBEB2gBYiKir dfIqo+MPqHRQRjroK1M0P6fTeI1AuorSFnNFGZlwpXRbzc5RBofRcNEuUwJ+MymMLBh2TynUaR/N IdATfWlT41l03GUBQMdK1LHIVltPk5x2nOAVpG7Z6hqfVQAq3VWamQZVIXAYDd1zaPy/GcuY1d05 MspUcPV7WAmAHRjX7C+13nrROzqha5wtff8A4iWkAAt01dtcodKqDXQi0x/CC0nN5YTVu65Uitqx Vqb22S0eH/I9BltxJmoAgbKy417DCidkVCAFI1VcH4RLf/oetP0iX7tteEfTUfGNcSh8pK1UUFTL KjidjqutK0XVcagFMffCLYNE4deyeVaXzEtH6uNKndHFKF7tNW4UEu3rHJ6a2Etdpwr3T0yoNTD6 l9zX7+uXEX9/1d2hwyWL5On1C/trYIPCBh3ZZy6jKKIAlu2f07fCWvTvw2nNWubqbpfdGzotm+4q dI+6EX7mu8wOjCcHGXbTcqDQavwg8tje9PaXB2yDHdMISWlCYB0BS3DWIDQUFMIH+ZmwPVOsxUXL L3QEdlJWmcyFJygTKnV9plMph7GU5ZyzKZTS3LtmyZzOYGvRhMcIRv2wIgoq5DoxlKsm2qGhha2x LnNmxM5aictDK+2fa0nIZCVGyLv2w02zr6Oabx/GH+CMP2J6R0f/2gAIAQEDAT8hifwKAxntLTmA 6cAk7DDkE16vM5enaZrtvrOhExt26P0qG4I69ALVHeYLJEa9/j+IEg4M6qPczPWY6wqKplufMxC9 d2VfCYaW68y7fBAVWit4FxxoG8bf1F5LbYonHWXtKHHeF3s9GYG2uCV+3Hz6B2LacEbOrwJ54Pdg FgAlZasWyorVFfl4DzL75yZE26p+xqEKvOQFzUEEoC2qDLj2gnGR5dC3KkZA15C/igg0KbtSgC8j 6YKQM3lZrHmJIL3H5mPcdPHCez9F5qxOcG4CyK8Qq3TWpVo6Do5xOH3CCbvSxImgpnjEAKlS1b64 276Io3+C+AaepO0xPJlZ0MsQIUTLoG+8rUK0KDLj2lPgfgTl1zOHNUdWqKTMwAM9SvMVgA7xwZ74 ht2TouEi7ghZt8QnDD5a3MS4W2jLl0EMkkAU4Pi5uN9e5rZwn5nBFYTeEKrvZLZohZVgHPmc3nVH 9xhqxbfPkh7cT3VTBbrpGMs9vx6O1UQbVv8AVI22KLDfZJVlwLU2DSvmMRdR4I29hqcIX/h/Uvty vlfzUb+FP2H5EUvDeOKF9r/EbMP0LRb2uHERnqy3vMoivLp3G2YF+QnYyzXNehcvF8sR54Bu9viB tfPS+xZ3iXbbsYT3lyVY6q5fEr9z8lqx3xGNwdwsrPdiitGvYY7EIBSrmeqGTnvM4cw/u4qaq0Xe WnxDKsSzZotOxPKf4b4NQQO/BabHtK+QbDWec8BHrwupyVWcQzkCKYaG/eyBub0cs4BbDY4uN9Gx k4g8JC2y7xyS9lYN3xtgqlIfs/So0EVVPywJjcKUNDEpXI3mX00ZFNPB1biNqC1tpz30wTpha/E/ BZXzLPyn5fRDygvUR5pyn5ipMp3gSuX/AGWVeHSoax4RGtmqX3jb0dYsbE3fCWKkOUh58PaYZoad c07aEsJCdIq8zwRLd5PLOojhhtXbvNXRn4P9xcsUMWZl1PFtad3aU6OnouKvyzWGR3mYXQyK8dW5 b/OeQ4t7twQCw1NOrqd216qS4hefB8v2v8SkdAnhFfsJuGbfT/xMAV3OgTubjhc2lV9FG/LH3vdf 2YMTHH9Yy/0QDeZyoGORyMBrCIDNC6vcB2oihbYNkKjSrZJTQtJ8yrFUA7H/AJEavN7CP1IT9veb fNy+x2lVwQmcDRRnjMeumMIpd8zS+P0H9zpynyP/ABgNuuPGARtqq338RJdSiZs6nmWxFV4A5ct6 nVL7EP8AqHjI5HsEEEqt49f6VFIapQ5OM/M8ImohAe//AJD66nvTPzMteY72Py3O/wD2F3pmmH9g vz+JypenVwfB+YXOifk/KLOsst8sDKol8EJGbASK2hnHeX7x0O8usbEF3lspzfzKi+c+5T1uIt9V ZYOeiO2Rc+Fd03ClqILAqkXp7xjLL24Z7DTHmsJoNRWDScMCgYgGtMy5uNbXcGXihU5EKKSrPGp1 Gq/X/fTvbuL+dxbsAF/O53xZz8p6BUnbqxzdXczrValZ23V5iBI2YmM6YgSMobPiWA+SU/VQlO5S Ec8kPMoe2kp8wC1agwBO9+YsFlHvn0JgNczAvwXmNitcwabq5ZbM2h9masW7vyBN0nFK3xUTmbPF 31qd5F4r83uaiDxqdI2w9qcHRd9JsLrgPx1LTmaIe9EevM3F+9RqXOQAra8wOIvAdT9zuJQF+ZcQ JWUsolya/ALMXjL1lAV3oIIYBEutDaXcWyeuD3ItpLYhrWtytWWoY22NRxG2HijV2w2gK/w03lNQ OmamiV5NMpYtrN4OpNnJbYVjOF9oOJaYUoS6jh3Qx5Oqqx4ZaQa7geRsuYD3AmMIB4zUsJshhwV+ hAoxLzz2jQWsv3E5twUeiXWsamGK6EYnJ2JoFAmWNYe4RIi8Rn4PiWa1beeesu9RpxR75MeCcFc9 vP0riPln+xTr/iI0h5xmfqu9FQpVN0eVEKXRrfDf+xnfCs9H6gBVtk14bWoTHInQ5XtC2RXk2HgJ rkrYxQ6lepceHoWdTLiD0vRUU8MTP8ZjV1R37wk4bQxXZ8zIEi80vJd8Tn2rKgo3d7u+0csKPu6O IaABbhIYtvXsS26ey2To8x5XJ0O5fzF3kXYsH9QRuC6dqrWRcVcBMspmuo0jANQbbMF6avrqM2mt UAsYIMu5kN0p9kP29e9mu6ZwasE2UPRUqTY1qKGCiwp5ZTzZOBBbfWqErrAqPKHG4ygzF0DtEsH9 w6je2yYgJwzV0XmUTwfUS9pE669yAK/MBK202xl+L7g/2D6VRyVWIovPq18ZnTxN6nA6RmrQaHWf 2rfP8XbJ2s3uXQiXCj1tes8YnXU8S3ljtDiXorN/KJqraDXtBAWA0SzYxrE3vfxDbgTh+GL0Ljqv XpAKKUSmHPSVvNXoAULO8IOi9EPmb1I+2u8N8diPrZd4lWwz15imEs7+qCU5JgYMHEu6JchUR2De NwBCw9pbzuo5MreBiDuyJorywczaOr4lr/SJro9C417pXtAcGTglOn7/AN/j3Tf7+hp7zSa/xOmf t/xHP1M2el/OnEdvEOZ/VPv8x58TbH9Cfhzj77zn7/pn6Hp//9oACAECAwE/If4k9Ll/WC/4h/8A OqMfS5fotRTpC+klC461FRcS5UhsYpojrT6MNEvLC/opQfJHy+pf0DKmvReIylOKvzFkwxnU7J9a lSpX036EcM+tehdI0hOKQ1SaHWUg9ZRTEdJqSuRHELJlnEwhdQhpjeccTJqPgmhdQjTBElF3M2IX 85Y0Qhpi0i8poy1KZRGsIrioCPByzY6zBfrcuXLlxY1XoZYqhNI8eqnpvmaDc+Rla9QV7po+gzX0 gcwlh6JV5QmzKjEYsUUmpnSVSC7ehyy1KriY0TVm5Dm5W8wu0E0IuIwI8+i6kPggy+ieGPUVFfRf qsrOPQjMJlAr0fVTiBNRLx6VlYlwAjMBr0QfS42d5taqckYMQCZJSMb3BNiYrtAIpGhAIhlKzLMk uUSoATB7zYgjWYtQ/ZK/P0MNwzGHq5leph9bMzM/wAFcGM8sSjpFceHaa9ibSWSg7l+IGK6swW+0 N30IA115i+Ud6l1RmoP5x2TggFPlhY7qdDPaMcWjiJn9yllzCkcTIfQelQS79GTbEGWy0t9K/jqN fTUqVK9Df+EAK9bZTMy/5qiQVM5XpUCV/I+h/K//AFNfoJt6f//aAAgBAwMBPyH+Eal/pT0KSvpC SoEU/gCClH/39svFhDCAxyPRHUT0YoSjZKl/RQxuZPmIk9GKPQZv0A9QZjSWgqWyiXiC8xmWP8wP q1lEsitqEKJFcbXaIKgufQLNmsmIXRA2XFB1Yk3Mx0YlVCad1Babgy7FFxHUtKLTEDRuJXqxybl7 S7K/X0lUVx8RxBiB/AZiKG4mTMGyygJv+EAzSEG5kwY9BCvUFEWJinQhZuGnsl6BHiG7TeiOilFq FVRpTNixuUIF2gmr7TEEHuwXlixFmaJmxzGb6A+oGc7EF3TcOCNhlPFJUXoRUcnoczOVK9KIEr0q V6EW6RjpKiXiVlYeLMWTVVHC4+gaCZuLlekR2ZgNjXWUV2gBqMjTcDbTEu5Ss6luQiEYKcTBGiWX 6FvpneZoG/eY/WWEzTzLAh5BwwBkuUtfgna5nY56y99UqBJIxf1graYreUoziMH4iOJ0qadoMHzK 1yooFxx3gwOqWJTxDdnBAU68z3rD4peo1LfnMuekJf5jAL9Ii1BgZ9b9VQl04lxar/4Ll43D6LJT 6KkFSkr6bPRaiOIj9CnmMblOP8s/+Qmkf5mk3/8AjfRnHofwf//aAAwDAQACEQMRAAAQikkkjWKJ oeckhM0Ekkkglbd/q5cVyEs4r0fTnnboK8wTbzCXeJXLBbpzCpzm38WPJL75rfNrFy1KJnKMLfGJ 274oM7XlgXjKTKzJXy/9qxaCwApqNG9+6nlUkF8ozgRdglJrXMB7wLofWXUM81f0kjAXbbfGL8v5 K2TNbTidDAhHzQ2PykkkkiVLa0XM6GV1c3nGEggm3SoYf80kkkkhqWkkkkkFEkkkgkkgvZ33HAGL /9oACAEBAwE/ECEc41eNJADp2HtAr63B3cYuW+HPmoay9mtdI9g1sv8A9lVknen8sNt8gf1UNv8A DSn+x4qd1z9EtgsYrH+7hhy7kqyve38xe0YIlmT6ALQHVxALQnUz6U49ZVLoXjrB8sqBZ1a4ESxs eT66+JX/AGUhXtOWjfGI927/AHc51K8xeS/cxaXftcV6F/EEbR4jKOR2+yWhgXn/AMl3BNDhto4w uu8IFKCjYc0UKIYlZghCwBMuy5jkq0rDrLlBADsAOrK6c7jWFdlvLrXMF1WyLR5Yi1OIDjpZMVW3 W/L7blF3Wd/1HvufoCC9N3suskrCqEWllYGHWpq3Ixei1ysEzRPCJF2tXjpNDzi1dyW7uIEtBsaK ylhKkdaFo5g4ae8NWaDaRNG7IS4NKRvytz0zAmYtywQ301L/AOZmVqRDaVAjox1mPI3YQfKviW+2 xgUKivBOOkdvv+Jn8b8eYmBSNNG1TZeQ1AzKoBMC7UrF+8QBjVkCzwN3z0hqUOv+TLYHZz8egUN2 aiGwo2dPEywTGXLEieZc+0r769Z94+9RMHVvJ7VqHHe0UZwBZiCJy8lH+yzZDcDU+CYfASpZaUWv Roj913O2zBwo945ZUShLtnFbbUYwqChraW4ALYkr2aVQoGqF7TnSlEKON3YPmA5Iy3Gzi25fBZOH UK1F43DYAP5eb/qZ4p6pX7iyAbUL01qIkzTiLbaBuAH1jbApYmsWElE9oKjqXGeGKxC+PsBm4FN0 xW4bPhQIlfCArcUWCskDV937I4uoZZCnKhNBmFktK2o45ug6TIS9D/vcwgKaHMtetr+HoILBSoFd GXJ/MBInDMV0R2R9szAL6VIUubKXQ9pZIfYuCp1h1ZrZDcpDuVA2fOUSsC08Wrvkk1SNUmB8uXuH oWAoOwiQ+wQCo67QUAxjxoRdocA75Limg4YMJQaacNamI+mSg39EaKmxy9QV1s9oYRbXJLJ0GNxy 5bWxq8DVvJjNLoC0pGrm7fiXbnuppZc3QF7xlhgdtjIM20kUKxla0kfI8SwlBQLdIwcfkhpjPdkH aFuNfTiZCmyV0lV3hCpeYbC9uCnYitc9Q5tfQtHzCQg9JIRT8IvF5jh0bwoElVENlz2ZFsNnRYyx WeOCzAG9XceOHVlrTVoLjLNW7UecGf3AFK4wh3CKERzFSxroYBsvO7gtMyg5oAOEDrKEiPUGT4+S O3QA0oKHBNxzZ9RJSrKX46xa21E3iVzJ7kQTC1bch0vJlmcuc1r10Bmwgl6No80e3o+IgyHiMTlB p/NJLtactSyA55Ojs1DAdycXEb6dYogATAAvEBugaVuoCYV7yg+sSoJcL5MdNeULDKEHF+Uy2OVq EVJ42j35jxXUELz9VwHXvKAqt0qqr2OWYxVbhC10PTECuLRooDZ82lZJCyGVXV+Elz7hjMZraWKc YnynpouHVgEsKIUTxUNJT1SXkJntpx71L+oy1j0dC4H+kJvo0DmCRspr5zNu8UVoyzmrl5IO5U3g vcGGFRcNL0+DKfS2bwEv2hxM8ItGhGjWMXfaEqVECB0MHg8RshddKxWWboLc1L+sDHCZ/wDHuR71 0NZsWbRdal4fe11Y7WuWLMRhSxpA2o7fLi6CBqE5wusQkbR7kFeEwQhqgvq2r3XzEiuj2rEL9rQt JRcdUB0zQjMoZtmJ2i0WMw0KnCBHoZKvzH04Y6C/nC95YXDpNJwnSvzhAhmuLBvd0zHsInNlN54N +YPr0hkzAJwRibCbFJlnQs1WZxIBGtlXa/hM+xrNUFeO6/EtcJgWFWsTuZQPPWpAxCALa3vLBlmq /E0Sk3bir2rOSRsxtryicr0WRUfkDxNe4hzZQqHyDuxD7wwsGGjtQYAnAfMGEcjQIQtEKtZPdMAM w7DgcH+wQJwvq/3NgwYtISfImquGflfSogooZ/qMqmJzYHJkA8jdmbIAgFaHWQUaBr/YCx+gySt9 YMQufgh8yrWV01FaUSymFXmAZhPHD4GzIkDGi7iBlOWCUNvWo8e8Scv1UoaC0PXeZiK2iQiFxXo1 gjjhNSDkg5AyM1Djb+tAWBpkm945xj/1v0Vp2wH5NL5gsbEDKvHvdYxT6vFZRkOD0ZrrYK4rXkXu 4vak5RcXJZvOZQBVZdqWCYS4gvaeqqtCXiKEa0JK9d3vBh22C+XbrmPy5i1LGve2dVdUa4iDLA6T FAUH4lN8+Mr7zGPvXFlwOqbm5fKOWumxayr3FX0Lt2OgtG1ikSUIPoijCXmoaWzEDuswF3Sf8spt rUfsMqy7ay2954Ate52MveUszOPhkXxi3xD4GITZduSQOvVhSmwwcXUG6k615didHn5V7lb7wi0E 6gFrlaxGprTUYXQro/dmiwAPAtCwu42zEN4BOpiBzDkJqpoIV1xVZbjfgNzHE6QYJ8CdwL1ambps fM5dMqFk0KW1FOG2MJYAog+ZmJ4KJVhaj1nQwpMrVwYX0h3Wt6DvE2ToYwkzUC2iBY3lwxxcgF/C Aq1+KyupSCLi2+fHmMTC0tT7XASlo2l+OCpnBqNQGqRbCuRCLeOCLjlEpcRS7ZKZVjIOIejBKJlC 6GUVy98QdBrLa0g3UFf7dIsSZMobN9fDzIzlzumNysSqFXzarY8QJVbE5Bm5AV2l1qtFK7UUbcsf uENQgbrCjMXEMuSsq6K5de/5+k36g/qW6o9S37qJjkHifrMvrtbu2oHJvJ21KGz2+7meN8db1P8A n/n+Tnvxz7bnTng/8n2RuzFmAKA6bf8A2bO+zshcb6HjvFI2xCmL1uIEysPO3gkroMtxBFz8o1Wx ovvUZqPhw9rDGEvnMVqVLpqrCbYejDLPCIixQJauY34cBQFwW+vnxFiBeO0WBZBex6kyyaBRgNJa KX7Q3O8hAbFwz3zBTSGamg2QL2bhfhWG71umcWeYC9iroCAOCjWZi84IY9LLpy1B5l4O9NZqsA/U VoqbhjpLf0Y6bYs2CErN7NBcSZd1XZ+AzMN7u5R6UqTD1I0NmYmLR6MwVBdsudVKpcUSiq90rbwk fEqlwFSGLabGrmQAZljkTI07+IuLrFuxIEH/AAikaUkWxQ7IO4lCxgEtnBOcHXkuDB2q6qMHReGa 7RZOnaNLgADyaKUouhuORW/9zDiegZMCo8/1EGAAsY6uINcSrFaZpIA/KFaGAq5Xlb5ms9wyrTkx 3Ez/AAgBIWED4lsBaXkDZk4i93xRoYdK3UA6wwDfPbGowagucZC62/8Akr0/hhB2XFNt5CL7+Mg7 U8WzET0Yu/3Oa394hbov77S4N0bbHjEQVZdU/u5YFV0XI8So0LbcBa7eINzDunMr0FOERXxK4lIv YEdDTWYNaMBeA4JaF7ksqe16hiQRp2rzLaAbKpx7y+zvhyZ8P3/ZJDehf/kMoBxy1+iASxCUaKjT 3hfwDcB16rtfSgC66AlnmJRBArrYuhWekCnIVB0GlV4IBRK7a3veK/UTLjmzffTDEAZTTTpcJpdA Wfn1QAJsckqjRoGJSL/FeJWQM7tcxh7X9R+D8oiAi7QXjxGYVgXqtTbaxQvO8Eo0EUbEKwyqa0sL LO0umyxVguMSxcBiopC5Wc1G5bYC1n9TOoWaOG7rErxU5UQY1UquUUjjnHdmXTdeVb7P5F+b/abv P9T7HtNM3+f4vxmflfszR98v8Jv4P7+rT3P3Pw39M/M/sn5z9MNZ+Yn7D9E3eY3943+zmfY8E2fZ n0A/WNPOL839Zz7f1P/aAAgBAgMBPxBZf8CXKPS0vLS/pUy4KBf4FiJZ/GSvpfotIZgJWvQNZmb6 gFuotVkMdj2houIXoZgsuIgCFSqTLCNOdBvmVU9KiXE3JAIc/QoVtjr7UosnXBH0Sal4vqpMCLlI ks6lfoqVFbZUh2QZoniKrYSlD/4gw9B6DDGDGb6xBfQhEi/Q9SPNnxLACxhl1kiFoPu4IjhlMDdI ff4lUOh+Y5QYRhhZGMihXiZh7yhBCEUH5iBkgje0vg0MCJ4olKcUoC7jArsZeVzxHAoSxCrH37wi l2w9lR1la2MqTtmTOOku5qImypRq7mL64hC2X2YFEp1XpoYV9mZn8orXV6DD0LTugJQXOZqFVRV7 Tl6gxNHprlBr1ajBi4NQ8pah/wCZEC2UQB4hVjx/swE4ZmvQjtYWMn7lMO+ZjIpzdwUpF68TENfa 5YTxj3Y+CEuFx/c3uNxFzhADiKg8TD5P2w2yquj9xDHiIli5otalICHB1/uYZ2YMyjHH7YDtCLY4 z7zQ4v8ABGA8YldHB/yVfR636CUJU6MRxxOA8sYwLdzLUbhEiMGW8xZxLfTMImvBErQvj0y3RfiA tgX4gCksmkAjthNIqXN4XDBRLTUHsJkAttjMSCpb2LgJTVQGAB7EDkAjmUXM10XEMLXa2WnB1lKm IJgqK5BYnIGIGmgWZBBngISoqEXN0X4IpKamvo/Es4ALoQZoeazKy12yEAW6lkmuUEQprR9FqIzB iAbIHSPjpNICwtkTq7RZm/vUL89pjtg13L9PpbiwwkV9brvxNzD8RKx0fMAYAzR1gSroJzPV8sKd jq/9hGwxBhj0ho4bz/kuP/EQVIxGCHsEoW1mB6bXv8zJNDmGgU2/yUs6wC6dR/sPTeyCwf5IhGB1 tj76waTWA8f8gquFtibD2EcTH3K6xDx5tp94e6lt4e0uIwU4iv0QZrMMtOsLhwE0QW7NxAQfF6nc YdSNrv8Aj1KQCPrUylukv0l5aVqdQfrtIkC4TWqhgDR6JcM1aeIWY5eWWIHpKifyAu+ZYVMuKawI k4iS33/z+Nm0P5m00/8AiPofpOfTf76+lxP/2gAIAQMDAT8Q/hdWQDKi2wi3EYvAs8536UqonWJ3 L6QuJXojqM3iNkZ/+Rh6KwxCMqV6LWYtcIC0kALYy1UVFxFqoSLzBGgRrYn+GnpSq/8AYs/0giOf oU+SKqy4upmdRNwelTcAGSN2oBr18zG1cv8As8cuo8RFVSpBtiVFhDMWjj6r9FiyogLv1tiV9JXC LATikAUJQVKQesshEA4TGgk1zMwXcynXPvKgMATW33iQwXE6JdygwonR7uY64BGA+4/feA3elxM8 RLegiaRgA5v/ALLS05Y0N6ANhk+G68yzLR+usdc1XMubeqYHvH4RHKgEdB1mx1mK/pqVLgFSwQFw NcOrrvFFPYy/e4YA/wAb8ePTeDPrfpQUZqDMz3GJV3DVe81fQDN9IPMDRMZKKdYLZi7E5U+YsIqK 8NExt0iu+P2zx137Gv6loW32RnDGvMABomDzf+szzn+tfmInT+2LE4/uIVhZjnR/1AA+fv74mD5/ t/5AUXNKadZZSB7EOT0TwRaJUB61KZTFcRFvFzv4IKS2pV9XmoRmXtC4xqeubiEFHdiB3E3n/sYq YOsaYqc6jHBaCwZhKZTp6LbIJoiHZ6Vu6gLuolxeCDRq6Q6psg+0OifE7JFgyXARBkNsZgAZv5nL CA6JkMIvZIZbpfiIYFdrZdlHY6y2mP0mKAeI9kFjcAx8wlUE8XGrA+0zoAcao/dQLaFxGAY00VMk GRglEzFDLAt2lMd5UCWG4UuIZ94jX2naNEDfWWjv/kuusH7jRCaHtt/UolQxz/7LFkFtZz9kBFjn B8ZlOHV+zEes5cf5uA4Fy8P9lc1Xvc8fpHJnIX0x6qA4+vwAPHb8Rh4X4CYCCl+b1MIAyArP/kId 1bdO8zum58vEYnHVQ45ywKAh3gkwxj7++YwKhF4P6iP/AAJALY0/v9Q06u0VmU0ym1mB02VrPzMo 8PPiUQYb79oE6cNPxFRFoKgFK95kJypk4z2iHceh1Gyj7yllzAMJxMh6X6FlRRV4IlwcwdiqWW3M Ajp9LxX0V/ELrAeWaBxAhlv1xHkY9clXMepHrSxLqV6GPQj2QFSVNwMmGxlMFqABR6XCqtNAteds 4jUYLEqV9b6m4zDPoG4Yj/8ABtNU09Lv+TV/8Ox19DaG3po/SQ9P/9k= ------=_NextPart_000_000F_01C10FA6.58A30130 Content-Type: image/gif Content-Transfer-Encoding: base64 Content-Location: http://www.sans.org/infosecFAQ/images/searchblack.gif R0lGODlh0wEnALMAAMzM/zNmmWaZzABmmTOZmZnMzMz//////8zMzJmZmWZmZjMzMwAAAAAAAAAA AAAAACH5BAAAAAAALAAAAADTAScAAAT/8MlJq7046827/2AojmRpnmiqrmzrvnAsz3Rt33iu73zv /8CgcEgsGo/IpHLJbDqf0Kh0Sq1ar9isdsvter/gsHhMLpvP6LR6zW6733DPYE6v2+/4vH7P7/v/ gIGCg4SFhoeIiYqLjI2Oj5CRkpOUlZaXmJmam5ydnp+goaKjpKWmp6ipqqusra6vsLGys7S1tre4 ubq7vL2+v8DBwsPExcbHyMnKy8zNzs/Q0dLT1NXW19jZ2tvc3d7f4OHi4+Tl5ufo6err7O3u7/Dx 8vP09dBx+Pn6+/z9/v8AAwocSLCgwYMIEypcyLChw4cQI0qcSLGixYsYM2rcyLGjRw0RAQAAOw== ------=_NextPart_000_000F_01C10FA6.58A30130 Content-Type: image/jpeg Content-Transfer-Encoding: base64 Content-Location: http://www.sans.org/infosecFAQ/images/smqueen.jpg /9j/4AAQSkZJRgABAgEASABIAAD//gAmRmlsZSB3cml0dGVuIGJ5IEFkb2JlIFBob3Rvc2hvcKgg NS4w/+4ADkFkb2JlAGSAAAAAAf/bAIQADAgICAkIDAkJDBELCgsRFQ8MDA8VGBMTFRMTGBEMDAwM DAwRDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAENCwsNDg0QDg4QFA4ODhQUDg4ODhQRDAwM DAwREQwMDAwMDBEMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwM/8AAEQgAMgAyAwEiAAIRAQMR Af/dAAQABP/EAT8AAAEFAQEBAQEBAAAAAAAAAAMAAQIEBQYHCAkKCwEAAQUBAQEBAQEAAAAAAAAA AQACAwQFBgcICQoLEAABBAEDAgQCBQcGCAUDDDMBAAIRAwQhEjEFQVFhEyJxgTIGFJGhsUIjJBVS wWIzNHKC0UMHJZJT8OHxY3M1FqKygyZEk1RkRcKjdDYX0lXiZfKzhMPTdePzRieUpIW0lcTU5PSl tcXV5fVWZnaGlqa2xtbm9jdHV2d3h5ent8fX5/cRAAICAQIEBAMEBQYHBwYFNQEAAhEDITESBEFR YXEiEwUygZEUobFCI8FS0fAzJGLhcoKSQ1MVY3M08SUGFqKygwcmNcLSRJNUoxdkRVU2dGXi8rOE w9N14/NGlKSFtJXE1OT0pbXF1eX1VmZ2hpamtsbW5vYnN0dXZ3eHl6e3x//aAAwDAQACEQMRAD8A 5PJ65iY17qLGWFzIktDY1G7u8eKF/wA5MH/R2/c3/wAmsfrP/KV39n/qWqmpMh4ZyA2BIa+LFGWO EjvKIJ+oek/5yYP+jt+5v/k0v+cmD/o7fub/AOTQ/qb0npfVupDGzTY19RFzQ0bm2NaffjWf6Pf7 f0n9ddV9efqp0DHw7euBtmE4DaMapoDLLXaVaf4H963ame4bpf7EPF5n/nJg/wCjt+5v/k0v+cmD /o7fub/5Nc2kjxFXsQ8XukkklI1H/9DzbrP/ACld/Z/6lqpq51n/AJSu/s/9S1U0/L/OT/vS/Njw fzOP+5H/AKL0H1H6w7pfX6CBuZlEUP5BG9w2ObH8tdn/AI1/rBfXgY/Rdg/WwLrXEkkMY79G1v8A XsavNulT+1MOOfXqj/Paus/xtuLvrLSOzcOsD/OtUdasjxKSSSKnukkklM57/9HzbrP/ACld/Z/6 lqprbz+j5OTl2X1uYGviA4mdGhvZp8FX/wCb+b+/V97v/IKfJgyGcyImjItXDzOEY4AzAIjEH7Hp f8Xv1Ox+q7esZGQA3FuHp47NSXs22Ndfr7K10/8AjC+pjOq47ursyBTlYWOZa7+bexm62C+f0dnu dtXneFgdbwLPUwsv7O88mt72z/W2t9ysZx+tPUavRzepOvq/0b7XlvzZt2pn3fNfylk+9YP84HnE lp/83839+r73f+QS/wCb+b+/V97v/II/d8v7hV96wf5wPTpKHqN80lJ7OT90tL3YfvB//9LnUlxi S2nnXs0lxiSSns0lxiSSns0lxiSSn//Z ------=_NextPart_000_000F_01C10FA6.58A30130 Content-Type: image/gif Content-Transfer-Encoding: base64 Content-Location: http://www.sans.org/infosecFAQ/policy/transparent.gif R0lGODlhAQABAID/AMDAwAAAACH5BAEAAAAALAAAAAABAAEAAAEBMgA7 ------=_NextPart_000_000F_01C10FA6.58A30130--
Valid HTML 4.01! Valid CSS!