On Wed, 3 Apr 2002, Sean Donelan wrote:

:Instead of a neighborhood watch do we need a network watch?
:While we need a few people with "deep" security knowledge, we also
:need to spread a thin layer of security pixie dust throughout the
:entire organization.

The NIPC, CERT, OCIPEP (Canada) and other organizations try to fill this role. The Incidents mailing list also tries to do this on a more ad hoc basis, along with the honeynet projects, and to a great extent Nanog. If one's definition of security includes integrity and reliability, then Nanog has been performing that role since its creation.

The problem that exists with the neighbourhood watch model is that it assumes some sort of community and, despite a few exceptions, there is no community of internet providers. There are communities of network engineers and other specialists, but the possibility of corporations getting together with a common goal, which may temporarily supersede their individual competitive advantage, is just not going to happen. They can have industry associations, lobby groups, interest groups, and other representative bodies, but community is not one of these, and thus any network watch program which depends on community will be hampered.

So, the challenge is to find a model of information sharing in which a balance between effectiveness and the protection of competitive information is slanted heavily to the latter. This on top of providing value to the participants.

There are some private security alert services like this. I can personally highly recommend the securityfocus ARIS tool and their commercial Threat Management System. NAI's virus alert system is excellent, as is a similar service from sophos.com.

The non-classified government briefings I have seen don't really provide value from an up to the minute threat analysis perspective. They might help an executive hold an intelligent conversation on current affairs, but they do little for people who are responsible for protecting the infrastructure.

Personally, I would like to see a mixture of the MAPS RBL and aris.securityfocus.com available, where emerging hostile netblocks can be blackholed for short periods of time using attack information gathered from and corroborated by a vast array of diverse sources.

-- batz