Thursday, January 31, 2008
2. The bad guys beat us because they're agnostic and we're religious.
4. Vendors are like politicians – they lie to us because we ask them to.
8. Network security is the result of a mistake, not an industry worth perpetuating.
9. Disclosure is dead.
etc. Read on!
Wednesday, January 30, 2008
Excerpt: "... I stopped short and said, “That’s never going to work!” A little stunned he asked, “Why not?”" (read more)
There is also a side conclusion: if you don't plan to actually use the tools or don't have anybody who would use it, it really won't matter which one you'd pick - you are guaranteed to flush your money down the toilet ...
If you are sharing online - think 'you are sharing with the world.' If you want it private, keep it private (= offline) ...
It starts like this: "Dr. Anton Chuvakin from LogLogic has agreed to be interviewed by the Security Laboratory and we certainly thank him for his time! He is probably the number one authority on system logging in the world, and his employer is probably the leading vendor for logging, so we appreciate this opportunity to share in his insights."
Monday, January 28, 2008
"In my previous articles, I have covered specific topics (log management, incident response, intrusion detection, and computer forensics), but now it's time to take a step back and look at the forest rather than the trees. Those specific subjects are all covered by the same broader umbrella: the corporate security policy." (read more)
Friday, January 25, 2008
"A 20-year-old Estonian student has been fined for participating in a cyberattack that paralyzed Estonian Web sites and soured the country's relationship with Russia, a government official said Thursday. [...] Galushkevich must pay $1,642. "
So, will the scaremongers please shut up?
If you review your web logs (web server, for example) and blindly click all referred URL to see who sent traffic to you site, there is a good chance that you'd be 0wned!
Is this cool or what?
I bet it is an "or what" :-)
Others say "more than a year after the TJX breach first came to light, only 30 percent of retailers are PCI compliant, according to Sophos’ 2008 Internet Security Report. "
What's the story here? Some numbers are for Visa 'Level 1s' only while others are for all merchants (all levels?), but this is still too big a difference...
January 29, 2008
2:00 p.m. EST/ 11:00 a.m. PST
Direct link to registration.
If you are dealing with logs (or planning to start!), it is a very worthwhile presentation to attend. And fun too!
Thursday, January 24, 2008
Today I will speak about evil. Yes, evil! There is plenty of evil in the world of logs (e.g. ugly logs), but this is a "bigger, better" evil :-): siloed approach to logs!
There is little that I hate more than siloed approach to logs. A situation when you have your security team "owning" network IDS logs, network team having firewall and router logs (as well as all SNMP traps) and, say, a sysadmins possessing (or, rather, ignoring!) the logs from servers and desktop is not only sad, counterproductive, inefficient and wasteful, but also dangerous.
Where does such approach to logs (where they are divided by both technical and political chasms) breaks down most painfully? In case of an incident response, of course. This is where instead of one query across all logs and all log sources (or whatever needed subset of logs or log sources), you'd end up with having run around, beg, connect, wait, swear, wait, download logs, dig in many places at once, wait, grep, suffer with many UIs, swear more - and have a time of your life in general! :-) All of the above instead of connecting to your shiny new log management system and running a few reports, drilldowns and searches across the relevant logs.
Ideally, you'd fight the evil and break down the silo walls by deploying a log management platform across the entire organization and then letting every team that needs logs to get them from the system in a controlled fashion, via the interface or a web API (BTW, LogLogic has a web API to get logs!). Apart from being a trend (e.g. see recent ESG report on that), it will make your IT and security operations that much more efficient - and pleasant!
On the other hand, what is bizarre is that some newer vendors, who claim to do log management, actually work to propagate, not combat, the siloed approach. For example, selling the tool for $5000 to each of the many separate teams within the organization IMHO must be made illegal :-) as it builds walls, not bridges; digs holes and overall "silo-izes" your operation...
Here are some log-related examples from the guidance:
"R5.1.2. The Responsible Entity shall establish methods, processes, and procedures
that generate logs of sufficient detail to create historical audit trails of
individual user account access activity for a minimum of ninety days. "
"R6.4. The Responsible Entity shall retain all logs specified in Requirement R6 for ninety calendar days.
R6.5. The Responsible Entity shall review logs of system events related to cyber security
and maintain records documenting review of logs. "
So, again: have logs, retain them ("Top 11 Reasons to Collect and Preserve Computer Logs") and review them ("Top 11 Reasons to Look at Your Logs").
Wednesday, January 23, 2008
Tuesday, January 22, 2008
losing your IT, your connectivity and all your data (e.g. you are a lemonade stand! :-)) than it is OK to fire that security manager :-) If not, get to work - your security likely needs improvement!
So, think about it, it is 2008 now and the paper says that "for the non-Web-centric business, the loss of the Internet likely would likely be, at the very least, a major inconvenience as well" (obviously, "[online] businesses would also come to a crashing halt").
Now think 2018. Will a typical business of 2018 survive that intact?
If you are still not getting it, think 2028. Will there be any businesses that will survive the "stop of the Internet"? My guess is NO (not even lemonade stands....).
"Breach disclosures don't always affect revenue or stock prices ... Despite being the biggest, costliest and perhaps most written-about breach ever, customer and investor confidence in TJX has remained largely unshaken."
"TJX has said that in the 12 months since the breach was disclosed, it has spent or set aside about $250 million in breach-related costs."
"... many retailers, including top-tier ones like TJX, had not yet fully implemented the set of security controls mandated by the major credit card companies under the Payment Card Industry Data Security Standard, or PCI."
Wow! If accepted, this will quite some implication to logging (ha.ckers.org outline a few fun implications as well), since it will dramatically increase the sensitivity of logs and will turn all logging projects, no matter how small and tactical, into "PII collection efforts" with heavy privacy price to pay.
Now I have to share the dirty, evil thought that crossed my mind when read it: at one point, Google and other companies should just boycott those "'dumb privacy' freaks" and conduct a wonderful experiment: how long those Europeans will survive without search engine "service?" But wait a few years, Google, before pulling a plug: it will make sure that Internet becomes truly indispensable ...
Also, what do I mean by "dumb privacy"? Am I anti-privacy? No (not anymore), this is where I explain it. I did experience my eureka moment during a webcast on privacy when I realized the existence of a "privacy chasm" (see more here)
UPDATE: Richard Stiennon calls it "crazy talk of the third degree" here.
Specifially, "CMS to check hospitals for HIPAA security compliance" paper claims that "The Centers for Medicare and Medicaid Services (CMS) will begin on-site reviews of hospitals’ compliance with security rules mandated by the Health Insurance Portability and Accountability Act of 1996. "
Can these guys kick (eeeeh, "bite," not "kick," since we are talking about "growing teeth" :-)) some insecure healthcare ass? Only time will tell, but HIPAA won't be another PCI DSS (for many reasons)
Monday, January 21, 2008
Past polls were:
Thursday, January 17, 2008
I was thinking about logs the other day :-)
And the following thought occurred to me: Logs = accountability.
So, what is accountability, really? Wikipedia defines it as "Accountability is a concept in ethics with several meanings. It is often used synonymously with such concepts as answerability, enforcement, responsibility, blameworthiness, liability and other terms associated with the expectation of account-giving."
Yes, there are many other mechanisms of accountability in an organization, but logs are the one that pervades all IT. And if you IT is not accountable, your business is neither. Thus, if you tend to not be serious about logs, be aware that you are not serious about accountability. Is that the message your organization wants to be sending?
Ignoring logs is not just stupid (due to losing that important resources for troubleshooting and security), it is not only illegal (due to various regulations), but it is also unethical! :-)UPDATE: OMG, how can I miss it when writing this post. Dan Geer's classic testimony before "Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology" succinctly states: "Priority number five: Accountability, not access control." He then explains how accountability and monitoring succeed and shine when access control and restrictions fail.
It is a very useful reminder that a lot of our "security" is luck-based: in other words, you are not 0wned 'cause nobody got around to hacking you yet :-)
Wednesday, January 16, 2008
I predicted that "Loss of trust towards legitimate Internet sites = yes. This is manifested by things like this point by the WS guys - more 0wned than malicious sites are used to spread malware. Even now I shudder from the thought that ANY site I visit might be displaying a malicious banner [or serving malware thru other means] ad which is either bought or "hacked in" by the attackers. The implications of this are pretty horrifying!" and it does worry me, but I am not yet truly paranoid about this.
OK, change that "am" to "was." Today I officially became Internet-phobic (where do I sign up? :-)) when I've heard (through a little birdie, as usual) that one of the security publication websites was 0wned (maybe thu banners? the details are not available yet) and serving malware. Nice! In a few minutes, I was also informed that one of the leading business publications is also serving malware. Fuck!
Yes, my personal system probably won't be 0wned by this, but many will be (IE users are clearly screwed, but I doubt that Firefox users or Mac fans will be immune either).
So, welcome to 0wned Internet 2.0, where every site is 0wned and is serving malware?
Bonus question: do you think major brand AV will protect you from the above?
UPDATE: a similar post from Andy, IT Guy called "Will Malware Kill the Internet?" is here. And another update on that from him (even more insightful)
UPDATE2: another fun one "Trend Micro Hacked - Serving Malicious Iframes"
Wikipedia defines "Guanxi" it as "basic dynamic in personalized networks of influence" (here), while Stratfor says "many U.S. and other Western businesses, however, simply regard guanxi as corruption."
It seems like this thing has some pretty darn peculiar security implications ... especially this part of the Stratfor piece: "Chinese business ethics, however, are built on the basis of guanxi, which places relationships above other considerations, including an employer’s code of conduct and even the law. The idea that taking a job with a company, particularly a non-Chinese company, cancels obligations toward people with whom someone has long-term relationships and to whom one owes much guanxi is seen not only as alien but also as the essence of immorality."
UPDATE: more discussion of this here.
- Report Card: 2007 Incite #4 - Trust No One
- Report Card: 2007 Incite #5 - You (Mal)ware it well
- Report Card: 2007 Incite #8 - Identity Everywhere
- Report Card: 2007 Incite #9 - Help Wanted: Fortune Teller
and while we are at it: this bit from Mike on security management trends in 2008 is fun too (especially check his reference to log management!)
Tuesday, January 15, 2008
So, it seems like Raffy baited some poor folks from Prism with his post on "IT search" (what an abomination of a term!). But, seriously, "IT search" is a marketing term (nothing wrong with that, BTW!), so it will mean whatever the folks who coined feel at any given moment. I really hate it when folks try to argue objectively with a clear fluke.
I think this debate is mostly about two approaches to logs: collect and parse some logs (typical SIEM approach) vs collect and index all logs (like, ahem, "IT search").
You can see where this one is going, right? :-)
Yes, Virginia! You do need to do BOTH - and you know who does both? LogLogic!
Among all the 2008 predictions I am tagging, this one is special:Top information security risks for 2008. Apart from the interesting insight, they - wow!- defined and used the terms for threat, vulnerability, risk and control. The actual doc is called top information security threats, vulnerabilities and impacts, along with some risk scenarios and controls [PDF]
Examples: "Our offering is very unique in the origination space." (#10) or "It’s a single, interoperable, scalable, extensive security framework that protects the data today and tomorrow as the infrastructure changes." (#3) and of course his old fave "They’re not related. There’s no relationship to our funding and our research and development cycle." (#1)
On the other hand, I am pretty shocked that the author missed OSSIM tool, which has more features compared to others mentioned.
Keep in mind that some surveys by ESG Group say that logs are requested in 74% of e-discovery case. It might well be that e-discovery will power the next (or the one after next!) compliance wave.
Required reading to those of my colleagues who just coined new strategist titles for themselves...
Fun quote: "Most people I have managed have told me, at one point or another, that their strength is strategy. For the most part, I hear this as “I don’t know how to execute what you’re asking me to execute.” "
First, a fun Read: "Busting the 10 Myths About Data Protection"
For example: "Myth No. 4 I should be most concerned about protecting my data from data theft and malicious internal leaks." or ""
Why aren't more people thinking about it? Why such obsession about trying (and failing!) to block if you can log - and achieve the same policy outcome!?
Wednesday, January 09, 2008
I just have to start with this quote from Rich Mogul: "... Legions of armchair futurists slobber over their keyboards, spilling obvious dribble that they either predict every year until it finally happens or is so nebulous that they claim success if a butterfly flaps its wings in Liechtenstein." :-) Amen to that, Rich. Onwards to my 2008 predictions!
So, just as in 2006 and 2007, I am coming up with security predictions that cover both technology and market. I just posted a review of my last's year's prediction where I mostly erred on the conservative side. I promise to be more 'extreme' this year, while still keeping the old wisdom of Richard Feynman in mind: if you predict the status quo, you are more likely to be correct...
Here is my 'twitter-style' (I guess what used to be called telegraph-style :-)) view of predictions in no particular order:
- Vista makes us secure = no. People start to actually use it (in large numbers) = maybe. And then get 0wned = yes! The volume of Vista hacking (and then Win 2008 hacking) will increase as the year progresses.
- Increase in Mac hacking = yes. The story is that Vista drives Mac adoption -> Mac increase in popularity will drive a new wave of Mac "0wnership"
- Web application hacking still on the growth path = yes. As they say, 'it will get worse before it gets better.' I am predicting that 2008 is still the year when it continues to be getting worse.
- 0days use becomes mundane = yes. This will be especially true for those browser-hacking folks who "need" to earn some cash off phishing and other data theft. Thus, "0day use" will no longer constitute news!
Hacking, data theft, etc:
- Loss of trust towards legitimate Internet sites = yes. This is manifested by things like this point by the WS guys - more 0wned than malicious sites are used to spread malware. Even now I shudder from the thought that ANY site I visit might be displaying a malicious banner ad which is either bought or "hacked in" by the attackers. The implications of this are pretty horrifying!
- Major utility/SCADA hack = no (not yet). Everybody predicts this one forever (as Rich mentions), but I am guessing we would need to wait another year or so for this ...
- Cyber-terrorism = no (again, not yet!) Will it be a reality in the future? You bet! Just not now ...
- A massive data theft to dwarf TJX = yes. And it will include not some silly credit card number (really, who cares? :-)), but full identity - SSN and all.
- The year of mobile malware = no (not yet, if you insist!). As I discussed here, mobile malware is "a good idea" (for attackers) provided there is something valuable to steal (not the case yet in the US)
- More fun bots = yes. Bots are here to stay: they follow an overall trend for IT automation (seriously!). Think of bot infrastructures as "shadow IT" with their own SLAs, business model innovation, performance optimization tactics, etc
- Fewer worms and viruses = yes (why write one if you can make money off bots?) As the share of "conventional" viruses and worms in the whole malware universe decreases, so will the popularity of "legacy" AV vendors ...
- Facebook malware/malicious app = yes . This one will be fun to see (others agree), and current malware defenses will definitely not stop this "bad boy."On the flip side, there is not that much to steal off Facebook accounts ...
- PCI DSS continues its march = yes. In fact, I bet PCI DSS frenzy will spread downmarket - there is sooooo much more Level 3s and Level 4s compared to Level 1 merchants. They all take CCs, they are all insecure - thus, they will all be 0wned! And then hopefully fined :-)
- ISO17799, ITIL, COBIT frameworks = maybe (again); they likely won't be 'hot,' at least not in the US; ad hoc approach (with some use of ideas from the above frameworks) to security management will still rule.
- Will we know what risk management actually is in the context of IT security = no. Some people (e.g here) might, but not the majority. And don't even get me started on security ROI :-) This part of security realm will continue to be occupied mostly by loudmouths who will spout, but never define; rant, but never explain; blab, but never clearly state. Sorry to those who are not like this, but you will continue to be in the minority in 2008.
- eVoting security will flare up = yes. Expect big and bad stories about evoting in preparation to the US elections. Maybe another "chad story", but with an "e-" added to it? Fun, fun, fun! :-)
- Full disk encryption becomes popular = no. In fact, I predict that in 2008 encryption would be "the new firewall" - more and more people will hide from reality behind "we have encryption - we are safe now!" (check out my piece on encryption mistakes, while you are at it)
- NAC= huh. Huh? The451Group said it best: "NAC has been the 'next big thing' for about four years now – that's a long time in the IT world." Others just say "NAC fallout has started." NAC vs insider attacks? Gimme a break... :-)
- More whitelisting for host and network security = yes (but combined with blacklisting, which is certainly not going away!) As malware landscape becomes even more diverse, application whitelisting for security will start to shine even more.
- Academic security research stays ridiculous = yes. Wrong problems, wrong solutions, wrong speed (as in: solving solved problems of day before yesterday...). There will be some exceptions: for example, some of the Project Honeynet academic participants deliver a punch!
- Secure coding becomes mainstream = no (definitely, 'not yet' on this one) It pains me to say that that I think that while this ball definitely started rolling (e.g. SANS is pushing it hard now) it won't be hurtling down the highway at full speed. 2009? Sure, may be!
- IPv6 = no (while most think 'not yet', some start thinking 'not ever') In other words, Internet 'secure by design' = pipe dream in 2008.
- Mid-market and SMB security = yes! I think 2008 is the year when smaller organizations will start buying the types of security solutions that were only looked at by the large enterprises before. After all, they have the same problems to solve! They have compliance too. They lose data
- More security SaaS (software as a service) = yes. It is not just Qualys anymore ... More companies will figure out ways to sell security software as a service. This is especially true due to the SMB security spending increase predicted above!
- 'Consolidation' = no. Whaaaaat? You just said 'no' to consolidation in security market? :-) Well, Vendor X might buy Vendor Z and Vendor N might go down in flames, but I predict that we will celebrate 2009 with just as many security vendors as we have today ...
Logging and log management:
- Database logging = yes. 2008 is the year when database logs will be collected and analyzed just as Unix syslog, Windows event logs and firewall logs are collected and analyzed today by just about everybody.
- Application logging will start = yes. People will start collecting (at least collecting at first) application logs, not just firewall and server OS logs (and database logs, as mentioned above). Maybe ERP, CRM logs, maybe other large enterprise applications will lead the way. Major 'application logging waterfall' will occur later, however ...
- Now that collection and management are 'taken care of' in many organizations, log analysis will (again...) come to the forefront = yes. In the end of 2008, we will be doing log analysis in a large number of fun, new ways - it won't just be about rule-based correlation and keyword searching anymore (Andrew agrees)
Last year's drag-ons :-) and ongoing trends:
- Some things make dumb predictions since they are so pitifully obvious and have been going on for years already. Thus, I pile them in this section...
- So, client vs server exploitation: it started a few years back and will continue, for sure: more client vulnerabilities will be used to 0wn more desktops. Similarly, application vulnerabilities will beat platform ones. And targeted, commercially-driven attacks will overtake indiscriminate ones (another "no-brainer" that some try to sell as a prediction...)
- Both of the above will power further evolution of network and system security into data and broader information security (it will be happening for another 3-5 years)
- More fun "web 2.0" threats will come our way, but then again, this is true about most of the technologies that are being actively adopted ...
Dark horses, that will influence security in a major but unknown way in 2008:
- Virtualization = people talk about hypervisor security and virtual security appliances as well as other fun stuff (e.g. this), but, in all honesty, we can't yet fathom the impact that the coming virtualization wave will have on information security.
- Privacy = I predict that privacy issues, also privacy laws and public outcry due to privacy violations will impact the world of information security in 2008. However, my crystal ball is refusing to share the details on how exactly, citing "privacy concerns" :-)
Come back in Jan 2009 to see how I did!
Any comments? Additional predictions?
Indeed, we will see MUCH more log management in 2008!
BTW, all predictions that I am noticing are tagged here at http://del.icio.us/anton18/security+predictions+2008
Tuesday, January 08, 2008
What can we conclude from this?
First, a "duh" conclusion is in order! No matter how many times one can utter the word "compliance," logs are still most useful for mundane (one would hope! :-)) system administration. Yes, indeed, sysadmins are the primary consumers of logs - yesterday, today, and - likely! - tomorrow as well.
Second, I am saddened by the fact that application developers have not warmed up to logs, at least no en masse (and not according to this limited poll...). I am guessing when they start thinking of logging when creating their applications, they will be more aware of the fact that you can troubleshoot the applications using logs ...
Third, incident response team showing that low is some kind of fluke, I am sure. Everybody knows that logs are indispensable during incident response (yes, even if only a little logging was enabled or even logging defaults left in place, logs often reveal answers unobtainable via any other mechanisms)
Am I reading too much into this? Hey, maybe I am! :-) Then again, I am a former theoretical physicist - thus, I can explain anything!
Next poll coming soon!
Friday, January 04, 2008
If monthly, why not annual blog round-up? These are my top popular "Security Warrior" blog posts for 2007! To make this a competition of posts, I am removing the links to the main blog, search labels (e.g. log management, which was indeed one of the most popular resources on the blog) as well as grouping posts together in theme clusters.
- Same as during past few months, the "fallout" from being featured on a high-profile programming site continues to drive humongous loads of traffic which made this set of posts the most popular, even for the year. The topic that got such a huge boost was anti-virus efficiency. The posts are: Answer to My Antivirus Mystery Question and a "Fun" Story, More on Anti-virus and Anti-malware, Let's Play a Fun Game Here ... A Scary Game, The Original Anti-Virus Test Paper is Here!, Protected but Owned: My Little Investigation as well as a final entry about my own switch away from mainstream major-vendor anti-virus tool: A Bit More on AV and Closure (Kind of) to the Anti-Virus Efficiency/Effectiveness Saga.
- Next by rank is a set of my Top11 lists: Top 11 Reasons to Collect and Preserve Computer Logs and Top 11 Reasons to Look at Your Logs (the third list, Top 11 Reasons to Secure and Protect Your Logs, was not quite that popular - I have long argued that, sadly, few people care about log security yet).
- Wow! I love, love, love the fact that my blog readers made my first Common Event Expression (CEE), post introducing this emerging log standard, (official site now live!) one of the most popular: Finally, Common Event Expression (CEE) is Out!!!. My other CEE-related posts are labeled here.
- Hurray to database logging (finally!) My posts related to database logging top the charts. Specifically, How to Do Database Logging/Monitoring "Right"? as well as its "prequels" :-) Full Paper on Database Log Management Posted and On Database Logging and Auditing (Teaser + NOW Full Paper).
- Finally, security ROI saga that flared up mid-year is also among the most popular. Indeed, Security ROI Pile-Up! post made it into Top5 (the related posts are: The Entire Security ROI Blood Trail and ROI, ROSI, RROI and Harry Potter Tales). The rest of my ROI-related posts are labeled here.
- At the risk of destroying my math credibility, I will add an item #6 to my Top 5 list, again. This little post called On Open Source in SIEM and Log Management have also generated a lot of traffic and discussion. Indeed, log management vs SIEM as well as reasons for a lack of a popular and complete open source log management solution are fun topics!
See you in 2009! :-)
Possibly related posts / past monthly popular blog round-ups:
Thursday, January 03, 2008
I saw this idea of a monthly blog round-up and I liked it. In general, blogs are a bit "stateless" and a lot of good content gets lost since many people, sadly, only pay attention to what they see today.
So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts and topics.
- Same as during the last few months, the "fallout" from being featured on a high-profile programming site continues to drive loads of traffic. The topic that got such a huge boost was anti-virus efficiency. Thus, these posts with same theme of anti-virus efficiency were the most popular: Answer to My Antivirus Mystery Question and a "Fun" Story, More on Anti-virus and Anti-malware, Let's Play a Fun Game Here ... A Scary Game, The Original Anti-Virus Test Paper is Here!, Protected but Owned: My Little Investigation as well as a final entry about my own switch away from AV: A Bit More on AV and Closure (Kind of) to the Anti-Virus Efficiency/Effectiveness Saga
- Hurray to database logging (finally!) My blurb, table and paper on database logging top the charts. Specifically, How to Do Database Logging/Monitoring "Right"? as well as its "prequels" :-) Full Paper on Database Log Management Posted and On Database Logging and Auditing (Teaser + NOW Full Paper).
- Surprise.... not! Next up is Review of My 2007 Security Predictions: Too Wimpy post that reviews my 2007 predictions.
- Next is again my Top11 logging lists: Top 11 Reasons to Collect and Preserve Computer Logs and Top 11 Reasons to Look at Your Logs (the third list, Top 11 Reasons to Secure and Protect Your Logs, was not quite that popular - I long argues that, sadly, few people care about log security yet).
- Interestingly, my post titled But What Does It ACTUALLY DO? where I expressed my frustration with some of the obscurity marketing also made it into Top 5 for the month.
- And, finally, I need to leave some room (as #6 of 5 :-)) for my my logging polls! Yes, they are popular too - and fun to read!
See you in January:-)
Possibly related posts / past monthly popular blog round-ups:
- Monthly Blog Round-Up - November 2007
- Monthly Blog Round-Up - October 2007
- Monthly Blog Round-Up - September 2007
- Monthly Blog Round-Up - August 2007