- Văn bản
- Lịch sử
Chapter 11 Security PolicyThe FAA w
Chapter 11 Security Policy
The FAA was very smart in how it went about building the inventory so that securing
and auditing could begin. First, it built the inventory from all the information it did
have and any it could gain from analyzing its network with various tools.
Once the network group felt that it had done the best it could on its own, it was
time to announce the new auditing policy to all the IT organizations within the FAA.
The group’s first thought was to announce that any network connections not on its list
and therefore not secured and audited would result in trouble for the people responsible
for the network connection. However, the group realized that this would simply make
people increase their effort to hide such connections. It would, in fact, encourage people
with unreported connections to go “underground.”
Instead, the group announced an amnesty program. For a certain number of months,
anyone could report unofficial network connections and receive no punishment but
instead help in securing and auditing the connection. However, anyone who didn’t come
forward by a certain deadline: Well, that would be a bad thing.
People confessed in droves, sometimes via email, sometimes by a very scared person
entering the office of the director to confess in person. But the program worked. Many
people came to the group for help; nobody was punished. In fact, even after the amnesty
program ended, one person who came to the director nearly in tears confessed and
received no punishment. The goal was to secure the network, not to get people fired;
being as open and forgiving as possible was the best policy.
At the same time, the network team had many of its own undocumented connections
that required analysis to determine where they connected to. Sometimes, billing records
were consulted to help identify lines. Sometimes, the jack was labeled, and a little research could identify the network carrier, which led to more research that identified the
line. Other times, the team wasn’t as lucky.
In the end, a few connections could not be identified. After all other attempts failed, the
team simply picked a date and time that had the fewest flights in the air and disconnected
them. In some cases, it was months later before the country that was disconnected noticed
and complained. The remaining were never identified and remain disconnected. We’re
not sure which is more disconcerting: the connections that were never identified or the
fact that some countries flew for months without complaint.
11.1.2.1 Get High-Level Management Support
For a security program to succeed, it must have high-level management support. The management of the company must be involved in setting the policies and ground rules for the security program so that the right decisions
are made for the business and so that management understands what decisions were made and why. You will need to be able to clearly explain the
possibilities, risks, and benefits if you are to successfully represent the security group, and you will need to do so in business language, not technical
jargon.
11.1 The Basics 281
In some cases, the security staff may disagree with the decisions that are
made by the management of the company. If you find that you disagree with
those decisions, try to understand why they were made. Remember that you
may not have access to the same information or business expertise as the
management team. Business decisions take into account both technical and
nontechnical needs. If you represent the security group well, you must believe
that the management team is making the decisions that it believes are best
for the company and accept them.2 Security people tend to want to build a
system so secure that it wouldn’t be completed until the business had missed
a market opportunity or would be so secure that it would be unusable. It is
important to seek balance between building the perfect system and keeping
the business running.
Once the corporate direction on security has been agreed on, it must
be documented and approved by the management team and then be made
available and publicized within the company. Ideally, a security officer who
is not a part of the IT division of the company should be at a high level of
the management hierarchy. This person should have both business skills and
experience in the area of information protection. The security officer should
head up a cross-functional information-protection team with representatives
from the legal, human resources, IT, engineering, support, and sales divisions,
or whatever the appropriate divisions may be in the company. The security
officer would be responsible for ensuring that appropriate polices are developed, approved, and enforced in a timely manner and that the security
and information-protection team are taking the appropriate actions for the
company.
No Management Support
When Christine arrived at the computer company described in an earlier anecdote, she
asked about the company’s security policy. Two years earlier, a cross-functional group
had written a policy in the spirit of the company’s informal policy and had submitted
it to management for formal approval. The policy got stalled at various levels within
the IT management hierarchy for months at a time. No one in senior management was
interested in pushing for it. The manager of the security team periodically tried to push
it from below but had limited success.
2. If you think that you didn’t represent the security group well, figure out what you failed to communicate and how best to express it, and then try to get one more chance to discuss it. But it is best to get
it right the first time!
282 Chapter 11 Security Policy
This lack of success was indicative of the company’s overall lack of interest in security. As a result, the company’s security staff had a very high turnover because of the
lack of support, which is why the company now outsourced security to a consulting
company.
If the security team cannot rely on high-level management support, the security program inevitably will fail. There will be large turnover in the security
group, and money spent on security will be wasted. High-level management
support is vital.
Training Your Boss
Having a boss who understands your job can be quite a luxury. Sometimes, however, it
can be useful to be able to train your boss.
In one financial services company, the person responsible for security found himself
reporting to a senior VP with with little or no computer background. Should be a
nightmare, right? No.
They created a partnership. The security person promised to meet the company’s
security goals and keep to the technical aspects as long as the VP got him the resources
(budget) required. The partnership was successful: The VP provided the funding needed
every step of the way; the security person fed the VP talking points before any budget
meetings and otherwise was left alone to build the company’s security system.
Together they were a great success.
11.1.2.2 Centralize Authority
Questions come up. New situations arise. Having one place for these issues
to be resolved keeps the security program united and efficient. There must
be a security policy council, or central authority, for decisions that relate
to security: business decisions, policy making, architecture, implementation,
incident response, and auditing.
It is impossible to implement security standards and have effective incident response without a central authority that implements and audits security.
Some companies have a central authority for each autonomous business unit
and a higher-level central authority to establish common standards. Other
times, we have seen a corporatewide security authority with one rogue division outside of its control, owing to a recent acquistion or merger. If the
company feels that certain autonomous business units should have control
over their own policy making, architecture, and so on, the computer and
11.1 The Basics 283
network resources of these units should be clearly divided from those of the
rest of the company. Interconnects should be treated as connections to a third
party, with each side applying its own policies and architectural standards to
those connections.
Multiple autonomous networks for the same company can be very difficult to manage. If two parts of a company have different monitoring policies,
for example, with no clear division between the two business units’ resources,
one security team could inadvertently end up monitoring traffic from an employee of the other business unit in contravention of that employee’s expectation of privacy. This could lead to a court case and lots of bad publicity, as
well as alienation of staff.
On a technical level, your security is only as good as the weakest link.
If you have open access to your network from another network whose security
you have no control over, you don’t know what your weakest link is, and
you have no control over it. You may also have trouble tracing an intruder
who comes across such an open link.
Case Study: No Central Authority
At a large company, each site effectively decided on its own (unwritten) policies but
had one unified network. Many sites connected third parties to the network without
any security. As a result, a security scare occurred ever y few weeks at one of the offices,
and the security team had to spend a few days tracking down the people responsible
for the site to determine what, if anything, had happened. On a few occasions, the
security team was called in the middle of the night to deal with a security incident but
had no access to the site that was believed to be compromised and was unable to get
a response from the people responsible for that site until the next day. By contrast,
at the site that did have central authority and policies, there were no such scares or
incidents.
11.1.3 Basics for the Technical Staff
As a technical member of the security team, you need to bear
The FAA was very smart in how it went about building the inventory so that securing
and auditing could begin. First, it built the inventory from all the information it did
have and any it could gain from analyzing its network with various tools.
Once the network group felt that it had done the best it could on its own, it was
time to announce the new auditing policy to all the IT organizations within the FAA.
The group’s first thought was to announce that any network connections not on its list
and therefore not secured and audited would result in trouble for the people responsible
for the network connection. However, the group realized that this would simply make
people increase their effort to hide such connections. It would, in fact, encourage people
with unreported connections to go “underground.”
Instead, the group announced an amnesty program. For a certain number of months,
anyone could report unofficial network connections and receive no punishment but
instead help in securing and auditing the connection. However, anyone who didn’t come
forward by a certain deadline: Well, that would be a bad thing.
People confessed in droves, sometimes via email, sometimes by a very scared person
entering the office of the director to confess in person. But the program worked. Many
people came to the group for help; nobody was punished. In fact, even after the amnesty
program ended, one person who came to the director nearly in tears confessed and
received no punishment. The goal was to secure the network, not to get people fired;
being as open and forgiving as possible was the best policy.
At the same time, the network team had many of its own undocumented connections
that required analysis to determine where they connected to. Sometimes, billing records
were consulted to help identify lines. Sometimes, the jack was labeled, and a little research could identify the network carrier, which led to more research that identified the
line. Other times, the team wasn’t as lucky.
In the end, a few connections could not be identified. After all other attempts failed, the
team simply picked a date and time that had the fewest flights in the air and disconnected
them. In some cases, it was months later before the country that was disconnected noticed
and complained. The remaining were never identified and remain disconnected. We’re
not sure which is more disconcerting: the connections that were never identified or the
fact that some countries flew for months without complaint.
11.1.2.1 Get High-Level Management Support
For a security program to succeed, it must have high-level management support. The management of the company must be involved in setting the policies and ground rules for the security program so that the right decisions
are made for the business and so that management understands what decisions were made and why. You will need to be able to clearly explain the
possibilities, risks, and benefits if you are to successfully represent the security group, and you will need to do so in business language, not technical
jargon.
11.1 The Basics 281
In some cases, the security staff may disagree with the decisions that are
made by the management of the company. If you find that you disagree with
those decisions, try to understand why they were made. Remember that you
may not have access to the same information or business expertise as the
management team. Business decisions take into account both technical and
nontechnical needs. If you represent the security group well, you must believe
that the management team is making the decisions that it believes are best
for the company and accept them.2 Security people tend to want to build a
system so secure that it wouldn’t be completed until the business had missed
a market opportunity or would be so secure that it would be unusable. It is
important to seek balance between building the perfect system and keeping
the business running.
Once the corporate direction on security has been agreed on, it must
be documented and approved by the management team and then be made
available and publicized within the company. Ideally, a security officer who
is not a part of the IT division of the company should be at a high level of
the management hierarchy. This person should have both business skills and
experience in the area of information protection. The security officer should
head up a cross-functional information-protection team with representatives
from the legal, human resources, IT, engineering, support, and sales divisions,
or whatever the appropriate divisions may be in the company. The security
officer would be responsible for ensuring that appropriate polices are developed, approved, and enforced in a timely manner and that the security
and information-protection team are taking the appropriate actions for the
company.
No Management Support
When Christine arrived at the computer company described in an earlier anecdote, she
asked about the company’s security policy. Two years earlier, a cross-functional group
had written a policy in the spirit of the company’s informal policy and had submitted
it to management for formal approval. The policy got stalled at various levels within
the IT management hierarchy for months at a time. No one in senior management was
interested in pushing for it. The manager of the security team periodically tried to push
it from below but had limited success.
2. If you think that you didn’t represent the security group well, figure out what you failed to communicate and how best to express it, and then try to get one more chance to discuss it. But it is best to get
it right the first time!
282 Chapter 11 Security Policy
This lack of success was indicative of the company’s overall lack of interest in security. As a result, the company’s security staff had a very high turnover because of the
lack of support, which is why the company now outsourced security to a consulting
company.
If the security team cannot rely on high-level management support, the security program inevitably will fail. There will be large turnover in the security
group, and money spent on security will be wasted. High-level management
support is vital.
Training Your Boss
Having a boss who understands your job can be quite a luxury. Sometimes, however, it
can be useful to be able to train your boss.
In one financial services company, the person responsible for security found himself
reporting to a senior VP with with little or no computer background. Should be a
nightmare, right? No.
They created a partnership. The security person promised to meet the company’s
security goals and keep to the technical aspects as long as the VP got him the resources
(budget) required. The partnership was successful: The VP provided the funding needed
every step of the way; the security person fed the VP talking points before any budget
meetings and otherwise was left alone to build the company’s security system.
Together they were a great success.
11.1.2.2 Centralize Authority
Questions come up. New situations arise. Having one place for these issues
to be resolved keeps the security program united and efficient. There must
be a security policy council, or central authority, for decisions that relate
to security: business decisions, policy making, architecture, implementation,
incident response, and auditing.
It is impossible to implement security standards and have effective incident response without a central authority that implements and audits security.
Some companies have a central authority for each autonomous business unit
and a higher-level central authority to establish common standards. Other
times, we have seen a corporatewide security authority with one rogue division outside of its control, owing to a recent acquistion or merger. If the
company feels that certain autonomous business units should have control
over their own policy making, architecture, and so on, the computer and
11.1 The Basics 283
network resources of these units should be clearly divided from those of the
rest of the company. Interconnects should be treated as connections to a third
party, with each side applying its own policies and architectural standards to
those connections.
Multiple autonomous networks for the same company can be very difficult to manage. If two parts of a company have different monitoring policies,
for example, with no clear division between the two business units’ resources,
one security team could inadvertently end up monitoring traffic from an employee of the other business unit in contravention of that employee’s expectation of privacy. This could lead to a court case and lots of bad publicity, as
well as alienation of staff.
On a technical level, your security is only as good as the weakest link.
If you have open access to your network from another network whose security
you have no control over, you don’t know what your weakest link is, and
you have no control over it. You may also have trouble tracing an intruder
who comes across such an open link.
Case Study: No Central Authority
At a large company, each site effectively decided on its own (unwritten) policies but
had one unified network. Many sites connected third parties to the network without
any security. As a result, a security scare occurred ever y few weeks at one of the offices,
and the security team had to spend a few days tracking down the people responsible
for the site to determine what, if anything, had happened. On a few occasions, the
security team was called in the middle of the night to deal with a security incident but
had no access to the site that was believed to be compromised and was unable to get
a response from the people responsible for that site until the next day. By contrast,
at the site that did have central authority and policies, there were no such scares or
incidents.
11.1.3 Basics for the Technical Staff
As a technical member of the security team, you need to bear
0/5000
Chương 11 an ninh chính sáchFAA là rất thông minh trong cách nó đã đi về xây dựng hàng tồn kho để bảo vệvà kiểm toán có thể bắt đầu. Đầu tiên, nó xây dựng hàng tồn kho từ tất cả các thông tin mà nó đã làmcó và có nó có thể đạt được từ phân tích mạng lưới của mình với nhiều công cụ.Một khi nhóm mạng cảm thấy rằng nó đã làm tốt nhất mà nó có thể ngày của riêng mình, đó làthời gian để thông báo chính sách kiểm định mới cho tất cả các tổ chức CNTT trong FAA.Suy nghĩ đầu tiên của nhóm đã thông báo rằng bất kỳ mạng kết nối không phải trên danh sách của mìnhvà do đó không đảm bảo và kiểm tra nào dẫn đến rắc rối cho những người chịu trách nhiệmkết nối mạng. Tuy nhiên, nhóm nhận ra rằng điều này chỉ đơn giản là sẽ làmngười tăng nỗ lực của họ để ẩn kết nối như vậy. Nó sẽ, trong thực tế, khuyến khích ngườivới các kết nối không được báo cáo để đi "ngầm."Thay vào đó, nhóm đã thông báo một chương trình ân xá. Đối với một số tháng,bất cứ ai có thể báo cáo kết nối mạng không chính thức và nhận được không có hình phạt nhưngthay vào đó giúp bảo vệ và kiểm toán kết nối. Tuy nhiên, bất cứ ai không đếnchuyển tiếp theo một thời hạn nhất định: Vâng, đó sẽ là một điều xấu.Người thú nhận trong droves, đôi khi qua email, đôi khi bởi một người rất sợbước vào văn phòng của giám đốc để thú nhận ở người. Tuy nhiên, chương trình làm việc. Nhiềumọi người đến nhóm để được giúp đỡ; không ai bị trừng phạt. Trong thực tế, ngay cả sau khi tổ chức Ân xáchương trình kết thúc, một người đã đến giám đốc gần nước mắt thú nhận vànhận được không có hình phạt. Mục đích là để bảo mật mạng, không phải để có được người sa thải;như mở và khoan dung như có thể là chính sách tốt nhất.Cùng lúc đó, đội tuyển mạng có nhiều người trong số các kết nối không có giấy tờ riêng của mìnhmà yêu cầu phân tích để xác định nơi họ kết nối đến. Đôi khi, thanh toán hồ sơđược tư vấn để giúp xác định dòng. Đôi khi, jack đã được dán nhãn, và một ít nghiên cứu có thể xác định chiếc tàu sân bay mạng, dẫn tới nhiều nghiên cứu xác định cácdòng. Lần khác, các đội đã không may mắn.Cuối cùng, một vài kết nối không thể được xác định. Sau khi tất cả các nỗ lực không thành công, cácđội chỉ đơn giản là chọn một ngày và thời gian đó có ít nhất các chuyến bay trong không khí và ngắt kết nốihọ. Trong một số trường hợp, nó đã vài tháng sau đó trước khi đất nước bị ngắt nhận thấyvà phàn nàn. Số còn lại đã không bao giờ được xác định và vẫn còn bị ngắt kết nối. Chúng tôi đangkhông chắc chắn đó là hơn disconcerting: các kết nối đã không bao giờ được xác định hoặc cácthực tế là một số quốc gia đã bay trong nhiều tháng mà không có khiếu nại.11.1.2.1 nhận được hỗ trợ cao cấp quản lýMột chương trình bảo mật để thành công, nó phải có hỗ trợ quản lý cấp cao. Quản lý của công ty phải được tham gia trong việc thiết lập các chính sách và đất lệnh cho chương trình an ninh như vậy rằng quyết định đúng đắnđược thực hiện cho các doanh nghiệp và do đó quản lý hiểu được quyết định những gì đã được thực hiện và tại sao. Bạn sẽ cần để có thể giải thích rõ ràng cáckhả năng, rủi ro và lợi ích nếu bạn muốn thành công đại diện cho nhóm bảo mật, và bạn sẽ cần phải làm như vậy trong ngôn ngữ kinh doanh, kỹ thuật khôngbiệt ngữ.11.1 phần khái niệm cơ bản 281Trong một số trường hợp, các nhân viên an ninh có thể không đồng ý với quyết địnhđược thực hiện bởi quản lý của công ty. Nếu bạn thấy rằng bạn không đồng ý vớiCác quyết định đó, cố gắng để hiểu tại sao họ đã được thực hiện. Hãy nhớ rằng bạncó thể không có quyền truy cập vào cùng thông tin hoặc doanh nghiệp chuyên môn như là cácđội ngũ quản lý. Quyết định kinh doanh đưa vào tài khoản cả hai kỹ thuật vànhu cầu nontechnical. Nếu bạn đại diện cho nhóm bảo mật tốt, bạn phải tinđội ngũ quản lý là làm cho các quyết định mà họ tin rằng là tốt nhấtcho công ty và chấp nhận them.2 an ninh người có xu hướng muốn xây dựng mộtHệ thống an toàn vì vậy nó sẽ không được hoàn thành cho đến khi các doanh nghiệp đã bỏ lỡmột cơ hội thị trường hoặc sẽ an toàn vì vậy nó sẽ không sử dụng được. Nó làquan trọng để tìm kiếm sự cân bằng giữa xây dựng hệ thống hoàn hảo và giữCác hoạt động kinh doanh.Một khi doanh nghiệp hướng về an ninh đã được đồng ý về, nó phảiđược ghi lại và được chấp thuận bởi đội ngũ quản lý và sau đó được thực hiệncó sẵn và công bố công khai trong công ty. Lý tưởng nhất, một sĩ quan an ninh ngườikhông phải là một phần của bộ phận CNTT của công ty nên ở một mức độ caoHệ thống phân cấp quản lý. Người này cần phải có cả hai kỹ năng kinh doanh vàkinh nghiệm trong lĩnh vực bảo vệ thông tin. Sĩ quan an ninh nênhead up a cross-functional information-protection team with representativesfrom the legal, human resources, IT, engineering, support, and sales divisions,or whatever the appropriate divisions may be in the company. The securityofficer would be responsible for ensuring that appropriate polices are developed, approved, and enforced in a timely manner and that the securityand information-protection team are taking the appropriate actions for thecompany.No Management SupportWhen Christine arrived at the computer company described in an earlier anecdote, sheasked about the company’s security policy. Two years earlier, a cross-functional grouphad written a policy in the spirit of the company’s informal policy and had submittedit to management for formal approval. The policy got stalled at various levels withinthe IT management hierarchy for months at a time. No one in senior management wasinterested in pushing for it. The manager of the security team periodically tried to pushit from below but had limited success.2. If you think that you didn’t represent the security group well, figure out what you failed to communicate and how best to express it, and then try to get one more chance to discuss it. But it is best to getit right the first time!282 Chapter 11 Security PolicyThis lack of success was indicative of the company’s overall lack of interest in security. As a result, the company’s security staff had a very high turnover because of thelack of support, which is why the company now outsourced security to a consultingcompany.If the security team cannot rely on high-level management support, the security program inevitably will fail. There will be large turnover in the securitygroup, and money spent on security will be wasted. High-level managementsupport is vital.Training Your BossHaving a boss who understands your job can be quite a luxury. Sometimes, however, itcan be useful to be able to train your boss.In one financial services company, the person responsible for security found himselfreporting to a senior VP with with little or no computer background. Should be anightmare, right? No.They created a partnership. The security person promised to meet the company’ssecurity goals and keep to the technical aspects as long as the VP got him the resources(budget) required. The partnership was successful: The VP provided the funding neededevery step of the way; the security person fed the VP talking points before any budgetmeetings and otherwise was left alone to build the company’s security system.Together they were a great success.11.1.2.2 Centralize AuthorityQuestions come up. New situations arise. Having one place for these issuesto be resolved keeps the security program united and efficient. There mustbe a security policy council, or central authority, for decisions that relateto security: business decisions, policy making, architecture, implementation,incident response, and auditing.It is impossible to implement security standards and have effective incident response without a central authority that implements and audits security.Some companies have a central authority for each autonomous business unitand a higher-level central authority to establish common standards. Othertimes, we have seen a corporatewide security authority with one rogue division outside of its control, owing to a recent acquistion or merger. If thecompany feels that certain autonomous business units should have controlover their own policy making, architecture, and so on, the computer and11.1 The Basics 283network resources of these units should be clearly divided from those of therest of the company. Interconnects should be treated as connections to a thirdparty, with each side applying its own policies and architectural standards tothose connections.Multiple autonomous networks for the same company can be very difficult to manage. If two parts of a company have different monitoring policies,for example, with no clear division between the two business units’ resources,one security team could inadvertently end up monitoring traffic from an employee of the other business unit in contravention of that employee’s expectation of privacy. This could lead to a court case and lots of bad publicity, aswell as alienation of staff.On a technical level, your security is only as good as the weakest link.If you have open access to your network from another network whose securityyou have no control over, you don’t know what your weakest link is, andyou have no control over it. You may also have trouble tracing an intruderwho comes across such an open link.Case Study: No Central AuthorityAt a large company, each site effectively decided on its own (unwritten) policies buthad one unified network. Many sites connected third parties to the network withoutany security. As a result, a security scare occurred ever y few weeks at one of the offices,and the security team had to spend a few days tracking down the people responsiblefor the site to determine what, if anything, had happened. On a few occasions, thesecurity team was called in the middle of the night to deal with a security incident buthad no access to the site that was believed to be compromised and was unable to geta response from the people responsible for that site until the next day. By contrast,at the site that did have central authority and policies, there were no such scares orincidents.11.1.3 Basics for the Technical StaffAs a technical member of the security team, you need to bear
đang được dịch, vui lòng đợi..
Các ngôn ngữ khác
Hỗ trợ công cụ dịch thuật: Albania, Amharic, Anh, Armenia, Azerbaijan, Ba Lan, Ba Tư, Bantu, Basque, Belarus, Bengal, Bosnia, Bulgaria, Bồ Đào Nha, Catalan, Cebuano, Chichewa, Corsi, Creole (Haiti), Croatia, Do Thái, Estonia, Filipino, Frisia, Gael Scotland, Galicia, George, Gujarat, Hausa, Hawaii, Hindi, Hmong, Hungary, Hy Lạp, Hà Lan, Hà Lan (Nam Phi), Hàn, Iceland, Igbo, Ireland, Java, Kannada, Kazakh, Khmer, Kinyarwanda, Klingon, Kurd, Kyrgyz, Latinh, Latvia, Litva, Luxembourg, Lào, Macedonia, Malagasy, Malayalam, Malta, Maori, Marathi, Myanmar, Mã Lai, Mông Cổ, Na Uy, Nepal, Nga, Nhật, Odia (Oriya), Pashto, Pháp, Phát hiện ngôn ngữ, Phần Lan, Punjab, Quốc tế ngữ, Rumani, Samoa, Serbia, Sesotho, Shona, Sindhi, Sinhala, Slovak, Slovenia, Somali, Sunda, Swahili, Séc, Tajik, Tamil, Tatar, Telugu, Thái, Thổ Nhĩ Kỳ, Thụy Điển, Tiếng Indonesia, Tiếng Ý, Trung, Trung (Phồn thể), Turkmen, Tây Ban Nha, Ukraina, Urdu, Uyghur, Uzbek, Việt, Xứ Wales, Yiddish, Yoruba, Zulu, Đan Mạch, Đức, Ả Rập, dịch ngôn ngữ.
- địt con cụ mày
- 精米につきまして
- bạn đến rạp chiếu phim vào lúc nào
- bao gồm
- địt con cụ mày
- Morethan 2,000 plant species are grown i
- Đèn pha của Ford Focus mới nổi bật với đ
- The wide range of temperature fluctuatio
- CELEBRITIES
- dove hair therapy
- Specification and estimation of the mode
- by the way
- Tran hung dao ở đâu
- choose the word that has the underlined
- người phụ nữ đứng cạnh chồng của cô ấy v
- bạn là giào viên tiếng anh của tôi và tô
- nói với em là anh vẫn ở đây
- có rất nhiều món ăn đặc sản như chả cá,n
- Got complete conversation what do you
- I am trying hard question to solve this
- 就去爱
- có rất nhiều món ăn đặc sản như chả cá,n
- Công việc của bạn thật thú vị. đươ
- xin chào các anh chị. Cảm ơn đã cho tôi
