Saturday, 31 May 2008

Support Vector Machines

SVMs are a classification technique that is commonly used in some of the work I do. The usual starting point is the two-class case of linear discriminant analysis (LDA) with data that is perfectly separable by a plane:

  • Of the candidate separating planes, the “best” one is the one that is “furthest” from each set of observations
  • The question is then how to find that best separating plane
SVMs were developed by Cortes & Vapnik (1995) for binary classification. Their approach may be roughly sketched as follows:
  • Class separation: we look for the optimal separating hyperplane between the two classes by maximizing the margin between the classes’ closest points. The points lying on the margin boundaries are called support vectors, and the middle of the margin is the optimal separating hyperplane;
  • Overlapping classes: data points on the “wrong” side of the margin are allowed but penalized through slack variables, so they cannot dominate the fit (“soft margin”);
  • Nonlinearity: when no linear separator exists, the data points are projected into a (usually) higher-dimensional space where they effectively become linearly separable (this projection is realised via kernel techniques);
  • Problem solution: the whole task can be formulated as a quadratic optimization problem which can be solved by known techniques.
A program able to perform all these tasks is called a Support Vector Machine.
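As an added example (not code from the original post), the following pure-Python program fits the linear soft-margin case described above by minimising the primal objective (lam/2)·||w||² + mean hinge loss with subgradient descent, then reports the geometric margin and which training points ended up as support vectors. The six 2-D points and their labels are constructed for the example; `lam` is the regularisation weight that controls how soft the margin is.

```python
"""Linear soft-margin SVM fitted in the primal by full-batch subgradient
descent on the hinge loss.  Added example, not code from the original post.

Minimises  (lam/2)*||w||^2 + (1/n) * sum_i max(0, 1 - y_i*(w.x_i + b))

Pure Python by design (no numpy/scikit-learn); the 2-D training set below
is constructed for the example.
"""


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def train_linear_svm(points, labels, lam=0.1, lr0=0.1, epochs=3000):
    """Return (w, b) for labels in {+1, -1}.

    lam sets the margin/slack trade-off: a larger lam tolerates more points
    inside or on the wrong side of the margin (the soft margin); on separable
    data with a small lam the result approaches the hard-margin solution.
    """
    dim, n = len(points[0]), len(points)
    w, b = [0.0] * dim, 0.0
    for t in range(1, epochs + 1):
        lr = lr0 / (1.0 + 0.01 * t)           # decaying step damps the jitter
        grad_w = [lam * wi for wi in w]       # gradient of the regulariser
        grad_b = 0.0
        for x, y in zip(points, labels):
            if y * (dot(w, x) + b) < 1.0:     # inside the margin or misclassified
                for j in range(dim):          # hinge-loss subgradient
                    grad_w[j] -= y * x[j] / n
                grad_b -= y / n
        w = [wi - lr * gi for wi, gi in zip(w, grad_w)]
        b -= lr * grad_b
    return w, b


def predict(w, b, x):
    return 1 if dot(w, x) + b >= 0 else -1


def geometric_margin(w):
    """Distance from the hyperplane w.x+b=0 to either margin boundary
    w.x+b=+/-1, i.e. half the width of the margin band."""
    return 1.0 / dot(w, w) ** 0.5


def support_vectors(w, b, points, labels, tol=0.1):
    """Training points on (or inside) the margin boundaries, y*(w.x+b) <= 1.
    tol absorbs the residual jitter of the iterative fit."""
    return [x for x, y in zip(points, labels) if y * (dot(w, x) + b) <= 1.0 + tol]


# Constructed, linearly separable training set: three points per class
POINTS = [(0.0, 0.0), (1.0, 0.0), (0.0, 1.0), (2.0, 2.0), (2.0, 3.0), (3.0, 3.0)]
LABELS = [-1, -1, -1, 1, 1, 1]


def demo():
    w, b = train_linear_svm(POINTS, LABELS)
    preds = [predict(w, b, x) for x in POINTS]
    return {
        "w": w,
        "b": b,
        "accuracy": sum(p == y for p, y in zip(preds, LABELS)) / len(LABELS),
        "margin": geometric_margin(w),
        "support_vectors": support_vectors(w, b, POINTS, LABELS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On this data only (1,0), (0,1) and (2,2) sit on the margin boundaries, so those are the support vectors; the other three points could be deleted without moving the hyperplane, which is the property that makes the solution depend on a handful of observations rather than on the whole sample. The kernel step for the nonlinear case replaces `dot` with a kernel function and is not shown here.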

Where to go when developing an IT policy.

To find out more on the creation and testing of policy, visit the following sites:

· The SANS Policy Website
o http://www.sans.org/resources/policies/
o The SANS Security Policy Resource page is a consensus research project of the SANS community. The ultimate goal of the project is to offer everything you need for rapid development and implementation of information security policies. You'll find a great set of resources posted here already including policy templates for twenty-four important security requirements.

· Information Security Policy - A Development Guide for Large and Small Companies
o http://www.sans.org/reading_room/whitepapers/policyissues/1331.php
o A security policy should fulfill many purposes. It should: protect people and information; set the rules for expected behavior by users, system administrators, management, and security personnel; authorize security personnel to monitor, probe, and investigate; define and authorize the consequences of violation; define the company consensus baseline stance on security; help minimize risk; and help track compliance with regulations and legislation.

· SANS Policy Primer
o http://www.sans.org/resources/policies/Policy_Primer.pdf
o This short primer on developing and writing security policies was taken from Michele D. Guel’s full day tutorial titled “Security Governance – A Strong Foundation for a Secure Enterprise”.
· RUsecure Information Security Policies
o http://www.information-security-policies.com/
o A commercial Policy creation program
· Technical Writing for IT Security Policies in Five Easy Steps
o http://www.sans.org/reading_room/whitepapers/policyissues/492.php
o As management requires more policies, staff comfort levels drop. As policy writers include complex, confusing, and incomprehensible language, staff comfort levels continue to drop. Therefore, IT Security policy writers need a writing resource, not just a policy resource. This paper points new policy technical writers in the right direction and provides a solid foundation from which to start. Follow these five easy steps when writing IT Security policies. Your management and employees will thank you.

· Security Policy Roadmap - Process for Creating Security Policies
o http://www.sans.org/reading_room/whitepapers/policyissues/494.php
o Information is an important business asset and is valuable to an organization. Thus, it needs to be protected to ensure its confidentiality, integrity and availability. The very first thing in information security is to set up policies and procedures on how to protect information. This paper presents a systematic approach in developing computer security policies and procedures. All the processes in the Policy Life Cycle will be discussed. In particular, it will list all the issues and factors that must be considered when setting up the policies. It makes some recommendations and suggestions on relevant areas and produces a framework for setting security policies and procedures.

· SANS SCORE - Security Consensus Operational Readiness Evaluation
o http://www.sans.org/score/
o SCORE is a cooperative effort between SANS/GIAC and the Center for Internet Security (CIS). SCORE is a community of security professionals from a wide range of organizations and backgrounds working to develop consensus regarding minimum standards and best practice information, essentially acting as the research engine for CIS. After consensus is reached and best practice recommendations are validated, they may be formalized by CIS as best practice and minimum standards benchmarks for general use by industry at large.
o SCORE Objectives:
§ Promote, develop and publish security checklists.
§ Build these checklists via consensus, and through open discussion through SCORE mailing lists.
§ Use existing references, recruit GIAC-certified professionals, and enlist subject matter experts, where and when possible.

Friday, 30 May 2008

Analyzing 802.11 traffic

Captured traffic can be processed and displayed in a number of ways. Some of the uses of captured traffic are detailed below:

  • Summarizing AP, station, and channel activity in near-real-time or after the event;
  • Decoding raw packets into human-readable protocol fields and values;
  • Using name resolution to replace numeric addresses with alphanumeric labels;
  • Using display filters to extract subsets of data after the event;
  • Reconstructing TCP sessions;
  • Creating graphically presented statistics about network usage, error rates, etc;
  • Generating maps that visualize relationships and traffic flows among network nodes;
  • Generating alarms to warn of unexpected traffic and potential problems; and
  • Providing protocol-specific analysis to supply warnings and recommendations.
Like LAN analyzers, WLAN analyzers must understand the protocols in use, here the 802.11 family, and be able to recognise security vulnerabilities and potential performance problems if they are to be of any use. Most modern wireless analyzers also carry out one or more functions specific to the planning and administration of wireless LANs:
  • Spectrum analysis looks beneath the 802.11 protocols at the underlying radio waves. A spectrum analyzer can observe the entire ISM radio-frequency band to detect non-802.11 signals that can result in network interference. Because Bluetooth and microwave-oven emissions fall within overlapping frequency bands, they can interfere with 802.11 traffic.
  • Stumbling is the process of discovering wireless LANs by listening for AP beacons alone. When paired with a GPS receiver, these programs can record the approximate latitude and longitude of discovered APs, making them simpler to pinpoint.
  • Some analyzers flag previously unseen APs or stations, which is the basis of rogue AP detection.
  • WLAN analyzers can be used during wireless site surveys to record signal and noise at selected intervals. The data points collected may then be used to create a site survey that plots coverage on a floor plan. The site survey can be used to visualize coverage holes and signal leakage.
  • Analyzers may be used as network probes to capture traffic from remote locations. This is useful because the data can be forwarded to a central wireless IDS.
  • By configuring a WLAN analyzer with the WEP keys or WPA pre-shared keys used within the organization, the analyzer can decrypt the traffic it captures, enabling payload analysis. For WPA/WPA2-PSK the pre-shared key alone is not enough: the analyzer must also have captured each station’s four-way handshake (the EAPOL exchange at association), because the per-session pairwise keys are derived from it. Traffic from a station whose handshake was missed stays opaque until it re-associates.
  • Some wireless analyzers can act as APs.
WLAN analyzers vary significantly in the levels of support, processing depth and breadth, the richness of their features, presentation approach, form factor, platform, and cost.
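As an added example (not code from the original post), the following Python decodes raw 802.11 beacon frames into the fields a stumbler reports (BSSID, SSID, channel, security mode) and then runs the two checks an analyzer’s rogue-AP function applies to them: a BSSID missing from the allow-list, and the worse case of an unknown BSSID advertising a corporate SSID (an evil twin). It assumes bare 802.11 MAC frames with no radiotap header and the FCS stripped; the sample frames, the BSSIDs and the SSID allow-list are all constructed for the example.

```python
"""Decode raw 802.11 beacon frames and flag APs missing from an allow-list.

Added example, not code from the original post.  Assumes bare 802.11 MAC
frames: no radiotap/PRISM header in front, FCS already stripped.  The sample
frames, BSSIDs and allow-list below are constructed for the example.
"""
import struct

IE_SSID = 0
IE_DS_PARAM = 3          # DS parameter set: a single byte, the channel number
IE_RSN = 48              # RSN information element (802.11i / WPA2)
IE_VENDOR = 221
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"   # vendor IE prefix used by WPA (v1)
CAP_PRIVACY = 0x0010     # capability bit: data frames are encrypted
MGMT_HDR_LEN = 24        # frame control, duration, addr1-3, sequence control
BEACON_FIXED_LEN = 12    # timestamp(8) + beacon interval(2) + capability(2)


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_ies(body):
    """Walk the tag/length/value list after the fixed beacon fields.  Stops
    at the first IE whose declared length overruns the buffer instead of
    trusting a malformed frame."""
    ies, pos = [], 0
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) != length:
            break
        ies.append((tag, bytes(value)))
        pos += 2 + length
    return ies


def security_of(capability, ies):
    if any(tag == IE_RSN for tag, _ in ies):
        return "WPA2"
    if any(tag == IE_VENDOR and val.startswith(WPA_OUI_TYPE) for tag, val in ies):
        return "WPA"
    return "WEP" if capability & CAP_PRIVACY else "open"


def parse_beacon(frame):
    """Return the human-readable fields of a beacon, or None for any other
    frame type/subtype or a frame too short to hold a beacon body."""
    if len(frame) < MGMT_HDR_LEN + BEACON_FIXED_LEN:
        return None
    fc = frame[0]
    if (fc & 0x0c) != 0x00 or (fc >> 4) != 0x08:    # type 0 (mgmt), subtype 8
        return None
    bssid = mac_str(frame[16:22])                     # address 3 of a beacon
    _timestamp, interval, capability = struct.unpack_from("<QHH", frame, MGMT_HDR_LEN)
    ies = parse_ies(frame[MGMT_HDR_LEN + BEACON_FIXED_LEN:])
    fields = dict(ies)                                # lookup by tag (last wins)
    ssid = fields.get(IE_SSID, b"").decode("utf-8", "replace") or "<hidden>"
    ds = fields.get(IE_DS_PARAM, b"")
    return {"bssid": bssid, "ssid": ssid, "channel": ds[0] if ds else None,
            "interval_tu": interval, "security": security_of(capability, ies)}


def find_rogue_aps(frames, known_bssids, corporate_ssids):
    """Rogue-AP checks over decoded beacons: any BSSID not on the allow-list,
    and the worse case of an unknown BSSID advertising a corporate SSID."""
    alerts = []
    for frame in frames:
        ap = parse_beacon(frame)
        if ap is None or ap["bssid"] in known_bssids:
            continue
        reason = "evil twin" if ap["ssid"] in corporate_ssids else "unknown AP"
        alerts.append((reason, ap))
    return alerts


def build_beacon(bssid, ssid, channel, capability, extra_ies=b""):
    """Assemble a minimal beacon; used only to construct the sample input."""
    header = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, capability)
    ies = bytes([IE_SSID, len(ssid)]) + ssid + bytes([IE_DS_PARAM, 1, channel])
    return header + fixed + ies + extra_ies


RSN_IE = (bytes([IE_RSN, 20]) + b"\x01\x00"            # version 1
          + b"\x00\x0f\xac\x04"                        # group cipher CCMP
          + b"\x01\x00" + b"\x00\x0f\xac\x04"          # one pairwise cipher: CCMP
          + b"\x01\x00" + b"\x00\x0f\xac\x02"          # one AKM suite: PSK
          + b"\x00\x00")                               # RSN capabilities
CORP_BSSID = b"\x00\x11\x22\x33\x44\x55"
SAMPLE_FRAMES = [                                      # constructed capture
    build_beacon(CORP_BSSID, b"CorpWiFi", 6, 0x0411, RSN_IE),
    build_beacon(b"\xde\xad\xbe\xef\x00\x01", b"Free Public WiFi", 11, 0x0401),
    build_beacon(b"\xc0\xff\xee\xc0\xff\xee", b"CorpWiFi", 1, 0x0411),  # WEP twin
    b"\x08\x00" + b"\x00" * 40,    # a data frame: not a beacon, ignored
    b"\x80\x00\x00\x00",           # truncated beacon: ignored
]
KNOWN_BSSIDS = {mac_str(CORP_BSSID)}
CORPORATE_SSIDS = {"CorpWiFi"}

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(parse_beacon(frame))
    for reason, ap in find_rogue_aps(SAMPLE_FRAMES, KNOWN_BSSIDS, CORPORATE_SSIDS):
        print("ALERT %-10s %s ssid=%r ch=%s %s" % (reason, ap["bssid"],
                                                   ap["ssid"], ap["channel"], ap["security"]))
```

The parser doubles as a display filter: anything that is not a beacon, or whose information elements overrun the frame, is dropped rather than guessed at, which is the safe behaviour for a tool that will be fed frames from whatever radios happen to be in range. The BSSID allow-list is the key input; an SSID match alone proves nothing, which is exactly why the second check exists.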

Thursday, 29 May 2008

WLAN and Wi-Fi

A WLAN (Wireless Local Area Network) covers a greater area than a WPAN and offers higher data rates. Most 802.11b equipment signals at up to 11 Mbps (usable throughput is roughly half that once protocol overhead is taken into account) over a few hundred metres outdoors with line of sight; indoors, walls cut this to tens of metres. Later amendments such as 802.11n provide far higher rates, with throughput above 100 Mbps for stations close to the AP (Access Point) and PHY rates defined up to 600 Mbps.

IEEE standard 802.11b uses the 2.4 GHz ISM (Industrial, Scientific and Medical) band, which is licence-exempt rather than unregulated (transmit power and channel use are still governed by national regulators), and provides data rates from 1 Mbps up to 11 Mbps over a range of up to a few hundred metres in the open. This standard uses DSSS (Direct Sequence Spread Spectrum) to encode data before transmitting it.
The IEEE 802.11, 802.11a, 802.11b, and 802.11g standards all use a CSMA/CA (Carrier Sense Multiple Access / Collision Avoidance) protocol at the MAC sublayer of the data link layer.

Wi-Fi is the Wi-Fi Alliance’s certification mark for equipment built on IEEE 802.11; in practice the two terms are used interchangeably. Table 16.1 lists the 802.11 implementations that are in widespread use. The main standards are 802.11a, 802.11b, 802.11g, and 802.11n; 802.11i is included because it is the security amendment that WPA2 certifies against, not a radio standard.

Standard         Max data rate   Band / notes
802.11a          54 Mb/s         5 GHz, OFDM
802.11b          11 Mb/s         2.4 GHz, DSSS
802.11g          54 Mb/s         2.4 GHz, OFDM; backward compatible with 802.11b
802.11i (WPA2)   n/a             security amendment (AES-CCMP, 802.1X or PSK key management); no PHY rate of its own
802.11n          100+ Mb/s       2.4 and 5 GHz, MIMO; PHY rates defined up to 600 Mb/s

Wednesday, 28 May 2008

Bluetooth

Bluetooth is the industry standard for PANs (wireless personal area networks). Bluetooth provides a means of connecting devices and exchanging data between them. It is commonly used to connect personal digital assistants (PDAs), mobile phones, laptops, PCs, printers and digital cameras, and is designed to be a low-cost network option using short-range radio.

Bluetooth devices operate in the 2.4 gigahertz (GHz) band, using the frequencies between 2.4 and 2.4835 GHz. A frequency-hopping scheme (1600 hops per second across 79 channels of 1 MHz) is used to limit interference from other devices operating in the same band.

Many Bluetooth devices are not discoverable by default. When a Bluetooth device is made discoverable, it answers inquiry requests from nearby devices with its address and name, which lets an attacker enumerate it and attempt to connect or pair. Non-discoverable mode only hides the device from inquiry scans; it still accepts connection attempts addressed to its 48-bit device address, so it is not a substitute for refusing pairing with unknown devices.

Monday, 26 May 2008

The Concepts of Organizational OPSEC (Operation Security)

There are a number of specialist topics in organizational OPSEC and concepts that need to be defined before going into detail. These include:

· Trusted Computing Base (TCB). The totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy.

· Malware Management. Malware management is more than an Anti-Virus system. Any system that gives administrative control to a user allowing the loading or execution of any software has an increased vulnerability to malware (such as worms, viruses and trojans) and risk from unexpected software interactions. This can lead to the subversion of security controls.

· Principle of Least Privilege. Never grant users more than the least level of access to a system that is needed for them to complete their roles or jobs. That is, if a user needs read-only access to a file, set their permissions to allow read access only, blocking write permission so that they cannot modify the data. The same rule applies to service accounts and the processes that run under them, not only to interactive users.

· Privileged operations. This type of operation includes the use of:

  • operating system control commands,
  • The ability to configure interfaces,
  • Rights to access audit logs,
  • The ability to manage user accounts,
  • The ability to configure security mechanisms and controls,
  • The privileges to back up and restore data, etc.
· Privacy. The privacy of data involves the protection of personal information from disclosure to an unauthorized party (either being an individual or organization). This involves the maintenance of confidentiality.

· Legal requirements. Adherence to the law and regulatory controls is the foundation or baseline upon which a security infrastructure can be built. At a minimum, it is necessary to adhere to the requirements imposed by law on the organization.

· Illegal activities. This involves being able to identify both criminal and tortious acts (see the “Information Systems Legislation” chapter). An organization needs to be able to facilitate attribution, that is, discovering who is responsible and proving it through the use of evidence. The organization should also be able to support non-repudiation of transactions.

· Record retention. The organization’s policy needs to define what information is collected and maintained, and how long it is to be kept. This aspect of OPSEC is commonly driven by regulatory and legal requirements such as consent to monitoring and financial controls (e.g. SEC filing or tax rules).

· Marking. Marking is the process of setting a classification on the data stored on media.

· Handling. The transportation of media from one point or place to another securely is the realm of handling. This involves media control from purchase through to storage and lastly destruction.

· Storage. Data needs to be stored in secured facilities. These should maintain the temperature and humidity within a controlled range.

· MTTF. All media has a mean time to failure (MTTF). This is dictated by the number of times it can be re-used or by a time-based life.

· Destruction. Any media that has reached or exceeded its MTTF needs to be replaced. When destroying the old media, it should first be purged before being destroyed. This process is commonly referred to as sanitization. It covers any number of processes that prepare the media for destruction, such as wiping hard drives and other magnetic media, or degaussing. The idea is either to return the media to its original pristine, unused state or to render it permanently unusable and unrecoverable. Degaussing works only on magnetic media; flash-based media (SSDs, USB keys) cannot be degaussed, and overwriting may miss blocks that wear-levelling has retired, so cryptographic erase or physical destruction is the dependable choice there.

· PII. Personally Identifiable Information (PII) is any information that may be used to identify an individual. This includes information such as a Social Security number (USA), a Tax File Number (TFN, Australia), credit card and banking details, and other forms of ID.
In addition, there are a number of legal terms associated with operations security. Good corporate governance (and, as an offshoot, good IT governance) requires both due care and due diligence.

· Due care. This involves the use of a reasonable level of care in order to guard the interests of the organization from risk and, consequently, damage.

· Due diligence. This is the practice of activities that are designed to maintain due care within the organization.

Together, due care and due diligence form the foundations of governance. Effective governance is often the only way to rebut an allegation of negligence if an incident ends up as an action in a court of law.

Sunday, 25 May 2008

Soaring on Eagles wings.

Another week ended. I have just returned from a couple of weeks interstate (Perth, WA) on the other side of Australia.

This week was bittersweet, with some soaring highs and a few annoyances that seem all the worse only due to the heights.
I completed and submitted my dissertation for my LLM (Ecommerce Law) in Feb this year. I received my grading etc. this week. I received a commendation.
Why bittersweet? The adversity (represented by the magpie in the image above) was being in Perth at the time.
Though I did enjoy going out with people from work, I would have preferred to be at home with the wife. I would have also been less rushed and stressed, with a book due to be completed next week (on schedule, no thanks to being away).
Well you know what they say...

When life hands you lemons...