Academyplux

My 2012 Technology Prediction

2011-12-22T11:20:00.004Z

Here is my high-level list of six technology prediction for 2012. What do you think?

1) There will be significant acceptance of BYOD (Bring Your Own Device) into corporate estate, and there will be changing corporate policy and governance around this. As we are currently seeing, some organisations have started to incorporate BYOD into corporate policies and governance models; and some now are starting to make budget provision for IT to include BYOD in the corporate procurement.
2) There will be formidable challenges from Mobile Application Security, resulting from overwhelming demand in mobile applications and Mobile and Cloud-based technologies.
3) There will be significant Greenfield Regulatory demand around Data Protection and Privacy. 2011 was the first time the ICO (Information Commissioner’s Office) was given absolute powers to fine and penalise organisations in breach of privacy, and while the movement for ‘Privacy by Design’ is gaining momentum in Canada, and Australia etc., We will see in 2012 a global demand for privacy impact assessments (PIA), this will be driven by various factors including, but not limited to, data protection regulatory obligation, changing delivery models (cloud computing) and end-user awareness (media phone hacking, invasive journalism).
4) There will be, as has been, information security drivers coming from Social Networking Media. This will see convergence of personal data protection & privacy and corporate office use of social networks for enterprise ad and sells medium.
5) There will be a good wave of discussion around Situational Awareness in Computers and Networks. This will be around mechanisms to protect valid assets and detect attacks exploiting emerging technologies and changing operating models. So such mechanisms will be around mechanisms to secure BYOD, deter velocity-based attacks, cloud-based attacks, and mobile application related issues.
6) As always, Protection against Terrorism and Serious Organised Crime will be a central theme in government, such as counter-terrorism, bio-informatics and Intel.

Computer Network Defense Approaches

2011-12-14T11:00:00.005Z

Defenses to cyber attacks become very efficient when appropriate defense approaches are deployed accordingly to protect valued assets. Inappropriate application of defenses to treat risk in information systems will result to weakened defenses and consequently lead to significant impact on the confidentiality, integrity or availability of these assets when compromised. This paper presents defense approaches to computer network that assist information asset owners in deciding on appropriate defense approaches to adequately protect their valued assets. Download the paper

'The Science' of Privacy Impact Assessment (PIA) - Part 2

2011-09-09T13:13:00.003+01:00

What is PRIVACY IMPACT ASSESSMENT?

Privacy impact assessment (PIA) is an assessment of privacy related risks. To carryout PIA, four distinct assessments should be completed, comprising:

1. Assessment of the project’s characteristics or features such as technologies or mechanisms deployed or intended of use in the project. This assessment is to check if the technologies or mechanisms to be deployed in the project would be privacy invasive.

2. Assessment of a project’s compliance with privacy regulations, state, federal, national, bilateral or multilateral privacy legislations. This relates to compliance with privacy regulations and legislations, especially those that operate where the project is located or situated. For example, the Data Protection Act 1998 in the UK or the ‘the Privacy Act’ in the US, or other privacy related pieces of legislations in other parts of the world, such as Canada, Australia and Germany.

3. Assessment of personal information data being processed, or to be processed by the project. For example, is personal information data collected identifiable or not; are they sensitive personal data; are they ‘obsolete’ but identifiable personal data etc.

4. Finally, it is an assessment of the collection, sharing, distribution, storage, transportation and destruction of personal information data, and whether the processing of personal information is in line with privacy legislations.

It is important to mention that PIA assessment can be carried out for a project, programme, task, policy, platform or ICT System.

Is Privacy Impact Assessment necessary for all projects?

2011-09-06T11:37:00.000+01:00

Privacy impact assessment is an assessment of privacy risks that may be associated with a project and ensuring that privacy legislations are not breached, and sensitive personal identifiable data (PID) are not compromised, too.

Privacy risk assessment is an assessment of risks associated with - failing to comply with state or federal privacy legislation - protecting personal information data of individuals, and satisfying privacy requirements of information systems, that may need to be redesigned or retro-fitted at considerable expense.

This means that privacy risk assessment should be carried out on all projects to ensure that:
1) They comply with privacy legislations or regulations;
2) They provide adequate safeguards to manage, handle, share, store or transport sensitive personal data or personally identifiable information (PII), and
3) Finally, they comply with project-specific information systems’ privacy requirements.

Managing privacy risks can be challenging, not because of the numerous issues of concern, but also because each project is unique and utilizes fundamentally different technologies and mechanisms to deliver its own service. While the steps involved in carrying out privacy impact assessment are the same for any project, but each assessment of privacy for any project is different.

Just completed another book project - Situational Awareness in Computer Network Defense: Principles, Methods and Applications

2011-08-24T12:50:00.007+01:00

I'm extremely pleased to inform you folks that my current book project is now successfully completed. I've been informed by the publisher - IGI Global - that the book - Situational Awareness in Computer Network Defense: Principles, Methods and Applications is published :-)

Please place your orders soon !!!!

Link is provided .... Situational Awareness in Computer Network Defense: Principles, Methods and Applications

'The Science' of Privacy Impact Assessment (PIA) - Part 1

2011-08-24T12:42:00.007+01:00

The challenges organisations face in managing privacy risks are numerous and inherently diverse. Traditionally, organisations had focused on addressing business and security requirements of a project, but most recently, privacy impact assessment has become an essential part of the risk management regime for most projects. Hence significant efforts are now directed toward providing appropriate guidance on how to conduct privacy impact assessments.

Appropriate assessments of privacy invasive technologies, justification for project, collection and handling of personally identifiable data (PID) and compliance to privacy legislations possess enormous challenges to carrying out appropriate privacy impact assessments.

In series of articles, I hope to provide practical and demonstrable guidance on how to assess privacy risks of both new and in-service projects. Further, lessons learned from managing privacy risks of new and in-service projects resulting from aggregation, collection, sharing, handling and transportation of personally identifiable information will be shared and discussed.

Book Chapter Invitation: Situational Awareness in Computer Network Defense: Principles, Methods and Applications

2010-10-07T20:38:00.003+01:00

CALL FOR CHAPTER PROPOSALS
Proposal Submission Deadline: December 15, 2010
Situational Awareness in Computer Network Defense: Principles, Methods and Applications
A book edited by Cyril Onwubiko and Thomas Owens
Research Series Ltd, London, UK
Brunel University, London, UK

To be published by IGI Global: http://www.igi-global.com/AuthorsEditors/AuthorEditorResources/CallForBookChapters/CallForChapterDetails.aspx?CallForContentId=216a3334-f89b-4bd3-9681-208c67e34285

Introduction
Computer crimes around the world cost organizations and governments billions of dollars each year. In response, organizations use a plethora of heterogeneous security devices and software such as firewalls, Intrusion Detection Systems (IDS), Security Information and Event Management (SIEM) to monitor networks in conjunction with Computer Security Incident Response Teams (CSIRT), that are responsible for ensuring availability, integrity and confidentiality of network services. Their primary challenge is to maintain situational awareness over many critical network objects some of which include critical national infrastructures, the impact of a cyber attack on which could result in a breakdown in national communications networks or essential support services, which may impact on citizens’ safety or livelihoods. Maintaining consistent high-level situational awareness over such objects requires that the CSIRT has the knowledge and ability to perceive and analyze situations that may have security related implications, make sound decisions on how to protect organizations' valued assets and offer accurate predictions of future states in a dynamic and complex environment. This is the underpinning of situational awareness in computer network defence.

Computer Network Defence (CND) is a growing field which is geared towards measures to protect and defend information, computers and networks from attacks that could cause disruption, denial of service, degradation and destruction. Situational awareness (SA) is described as knowing what is going on around you and within that knowledge of your surroundings and being able to identify which events in those surroundings are important. SA is very complex and involves very dynamic states, e.g. of a computer network with hundreds of network objects (firewalls, IDSes, routers, switches, servers, PADs etc). Maintaining a consistently high level of situational awareness over these objects can be challenging.

Objective of the Book
This book will provide security practitioners, academia and organizations insights into practical and applied solutions, frameworks, technologies, and implementations, for situational awareness in computer networks. The book will present situational awareness solutions in computer network defence (CND) currently being researched or deployed in book chapters contributed by leading researchers and practitioners in the field. The key objective is to fill a gap that exists in the way CND and security is being approached by formalizing the use of situational awareness in computer network security and defence. This will be achieved by providing contributions to situational awareness in network security and CND made through research, the prescription of formal concepts, and implementations. The book will supplement chapters on the theoretical (research) aspects of situational awareness in CND with discussion of their real-world implications and where applicable their implementations. The theoretical chapters will be complemented by chapters that address existing solutions for situational awareness in CND and the issues associated with them.

Target Audience
The primary audience for the book is professionals, practitioners, researchers and academics working in the field of Situational Awareness for Computer Network Defence which is evolving rapidly and growing as an area of information assurance. Practitioners and managers working in information security areas across all industries could significantly improve their knowledge and understanding of critical technical human and social aspects of situational awareness, and information security in general, by reading this book. Air Space Controllers, Aviation Systems and Defence Agencies will also find this book a very helpful and practical resource.

Recommended topics include, but are not limited to the following:

• Theoretical Underpinnings of Situational Awareness
• Analysis of Situational Awareness in Computer Networks
• Functional Requirements of Situational Awareness for Computer Network Security
• Situational Assessment and Human Factors
• Situational Assessment and Decision Marking
• Situational Understanding in Command and Control Networks (CCN)
• Situational Awareness in Military Operations
• Situational Awareness in C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance)
• Computer Network Defence (CND)
• Computer Network Operations
• Usefulness of Data Fusion for Security Incident Analysis
• Security incident analysis - Data Association and Correlation
• Security Information Visualization
• Security Monitoring
• Implementing Situational Awareness Systems
• Emerging Applications of Situational Awareness Solutions
• Incident Response and Management and Emergency Preparedness
• Computer Security Incident Response Teams (CSIRT)
• Information Security Metrics and Measurement
• Digital Forensics
• Forensics and Investigation Issues
• Digital Forensic Information Analysis
• Enterprise Information Security Policies, Standards and Procedures
• Risk Management, Governance and Compliance
• National and Critical Infrastructure Security Issues
• Trust, Privacy and Anonymity Issues
• Application Security, Audits and Penetration Testing
• Information Security
• Risk Assessment & Management
• Information Security Management Frameworks
• Security Event and Information Management
• Risks posed by Wireless Networks, including through the use of Mobile Computing, Smartphones & Apps in a CND environment.

Submission Procedure
Researchers and practitioners are invited to submit on or before November 15, 2010, a 2-3 page chapter proposal clearly explaining the mission and concerns of his or her proposed chapter. Authors of accepted proposals will be notified by December 15, 2011 about the status of their proposals and sent chapter guidelines. Full chapters are expected to be submitted by March 15, 2011. All submitted chapters will be reviewed on a double-blind review basis. Contributors may also be requested to serve as reviewers for this project.

Publisher
This book is scheduled to be published by IGI Global (formerly Idea Group Inc.), publisher of the “Information Science Reference” (formerly Idea Group Reference), “Medical Information Science Reference,” “Business Science Reference,” and “Engineering Science Reference” imprints. For additional information regarding the publisher, please visit www.igi-global.com. This book is anticipated to be released in 2011.

Important Dates
January 15, 2010: Proposal Submission Deadline
Feb. 15, 2011: Notification of Acceptance
March 15, 2011: Full Chapter Submission
May 15, 2011: Review Results to Authors
July 15, 2011: Final Chapter Submission
August 15, 2011: Final Deadline

ACPO and Seizure of Recorded Photographic Materials

2010-09-13T13:57:00.004+01:00

While it might be permissible to seize cameras or photographic recording of people taking photographers in public places under the PACE (Police and Criminal Evidence Act 1984), that wasn't the case with the latest guideline distributed by the ACPO (Association of Chief Police Officers) WRT to the recent incident in Sussex.

The ACPO guideline previously stated that 'seizure of recorded photographic materials is only permissible by a court order', this have now being reversed by the amended version of the guideline, which states that 'seizure is permissible, but deletion of the evidence is not unless authorised by a court of law'.

One would wonder if the goal mouth changes with incidents, while the former was the prevalent until yesterday, the revision might have happened because the position of the Sussex police were different to that of the ACPO standing.

Your comments please!

Digital Forensic Readiness

2010-09-11T18:23:00.007+01:00

Digital forensic readiness is about developing forensic capability in an organisation that assist them in the event of a forensic investigation. For an organisation to be forensic ready, they should have a forensic programme in house, which should aim to train and equip some of their employees (especially, the SPOC group)- Single Point of Contact group about forensic (computer and network) process and techniques to obtain, share and handle digital evidence (crime scene evidence).

Here are some of what may be contained in a forensic readiness programme:

1) Forensic readiness policy - this policy must exist in the organisation, and should state precisely what should trigger a forensic investigation, the capability target of the organisation within a timeline (e.g., an organisation's present capability may be 'elementary' meaning they are still in the embroynic stage, or it may be 'standard' meaning the organisation have made some progress with traning staff and equipping them with tools to do the work; or 'enhanced' meaning the organisation have made some advancements in the forensic process, trained their staff and can support complex forensic investigations, such as those affecting business partners or involving various personnel.

2) Forensic readiness procedure - this procedure should outline who deals with forensic investigation in an organisation, such as the SPOC, the reporting of incidents, how escalations should be reported to Senior Management, the Police or the Law enforcement etc. The procedure should also outline how personnel monitoring and investigation should be carried out.

3) Rules of evidence - this explains how evidence should be handled, including 'storage', distribution and destruction of digital forensic evidence. It should also include how to present (admissible) evidence in a court of law.

4)Forensic investigation process - this outline the 5-step of forensic investigation, namely, evidence gathering, preservation, analysis, review and presentation. It is pertinent to note that digital evidence must be preserved, and must not be tampered, otherwise it wont be admissible in a court of law. To analyse forensic evidence, it's a rule of thumb to bitstream copy evidence, and work on the duplicate copy while still retaining the original copy untampered (without manipulation.

5)Chain of custody - this is a document accomplaining all digital evidence that provides assurance in the form of witness to crime scene evidence gathered. A chain of custody should show date evidence was collected, names of people that witnessed the evidence gathering/collection, who evidence was collected from, and photo of what was siezed and collected etc.

6) Training - Staff must be trained especially on forensic policy, procedure and the process of handling their in-house investigation. Evidence handling, sharing and destruction must be thought, especially, rules of evidence, how evidence can be presented to a court of law (admissible), and tools to be used to analyse evidence collected.

7) SPOC - A Single Point of Contact must be appointed to deal with forensic investigation. This group are the 'need to know' who shall carry out investigation, report or escalation investigation to law enforcement and manage incident and preserve evidence.

There are many things to be included in a forensic readiness programme, and in the next couple of weeks, I'll be sharing them as I have the time to blog. Enjoy it :-)

Security Awareness (SA006-10): Security Audit

2010-06-11T12:08:00.006+01:00

Auditing for security management is a systematic process of evaluating and examining an organisation’s core security policies, technical controls, processes, procedures, practices and operations in order to ascertain that the security protection offered to its valued assets are adequate, applicable and compliant [Cyril Onwubiko, ‘A Security Audit Framework for Security Management in the Enterprise’, Communications in Computer and Information Science, ISBN 978-3-642-04061-0, pp.9-17 [Online] http://www.springerlink.com/content/v12786838l8046h3/].

Security audits can be very useful to an organisation in many ways. For example, security audits assist an organisation as follows:
• Reveal business practice nonconformity,
• When policies, standards or procedure are not being followed (noncompliance),
• It also assists with finding out regulatory or legislative noncompliance (desk-based audits).
• Above all, audits assist an organisation find out if its employees comply to the organisation’s security policies, standards and procedures.

There are four types of internal audits recommended in the industry, namely:
• Desk-based compliance audit
• Spot check audit
• User accountability audit
• Operations audit

To assist anyone wanting to carry out an internal audit, the E-Security Group at Research Series Limited has drafted the questionnaire (sampled, not comprehensive) that could be a useful starting point, irrespective of the business the organisation is into.

Questionnaire for Audit
Policies and Procedures
• Are all personnel/staff aware of the Programme’s security policies?
• Does the Programme have its own written security policies, procedures, processes and local working instructions?
• Are these policies, procedures and processes available in an easily accessed location? Please establish media type (hardcopy, electronic, online, intranet)
• Does staff have written guidelines for protecting their workstations and storage media files?
• Does the Programme have a system administrator?
• Are there clearly defined system security procedures for the Administrator?
• Is staff instructed on basic workstation security?
• Do personnel in the Programme have sufficient authority to accomplish IT security related duties and policies?
• Are there available and competent personnel to provide cover when a System Administrator is unavailable?
• Does the Programme have a process to address incidents or compromises?

Regulatory/Legal Compliance• Does the Programme comply with the HMG Security Policy Framework (SPF)?
• Does the Programme comply with the Data Protection Act 1988 (DPA)?
• Does the Programme comply with the Privacy Act?
• Does the Programme comply with the Official Secrets Act (OSA), and do employees and direct delivery partners sign-up to OSA?
• Does the Programme comply with the Regulation of Investigatory Powers Act 2000 (RIPA)?
• Does the Programme comply with the Freedom of Information Act (FoIA)?
• Does the Programme comply with the Telecommunications
• Does the Programme comply with The Data Protection (Processing of Sensitive Personal Data) Order 2002?
• Does the Programme comply with The Human Rights Act (HRA) 1998?
• Does the Programme comply with the Lawful Business Practice Regulations 2000?
• Does the Programme comply with the Privacy and Electronic Communications Regulations (PECR)?
• Does the Programme comply with the Data Handling Review (DHR) 2008 & CESG IA Standard no. 6 – Protecting Personal Data and Managing Information Risk?
• Does the Programme comply with ISO 27001 - Information Security Management Systems (ISMS)?

Environmental
• Is the Programme data centers located in places that are safe and free from potential danger, such as close proximity to popular tourist attraction centres, near to target structures, sufficient power sources, etc?
• Do Uninterruptible Power Supplies (UPS) provide alternate source of power to the data centres?
• Is the heating, cooling and ventilation keeping systems at the appropriate temperature and humidity?

Physical Security
• Has a physical security audit been done? If yes, when was this assessment carried out?
• Does the Programme have physical security standards policies and procedures?
• Are there procedures for access control to the data centres or computer rooms?
• Does the Programme have an physical alarm/warning system?
• Are workstations and laptops locked down to deter theft?
• Are all servers and workstations cases locked to prevent access to internal components?
• Are unused laptop computers kept in locked storage areas?
• Is there an asset record log for all assets are sent or received from other office locations?
• Does the Programme have a standard and procedure for sanitizing and disposing of confidential and sensitive material on hard drives, tapes, floppy disks, CDs, etc.?
• Does the Programme have a policy and procedure for assessing authorised access to secure rooms and data centres?
• Does the Programme have a policy and procedure for user physical access request and authorization?
• Are CCTV used to monitoring all buildings, data centres and secure operations rooms?
• Are there proper building security in place, and are there security guards monitoring the environments – office building, data centres and communications rooms?

Hardware• Is there redundant hardware to allow work to continue in the event of a single hardware failure? When were they last tested?
• Is there alternate power supplier to the data centres? Does this involve the use of UPS?
• Does the UPS notify someone when it goes into operation?
• When was the UPS last tested?
• Is there a plan to have Programme hardware upgraded/replaced at regular intervals?
• Does the Programme have system maintenance standards and procedures?
• Do the System Administrator/Secure Ops Admins ensure that all sensitive data is removed from equipment before being sent out for repair or replacement?
• Is diagnostic hardware and/or software maintained onsite or offsite?

Software• Does the Programme Administrators have original disks to reinstall the software if the hard drive fails?
• Is all software vendor/supplier supported? If your software is old or unsupported, what are your plans to replace it?
• Does all software have current and valid licenses and have OEM support?
• Is locally developed software supported by an easy to reach developer?
• Does Programme have provisions to continue operation if business-critical services software becomes unavailable?

Network and Communications Security• Does the Programme have a logical network map/diagram? If yes, where is diagram stored? And who has access to the repository?
• Does the Programme have an (asset database) or inventory of devices attached to the network?
• Are the network points mapped to a switch port?
• Is there a policy as to how network services are accessed by users?
• Does the Programme have network documentation to assist problem resolution of a computer or network fault?
• Does the Programme have physical and remote access to network devices and the platform?
• Does the Programme have the ability to continue to function in the event of a wide area network failure?
• Does the Programme have a network diagram that includes IP addresses, room numbers and responsible parties?
• Are end users prevented from downloading and/or installing certain types of software? How?
• Are contents of system logs protected from unauthorized access, modification, and/or deletion?
• Is the CD-ROM Auto run feature disabled on all workstations?
• Is USB ports disabled on all workstations?
• Are there specific rooms for secure systems and operations? If yes, does the secure room have its own security policy?
• Are trusted workstations secured if used for other purposes?
• Are trusted workstations SSL or VPN enabled?
• Are trusted workstations required to have complex passwords?
• Are chat clients (ICQ, Yahoo Messenger, IM, etc.) managed? How are they managed?
• What security precautions are taken for dial-in modems?
• Is ActiveX, JavaScript, and Java disabled in web browsers and email programs for all workstations?
• Are the Administrator accounts, and any equivalent accounts, on all workstations limited to the technical support team? Is it password protected?
• Is the guest account on all workstations disabled?
• Is file sharing permitted and secured on any workstation in the Programme? If so, how is it secured?

Logical Security• Is there a Programme policy for selecting strong passwords?
• Is the Programme using software that enforces strong passwords?
• Are passwords changed regularly? If so, how often?
• Does the Programme use other forms of authentication other than usernames and passwords? If so, which ones?
• Is the Programme planning to use other forms of authentication other than passwords in the future?
• Does the Programme have an account decommissioning process?
• Does the Programme have a method for identifying unauthorised users?
• Do personnel receive regular computer security awareness training?
• Is there a document establishing the identity of those having root access to the platform?
• Is the identity of those having remote access to the platform known?
• Are there written procedures for terminating accounts when an employee leaves employment (leavers procedure)?

Host based firewall
• Do all ICT systems in the platform have a host-based firewall?
• Is the platform protected using some network-based firewalls?
• How often do the Programme review or audit firewall logs and rules?
• Is critical data stored on a server protected using a host-based firewall?
• Is the network monitor for user access to secure/critical data?
• Do you have enough technical staff to manage individual firewalls on all desktops and network firewall?
• Are settings password protected?
• How often are logs reviewed?
• Is there central monitoring of settings and logs?

Antivirus Software
• Are all workstations running the latest version of antivirus software, scanning engine and the virus signature file?
• Are users aware that email attachments should not be opened as a regular practice on PCs?
• Are employees aware of the dangers attachments can bring?
• What is the frequency for upgrade of virus definition?

Web Servers• Is the web server set to only accept traffic on port 80?
• Is the web server set to reject attempts to remotely administer it?
• Is the web server set to authenticate certain user traffic?
• Have the sample files, scripts, help and development files been removed?
• Is WebDAV installed on your Web server?

FTP• Are all FTP servers set to authenticate users?
• Is this traffic encrypted/secured?
• Are all FTP directories set to either Read or Write but not to both?

Email• Is SMTP/POP3 ports enabled and used?
• Are other email services enabled, such as webmail, exchange and OWA?
• What email clients are in use in the Programme?
• Is the E-mail server set to scan mail and attachments for viruses?
• Is the e-mail server set to reject attachments?
• Is there an email server application that detects SPAM, that SPAM filtering software?
• Is web access to e-mail secured?
• Are client connections from outside the subnet secured/encrypted?

Disaster Planning• Is there a written contingency plan to perform critical processing in the event that on-site workstations are unavailable?
• Are there plans for the platform to continue working in the event that one of the data centres was to be offline for an extended period of time?
• Are there supplier/vendor support partnerships that can help in an emergency if equipment is damaged due to disaster?
• Is the contingency plan periodically tested to verify it can be followed to resume business-critical processing?
• Are the data centres redundant, or hot-standby? If yes, has the failover being tested, and when was it last tested?

Backup and Recovery• Are backup files sent off-site to a physically secure location?
• Are files kept on-site in a secure location?
• Are critical files regularly backed up? If yes, how often?
• Are backups encrypted? If yes, what type of encryption is used?
• Are backup media stored off site?
• Is the environment of a selected off-site storage area (temperature, humidity, etc.) within the manufacturer’s recommended range for the backup media?
• Are backup files periodically restored as a test to verify they are usable?

Change Management• Are records kept of systems changes?
• Do all changes go via change control? If No, what types of change do not go via change control?
• Is there a process for communication of systems changes?
• Does the Programme have a configuration/asset control plan for all hardware and software products?
• Does the Programme have a version control plan for software products?
• Are only trained authorised individuals allowed to install computer equipment and software?
• Are maintenance records kept to indicate what repairs and/or diagnostics were performed and by whom?
• Is there always a back-out plan in the event of a failed change deployment?

Training• Does the Programme require new employees to read IT security documents?
• Does the Programme require new employees to be familiar with security policies, procedures and LWIs?
• Does staff know what’s expected from them regarding security for your Programme?
• Are there regular information security awareness training for all staff?
• What forms of security awareness program is provided?
• How often do staff go on security briefs, trainings and seminars?
• Are specific security training provided based on roles and responsibilities?
• Are their security training specific for senior management team?

3rd-party Supplier/Vendor Management• Do all 3rd-party suppliers sign in when they visit?
• Do all 3rd-party suppliers have both physical and logical access to the environment? If yes, please specify.
• Do all 3rd-party suppliers undergo supplier security audit assessment?
• Do all 3rd-party suppliers comply with the HMG Security Policy Framework?
• Do all 3rd-party suppliers have security cleared personnel?
• Do all 3rd-party suppliers have dedicated manpower in the environment? If yes, please specify.

Security Awareness (SA004-10): System Log Files Transmission

2010-05-24T20:58:00.004+01:00

A system or network log file is a file containing piece of vital information about the system or the network. These pieces of information are time-stamped recorded activities and events that had happened on, and to the system or network.

System or network logs contain very useful pieces of information to both users and attackers. Logs are useful to users when performing auditing, troubleshooting system or network problems/faults and also when carrying out forensic analysis, and are used to support internal investigations, establish baselines, identify operational trends and long-term problems.

To attackers, logs can be extremely useful to gather and piece together the target environment, especially when such logs contain publicly available pieces of information such as routable IP address, DNS entries and location information etc.
When there’s a fault on the network which can’t be immediately resolved, vendors supporting the platform often request logs file be sent to them. Why there is no problem in sending logs files to support vendors, however, this log file can be accidentally sent to the wrong person, or could be intercepted on transit or could be abused by someone working for the vendor. Therefore, it’s absolutely important that log files are protected at all times, in store or in transit.
The practice is usually that logs stored on one’s network is protected, but when in transit, fewer people remember to consider protecting log files, even before sending it to a legitimate supplier or vendor.

Here are a few tips on how to protect log files before sending it to a supplier or vendor:
• Sanitise all log files before sending it externally to a vendor or supplier. This means, replacing publicly available information with made-up information. For example,
o replace all public IP address with private addresses;
o replace fully qualified hostnames with random strings, and
o DNS server with a local copy of non-routable IP etc
• Anonymise log files. This means replacing user identifiable information in the log file, such as
o remove all sensitive user information from the log, such as usernames, password, hashed passwords, SNMP strings, etc
• Sanitised/anonymised log data must be encrypted (Use any method of encryption to ensure the file is properly protected. For example,
o use PGP (Pretty Good Privacy) if installed, or
o use Zip + authentication pass-phrase
• Obtain a hash of the ‘sanitised’ log being sent. This will ensure that when the supplier/vendor receives the log, they can ensure that it has not being tampered. Example,
o MD5 digest/hash, checksum or other mechanisms readily available to you.
• The encrypted log data should be sent via encrypted, or trustworthy channel, such as SFTP, PGP email, or VPN connection etc
o Where STFP is used, please ensure that the password is communicated to the vendor/supplier in a secure way.

Security Terminology

2010-02-18T21:32:00.007Z

Information security (Infosec) terms are used in varying ways by both security and non-security professionals. It's interesting how many of these terms are used loosely to mean the same thing.

I came across a set of documents recently about security policy, process and standard; this has made me to attempt to clarify these terms in my own understanding. Hence, the table below is an attempt to provide some distinction among these terms.

Policy
A policy is a plan of action based on principle decided by a body/organisation/individual.

A policy outlines requirements, rules or expectations that must be met.

Different types of policies:

Corporate Policy – is a high-level (strategic) plan of actions, rules or requirements. It’s the foundation on which the business operates. It should be broad, concise and applicable. It should not include detailed specific actions, requirements and procedures required for every area of the business.

For example:
• Information Assurance Policy.
• Corporate Security Policy

System-specific Policy – is a detailed plan of action or requirement covering a specific task.

Examples include:
• Antivirus Policy
• Firewall Policy

Procedure-specific Policy – is a detailed specific requirement or rule expected of people who work in a particular organisation.

Examples include:
• Acceptable Use Policy (AUP)
• Identity Card (ID) Policy
• Clean Desk Policy

Standard
A standard is a collection of policies (system-specific and procedure-specific policies) that governs people/bodies/organisations.

Different types of standards:

Organisation Standard - organisation-wide standard that governs everyone who work for that organisation. This may include its delivery patterns.

For example:
• Organisation standard for Encryption

Technology Standard – technology-specific standard that has been approved by industry consortiums or industry standard’s group.

For example:
• IEEE 801.11 - Wireless LAN Standard

Industry Standard – industry-wide standard that governs a particular industry.

For example:
• PCI DSS standard that governs credit card handling industries

Worldwide Standard – standards that have been approved by international standards’ organisation.

For example:
• ISO 270001 (British Standard),
• ISO15408 (Common Criteria)

Process
A process is a series of operations (series of stages) required to complete a task. For example, the series of stages which a product passes resulting to the development of it.

A process is a series of actions that is required to complete a task.

For example:
• Operating System Rollout Process
• Forensic Readiness Process
• Incident Handling Process

Guideline
A guideline is a recommendation of best practice. It is not a requirement to be enforced, but must be recommended based on best practice.

For example:

• How to create a strong password guideline (should contain alphanumerical characters, mix of upper and lower cases, etc)

Procedure
A procedure is a step-by-step working instruction on how to complete a specific task, action or activity. A procedure can be perceived to be synonymous to a working instruction.

For example:
• Audit Log Procedure
• Data Backup Procedure

Working Instruction
A working instruction is a task-specific guideline on how to carry out an action, task or activity.

Human factor security issues

2009-12-29T01:12:00.003Z

Security of our valued information and system assets depends very much on the people that are responsible for handling the assets. Users who are responsible for managing, operating and administering these assets are responsible for their safety, security and survivability. Unfortunately, people are not perfect in handling information assets. Users cause harm to systems accidentally. For instance, omission of data backup may lead to accidental harm, likewise, accidental deletion of files or folders may leave a system unable to load useful system files or operating system files... as a result unable to operate within acceptable standards, acceptable performance, or may fail to start.

Human factor ranges from inadequate care provided to a system from those who are responsible for its protection, to accidental harm caused by those who are not 'directly' involved with its protection. For example, a casual staff (cleaner) who's asked to vacuum clean a network node may accidentally disconnect or damage a network cable.

Accidental harms can come from both expert users of the system and inexperienced users alike. For instance, an experienced network engineer could accidentally plug a network cable to a wrong port or propagate disparate routes to the global routing table causing the performance of the network to deteriorate.

Human factors can be mitigated by having several controls. Most of these controls are administrative and technical. For example, an enterprise should have a change control and advisory board that must assess all changes before they are implemented. This is control to minimise problems caused by people. Again, there should be a supervisor monitoring casual workers when they are working in areas of high technical demands, such as network nodes, cabinets etc.

An enterprise must have laid down policies and operating procedures which must be followed by all personnel in charged with the delivery of its services.

Finally, there are several controls that can be used by an organisation to minimise human factor issues, most of these controls centre around due care.

Security Awareness (SA003-09): File and Folder Encryption

2009-11-27T14:34:00.005Z

Today, computer users (Home Users and Office Users) face many computer security risks. Most of these risks are intentional, and are caused by intruders and attackers. These attackers can be inside or outside your network. Outside attackers use the Internet as a connective medium to exploit, harm and compromise computer systems through computer viruses, worms, back-door Trojans, and system penetration tools to gather and steal valued and proprietary information assets. However, other risks happen ‘unintentionally’ from legitimate users of the system, such as accidental deletion of an important file or folder; or failure in the protection mechanism/control of the system.

Unfortunately, computer attacks do not only target enterprises or big networks but also target home users. In fact, the number of attacks targeting home users is in the increase. One in 20 home users has had her computer broken-in, or has lost some useful files or received computer viruses. One in 40 home users has had her credit card number compromised by engaging in online transactions.

Unfortunately computer attacks can not be completed stopped. What is feasible is for home user to protect their computer system properly so that the effects from these attacks can be reduced. One way to reducing the adverse effect of a computer incident is be having your hard disk encrypted so that even if an intruder penetrates your computer, your personal and confidential files may not be easily compromised or stolen. Personal and confidential documents such as credit card numbers, bank statements and confidential files must be protected by encrypting them whilst in-store or in-transit.

Benefits of file & folder encryption:
- You will be able to prevent an intruder from viewing files and folders in your computer. This is extremely useful, and especially important should you use shared home PC, where other people have legitimate user access to the same computer.
- File encryption prevents file and folder viewing, and password-protects files and folders and their contents.
- Even when your computer is penetrated, the contents of the files can not be easily understand or stolen.
- Files and folders can not be copied, although they can be moved, but their contents remain unreadable to the intruder.

How to encrypt computer files/folders:

- Use Windows XP Encrypting File System (EFS) - http://support.microsoft.com/kb/307877
- Use free third-party software, such as AxCrypt http://www.axantum.com/axCrypt/
- Use COTS – commercially of-the-shelf software, such as FineCrypt http://www.finecrypt.net/about.html
There are many file and folder encryption software out there. Please check and select the right one for you.

How secure is your home Wi-fi?

2009-10-30T13:09:00.003Z

It is certainly true that most homes today have at least a wireless broadband connection or two. A broadband connection (wired or wireless) is a form of high-speed network connection that allows users get connected to the Internet. Wireless broadband connection is a broadband connection that does not require the user to plug network cables from her laptop or PC to the access point before it can be connected to the Internet. So that the user can use her laptop, PC or desktop in any apartment without much hassles of moving network cables around the home. The easy of using your desktop or laptop in any room of your convenient without clattered loose cables is beautiful and appealing. But, with this leisure comes a concern.

The concern is how many home Wi-fi's are secure? I want to believe that all home wi-fi's are secure, but unfortunately, most of these connections are not secure. Some of the connections have no security mechanisms, no authentication and no encryption either. There are countless home wi-fi connections that are open, allowing anyone to use the connection. And consequently, allowing home laptops, PCs or desktops to be easily hacked and compromised. Not only would these computers be compromised, the attacker can then use the home wi-fi to step up multiple attack points to invade and penetrate other computers, leaving the liability of any abuse to the home wi-fi owner.

Here are easy things to do to secure you wi-fi connection.
1) Ask your wireless broadband provider to assign a secureID to your connection, and provide you with the password. Once you've logged on for the first time, please change the password to a new password you can remember. Make sure not to write your password on a piece of paper or in a book or folder.
2) Setup your connection not to accept any incoming wireless connection without a password. That is, do not accept insecure communications.
3) Install a personal firewall on your desktop, laptop or PC, and ensure it's properly setup to monitor activities that go on in your computer. Also, the firewall must be configured to inspect your wireless connection. Always check firewall logs to ensure that you're aware of what may be going on behind the scene.
4) Ensure you change your wireless connection password regularly.
5) Ensure you have an intrusion detection system running on your computer or laptop. IDS help to alert you what maybe happening behind the scenes.

Thanks, and hope this will offer some assistance to some home users.

IEEE International Conference on Intelligence and Security Informatics (ISI 2010)

2009-10-13T15:45:00.002+01:00

IEEE International Conference on Intelligence and Security Informatics (ISI 2010)

May 23-26, 2010
The Fairmont Waterfront Hotel, Vancouver, B.C., Canada

WEB: http://conferences.irmacs.sfu.ca/isi2010/
THEME: Public Safety and Security
HOST: The IRMACS Centre, Simon Fraser University, British Columbia, Canada

Intelligence and Security Informatics (ISI) research is an interdisciplinary research field involving academic researchers in information technologies, computer science, public policy, bioinformatics, medical informatics, and social and behavior studies as well as local, state, and federal law enforcement and intelligence experts, and information technology industry consultants and practitioners to support counterterrorism and homeland security missions of anticipation, interdiction, prevention, preparedness and response to terrorist acts. The annual IEEE International ISI Conference series (http://www.isiconference.org\) was started in 2003, and the first seven meetings were held in Tucson, AZ (twice); Atlanta,
GA; San Diego, CA; New Brunswick, NJ; Taipei, Taiwan; and Dallas, TX. Proceedings of these ISI meetings and workshops have been published by IEEE Press and in the Springer Lecture Notes in Computer Science (LNCS) series.

ISI 2010 will be organized in four main streams focusing on
- Information Sharing and Data/Text Mining,
- Infrastructure Protection and Emergency Responses,
- Terrorism Informatics, and
- Computational Criminology.

For detailed information on Topics, see the ISI 2010 website at
http://conferences.irmacs.sfu.ca/isi2010/. Instructions and template
information can soon be found on the Submissions page.

WORKSHOPS: In conjunction with ISI 2010, the National Center for Border Security and Immigration (BORDERS) at the University of Arizona will hold its Second Annual Workshop on "Challenges and Solutions at the Northern Border - 2010" on May 26. MITACS (Mathematics of Information Technology and Complex Systems) will hold a workshop on "Modeling Complex Adaptive Dynamic Social Systems" on May 23.

HOTEL AND LOCATION: Vancouver is a scenic destination, a dynamic and multicultural city set in a spectacular natural environment where the Coast Mountain range meets the Pacific Ocean. Majestic mountains, sparkling ocean and a cosmopolitan flair make it a perfect meeting and convention destination with exceptional cuisine, first-class hotels and outstanding facilities, consistently rated as one of the top 10
meeting and convention destinations year after year. Special room rates at The Fairmont Waterfront (for a limited number of rooms) will be available for participants of ISI 2010.

Program Co-Chairs:
Donald E. Brown (The Univ. of Virginia, USA)
Ke Wang (Simon Fraser Univ., Canada)
Christopher C. Yang (Drexel Univ., USA)
Daniel Zeng (The Univ. of Arizona & Chinese Academy of Sciences)
Workshop Co-Chairs:
Antonio Badia (Univ. of Louisville, USA)
Elyse Golob, DHS National Center for Border Security and Immigration, The Univ. of Arizona, USA
Jay F. Nunamaker, The Univ. of Arizona, USA
Publicity Co-Chairs
Bhavani Thuraisingham (The Univ. of Texas at Dallas, USA)
Sharad Mehrotra (The Univ. of California at Irvine, USA)
Finance and Registration Co-Chairs
Pam, Borghardt (The IRMACS Centre, Simon Fraser Univ., Canada)
Catherine Larson (The Univ. of Arizona, USA)

General Co-Chairs:
Patricia L. Brantingham (Simon Fraser Univ., Canada)
Hsinchun Chen (The Univ. of Arizona, USA)
Uwe Glässer (Simon Fraser Univ., Canada)

IMPORTANT DATES: The paper submission due date for the main ISI 2010
event is January 29, 2010. Notification of acceptance: March 12, 2010;
Camera ready copy due: March 30, 2010. The due date for Tutorial/
Workshop proposals is Feb. 10, 2010.

PAPER SUBMISSION: Submission file formats are PDF and Microsoft
Word. Required Word/LaTeX templates (IEEE two-column format) can be
found at the conference Web site. Long (6,000 words, 6 pages max.) and
short (3000 words, 3 pages max.) papers in English must be submitted
electronically via the conference Web site. The accepted papers from
ISI 2010 and its affiliated workshops will be published by the IEEE
Press in a formal Proceedings. IEEE ISI Proceedings are EI-indexed.

Authors who wish to present a poster and/or demo may submit a 1-page
extended abstract, which, if selected, will appear in
Proceedings. Proposals for tutorials and special-topic workshops in
any areas of Intelligence and Security Informatics research and
practice are welcome. Such events will be an integral part of the
ISI-2010 conference program. Proposals in PDF or Microsoft Word not
exceeding 3 pages should be emailed to the conference organizing
committee at zeng@email.arizona.edu by February 10, 2010 and contain
the following information.
- Title of tutorial/workshop
- Preferred duration
- Information about instructor(s)/organizer(s)
- Objectives to be achieved
- Scope of topics to be covered
- Target audience and evidence of interest (for tutorials)
- Target audience and the list of potential presenters/contributors (for workshops)

PROGRAM COMMITTEE

Using email to send sensitive information

2009-10-07T14:13:00.002+01:00

Electronic mail (email) is the use of an application such (MS Outlook, MS Mail, Eudora, etc) to send online mail. Email is very fast and can be used to communicate to people far and wide. Hence, email has become an essential part of our everyday communications life.

We use email to send and share sensitive documents, photos, contracts, bank details, user credentials etc. Some of these documents may already be in the public domain, such as photos, which we may already have in some social networking site that are shared with friends and family. Unfortunately, some of the other documents we send via email may be sensitive, contractual or of competitive value. For example, marketing information that is still of competitive value, contracts that have been signed or accepted, bank login that can be used to transfer/withdraw funds from an account. It is pertinent to note that when any of this information gets to the wrong hands, our valued assets can be compromised leading to stealing of funds, marketing information or business contracts. Therefore, it is important that we protect our email communications, or the content of the email we send, as at when necessary.

Recommendations:
To share/send sensitive information of information or information of competitive value such as bank details, contracts, marketing information etc via email, the email content must be secure. Here are ways to send secure emails:

1) Use secure mail. Secure mail is an email client that uses digital keys for encrypting and signing of the email. For example, PGP (Pretty Good Privacy) is an email client that provides digital signature and encryption. Digital signature helps to proof that you’re the one who sent the email, but it does not protect the content from abuse of misuse. Encryption is used to protect the content of the email, by transforming the content into an unreadable form till when the message arrives to the intended recipient. Another secure email client is S/Mail for secure mail. Some of these secure email applications are not free, but free legitimate versions exist on the web. There is open source PGP available that one can download and install.

2) Use WINZIP. WINZIP is an application used to compress and decompress files/documents, but it also provides security through encryption. It is an improvise way of sharing sensitive information via email. First, you need to winzip the document you intend to send. While zipping the information, you go for the option of encrypt before zipping. This will allow you to use a key to encrypt the document before sending it across. When the recipient receives the email, he/she would require you to share the key with them. So you will need to send them the key either via text/phone call or a second email.

Tips:

1) If you can’t afford secure mail, and don’t want to use Winzip; then form the good habit of sending all sensitive documents in multiple parts emails. For example, send the first part of the document that does not contain the sensitive bits. After few minutes, send another part, and after several minutes send the remaining parts. What you achieve with this technique is reducing the possibility of anyone who intercepts the message to have the whole content intact; except the person who is the intended recipient. Note that this technique is not future-proof, because a motivated attacker may be able to intercept all the messages by continuously monitoring your communication-link until the attacker gets all the messages. But this chance is very remote unless the attacker is an insider who’s able to monitor communications path before they exit your default gateway into the big web.

Caveat: Some email message containing zip files may be trapped by firewalls and may never get to the recipient. Please check that your firewall or your recipient’s firewall does not trap zipped files.

Concepts in Numerical Methods now on Amazon!

2009-09-22T14:11:00.003+01:00

Concepts in Numerical Methods is now available at most reputable offline and online bookstores including Amazon. Please do get a copy, it's worth a read!

Concepts in Numerical Methods

2009-07-30T16:13:00.004+01:00

I've no date in mind when this book will be in the market, but one thing is certain, it will be published and distributed before end of September 2009. Just a couple of months away ...

If you're in school and pursuing a degree in Mathematics, Physics or Engineering, I strongly recommend getting a copy of this useful resource material. It teaches many concepts in Numerical maths. It uses real-world examples, solved tutorials, algorithms and representational graphs to demonstrate usefulness and applicaation of each topic discussed. There are practice questions for the reader to solve at her study time. It's an excellent resource book for students and relevant to other readers as a refernce manual.

Managing Security Threats & Vulnerabilities for SMEs

2009-06-22T11:51:00.013+01:00

Managing security threats and vulnerabilities in assets are two fundamental challenges for SMEs. Vulnerabilities in assets are weaknesses in assets or the absence of security procedures, technical controls, or physical controls that
could be exploited to harm or predispose assets to harm [1]. Harm to assets occurs in various forms, such as interruption, destruction, disclosure, modification of data, including denial of service. For example, in 2001, the Code Red incident exploited a buffer overflow in a library module of Microsoft Windows' Internet Information Server. This allowed it to infect hundreds of thousands of computers [2], causing millions of dollars of damage. The Slammer [3], MSBlast [4], and Sasser [5] worms all exploited known vulnerabilities in computer systems.

There are also accounts of security threats (for instance, Computer worms) used as attack agents in denial of service (DoS) [6], and distributed denial of service (DDoS)[7] attacks. These types of threats affect the confidentiality, integrity, reliability and availability of computer network services.

In this respect, what ways can security be properly managed in an Enterprise? What may provide valid and appropriate options? Answers to these questions are provided in the article.... Please download a copy from this link. Your comments are useful and highly appreciated, please leave a comment. Thanks.

This discussion is shown in a presentation, please download the presentation in DPF.

References:
[1] Computer Security Handbook: The NIST handbook, Special
Publication 800-12, pp.62
[2] D. Moore, C. Shannon, and J. Brown (2002) “Code-Red: a case study on the spread and victims of an Internet Worm”, Proceedings of the ACM/USENIX Internet Measurement Workshop, France, November, 2002
[3] C. C. Zou, L. Gao, W. Gong, D. Towsley (2003), “Monitoring and Early Warning for Internet Worms”, Proceedings of the 10th ACM Conference on Computer and Communications Security, Washington, DC, USA, October 27-31 2003
[4] Microsoft Security Bulletin MS03-026, (2003) “Buffer Overrun In RPC Interface Could Allow Code Execution (823980)”, July 2003: [Online]:
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
[5] W32.Sasser.worm (2004), April 2004: [Online]: http://securityresponse.symantec.com/avcenter/venc/data/w32.sass
er.worm.html
[6] CERT/CC (2001), “Microsoft Internet Information Server 4.0 (IIS) vulnerable to DoS when URL Redirecting is enabled”; [Online]: http://www.kb.cert.org/vuls/id/544555,

Security Awareness (SA002-09): Intrusion Detection Systems

2009-06-22T11:35:00.002+01:00

Intrusion detection systems (IDSes) are used to monitor systems and networks for security policy abuse, compromise and abnormal behaviour. Different types of IDSes exist, such as host-based, network-based and hybrid.

Host-based IDSes are installed on systems such as PDAs, Laptops, workstations, PCs and servers to monitor system behaviours.

Network-based IDSes are appliances that monitor the entire network for policy violation, network behaviour and abnormal traffic thresholds and ongoing malicious activities.

Giving the nature of recent attacks on end user systems, such as PCs, laptops and also due to the growing proliferation of viruses and computer worms, it is a recommended best security practice for end users to install personal intrusion detection systems on their laptops, workstations or PCs. In as much as it's a good security practice to have a personal IDS installed on an end-user system, but it is a waste of time if an IDS log is not checked and analysed regularly. It is important that IDS logs are regularly checked and analysed.

To enhance the security posture of systems and networks, the following is recommended:

1) Spend time to check IDS logs and alerts, this will help you identify ongoing activities and attacks that may have happened undetected.
2) Identify resources that are frequently seen on the logs and what this event is about.
3) Set your IDS to be always on.
4) Configure your IDS to always inform you about a software download or a request that is about to change registry settings.
5) Configure your IDS to always inform you when a request that is about to change registry settings.
6) Configure your IDS to always alert you when a certain threshold is reached or exceeded.
7) Configure your IDS to automatically download latest signatures or patches; this will enable your IDS to remain up to date with software development.

Enterprise-wide Security Attack Detection

2009-06-16T13:07:00.009+01:00

With the growing number of security incidents, a requirement is to provide adequate security protection to computer networks. To protect computer networks from security attacks, a current approach is to deploy countermeasures, such as firewalls at the network perimeter, intrusion detection systems (IDSes) within the network and virus scanners on end user systems. Whilst these countermeasures provide a degree of protection, they struggle to detect emerging security threats. Emerging security attacks appear to be distributed and coordinated, while the defences offered by these countermeasures operate in isolation from one another. Each countermeasure possesses only fragments of evidence about the overall state of the network and consequently its response may be both delayed and limited in scope.

To accurately detect enterprise-wide security attacks that are perceived on various networks today or on multiple complex security domains an integrated security framework is proposed, discussed and tested. This innovative security framework is well presented in this book – “Security Framework for Attack Detection in Computer Networks”. This well written book is highly recommended for all security practitioners, analysts, consultants, engineers and decision makers at various levels.

Understanding Risks to Cloud Computing

2009-06-16T12:51:00.003+01:00

A major concern with the cloud is that the cloud provider offers the software, platform and infrastructure to the user. On top of that, the actual data/information of the user also resides with the provider. The risk with this model of service is that users risk having their information abused, stolen, unlawfully distributed, compromised or harmed. What is the guarantee that the user’s information/data is not sold to her competitor? What ethical constraints exist to prohibit, prevent or protect the user in this new model of service? Another important risk to consider when using the cloud is with the ownership of the information or data residing on the provider’s system. When a user puts her information in the hands of the provider, what control has the user over the data? Its confidentiality or integrity.

When we consider small to medium-sized organisations or end users, one can discuss risks associated with cloud services pretty easily. What happens to the government, the enterprise in relation to the cloud? Can the cloud be used for government marked information? For example, ‘strictest in confidence’ document, say for the CIA, MI5 or the MoD. I certainly do not think so, especially at this current stage of the cloud. In this respect, maybe cloud computing is not ideal for all facets of the society. Certainly, I can’t imagine any organisation with security in mind who would hand strictest in confidence, on ‘in confidence’ information to the cloud, without a second thought.

Again, whose security policies are used for operating the cloud? Is that of the enterprise, the government or the MCSP? If the policy is the end users’ then how would the MCSP marry diverse security policies from myriad heterogeneous users of very diverse background, from diverse countries and of very diverse legal and socio-cultural value systems.

What of data location? The data an end user had created on an MCSP’s system, where does this data reside? Location of end user data is of great importance. For example, the EU Border legislation (Safe Harbour) stipulates countries where EU private and personal data can and can not reside, which borders it can and can not traverse. With the infrastructure as a service, the cloud provider can use dynamically localised infrastructures that exist outside the EU or US terrorises. This may contravene or abuse fundamental privacy and legislative issues, especially if the end user was not away of where her information is stored. This applies specifically to EU and US customers, SMEs, government and Enterprise who may wish to use the cloud for delivering service, and I believe other countries have other legislation that should be considered when using the cloud. Some kind of information can be easily abused with cloud computing, for instance personal medical data (health record data) are subjected to strict compliance act such as HIPPA. A significant concern is that personal medical data can be easily circumvented with SaaS or IaaS models of the cloud. These highlights some inherent risks that exist with cloud computing.

Africon 2009 - Nairobi, Kenya

2009-04-08T20:59:00.005+01:00

Folks, we've extended submission date to 30th April 2009. Anyone willing to pitch in a publication should do so now.

Here's the conference site:

www.africon2009.org

Africon is a primer IEEE conference for Africa, and this year it's hosted at the beautiful country of Kenya.

The submission deadline for a full paper has been extended to 30
April. Please refer the Call for Papers page for further information
on related date changes.

Security Awareness (SA001-09): Protecting Computer Networks using Firewalls

2009-03-12T20:40:00.005Z

Using firewalls is an essential part of protecting computers and networks. End users require personal firewalls to provide access control to their computers, PCs, PDAs or home servers. Similarly, SMEs also require firewalls to protect their valued assets, such as information asset, network and system infrastructure assets.

Although firewalls can be relied upon to protect computer networks, it is important to understand that firewalls alone are not capable of protecting an enterprise (see Data Fusion in Security Evidence Analysis). There is a limitation to what a firewall or suite of firewalls can protect. Even when a range of multiple heterogeneous firewalls are deployed in an enterprise, chances are that they may not detect, prevent of mitigate all forms of attacks, vulnerabilities or threats.

To enhance security posture in an enterprise the following is recommended:

1) Investigate your options in time - Research available firewalls, what each firewall offers, read product/manufacturer's product literature and determine the best choice for your environment.
2) Determine best locations or points to install a firewall - where a firewall is place on the network contributes greatly to how much of the network it protects. A border where an organisation peers with other vendors, partners or ISP is a good starting point to put a firewall. Departmental demarcations may be another, and before a critical asset a host-based firewall may be required.
3) Always check firewall logs to determine and audit its events. It is absolutely important. If you are not going to check logs, there's no need installing a firewall.
4) If you're going to use multiple firewalls of different types, it is advisable to test each one in the same environment alone before integrating all the firewalls in the network. The reason for this is to ensure specific capabilities of each firewall before your put them in the network.
5) Always update firewall operating systems and patches. Go for tested and approved vendor OS versions and latest patches. It is not recommended to run an untested firewall OS in a production environment, because you may cause ha voc and be reliable to breach of SLA.
6) Configure firewall for lest privilege.
7) [...]

...My New Book is out Soon

2008-12-01T21:17:00.007Z

I'm very excited; gradually, it has all come together. Integrated Security Assistance Framework (ISAF) for detecting widespread attacks to Computer Networks will be out end of this month. I've been working on this book for nearly a year now. And finally, there's a breath of fresh air around :-) It's very exciting......

SHA-3 Proposal by NIST

2008-09-10T16:37:00.001+01:00

NIST has opened a public competition to develop a new cryptographic hash algorithm, which converts a variable length message into a short “message digest” that can be used for digital signatures, message authentication and other applications. The competition is NIST’s response to recent advances in the cryptanalysis of hash functions. The new hash algorithm will be called “SHA-3” and will augment the hash algorithms currently specified in FIPS 180-2, Secure Hash Standard. Entries for the competition must be received by October 31, 2008. The competition is announced in the Federal Register Notice published on November 2, 2007; further details of the competition will be available at the specific sites indicated in the menu on the left.
http://csrc.nist.gov/groups/ST/hash/sha-3/index.html

Security bug with the recent F-secure Linux Security 7.00

2008-07-28T20:03:00.004+01:00

It has been discovered that Linux Security 7.00 that was released by F-secure just about three weeks ago contains a very serious bug that can have severe consequences for customer systems. Hence, F-secure has call for total withdrawal of the sode. Please if you have installed Linux Security 7.00 and you are using the Client Edition keycode, please uninstall immediately to prevent further damage to your system.

You obtain the latest code - Linux Security release 7.01 without the bug at F-secure site at: http://www.f-secure.com/linux-weblog/2008/05/23/linux-security-701-released/

Multisensor Message Exchange Mechanism

2008-07-09T22:56:00.003+01:00

With the recent advances on data fusion as a step in the right direction for combining, correlating and fusing security evidence from myriad heterogeneous sources (such as FW, IDS, AV and Sensor) to create situational awareness. I thought it’s about time to discuss the need for a secure message exchange mechanism that assists various “sources”, such as Sensors, Firewalls, intrusion detection systems (IDSes), etc to connect, contribute and communicate their observations securely. At the International Conference on Global e-Security held in London, UK, on the 23-25 June 2008. I presented a paper on "Multisensor Message Exchange Mechanism." (MEM).

MEM is a mechanism that allows various sources on the network to securely send their observations of the network to a centralised analysis module where these pieces of evidence can be collated, correlated and combined in making decisions about the situational awareness of the network that is not possible with any single source on the network.

Recall that the intrusion detection community proposed the IDMEF - "Intrusion Detection Message Exchange Format" – RFC 4765 that specifies a message format for IDSes required in an exchange. However, the MEM is not another “standard” on how IDSes should format their messages, rather MEM outlines a high-level process for “sources” in general, to communicate and exchange their intelligence. Hence, the MEM can be seen by some as a complementary mechanism to the IDMEF framework, but not solely for intrusion detection systems.

Details of the described mechanism can be found at Springer-Verlag; however, an early version of the paper can be downloaded from my site - www.research-series.com/cyril

Your comments will be highly appreciated.

European Conference on Computer Network Defense in cooperation with ENISA (EC2ND)

2008-05-20T14:35:00.003+01:00

Call for Papers
The fourth annual EC2ND conference will take place on December 11th & 12th 2008 in the Faculty of Engineering and Computing at Dublin City University. The theme of the conference is the protection of computer networks. As with past EC2ND conferences, this year's event will encourage participants from academia and industry within Europe and beyond to discuss current topics in applied network and systems security.

EC2ND 2008 invites submissions presenting novel ideas at an early stage with the intention to act as a discussion forum and feedback channel for promising, innovative security research. While our goal is to solicit ideas that are not completely worked out, and might have challenging and interesting open questions, we expect submissions to be supported by some evidence of feasibility or preliminary quantitative results.

Topics include but are not limited to:

Intrusion Detection
Denial-of-Service
Privacy Protection
Security Policies
Peer-to-Peer and Grid Security
Network Monitoring
Web Security
Vulnerability Management and Tracking
Network Forensics
Wireless and Mobile Security
Cryptography
Network Discovery and Mapping
Incident Response and Management
Malicious Software
Web Services Security
Legal and Ethical Issues

European Conference on Computer Network Defense in cooperation with ENISA (EC2ND)

SANS WhatWorks

2008-01-31T09:56:00.000Z

WhatWorks is an Event and Log manager. It aims to simplify log management, and currently been used for Simplifying Global Log Management at Rockwell Automation.

The need to filter, analyse and correlate logs is something of an increasing demand to most enterprises. Many organisations see this as a necessity that is helpful in analysing global logs, and assisting them to pick-up threats or ongoing attacks targeting their assets. See attached Pdf

Scuba: Cross-Platform Database Vulnerability Scanner

2008-01-26T06:15:00.000Z

Scuba by Imperva is a free, lightweight Java utility that scans databases, such as Oracle, DB2, MS-SQL, and Sybase databases for known vulnerabilities and configuration flaws. Based on its data security assessment results, Scuba creates clear, informative reports with detailed test descriptions. Summary reports, available in Java and HTML format, illustrate overall risk levels. "With Scuba by Imperva, you are quickly on your way to meeting industry-leading best practices for database configuration and management." Keep here to download Scuba for free.

2007 TU24: Time to get an Amateur Telescope...

2008-01-25T06:16:00.000Z

"An asteroid that's likely as big as several football fields will fly past Earth next week. Astronomers said the space rock will be visible the night of Jan. 29 to amateur astronomers with modest-sized telescopes." That's great, read more...

A guide to conducting efficient Computer Risk Assessment

2007-09-12T06:27:00.000+01:00

A survey of different companies reveals that most of them have no methodology when it comes to risk management. It is quite surprising though, but it is true.

The banking industry is much regulated, so they appear to practice a methodology. For instance, in the UK, most governmental or finance institutions use the UK's CRAMM - Risk Assessment and Management Methodology.

There are also a couple of well-known Risk Management methodologies, such as OCTAVE -Operationally Critical Threat, Asset, and Vulnerability Evaluation; Security Concepts and Relationships by Common Criteria's ISO15408.

The choice of a risk methodology should be carefully evaluated. It should be done organisation by organisation. The adoption of a particular risk methodology must be carefully evaluated. Laws and compliance do affect why organisation favour a specific risk methodology to the other.

What factors affect risk assessments and what methodologies are employed? See [1] .

Cyril Onwubiko and Andrew Lenaghan, "Managing Security Threats and Vulnerabilities for Small and Medium Enterprises"; Proceedings of the 5th IEEE International Conference on Intelligence and Security Informatics (IEEE ISI 2007), May 23-24, 2007, in New Brunswick, New Jersey. abstract publication

Security Policy

2007-09-12T06:19:00.000+01:00

A security policy is a formal statement that governs who gets access to organisations’ resources, what they can do or should not. A security policy is therefore defined as a formal statement of the rules that govern people who are given access to an organization's technology and information assets (see Site Security Handbook [1]).

A security policy encompasses processes and procedures (rules) required by an organisation to protect its information assets, and to prosecute personnel that default. It is pertinent to note that one significant characteristic of a security policy is that it must address specific security issues of the organisation. That is, it must be “point–specific”. For example, an ‘Acceptance Use’ policy would cover the rules and regulations for appropriate use of the computing facilities [2]” While an ‘Email Policy’ would address rules and regulations for accepted use of corporate email facilities. And a ‘Cryptographic Standards’ policy would state the Encryption Algorithms, Hash Algorithms, Pretty-Good-Privacy (PGP)-type and Key Sizes that are allowed for use in exchange of corporate information within and outside the organisation. Most activities engaged in an organisation must be carefully stipulated in an organisation's security policy.

The practice of copying 'verbatium' another organisation's security policy is discouraged. Because, security policies must be specific and must apply to an organisation. When organisations' copy security policy, chances are that the copied policies may never apply to them.

1: B. Fraser (1997), “The Site Security Handbook”, RFC2196, [Online]: http://www.faqs.org/rfcs/rfc2196.html [Accessed 12th Dec. 2006.
2: SANS – (SysAdmin, Audit, Network and Security) Institute http://www.sans.org/resources/policies/ [Accessed 5th Dec. 2006]

Security Standards

2007-09-12T06:12:00.000+01:00

Security management standards are distinct set of information security guidelines that consist of processes, procedures and training that assist security personnel in implementing the right set of security controls. Security controls enable organisations manage, and protect their computer, information and network services and resources. An information security management standard should be carefully evaluated vis-à-vis the organisations security requirements where the standard will be implemented before a choice is made on which information management standard is chosen.

Improper implementation or selection of an inappropriate information management standard can have significant implication to the assets in which it aims to protect. Security controls consists of mechanisms that provide guidance to connections seeking access to information assets, such as authentication, authorisation and auditing. For full details on security standards contact the author - Cyril.

Advances in Information & Communications Engineering Conference in London

2007-08-09T07:13:00.001+01:00

Theme: Technology Intelligence, Global Perspectives & Future Directions

The conference is designed to accelerate the application of ICT, primarily amongst developing economies as well as facilitate discussions that harmonise the digital gap between advanced and developing economies. This it hopes to achieve by way of exploring, examining technologies and innovative ideas that are likely to transform rural and urban communities both socially and economically.

The theme for this year's Conference has an objective of bringing to light to the benefit of delegates, technological Intelligence from a global perspective, whiles stimulating global interaction and exchange of "know how", as well as asserting an agenda for future directions and development. This should provide the platform for businesses, corporate bodies, Academia and Government agencies and all stake holders to optimise the application of technology for future development, by ensuring mutual benefit and added value to their Sectors and Organisations.

The conference, is scheduled to be a yearly programme. The proceedings will be published in both e-book and CD formats. Selected papers will appear in a book by Springer-Verlag.

3rd International Conference on Advances in Information and Communications Engineering, will be held on 6-8 Sept. 2007 at the Novotel, London Excel, UK. Please send me your publication, you can still make it!

Here's the conference site: AICE foundation.

Re-focusing on Security

2007-08-08T18:37:00.000+01:00

I have been using this blog for PhD research information gathering and dissemination. Since, the process of completing my PhD is coming to an end pretty soon. I will be channelling this blog towards more general security related issues. However, I'll still be posting PhD related stuff. Please accept my apologies!

Please see my research site at Kingston University, London, UK .

Security Informatics

2007-08-08T18:28:00.000+01:00

The 2007 IEEE Intelligence and Security Informatics conference has been completed, where I presented a paper on managing security vulnerabilities and threats for SME. I forgot to upload my paper before the conference.

Since I came back in May from New Brunswick, NJ, I have been pretty busy, so haven't been able to do a lot on my blog.

I will be uploading my paper in a week's time. But in the mean time, a copy of the paper is accessible via my personal website: www.research-series.com/cyril

The last 400m in a journey of 2000km.

2007-07-10T03:26:00.002+01:00

I thought I could write my thesis in few weeks, but actually, this wasn't true. I've spent the last two month mulling over it. I would like to blame work pressure, my supervisor or my wife for the very little progress I have made so far; but the truth is, it’s no one's fault!

A quality thesis requires time, dedication, perseverance, originality and constant reflection. And these qualities don't just come at once. It takes time, energy and self-belief. For anyone in a similar situation now, just remember, writing a quality thesis takes time, requires dedication, energy and endurance. Above-all it needs self-belief. So don’t give up yet!

News: Graduate Students Fellowship Opportunities in SA & US

2006-12-10T15:31:00.000Z

Guys, I thought this might be useful to some of us. I’m pretty sure some of us are either completing their studies or starting, anyway, either case; there are excellent fellowship opportunities in South Africa – African Institute for Mathematical Sciences (AIMS) and US - Centre for Discrete Mathematics & Theoretical Computer Science (DIMACS), both are taught and research based positions with full incentives. AIMS is only for 3 months, while DIMACS is a 2-year programme.

Useful Links:
a) The African Institute for Mathematical Sciences (AIMS). AIMS Fellowship

b) The Centre for Discrete Mathematics & Theoretical Computer Science (DIMACS).
DIMACS Fellowship

News: IEEE EUROCON 2007 Conference

2006-12-06T07:24:00.000Z

We would like to encourage you to submit a paper to IEEE EUROCON 2007 International Conferenceon Computer as a Tool, which will take place in Warsaw, Poland on September 9-12, 2007, and to let your colleagues know about it. We expect to have a great conference, which will certainly benefit even more from your technical participation.

- paper upload system: http://eurocon2007.isep.pw.edu.pl/index.php?id=pap_upload.php

The proposed tracks are:

1. System Design
2. Signal and Image Processing
3. Computer Engineering
4. Measurements and Sensors
5. Computational Intelligence and Control
6. Telecommunication and Multimedia Systems
7. Photonics
8. Power Systems and Power Electronics
9. Electrical Machines and Drives
10. Electron Devices
11. Modeling and Simulation
12. Education

The above listed topics do not exclude submission and presentation of papers
from other specific fields close to or related to the general theme of the Conference.

-------------------------------------------------------------------------------------
All accepted papers will be included in IEEE Xplore database and EI Compendex, the most comprehensive interdisciplinary engineering databases in the world.
-------------------------------------------------------------------------------------
Best papers will be recommended for publication in IEEE Transactions,
Electrotechnical Review, Bulletin of the Polish Academy of Sciences and in a few others.
-------------------------------------------------------------------------------------

The EUROCON 2007 deadlines are as follows:

Submission of full papers: January 31st, 2007
Notification of acceptance: April 30th, 2007
Camera ready papers and registration: May 31st, 2007

“Writing up Psychosis”

2006-12-02T13:03:00.001Z

It's really an “exasperating period” writing up, everyone I know or have talked to, has complained, or shown one form of frustration or another! For me, I use the tips... on the article "How to write your PhD in 5 minute a day ...", not sure of the exact title of the article now..., to try to write something always, no matter how little I write everyday, irrespective of how I feel about my writing.

Tips:
a) Free-writing: Try writing whatever comes to your head, sometimes, you might find the materials you've written useful, but often times, they are not, but they can be excellent pointers (new ideas) that require further developing.

b) Avoiding reading through what you've written until you’ve finished putting down all you can remember. This will help you avoid the “distraction” of going over what you’ve already written and loosing the “freshly conceived” – new ideas that should be put down to paper.

c) I've done a couple of draft chapters … but each time I read through them, I see potentially new things I can say, sometimes, off the point, really. It sounds farmilar. Does it?

PhD Expectations

2006-11-25T12:02:00.000Z

I heard a joke about “PhD candidates been theoretically sound, but technically poor” Whether this is true or not, I do not know. However, I intend to clarify two assumptions from this joke, firstly, “theoretically soundness” and secondly, “technically poor-ness”.

Theoretically sound, I think, the audience think or believe PhD candidates are theoretically sound, because, these candidates are often full of knowledge of their unique area of interest, they have spent time examining, and understanding the underpinning of how things work in their area. And often they relate their thoughts to others in their areas, and therefore, often provide a more comprehensive knowledge on how things work, conceptually speaking. However, they may not in some cases, have the capability to demonstrate all the applicability of their thoughts. I personally think it’s almost impossible for any person to demonstrate exhaustive possibilities of anything though.

Technically poor, I think that “PhD audience” often expect far too much from PhD candidates, they expect them to perform “miracles” in the face of nothing. They expect them to “fasten” and “unscrew” plugs and remove car parts. That’s the only way they can prove themselves. I think this type of reasoning is wrong and generally unconnected with reality! The reality is that, PhD candidates’ posses far more understanding of their environment; they have the capability to demonstrate the “applicability” of things. However, they are not “in a commercial environment” and are not designing tools for commercial consumption. And therefore should not be expected to build “enterprise application” in order to ascertain a claim. I think, we should reserve this expectation when they are employed, then they can use their skills to develop commercial (COS) tools/toolkits for general consumption. Until then, PhD acceptance should be based on their exquisite knowledge of the “object” they are trying to explain. This opinion may not be shared by many, even among PhD’s, but, it is a personal opinion, I’ll be greatly encouraged if you send your comments in this regard.

DIMACS

2006-09-06T13:31:00.000+01:00

Center for Discrete Mathematics & Theoretical Computer Science
Founded as a National Science Foundation, Science and Technology Center.

List of call for participation on Mathematics, Computer Science, Computational Biology, Modelling and Information Security

GECCO 2007 in London

2006-09-04T14:22:00.000+01:00

Genetic and Evolutionary Computation Conference plans to hold in mid-July 2007 in London: http://www.sigevo.org/gecco-2007/index.html.
Please make plans to attend Planned Free Tutorials:

Genetic Algorithms by Erik Goodman
Genetic Programming by John Koza
Evolution Strategies by Thomas Bäck
A Unified Approach to EC by Kenneth De Jong
Ant Colony Optimization by Christian Blum
Learning Classifier Systems by Tim Kovacs
Probabilistic Model-Building GAs by Martin Pelikan

My code and myself

2006-08-16T05:13:00.000+01:00

It’s often an open debate when two or more computer scientists sit around… whether programming is essential and should be compulsory for computing students. When say programming I’m consciously thinking of languages, such as, Java, C or C++. For me, I think it should be made compulsory for computing students and maybe an elective for others (especially for BIS students); I think they struggle most often with programming; this could be as a result of their background. They seldom do programming in their early days, as students. Programming is fundamental in the life of a computer scientist (professional or student). But the agonising thing is that most computing student of nowadays, do not believe so. This could be because most industries hardly request the service of a structured programmer, what maybe in demand are script writers, coding in programs like Perl, TCL, or VisualBasic. OOP such as Java and C++ may not be in high demand as the use to, put it this way, as they should.

I used to program in Java few years ago, but I left it for TCL, but now am back to Java… I’ve to use Java in demonstrating part of my PhD work. In fact I should be doing some C++ programming as I write. Programming seems unavoidable in the life of a computer scientist, its always about my code and myself!

Reasoning out uncertainty and doubt

2006-08-15T07:10:00.000+01:00

Reasoning out uncertainty and doubt in evidence that appear to be, consistent, diversified and maybe contradictory

Because most real life events/situations possess some degree of uncertainty or/and doubt there’s every need to reason out these uncertainties in the faces of compelling evidences gathered. I’ve always thought there should be a way to reason out this… especially for events that are independent in occurence. So I went down the route of ‘fuzzy sets’ and fuzzy logic, but although fuzzy sets are excellent for what the do most, which is … giving a level of membership to events, say, how hot? It’s not very hot, or it's extremely hot; but I thought, although you could express the degree of hottest as a membership function, this still has not eliminated the doubts you still have in the result. Again, I tried ‘Rough sets’ which is similar in concept to fuzzy sets but quite different in application. Finally, found what I was looking for - in Dempster-Shafer Theory of Evidence, which is use to reason out uncertainty, allocate beliefs/support, then compute doubts and plausibility that help demonstrate the quality in the evidence provided. Again, without requiring either a good model of the system or knowing fore probabilities in hand ('a prior') like Bayesian Networks, Bayesian Probability Model(Bayes Model).

"Impossible Minds"

2006-08-05T12:14:00.000+01:00

Impossible minds the work of a smart genus or just a wanderer trying to explain concepts beyond time?

On Wednesday 2nd August, I left for the University aiming to complete setting up my testbed machine, in the MDC server room. My testbed machine will be use to carryout my research work. Unfortunately, I couldn’t do anything meaningful with my time, because the cabling infrastructure at the Lab was either disconnected or disabled, and am not authorised to handle the cabling as a student, plus am not very familiar with the closet. I called for assistance but the Tech who should have helped was on day-off. At of frustration and not knowing what to do to use my time meaningfully, I wandered off to the library. In the library I was looking for books in other areas not related to my discipline or maybe not closely related, I should say. So I went to the Machine Intelligence shelf. As I was checking on books to read - (I didn’t use the library catalogue), so don’t blame me, sometime ad-hoc scenery is much better! – I picked a text with a fascinating caption – “IMPOSSIBLE MINDS, My neurons, My Consciousness” by Igor Aleksander.

“Impossible Minds” was published in 1996, so not relatively a new book, especially for people in this research area, pretty sure, they are aware of it… But for me, it’s fascinating and interesting. My take on this book, is similar to my frustration and the awaken consciousness to do something useful with my time, when my attempt to complete setting up the testbed machine couldn’t go ahead.

Igor in his book tries to associate machines a human characteristic – ‘human consciousness’, although, he has tried hard to assert his observation by subtly philosophically abstracting conscious attributes to machine behaviour, his “magnus” will still remain a mysterious object if it can exhibit conscience in any form or manner!

I have not finished reading the book, but I think it makes an interesting read, I strongly recommend it.

Are you there?

2006-07-31T03:18:00.000+01:00

Suddenly I’m confused, dismay and overwhelmed… I can’t imagine anything worrying me more than successfully completing my research. But research work requires a lot of thinking, and thinking is a very difficult thing to do; but in the midst of all these thought processes are some personal demands… I’d honestly wanted to give up on life, but I’ve to hang-in there!

Impossibility is nothing!

2006-07-30T03:16:00.000+01:00

Do you remember the popular ad by one of the very famous ‘sport foot wear coy’ - their slogan, was, ‘impossibility is nothing’ – meaning, nothing is impossible. Frankly speaking, this is true, and very true if you believe God for it. Recently, I was asked to chair a conference session in Athens, Greece. And a month later, joined a scientific reviewing group (Scientific Member) of the prestigious IEEE EUROCON 2007 conference in Warsaw, Poland. If someone had told me this would happen pretty soon, I wouldn’t have believed it. But, I’ve always known with God, ‘Impossibility is nothing!’ The next significant thing will be completing my research soon.

Should I say yes?

2006-07-30T02:59:00.000+01:00

…Few months ago, I thought I’ll be completing my research come December’06… but it appears this is not going to happen then, completion would be most probably, some time before June’07. In as much as I had wanted it earlier, what I really want is a successful completion in time, whatever the reason for completing late (June’07). I want to believe it’s all for good. You may have been in a similar situation, maybe not, but if you were, what would you do?

What if …? You ask. From experience, most ‘what if’s’ do not seem to come to pass. However, it’s not to say, they never come to pass. Whatever happens, “it happens for good for those who love Him”.

A sound mind in a sound body ...

2006-07-06T16:19:00.001+01:00

I have just managed to listen/watch 3 out of 7 DVD's on 'Critical Thinking' by Dr. Richard Paul. Fortunately, some of the materials by Richard are available on his home page. He explains and discusses rational critique in a manner very unique and aims at educating students. I strongly recommend it to anyone!

Paul's list of books includes:

Active and cooperative learning
Ethical reasoning
Critical Thinking
How to study and learn
Critical and creative thinking
The Human mind
Fallacies
Scientific reasoning....

Am not trying to market Dr. Paul's books, but I consider thinking as important as I consider food, this is why I strongly recommend these books - "A sound mind in a sound body"

...Everything gonna be alright!

2006-07-06T13:15:00.000+01:00

I recently started a new role at work ... although challenging, but at the moment am loving it. I used to work as a network engineer, looking after routers, switches, vpns, mpls and routing stuff, but now, am working as a security analyst, which is a totally different ball game. Am now looking after the firewalls, sensors, scanners, threat and event monitors... all sounding great, but not to me as a starter :-( I suppose all I have to do now is it prioritise my activities, because I've got many things lined up...

I've to carry on with writing up my PhD thesis, which is quite demanding and time consuming, also, I've to plan when and how to study since, am currently doing 8:30-5, Monday through Friday. Anyway, instead of moaning all day, I probably should start thanking God for His mercies, after all, some people out there are looking for these opportunities, you know? About time I realised it.

What do you think? :-)

...A little bit to the Left, a little bit to the Right

2006-07-01T06:37:00.000+01:00

I started off thinking I'll use this blogger as a repository for PhD materials, but it certainly doesn't look so. If it were, I won't be saying so :-)

Just remembered I can say a few kind words to my little daughter - Jessy Brown, whose pics is shown above. Because am studying for a phd and also holding a FT job, I working pattern is shift-type, which helps me acoomodate a part-time studies and family...

Today when I picked 'Brown' up from school in the evening, I told her I'll be going to work and she said that's alright. Few hours after, while at work, Brown asked her Mum to ring her Dad... my mobile phone rang ... and it was my wife, Honey was the matter? I asked, she said brown wants her Dad to come back home.... poor little brown... I suppose, its not easy on her to constantly miss her Daddy, becuase he's either studying or at work, conference etc... Although these day, I try as much as possible to take with me, my faily while at conferences or seminars, where possible.

I've to go now.... end of today's shift, to be completed later ;)...

The Hour Has Come ...

2006-07-01T06:19:00.000+01:00

Yesterday I received an email from my supervisor... in the email was '...we are think of appoiting Dr ... Chen as your external for your PhD thesis viva'. Just as I read the line... I was horrified, I wandered off imaging what if... but the truth was, I have not started writing although I should. Again, I was frigthented because it was natural to do so... PhD viva is by His grace, and as soon as I realised that, I prayed!

The good news is that I was able to draft a tentative table of content which I've sent to my suppervisor for perusal and approval, and finally, I was also able to write my thesis problem statement, aim and objectives!:)

The night turn out to a fruitful one... if I can do same every night, I'll be through in few months. Hum...

Greece holiday cum conference

2006-06-30T22:52:00.000+01:00

Writing-up

2006-06-27T11:32:00.000+01:00

Suddenly I have found myself here, a stage I've been waiting for, but, it's frightening to me, hopefully it will be over soon - writing-up.
I consider these materials useful, and they may be of help to you, however, they are not in any way the only materials available. Please use alternative materials if you think these couldn't help:

How to write a PhD Dissertation , by Prof. Joe Wolfe, School of Physics, The University of New South Wales, Sydney.

Writing and Presenting Your Thesis or Dissertation, by S. Joseph Levine, Ph.D., Michigan State University, East Lansing, Michigan USA.

A guide to PhD Research, by Prof. Sean Gong

Back from ICCSIS Conference

2006-06-25T12:56:00.000+01:00

Just back from Athens, Greece, where the ICCSIS conference was held. Athens is a lovely place to be, extraordinarily rich in preserved culture, history and ethics. We visited the Acropolis, Museums, Plaka (food ..) and the Marathon Village. Lots of other places we couldn't go, especially, the islands...

...probably another time another day;)

Now, I will have to start organising my publications to see if I could get a table of content for my dissertation and writing-up starts as soon as I can get myself to work. At the moment, I'm finding it very difficult to motivate myself to work. It's hard to start any thing meaningful now, there's the World cup going on, summer time events etc... When shall I start again?

Another Nervy day for England

2006-06-25T12:39:00.000+01:00

Am not overly certain what will happen between England and Ecuador, but knock-out stages can be very unpredictable. But although I failed in predicting exact scores, I think England should go through, fingers crossed!;)

C'mon England!

2006-06-15T17:04:00.000+01:00

Time to put down my pen... set to go cheer England up, I expect an excellent game, score 3-0 to England... World Cup 2006 - England

PhD Forum

2006-06-15T16:24:00.000+01:00

I thought this link might be useful to you if you're planning of doing a phd research or currently doing one, here is a forum for you. It features some salient information, complains, faqs, reviews and contributions towards phd studies. Please find time to check it out...;) phd forum

Writing an attribute

2006-06-14T01:47:00.000+01:00

Just tidying up a conference paper to be presented at the 2nd International Conference on Computer Science and Information Systems ICCSIS in Athens, Greece... . So I'lll be travelling nextweek for the conference, hopefully, should enjoy Athens, I've not been there before, here comes an opportunity;-). Oh dear, did I forget to say, I'll be chairing one of the sessions... what a great experience;)
Writing has become a useful habit I would say, I picked up (developed) whilst doing this research... I really don't know if writing is essential or not for a phd research, and will not argue for or against it anyway. But what I know is that, as phd students, we MUST someday write-up our dissertation, so its necessary to develop any skill that will be neccessary for a successful completion.
I am use to using MS word in processing my documents, although Springer and other publishers I've dealt with recommend latex, but I have not really used Latex or Lyx until I met a colleague at the university last week who recommended Lyx, a document processor. To be honest, Lyx is really great, especially its features for mathematics (equations, symbols etc). I must recommend this to anyone in the physical or natural science and engineering. Again, its striaght forward to learn and use.

First things first ...

2006-06-09T14:41:00.000+01:00

I've just created my blog page, just making sure things are working as they should ... Please revist soon for excellent thoughts on carrying out a research work, especially, the highs and lows involved - a personal experience ... Thx

Research process

2006-06-09T14:35:00.000+01:00

I started my phd research investigation about three years ago, at first all seemed great, inviting and cool, but within a couple of months, suddenly the joy and feeling of 'am a great researcher' started to evaporate, it then dawned on me that the demands of a phd is enormous. ... I probably have started something, either I've not given a good thought about, or something really cool but quite demanding. Off course, the later is the case, phd is something cool, but quite demanding. The first of a couple things I did in the first month, was to submit a research proposal, written as if I knew all the necessary steps, phases and nitty-gritty of my intended research area - 'content security'. Anyway, days turn to months, months turn to years, but here i'm still thinking when will be the final day?
Well, let me think that am making good progress... after all, other of my mates have the same or similar problems... someday we'll all complete... but completing is one thing, phd reserach or being a researcher is not just completing, its a process for life? Do you agree. I can see this as one of the lengthy discussions, as you would expect from many researchers... and 'young researchers'... But I'll leave this for you folks. Bye for now... come back again soon please.