Friday, March 18, 2011

RFID: Tech Issues & Privacy Concerns

Radio frequency identification, or RFID, is a type of automatic identification system used to organize and track people, goods and other assets. A portable tag, stuck on almost any kind of product (clothes, smartcards, currency), contains a tiny chip holding data such as the identification or location of the product it is attached to, or specific characteristics of the tagged product such as price, color or date of purchase. The chip transmits that data wirelessly, via radio waves, to readers that are often connected to a computer network. The reader can pass the information to a database and a software application that processes the data according to the needs of a particular use. So it could be said that RFID technology is a key lever for increased productivity.

RFID use that involves personal information can spark privacy concerns. RFID tags come in different sizes and shapes. Some tags are easy to spot, such as the hard plastic tags attached to merchandise in stores, while other tags are no bigger than a small section of pencil lead. Some tags are even designed to be embedded within the fibers of a national currency.
There are several kinds of concern about RFID privacy. For example, the newest technology embedded in some RFID readers allows them to read data transmitted by many different RFID tags. We should be aware of and careful about the potential abuses of such technologies, so that we do not fail to address them at the right time. By acknowledging the weak areas in the system early and working to eradicate those vulnerable security points, current RFID technology will continue to improve and may become a reasonably secure option for widespread use.

Privacy Preserving Data in Data Mining

According to the text, data mining is becoming increasingly common in both the private and public sectors. Industries such as banking, insurance, medicine, and retailing commonly use data mining to reduce costs, enhance research and increase sales. In the public sector, data-mining applications were initially used as a means to detect fraud and waste, but have grown to also be used for purposes such as measuring and improving program performance.
Nowadays, data mining is an emerging field connecting the three worlds of databases, artificial intelligence and statistics. The current information revolution gives many organizations the opportunity to gather huge amounts of data as needed. Data mining is considered a knowledge discovery process used to answer any data needs.
Data mining - the non-trivial extraction of implicit, previously unknown, and potentially useful information from large data sets or databases.
Privacy preserving data mining - the study of achieving some data mining goals without sacrificing the privacy of the individuals.
A data owner wants to release a person-specific data table to another party or to the public for the purpose of classification analysis without sacrificing the privacy of the individuals in the released data.

Data mining techniques
Data mining techniques are used in business and research and are becoming more and more popular with time. A number of techniques exist to perform data mining tasks in a privacy-preserving way, including settings where very large databases are involved. These techniques are:
  1. Data modification techniques.
  2. Cryptographic methods and protocols for data sharing.
  3. Statistical techniques for disclosure and inference control search for interesting information without demanding a priori hypotheses.
  4. Query auditing methods.
  5. Randomization.
  6. Perturbation-based techniques.
Privacy Preserving Data Mining is designed for researchers, professors, and advanced-level students in computer science.


References
Acquisti, A., Gritzalis, S., Lambrinoudakis, C., & Vimercati, S. D. C. d. (Eds.). (2008). Digital Privacy: Theory, Technologies, and Practices. New York: Auerbach Publications.

Sunday, March 6, 2011

BS 11, Forcing Firms to Focus: Secure Software

Nowadays, almost all commercial software developers develop software to meet market requirements, but unfortunately security is always a secondary concern. The primary goal of software is to provide functionality or services, while managing the associated risks is secondary. There is often a trade-off, or conflict, between security on one side and functionality and convenience on the other.
According to the text, the state of security in commercial software is distasteful. There are many vulnerabilities and actual attacks, scrambling among developers to fix and release patches, and continual exhortations to customers to perform rudimentary checks and maintenance. Software developers need to find an effective solution that meets customers' explicit requirements and also includes the implicit requirements in commercial software development, but doing so will also affect cost and development time.
Explicit requirements - software providers should deliver exactly what the customers' time-to-market needs demand.
Implicit requirements - requirements that should be included automatically as a matter of professional duty but are not always considered. Adding those requirements, to the benefit of both customers and providers, could be powerful.

Implicit Requirements Can Still Be Powerful

This chapter provides three different examples that demonstrate the power of including the implicit requirements. These examples are: buying a hamburger from McDonald's, buying a book from Amazon, and buying a software application.
The implicit requirement for buying a hamburger - the hamburger should be piping hot.
The implicit requirement for buying a book - the book should not be missing any pages.

The implicit requirement for a software application - the application should meet the customer's needs.

How One Firm Came to Demand Secure Software

According to the text, software security is more than identifying and removing defects in software code.
Over 50% of software vulnerabilities are based on defects in the architecture, not the code itself.

Identifying and addressing software defects early in the lifecycle is far more cost effective than fixing defects once the code is in production.

Encouraging software developers to think of security vulnerabilities as defects would be a significant challenge, requiring both a comprehensive education program and organizational development techniques for managing behavior change.

How I Put a Security Plan in Place

Choosing a focus and winning over management

It is very hard to fix everything at once.
The developers have to choose one area of software to focus on and strive for measurable improvements in security there.
The concentration of vulnerabilities in modern software makes the choice easy, as it is also consistent with the highest risk exposure.
Recent trends in security threat data clearly show the migration of hacker exploits away from network perimeters (routers, switches, firewalls, etc.) to the web application layer. Web applications are targeted because this area is the most economical approach to data compromise.

Setting up formal quality processes for security 

  1. Integrating security within software could be very costly, but of course it depends on what kind of security is to be integrated and at how many levels.
  2. Integrating security within software makes the software itself more complex.
  3. First of all, they should create a list of key deliverables from CLASP (Comprehensive, Lightweight Application Security Process), a methodology for developing secure software developed by John Viega and adopted by OWASP.
  4. The security requirements need to be documented to help define the application's security requirements based on the classification of the data it handles.
  5. The next step is an intensive review to approve the architecture before development can proceed to the next phase.
  6. We have to choose the appropriate tool to verify the software before it goes to quality assurance. A key criterion when selecting the tool was its high-quality contextual help, allowing relatively untrained developers to easily identify and understand security vulnerabilities.
Developer training
Encourage the software developers to adopt and use the static analysis tool in the development process.
The security team should take a special educational program to learn about security. Once they pass, they should teach their peers.

When the security process really took hold

After finishing the security education, the developers were willing to challenge the need for a static code analysis tool.

Fixing the Problems

Fixing any problem with the software may need time and more money. The developers should make a good schedule with milestones and stick to it.
The development team may discover security flaws during the development process. Some of the security flaws are discovered during the testing and verification process.
The development team should identify vulnerabilities early to minimize the actual cost.

The experience gained from the training and from previous design processes should be documented so it can be used for future software development, which would greatly reduce the time and money required.

Microsoft Leading the Way

Microsoft is one of the few commercial software providers that addresses security in the software development process. They have updated their software development lifecycle with security controls and currently have one of the most mature sets of security controls within their development process. Consumer perception of Microsoft products may be influenced by the relatively large number of patches released monthly, but the reality is that Microsoft has listened to customer needs for security and has made progress addressing these needs.

Some of the security requirements are:

• Patch management

• Anti-virus and anti-spyware software

• Operating system security patches

• Vulnerability scanning

• Disk encryption

• Multifactor authentication

DP 01, Enhanced Internet Privacy Technologies

This chapter explores and examines various classes of privacy enhancing technologies. E-mail anonymity systems allow a user to send e-mail without revealing his or her personal information, such as identity, e-mail address, or Internet protocol (IP) address. E-mail pseudonymity systems additionally give users the opportunity to set up persistent pseudonyms, so that they can participate in ongoing e-mail conversations while maintaining their privacy.
The authors define four types of remailers. These are:

  1. Type-0 remailers: the simplest e-mail anonymity systems. By keeping a master list matching pseudonyms to senders' real e-mail addresses, replies to mailed messages can be delivered to the original sender. However, the master list provided a tempting target for attackers; anyone who could get his hands on the list could reveal the e-mail addresses of all the users of the remailer.
  2. Type-I remailers: also called cypherpunk remailers. They remove the sender-identifying information and then send the message out. This type is more secure than Type-0 and provides several improvements. These are:
    1. Chaining: a user sends his message to the remailer with instructions to send it, not to the intended recipient, but rather to a second remailer (run by an operator independent from the first). That remailer is instructed to send it to a third remailer, and so on.
    2. Encryption: the first remailer receives an encrypted message. When it is decrypted, it finds only the address of the second remailer and another encrypted message. The inner message is encrypted to the second remailer, so the first remailer cannot read it. The second remailer receives the message and decrypts it to find the address of the third remailer and another encrypted message, and so on. The last remailer decrypts its message and finds the address of the final recipient as well as the unencrypted message to send.
    3. Mixing: incoming messages to any remailer are batched together and randomly reordered before being sent out. This attempts to prevent a passive observer of a given remailer from determining which outgoing message corresponds to which incoming message.
  3. Type-II remailers: they divide all messages into a number of fixed-size packets that are sent separately through the network of remailers in order to defeat size correlations. These remailers also employ more complex techniques to defeat replay attacks. This type is more secure than Type-I.
  4. Type-III remailers: this type of remailer has apparently been available since 2002. It provides improved protection against replay attacks and against key compromise attacks, where an attacker learns the private decryption key of one or more of the remailers. This type is more secure than Type-II.
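The chaining, layered encryption and mixing described for Type-I remailers, as an added example written for this post (it is not code from the book or from any real remailer). The cipher is a constructed SHA-256 keystream stand-in for the public-key encryption real cypherpunk remailers use, and the remailer names and keys are hypothetical; the point is to show that each hop can only recover the next address, not the final recipient or the message.

```python
import hashlib
import os
import random

# Toy symmetric cipher: SHA-256 keystream XOR. Constructed stand-in for the
# public-key encryption real remailers use; NOT secure for real traffic.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:16], ciphertext[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

# Hypothetical remailer network: operator name -> that operator's secret key.
REMAILERS = {"alpha": os.urandom(32), "beta": os.urandom(32), "gamma": os.urandom(32)}

def build_onion(chain, recipient: str, message: bytes) -> bytes:
    """Sender side: wrap the message in one encryption layer per remailer,
    innermost first, so remailer i can only learn the address of hop i+1."""
    hops = list(chain) + [recipient]
    layer = message
    for i in range(len(chain) - 1, -1, -1):
        header = b"TO:" + hops[i + 1].encode() + b"\n"
        layer = encrypt(REMAILERS[chain[i]], header + layer)
    return layer

def remailer_process(name: str, blob: bytes):
    """Remailer side: strip one layer, read the next hop, return (next_hop, payload)."""
    plain = decrypt(REMAILERS[name], blob)
    header, _, payload = plain.partition(b"\n")
    if not header.startswith(b"TO:"):
        raise ValueError("malformed layer")
    return header[3:].decode(), payload

def mix_batch(messages, rng=None):
    """Mixing: batch incoming messages and randomly reorder them before forwarding."""
    rng = rng or random.SystemRandom()
    batch = list(messages)
    rng.shuffle(batch)
    return batch

def deliver(chain, recipient: str, message: bytes):
    """Push one message through the chain. Returns the final (recipient, plaintext)
    plus what the first remailer could see after stripping its own layer."""
    blob = build_onion(chain, recipient, message)
    first_view, hop = None, chain[0]
    for name in chain:
        assert hop == name, "message routed to the wrong remailer"
        hop, blob = remailer_process(name, blob)
        if first_view is None:
            first_view = (hop, blob)
    return hop, blob, first_view
```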
The growth of the Internet has increased the use of anonymity and pseudonymity in electronic communications. Protecting Internet applications such as the World Wide Web, remote logins, voice-over-IP and games poses a much more significant challenge than the corresponding problem for e-mail. Anonymity could be defined simply as being without a name or with an unknown name, while pseudonymity could be defined as the use of a false name. Anonymous and pseudonymous electronic communications have been used to damage commercial interests, harass victims, and launch hoaxes into cyberspace. We can overcome the problems of anonymity and pseudonymity in cyberspace by using traceable identification. If ISPs can be made to enforce the chosen level of strong identification and authentication, that will allow a non-legalistic approach to reducing abuse by anonymous and pseudonymous Internet users.

References
Acquisti, A., Gritzalis, S., Lambrinoudakis, C., & Vimercati, S. D. C. d. (Eds.). (2008). Digital Privacy: Theory, Technologies, and Practices. New York: Auerbach Publications.

BS 12, Here Come the Infosecurity Lawyers!

Chapter twelve explores the principles that help us understand the positive interaction between law and information security. It discusses culture, balance, communication and doing the right thing, in addition to return on investment (ROI) and return on security investment (ROSI).
According to the text, security professionals deal with systemic problems including poor user practices, buggy software, and a deliberate lack of leadership at the national level. The pervasiveness of the problems, the regularity with which incidents containing common elements occur, and the depth of cultural influences that determine their continued existence suggest that legal intervention can make a difference. As a result, information technology and law have already collided and will continue to collide at an increasing pace.
In this chapter, one of the important tools for making investment calculations is ROSI (Return On Security Investment). This calculation gives us the opportunity to justify investments in projects. As awareness grows in organizations of the relationship between information security and the fulfilment of business objectives, investments in security-related issues position themselves to compete with more significant projects for resources and budget. In general, the Return on Investment (ROI) formula is widely used by finance and management departments: ROI = (Benefit - Cost) / Cost. The ROSI formula is: ROSI = (Mitigated Risk - Cost) / Cost. When we analyze the investment in information security, we do not seek a mitigation of the risk to which the main business processes will be exposed.
Many executive managers view security as a legal issue as much as a technological one. Small companies take all of the security responsibility from the CIO and give it to the legal team. Normally, the legal team is responsible for writing security policies, while the IT team is responsible for enforcing those policies.
When it comes down to a decision between faster response time, shorter time to market, lower cost or some other objective that is a traditional IT job, security in many cases will go in the opposite direction, slowing things down and lengthening time to market. The CIO may make decisions that indirectly compromise information security. Almost everyone recognizes the need for the IT and legal teams to work together, at least on some level.
Finally, many organizations equate compliance with security, rather than recognizing that compliance achieves only the minimum level of required security.

References:

Oram, A., & Viega, J. (Eds.). (2009). Beautiful Security: Leading security experts explain how they think. Beijing: O'Reilly. ISBN: 978-0-596-52748-8

Beautiful Log Handling

Data logging means the procurement of information for understanding and learning more about a process or system. A data logger is any device that can be connected to other devices for the sole purpose of collecting information.
Logging information increases knowledge of how different processes work. For example, many loggers archive information such as temperature using sensors that convert the measurement into electrical signals; once the archived data is retrieved, it can be easily filtered and understood. As another example, if a person shopping in a supermarket uses his or her credit card to pay for something, a data logging device may track his or her movements through the store. It can assess which items he or she has bought, how many times a month they are bought and even how many times he or she visits that store.

According to the text, one of the many recent U.S. laws with clauses related to audit logging is the Health Insurance Portability and Accountability Act (HIPAA), which covers logging and monitoring controls for systems that contain a patient's protected health information (PHI). Centralized event logging across a variety of systems and applications, along with its analysis and reporting, provides information to demonstrate the presence and effectiveness of the security controls implemented by organizations. These practices also help identify, reduce the impact of, and remedy a variety of security weaknesses and breaches in the organization. The importance of logs for regulatory compliance will only grow as other standards (such as PCI DSS, ISO2700x, ITIL, and COBIT) become the foundations of new regulations that are sure to emerge. System log files produced by Unix, Linux, and Windows systems are different from network device logs produced by routers, switches, and other network gear from Cisco, Nortel, and Lucent. Similarly, security appliance logs produced by firewalls, intrusion detection or prevention systems, and messaging security appliances are very different from both system and network logs.

Challenges with Logs

Too much data - Hundreds of firewalls and thousands of desktop applications have the potential to generate millions of records every day, and log volume keeps rising due to increasing bandwidth and connectivity. The sheer volume of log messages can force analysis to take significant time and computing resources.
Not enough data - The processing of event responses can be hindered because the security device did not record essential data, or because the administrator did not anticipate the need to collect it.
Poor information delivery - Many logs just do not have the right information.
False positives - These are common in network intrusion detection systems (NIDS), wasting administrators' time and occluding more important information that may indicate real problems.
Hard-to-get data - For technical reasons, data is frequently unavailable to the person who could benefit from analyzing it, undercutting log management projects.
Redundant and inconsistent data - Redundant data comes from multiple devices recording the same event, and confusion can arise from the different ways they record it.
Heterogeneous IT environments - These aggravate some of the preceding problems and bring forth new ones. For example, more peculiar file formats need to be understood and processed to get to the big picture. Volume gets out of control, NIDSs get confused by what they're monitoring, and custom application logs complicate this already complex problem dramatically.
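The "redundant and inconsistent data" and "heterogeneous IT environments" challenges above, shown as a small normalizer written for this post (an added example, not from the book). The three log formats, the device names and the sample lines are all constructed; the syslog lines carry no year, so 2011 is assumed. Records from different devices that describe the same connection (same protocol, addresses, ports and action) within a few seconds are collapsed into one event that remembers every device that saw it.

```python
import re
from datetime import datetime, timedelta

SYSLOG_YEAR = 2011  # syslog lines carry no year; assumed for this constructed sample

# Constructed sample lines (not from real devices): a syslog-style firewall line,
# a Windows-style W3C firewall line, a NIDS CSV line, a second firewall line and junk.
SAMPLE_LOGS = [
    "Feb  8 10:15:01 fw-edge kernel: ACCEPT proto=TCP src=10.0.0.5:51234 dst=203.0.113.7:443",
    "2011-02-08 10:15:02 ALLOW TCP 10.0.0.5 203.0.113.7 51234 443",
    "2011-02-08T10:15:01Z,nids-1,tcp,10.0.0.5,51234,203.0.113.7,443,allow",
    "Feb  8 10:20:45 fw-edge kernel: DROP proto=UDP src=198.51.100.9:5353 dst=10.0.0.12:53",
    "this line is not a log record",
]

SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) kernel: (ACCEPT|DROP) "
                       r"proto=(\w+) src=([\d.]+):(\d+) dst=([\d.]+):(\d+)$")
W3C_RE = re.compile(r"^(\d{4}-\d\d-\d\d) (\d\d:\d\d:\d\d) (ALLOW|DROP) (\w+) ([\d.]+) ([\d.]+) (\d+) (\d+)$")
ACTIONS = {"ACCEPT": "allow", "ALLOW": "allow", "DROP": "deny", "allow": "allow", "deny": "deny"}

def _record(ts, device, action, proto, src, sport, dst, dport):
    return {"ts": ts, "device": device, "action": ACTIONS.get(action, action),
            "proto": proto.lower(), "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}

def parse_line(line):
    """Map one log line in any of the three formats to a common record; None if unrecognised."""
    m = SYSLOG_RE.match(line)
    if m:
        mon, day, clock, host, act, proto, src, sport, dst, dport = m.groups()
        ts = datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        return _record(ts, host, act, proto, src, sport, dst, dport)
    m = W3C_RE.match(line)
    if m:
        date, clock, act, proto, src, dst, sport, dport = m.groups()
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        return _record(ts, "win-host", act, proto, src, sport, dst, dport)  # hypothetical host name
    parts = line.split(",")
    if len(parts) == 8 and parts[0].endswith("Z"):
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        return _record(ts, parts[1], parts[7], parts[2], parts[3], parts[4], parts[5], parts[6])
    return None

def normalize_and_dedup(lines, window=timedelta(seconds=5)):
    """Parse every line, drop the unparseable ones, then merge records from different
    devices that describe the same connection and action within `window` seconds."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    records.sort(key=lambda r: r["ts"])
    merged = []
    for r in records:
        key = (r["proto"], r["src"], r["sport"], r["dst"], r["dport"], r["action"])
        for m in merged:
            if m["key"] == key and r["ts"] - m["ts"] <= window:
                m["devices"].add(r["device"])  # redundant copy of a known event
                break
        else:
            merged.append({"key": key, "ts": r["ts"], "devices": {r["device"]}})
    return merged
```

Clock skew between devices is what the merge window absorbs; widen it only as far as the observed skew, or unrelated repeated connections start collapsing into one.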

The text also talks about the demilitarized zone, or DMZ. A DMZ can be any small network inserted as a neutral zone between a company's private network and the outside public network. It allows users from outside to access a server that holds company data. A DMZ is considered a secure approach to a firewall and effectively acts as a proxy server. For example, a DMZ configuration for a small company could be a separate computer that receives requests from company employees within the private network to access other companies on the public network or specific website(s). The DMZ then initiates sessions for these employees' requests on the public network. The DMZ is not able to initiate a session back into the private network; it can only forward packets that have already been requested. Cisco is one company that sells products designed for setting up a DMZ.

References

GlobalSCAPE. (2004). DMZ Gateway. Retrieved February 08, 2011 from http://help.globalscape.com/help/guides/GlobalSCAPE_DMZ_Gateway_User_Guide.pdf
Oram, A., & Viega, J. (2009). Beautiful Security. O'Reilly Media Inc., Sebastopol, CA.
VMware Best Practices. DMZ Virtualization with VMware Infrastructure. Retrieved February 08, 2011 from http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf