Monday, August 31, 2015

First woman to write a computer program

Next year, 2016, will be the 200th birthday of Augusta Ada King, Countess of Lovelace, born in 1816. Ada Lovelace is said to be the first woman to have written a computer program, and indeed to have written the first computer program, published in October 1843 with her translation of Menabrea's paper "Notions sur la machine analytique de M. Charles Babbage" (1842).

Lovelace's diagram from Note G - photo courtesy of

Ada's work is recorded in Sketch of the Analytical Engine invented by Charles Babbage - the translation was originally published in 1843 in the Scientific Memoirs, 3, 666-73, with one folding chart. This work represented the first edition in English of the first published account of Babbage's Analytical Engine and, significantly, of its logical design (

Bromley, Allan G. referred to Ada's translation as "the most important paper in the history of digital computing before modern times" - "The Evolution of Babbage's Calculating Engines", Annals of the History of Computing, 9 (1987), xv.

A more pragmatic explanation of Ada's work (The Cogwheel Brain, p. 165, by Doron David Swade, published in 2000) is that, when supplied with algorithms for the solution of various problems, Ada illustrated in her notes, in the form of charts, the step-wise sequence of events as the machine progressed through a string of instructions input from punched cards. It is this finite piece of Ada's work that many have referred to as being recognised in the 20th century as the first published example of a [computer] "program".

Great woman, unique story and fascinating event in computing history and for the development of information systems.

The information in this discussion is condensed from numerous sources and searches.


Tuesday, August 11, 2015

BYOD: Cyber Classification

Having an effective cyber defence requires "identification" of the methodology proposed for each of the measures adopted in the Critical Security Controls (CSC) programme. The Critical Security Controls listed below have been developed from the combined knowledge of actual attacks and effective defences of experts from every part of the cyber security ecosystem.

CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Malware Defences
CSC 6: Application Software Security
CSC 7: Wireless Access Control
CSC 8: Data Recovery Capability
CSC 9: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 11: Limitation and Control of Network Ports, Protocols, and Services
CSC 12: Controlled Use of Administrative Privileges
CSC 13: Boundary Defence
CSC 14: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 15: Controlled Access Based on the Need to Know
CSC 16: Account Monitoring and Control
CSC 17: Data Protection
CSC 18: Incident Response and Management
CSC 19: Secure Network Engineering
CSC 20: Penetration Tests and Red Team Exercises

Given the adoption of the CSC classifications, it is not surprising that it would be in the interests of organisations to adopt the short form code associated with the Critical Security Control found to have been breached. For instance, where a BYOD is found to be the cause of the breach, it may be said that a CSC-7 breach took place. The use of a short form code:

(i) immediately informs those who are aware of the short form code of the type of breach that has taken place;
(ii) creates standardisation across the organisation;
(iii) enables an organisation's first responder to identify and locate BYODs;
(iv) labels a breach in accordance with the internationally recognised CSC classification;
(v) removes the need for organisations to generate difficult and complex in-house classifications that later require translation, e.g. technical, legal, commercial.

CSC 7: Wireless Access Control
The processes and tools used to track/control/prevent/correct the security use of wireless local area networks (LANs), access points, and wireless client systems.

Why Is This Control Critical?
Major thefts of data have been initiated by attackers who have gained wireless access to organizations from outside the physical building, bypassing organizations' security perimeters by connecting wirelessly to access points inside the organization. Wireless clients accompanying traveling officials are infected on a regular basis through remote exploitation during air travel or in cyber cafes. Such exploited systems are then used as back doors when they are reconnected to the network of a target organization. Still other organizations have reported the discovery of unauthorized wireless access points on their networks, planted and sometimes hidden for unrestricted access to an internal network. Because they do not require direct physical connections, wireless devices are a convenient vector for attackers to maintain long-term access into a target environment.

CSC 7 Procedures and Tools
Effective organizations run commercial wireless scanning, detection, and discovery tools as well as commercial wireless intrusion detection systems.

Additionally, the security team should periodically capture wireless traffic from within the borders of a facility and use free and commercial analysis tools to determine whether the wireless traffic was transmitted using weaker protocols or encryption than the organization mandates. When devices relying on weak wireless security settings are identified, they should be found within the organization's asset inventory and either reconfigured more securely or denied access to the organization network.

The security team should also employ remote management tools on the wired network to pull information about the wireless capabilities and devices connected to managed systems.

CSC 7 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:

1)  Are systems capable of identifying unauthorized wireless devices or configurations when they are within range of the organization's systems or connected to their networks (yes or no)?
2)  How long does it take to generate alerts about unauthorized wireless devices that are detected (time in minutes)?
3)  How long does it take for unauthorized wireless devices to be blocked from connecting or isolated from the network (time in minutes)?
4)  Are additional alerts generated every 24 hours after the initial alert until the system is isolated or removed from the network (yes or no)?
5)  Is the system able to identify the location, department, and other details of where authorized and unauthorized wireless devices are plugged into the network (yes or no)?

CSC 7 Automation Metrics
In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:

1)  How many rogue wireless access points have been discovered recently in the organization (by business unit)?  This should include non-persistent, temporary and transient access points.
2)  What is the average time that it takes to remove rogue access points from the organization's network (by business unit)?
3)  How many wireless access points or clients have been discovered using an unauthorized wireless configuration recently in the organization (by business unit)?

CSC 7 Effectiveness Test
To evaluate the implementation of Control 7 on a periodic basis, the evaluation team has to configure 10 unauthorized but hardened wireless clients and wireless access points to the organization's network and attempt to connect them to its wireless networks. In the case of wireless access points, these access points have to not be directly connected to the organization's trusted network. Instead, they have to simply be configured to act as a wireless gateway without physically connecting to a wired network interface. In the case of scanning for wireless access points from a wired interface, the connected access point has to have the wireless radio disabled for the duration of the test. These systems have to be configured to test each of the following scenarios:

•  A wireless client with an unauthorized service set identifier configured on it.
•  A wireless client with improper encryption configured.
•  A wireless client with improper authentication configured.
•  A wireless access point with improper encryption configured.
•  A wireless access point with improper authentication configured.
•  A completely rogue wireless access point using an unauthorized configuration.

When any of the above-noted systems attempt to connect to the wireless network, an alert has to be generated and enterprise staff has to respond to the alerts to isolate the detected device or remove the device from the network.

CSC 7 System Entity Relationship Diagram
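The six test scenarios above, together with the effectiveness and automation metrics listed earlier (time to alert, time to isolate, re-alerting after 24 hours, rogue and misconfigured counts by business unit), can be exercised end to end with a small detection and reporting script. The following is an added example written for this post; it is not part of the Critical Security Controls text or any vendor's WIDS. The authorized SSID/BSSID inventory, the mandated encryption and authentication sets, the `Observation` record layout and the sensor records in `SAMPLE` are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed policy and inventory. These values are assumptions for the example,
# not part of the Critical Security Controls text.
AUTHORIZED_SSIDS = {"corp-wifi", "corp-guest"}
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
MANDATED_ENCRYPTION = {"WPA2-CCMP", "WPA3-SAE"}
MANDATED_AUTH = {"802.1X", "SAE"}


@dataclass
class Observation:
    """One record from a wireless scanner or WIDS sensor (field layout assumed)."""
    seen_at: datetime
    kind: str         # "ap" or "client"
    mac: str          # BSSID of an AP, or station MAC of a client
    ssid: str         # SSID advertised (AP) or associated to (client)
    encryption: str   # e.g. "WPA2-CCMP", "WPA-TKIP", "WEP", "OPEN"
    auth: str         # e.g. "802.1X", "SAE", "PSK", "OPEN"
    unit: str         # business unit of the sensor that saw it


def classify(obs: Observation) -> List[str]:
    """Map one observation onto the six CSC 7 effectiveness-test scenarios."""
    findings = []
    if obs.kind == "client":
        if obs.ssid not in AUTHORIZED_SSIDS:
            findings.append("client-unauthorized-ssid")
        if obs.encryption not in MANDATED_ENCRYPTION:
            findings.append("client-improper-encryption")
        if obs.auth not in MANDATED_AUTH:
            findings.append("client-improper-authentication")
    elif obs.mac not in AUTHORIZED_BSSIDS:
        # An unknown BSSID, even one cloning an authorized SSID, is a rogue AP.
        findings.append("rogue-access-point")
    else:
        if obs.encryption not in MANDATED_ENCRYPTION:
            findings.append("ap-improper-encryption")
        if obs.auth not in MANDATED_AUTH:
            findings.append("ap-improper-authentication")
    return findings


@dataclass
class Alert:
    mac: str
    unit: str
    findings: List[str]
    first_seen: datetime
    raised_at: datetime
    isolated_at: Optional[datetime] = None


def raise_alerts(observations: List[Observation], sensor_delay: timedelta) -> Dict[str, Alert]:
    """One alert per offending device; sensor_delay models the detection pipeline lag."""
    alerts: Dict[str, Alert] = {}
    for obs in observations:
        findings = classify(obs)
        if not findings:
            continue
        existing = alerts.get(obs.mac)
        if existing is None:
            alerts[obs.mac] = Alert(obs.mac, obs.unit, findings, obs.seen_at, obs.seen_at + sensor_delay)
        else:
            existing.findings = sorted(set(existing.findings) | set(findings))
    return alerts


def metrics(alerts: Dict[str, Alert], now: datetime) -> Dict[str, dict]:
    """Per business unit: rogue AP count, misconfigured device count, average minutes
    to alert and to isolate, and devices still un-isolated 24h after the first alert."""
    per_unit: Dict[str, dict] = {}
    for a in alerts.values():
        m = per_unit.setdefault(a.unit, {"rogue_aps": 0, "misconfigured": 0,
                                         "_alert": [], "_isolate": [], "realert_due": 0})
        if "rogue-access-point" in a.findings:
            m["rogue_aps"] += 1
        else:
            m["misconfigured"] += 1
        m["_alert"].append((a.raised_at - a.first_seen).total_seconds() / 60)
        if a.isolated_at is not None:
            m["_isolate"].append((a.isolated_at - a.raised_at).total_seconds() / 60)
        elif now - a.raised_at >= timedelta(hours=24):
            m["realert_due"] += 1   # metric 4: must be re-alerted until isolated
    for m in per_unit.values():
        alert_t, isolate_t = m.pop("_alert"), m.pop("_isolate")
        m["avg_minutes_to_alert"] = sum(alert_t) / len(alert_t)
        m["avg_minutes_to_isolate"] = sum(isolate_t) / len(isolate_t) if isolate_t else None
    return per_unit


T0 = datetime(2015, 8, 11, 9, 0)
# Constructed sensor records: a rogue AP cloning the corporate SSID, a managed AP left on
# WEP/PSK, a client on a personal hotspot, and two compliant devices for contrast.
SAMPLE = [
    Observation(T0, "ap", "00:11:22:33:44:01", "corp-wifi", "WPA2-CCMP", "802.1X", "finance"),
    Observation(T0, "ap", "de:ad:be:ef:00:01", "corp-wifi", "WPA2-CCMP", "802.1X", "finance"),
    Observation(T0, "ap", "00:11:22:33:44:02", "corp-guest", "WEP", "PSK", "sales"),
    Observation(T0 + timedelta(minutes=5), "client", "aa:bb:cc:00:00:01", "byod-hotspot", "WPA-TKIP", "PSK", "sales"),
    Observation(T0 + timedelta(minutes=6), "client", "aa:bb:cc:00:00:02", "corp-wifi", "WPA2-CCMP", "802.1X", "finance"),
]


def run_example():
    alerts = raise_alerts(SAMPLE, sensor_delay=timedelta(minutes=2))
    # Staff isolate the rogue AP 20 minutes after first sighting; the sales findings stay open.
    alerts["de:ad:be:ef:00:01"].isolated_at = T0 + timedelta(minutes=20)
    return alerts, metrics(alerts, now=T0 + timedelta(hours=25))


if __name__ == "__main__":
    found, report = run_example()
    for mac, a in found.items():
        print(mac, a.unit, ", ".join(a.findings))
    print(report)
```

The classification deliberately treats any BSSID outside the inventory as rogue before looking at its encryption or authentication, because a well-configured rogue AP is still rogue; the "improper" findings only apply to devices the organization actually owns. Feeding real scanner exports into `Observation` records and replacing the constructed inventory with the organization's asset register is what turns this into an automation metric source.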
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices used to manage, command, direct, or regulate the behaviour of other devices or systems. In this case, we are examining the configuration and management of wireless devices, wireless IDS/scanners, wireless device management systems, and vulnerability scanners. The list of steps below shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.

•  Step 1: Hardened configurations applied to wireless devices.
•  Step 2: Hardened configurations managed by a configuration management system.
•  Step 3: Configuration management system manages the configurations on wireless devices.
•  Step 4: Wireless IDS monitor usage of wireless communications.
•  Step 5: Vulnerability scanners scan wireless devices for potential vulnerabilities.
•  Step 6: Wireless clients utilize wireless infrastructure systems in a secure manner.

Sunday, August 02, 2015

National Digital Science and Justice Office (NDSJO)

A recent forum discussion I read mentioned a Digital Forensics Capability Review. The discussion also identified the document that forms the basis of this review:

There were some good responses from forum members. Those responses, combined with the initial enquiry and the downloaded reference document, suggested to me that continually tinkering here and there with different elements of "digital forensics" is perhaps why there is no real substantive change consolidating "digital forensics". There is a desire to galvanise a unifying system, but as digital forensics is made up of so many constituent elements it may be quite difficult to know where to start.

Some observations:

1) Industry-specific foundation materials are needed to make ISO/IEC 17025 work; the latter document tries to be all things to all men - ISO/IEC 17025 is used by many industries, from chemical production, metals, drugs and fertilisers through to food products etc. People may passionately argue it is the right standard to follow. ISO/IEC 17025 is a commercially orientated document for business. It outlines what is expected to get business but not how to go about achieving the results it defines should be met. Achieving the result requires specific i) competencies, ii) knowledge, iii) skillsets and iv) experiences, which are not defined when simply applying over-arching generic principles.

2) A document that should be replaced is the "Association of Chief Police Officers (ACPO) Principles (ACPO, 2012)". There should be in its place an industry document for digital forensic principles, similar to the US NIST documents. This document should be for all and created by all, and not created by public servants. Just because a document is not 'authorised' as the de facto standard doesn't mean to say it isn't being used in that way to ensure public funds are misguidedly placed in only certain sectors. This means an industry document would apply to everyone following the same criteria set by a 'body', as opposed to the "don't do what we do, do what we say" brigade.

3) There needs to be a body such as a National Digital Science and Justice Office (NDSJO) that is not run by public or private cronies or apparatchiks but by an elected office, with elections every five years and no employment-for-life positions. It is important that at least one active or retired senior judge should be elected to a post responsible for safeguarding independence, objectivity and impartiality, with the legal authority to enforce that.

3.1) The NDSJO shall avoid discrimination of any sort, and the NDSJO shall publish lists of those engaged by the NDSJO measured against criteria such as "age", "sex", "ethnicity" etc., and identify and put deterrents in place to prevent favour to one particular group of persons or political pressures.

3.2) The NDSJO shall feed knowledge into the national science education system of schools, academies and colleges for the future development of our children.

3.3) The NDSJO shall also provide for a membership and membership fee to ensure wisdom, knowledge, skills and experience thrive within the NDSJO.

3.4) The NDSJO shall work with the Competition Commission etc. to detect and stop cartels or monopolies taking place on public sector contracts. A higher proportion of public sector contracts should go to small and medium sized businesses to help them grow and to avoid large organisations dumping high levels of staff, which can undermine the British economy.

3.5) To prevent major contract holders (a) suppressing salaries, wages or self-employed payments and skimming off profits whilst forcing sub-contractors to constantly find savings, causing significant detriment to work performance and to the salaries/wages/self-employed payments that, when unfettered, influence an upturn in the British economy.

3.6) The NDSJO shall be responsible for preparing and producing particular digital science industry documents.

4) All manufacturers providing purchased or free tools (software and hardware) to be used for acquiring evidence, whether commercial or forensic tools, shall be registered with the NDSJO. Manufacturers shall legally self-certify their product as fit for purpose, and those who sell tools shall provide the necessary insurance for all claims. The NDSJO shall identify insurance schemes for free tools that have been produced through goodwill but have an effective and affective role when used in acquiring evidence. The latter may equally involve the user of the free tool providing an insurance that might be encapsulated as part of the membership fee of the NDSJO. Is it true that someone is smiling on the plans above? Well, it could act as a needed fillip to the British economy.