bill’s blog


Browsing Posts published in April, 2010

Here in the United States we use a base-10 system for many things… certainly we count using a base-10 numbering system. Our currency is base-10. I can remember the big push in the late ‘70s to move to the metric system, which by the way is a base-10 system. Yet we may not realize that there are many different numbering systems ingrained in our society. We use an English system to express units of measure (length), which in many ways is based on a Roman system of measurement! An example being the mile… Originally based on the Roman mile (5000 feet), in 1592 it was extended to 5280 feet to make it an even number (8) of furlongs (wikipedia.org, 2010). By the way… The distance between the rails on a high-speed train line is 143.5 centimeters. Why? Because that was the distance between the wheels of a Roman chariot. That was the distance needed to fit two horses side by side in front of the chariot.

In IT, we are familiar with seeing different numbering systems. We see both base-2 (binary) and base-16 (hexadecimal) numbering systems quite a lot.

The binary number system contains just two values, 1 and 0. George Boole is considered by many as the father of modern-day computing. It was his work with logic that ultimately boils logic and the math behind it down to a simple yes or no (1 or 0). This can make computing numbers extremely fast. If one thinks in terms of electrical switches, you either have an on or an off position. Computer microchips are designed in such a fashion that, depending on the state of the signal (1 or 0), a logic pattern can be computed and the software then executed. We in IT often find ourselves behind this logic. It is so ingrained in our beings that it is often hard for us to factor in the randomness that plays such a large part in life. Why? Because we are surrounded by 1’s and 0’s. Yes, we all know that computers use on and off as a basic premise of computer code… But did you know that CD/DVD/Blu-ray discs are perfect illustrations of the use of the binary system? They are encoded by a laser punching holes in the foil membrane embedded within the protective plastic casing. These holes (or pits) represent a 0 (or no signal) and the untouched foil (or non-pit areas) represents a 1. When played back, the software converts this binary stream into the music or movies that we’ve come to enjoy!

We also come across hex numbers quite often! The hexadecimal number system complements the binary system. Each hexadecimal digit represents four binary digits (bits) (also called a “nibble”), and the primary use of hexadecimal notation is as a human-friendly representation of binary-coded values in computing and digital electronics (wikipedia.org, 2010). We see hex used when looking at MAC addresses. We use hexadecimal representation for RGB colors in Photoshop, HTML or CSS documents. We will be using hexadecimal numbers when writing out IPv6 addresses! If you’ve ever used a packet capture tool such as Wireshark, you’ve seen that network packets are written in hexadecimal as well. 192.168.1.1 can be represented as c0 a8 01 01. A lot fewer characters need to be put out onto the wire.
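As an added example (not code from the original post), the following Python moves an IPv4 address between the three notations mentioned above: dotted decimal, the hex bytes you would see in a packet capture, and the four-bit nibbles behind each hex digit. The address 192.168.1.1 is the post's own example; the function names are my own.

```python
# Added example: IPv4 address <-> hex bytes <-> binary nibbles.
# Function names are illustrative; the sample address comes from the post.

# One four-bit nibble per hexadecimal digit, e.g. 'c' -> '1100'.
HEX_DIGIT_TO_NIBBLE = {f"{i:x}": f"{i:04b}" for i in range(16)}


def ipv4_to_hex_bytes(address):
    """'192.168.1.1' -> ['c0', 'a8', '01', '01'] (one two-digit hex byte per octet)."""
    parts = address.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted-quad address: {address!r}")
    hex_bytes = []
    for part in parts:
        value = int(part)  # raises ValueError on non-numeric text
        if not 0 <= value <= 255:
            raise ValueError(f"octet out of range: {part}")
        hex_bytes.append(f"{value:02x}")
    return hex_bytes


def hex_bytes_to_ipv4(hex_bytes):
    """Inverse of ipv4_to_hex_bytes: ['c0', 'a8', '01', '01'] -> '192.168.1.1'."""
    return ".".join(str(int(h, 16)) for h in hex_bytes)


def hex_to_nibbles(hex_string):
    """Expand each hex digit into its nibble: 'c0' -> ['1100', '0000']."""
    return [HEX_DIGIT_TO_NIBBLE[ch] for ch in hex_string.lower()]


def ipv4_to_binary(address):
    """32-bit binary string for the address, built nibble by nibble from the hex form."""
    return "".join(
        nibble
        for byte in ipv4_to_hex_bytes(address)
        for nibble in hex_to_nibbles(byte)
    )


def representation_lengths(address):
    """Character counts of the same four bytes written in each notation."""
    return {
        "decimal": len(address),
        "hex": len("".join(ipv4_to_hex_bytes(address))),
        "binary": len(ipv4_to_binary(address)),
    }


if __name__ == "__main__":
    addr = "192.168.1.1"
    print(addr, "->", " ".join(ipv4_to_hex_bytes(addr)))
    for byte in ipv4_to_hex_bytes(addr):
        print(f"  {byte} = {' '.join(hex_to_nibbles(byte))}")
    print(representation_lengths(addr))
```

All three notations describe the same four bytes; what changes is how many characters a human has to read or type, which is why hex is the usual choice in packet captures and MAC addresses.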

Different number systems can fundamentally be thought of as ways to keep track of information in the most efficient way that the numbers can be grouped together.

Resources:

Various. (2010, April 10). English units. Retrieved April 28, 2010, from http://en.wikipedia.org/wiki/English_units

Various. (2010, April 28). Hexadecimal. Retrieved April 28, 2010, from http://en.wikipedia.org/wiki/Hexadecimal

Intrusion Detection System

IDSs (Intrusion Detection Systems) have become the buzz in the last few years. IDSs can be deployed in a number of ways. They can be network based or host based. They can be hardware appliances or software based. BUT no matter how they are deployed… They are there to detect malicious behavior. In order to be effective they need to be configured correctly.

The first thing that needs to happen is a true security policy. Without this document you’re just flying by the seat of your pants. Your intentions may be good, but without this policy you’re making the rules and they may not be in the best interest of the company… certainly there are things that everyone agrees upon!

Once the rules are in place, one can start to deploy the proper technologies to start protecting your network. Strong firewall rules need to be effective against attacks.

Once that’s all in place, the implementation of an Intrusion Detection System is in order. Again, with any technology that is deployed, a strong understanding of the system is in order… This may seem like common sense, but with an IDS sometimes the best defense is blocking the object of the attack. If you’re not careful you could block legitimate traffic or deny legitimate users access to network resources.

Things like false attack stimulus, false positives, and false negatives can lull security administrators into complacency, ignoring alarms when their attention is needed most! So what are these things?

Well, let’s look at what True Attack Stimulus means… It is an actual event/attack that, left unattended, could cause a system to be compromised. These event/attack alerts (or alarms) are based on a number of rules that have either come preconfigured on the IDS or have been tuned over time to make the system more reliable. Remember, just standing up a system with factory defaults is never a good thing. If the system isn’t tuned (configured) to reduce the number of false positives, the system will be ignored.

False attack stimulus is traffic that will issue an alarm. Traffic of this nature is often seen when an attacker probes a network but no actual attack occurs. These probes offer no real threat to your systems. Known false attack stimuli can be used to test your system once tuned, to ensure that your system ignores false positives.

False positives are network traffic that, while not normal, is not an actual threat to your systems. This information should be used to tune your IDS, and over the course of time it should no longer trigger alerts. When we speak about tuning your IDS, we are letting the IDS know what the network baseline is. These events should be eliminated, as they will eventually lead to complacency when an alarm is issued.

False negatives are really bad! In this situation, an attack has occurred and your system has not alerted you to it. Again, this is where tuning comes into play. A balance needs to be struck between a system that is too responsive and a system that doesn’t react at all.

In order to be truly effective, there are a few other things that need to be discussed.

Site Policy Awareness – This is the ability of the IDS to adjust its rule settings to react to a series of events. The changes in rules happen dynamically. Again, the IDS needs to learn what is acceptable behavior and what is not. It needs to know the status of the hosts it’s monitoring.

Confidence Value – This is a measure of how well an IDS will respond to a predefined series of events. In other words, how likely is the IDS to detect a DoS attack? It is usually expressed as a percentage. 90%? OK, when it detects an attack with this rating we’re pretty sure an attack is happening. 50%? Well, an attack may be happening, but then again it may not. Let’s keep an eye on things and see what we can learn. As the device ‘learns’, the confidence value goes up!

Alarm Filtering – This is where we can tell the IDS to ignore false positives when the traffic is coming from a known source. Again, this is not foolproof! Attacks are equally likely to come from within an organization as from outside. One must understand the workings of the network before making any steadfast filters.
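To make the terms above concrete (true attack stimulus, false positive, false negative, confidence value and alarm filtering), here is an added example that is not part of the original post: a toy signature-matching IDS run over a handful of constructed log lines, scored against a ground-truth label that only exists because the sample is made up. The rule names, the addresses and the requests are all invented for the illustration; the "tuned" rule set shows the two things the post asks for, decoding traffic to the baseline form before matching and filtering a known, authorized source.

```python
# Added example: scoring a toy IDS rule set to show true attack stimulus,
# false positives, false negatives, per-rule confidence and alarm filtering.
# All events, addresses and rules below are constructed for this illustration.
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Event:
    src: str         # source address of the request
    message: str     # one log line
    is_attack: bool  # ground truth, known only because the sample is constructed


# Constructed sample traffic. 10.0.0.7 is the organisation's own authorised
# scanner: it generates a known false attack stimulus, not a real attack.
EVENTS = [
    Event("10.0.0.5",  "GET /index.html 200", False),
    Event("10.0.0.9",  "GET /cgi-bin/../../../etc/passwd 404", True),
    Event("10.0.0.12", "GET /help/change-passwd.html 200", False),
    Event("10.0.0.7",  "GET /cgi-bin/../../../etc/passwd 404", False),
    Event("10.0.0.9",  "GET /cgi-bin/%2e%2e/%2e%2e/%2e%2e/etc/shadow 404", True),
    Event("10.0.0.31", "GET /images/logo.png 200", False),
]


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str  # regular expression applied to the (optionally decoded) log line


# Factory-default style rules: too broad ("passwd" matches a help page) and
# applied to the raw, still URL-encoded line.
NAIVE_RULES = [Rule("traversal", r"\.\./"), Rule("passwd", r"passwd")]

# Tuned rules: tighter patterns, meant to run on the decoded line.
TUNED_RULES = [
    Rule("traversal", r"/\.\./"),
    Rule("sensitive-file", r"/etc/(passwd|shadow)\b"),
]


def fired_rules(event, rules, normalize=False):
    """Names of the rules that match this event; normalize decodes %xx escapes first."""
    text = unquote(event.message) if normalize else event.message
    return [r.name for r in rules if re.search(r.pattern, text)]


def score(events, rules, normalize=False, ignore_sources=frozenset()):
    """Count outcomes using the post's vocabulary. ignore_sources is the alarm filter."""
    counts = {"true_attack_stimulus": 0, "false_positive": 0,
              "false_negative": 0, "true_negative": 0}
    for ev in events:
        alerted = bool(fired_rules(ev, rules, normalize)) and ev.src not in ignore_sources
        if alerted and ev.is_attack:
            counts["true_attack_stimulus"] += 1
        elif alerted:
            counts["false_positive"] += 1
        elif ev.is_attack:
            counts["false_negative"] += 1
        else:
            counts["true_negative"] += 1
    return counts


def rule_confidence(events, rules, normalize=False, ignore_sources=frozenset()):
    """Per-rule confidence as a percentage: of the alerts a rule raised, how many
    were real attacks (precision). None if the rule never fired."""
    result = {}
    for rule in rules:
        hits = [ev for ev in events
                if ev.src not in ignore_sources and rule.name in fired_rules(ev, [rule], normalize)]
        attacks = sum(1 for ev in hits if ev.is_attack)
        result[rule.name] = round(100 * attacks / len(hits)) if hits else None
    return result


if __name__ == "__main__":
    scanner = frozenset({"10.0.0.7"})
    print("defaults:", score(EVENTS, NAIVE_RULES), rule_confidence(EVENTS, NAIVE_RULES))
    print("tuned:   ", score(EVENTS, TUNED_RULES, normalize=True, ignore_sources=scanner),
          rule_confidence(EVENTS, TUNED_RULES, normalize=True, ignore_sources=scanner))
```

With the default rules the help page is a false positive, the scanner's probe is a second false positive, and the URL-encoded request is a false negative because the raw line never contains "../". The tuned run decodes before matching, narrows the patterns and filters the scanner's address, so every remaining alarm is a true attack stimulus and each rule's confidence reaches 100%. The filter is exactly the tradeoff the post warns about: any request from 10.0.0.7 is now invisible to the IDS, so the filter should only cover a host whose role on the network is understood.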

Intrusion Detection Systems are a valuable part of a network’s defenses. Taking the time to configure (teach) it is well worth the effort! Don’t ignore the alerts! You have two action items when you receive an alert… stop the attack OR learn from the false positive and teach your IDS to better handle the event!

Computers and science fiction are intrinsically bound at the hip! And no one individual ties the two together better than Star Trek’s Mr. Spock! Spock could be seen in most episodes working at his computer workstation fine-tuning the results of a search, calculating odds or presenting a definitive course of action. But it wasn’t Spock’s love of computers that made him so special… It was his impeccable logic! So sound was his logic that Kirk would go on to say, “You’d make a splendid computer, Mr. Spock” (Roddenberry, 1967).

We as human beings often think with emotion rather than logic. Thinking with emotion clouds logical thought. In IT the ability to think logically about a problem is a must… ones and zeros. It helps with the reasoning process… “I understand that your computer seems slow, but can you be more precise?” If we can eliminate subjectivity, we can often get at the root of the problem much more expeditiously. But logic isn’t only used to troubleshoot software bugs. Logic comes in handy for project management concerns as well.

We are constantly moving solutions into and out of the organizations we work for. Returning machines on lease seems pretty benign. We buy machines… they get delivered… we image them… we deploy them to the end-user’s desktop. One needs to be worried about interrupting the user. We don’t want to incur additional costs because we can’t turn around the number of machines ordered. It takes a lot of planning. The more you touch a piece of hardware, the more time it takes to deploy… and the better your chances of messing up! Understanding how to stage the machines and being flexible to change needs to be a part of your logic.

Technology data migrations are another place where logic plays a hand. The more complex a migration is, the more logic needs to be applied for a successful outcome. One needs to be able to determine the order in which changes happen. Formatting a hard drive before you move the data off would be a really bad thing. Does the user’s home directory reside on the server or is it cached locally on their laptop? When was the last time the data was synced? These are just some of the questions you need to answer to plan adequately. It is logic that you use to formulate the best way to make things happen.

Common sense… plays a part here too. The most common meaning of the phrase is good sense and sound judgment in practical matters (Wikipedia, 2010). It is this judgment that, when strung together, makes our logic sound as well! Some may say logic does not come naturally. Just like our reasoning skills, logic needs to be learned. The study of logic enables us to communicate effectively, make more convincing arguments, and develop patterns of reasoning for decision making (Angel, 2007). The more you exercise your logical thinking, the better you become at it.

Resources:

Angel, A., Abbott, C., & Runde, D. (2007). A Survey of Mathematics with Applications. Pearson/Addison Wesley.

Roddenberry, G. (1967, February 9). Star Trek [The Return of the Archons]. New York: National Broadcasting Company.

Various. (2010, April 20). Common sense. Retrieved April 21, 2010, from http://en.wikipedia.org/wiki/Common_sense

Man’s ability to reason sets us apart from any other animal on the face of the Earth. Some call it the “Divine spark”, others “God’s crowning gift to man”! Sure, animals have instinct, and there is an argument to be made that instinct is a learned behavior. BUT it is our ability to think through “all” the possibilities to reach our conclusions that sets us apart. Webster’s dictionary defines reason as the power of comprehending, inferring, or thinking, especially in orderly rational ways (merriam-webster.com, 2010). Reasoning can be broken down into inductive reasoning AND deductive reasoning. We use these two forms of reasoning without ever thinking about the fact that we are using our reasoning skills to guide our actions. So how are these skills applied in real life?

Inductive reasoning is the process of reasoning to a general conclusion through observations of specific cases (Angel, 2007). In the course of everyday life we take notice of a great many things… some overt, some unapparent. We use these observations to learn from and improve our existence! For instance, we learn a flame is hot… and all fires I’ve seen have flames, therefore all fire is hot. We learned not to put our hands in the fire! Taken in the context of day-to-day business dealings, we learn how to deal with individuals. In IT this is extremely important. We learn how to prioritize our work based on the person who calls in for help. “If I don’t get back to this user right away she’ll call the president of the company and try to get me fired!” Why? Because that’s what she’s done in the past many times over. Some successfully, others not so much, BUT she’s tried just the same. “Why try my luck?” We use inductive reasoning to avoid the pitfalls of our corporate existence!

In contrast, deductive reasoning is the process of reasoning to a specific conclusion from a general statement (Angel, 2007). In IT we use this form of reasoning quite a lot. We are often faced with problems that need to be solved, and in fact must be if we are to keep our jobs! Very often we start with a gut reaction to a problem (or hypothesis). For example, my computer is not getting an IP address. We gain valuable new data… multiple computers are not getting an IP address. We then draw some conclusions and state our hypothesis… therefore the DHCP server is down!

We start looking at possible things that could be causing the problem du jour. We check to make sure the computer is jacked into the network correctly (my computer). We check to make sure the network switch is working correctly (other computers). These basic troubleshooting skills test the soundness (or validity) of our hypothesis. We constantly narrow the scope until we prove the validity of our original hypothesis. Some conclusions are valid, reinforcing that we are on the right track (assuming our logic is correct), while others are invalid, which in turn leads us to modify our thinking or come up with a completely new hypothesis. In other words, we fix the problem!

Resources:

Angel, A., Abbott, C., & Runde, D. (2007). A Survey of Mathematics with Applications. Pearson/Addison Wesley.

Unknown. (2010). Reason. In Merriam-Webster Online Dictionary. Retrieved April 15, 2010, from http://www.merriam-webster.com/dictionary/reason

apotropaic |ˌapətrəˈpā-ik|
adjective
supposedly having the power to avert evil influences or bad luck