<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>InfoSec and Beyond</title>
	<atom:link href="http://www.infosecandbeyond.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infosecandbeyond.com</link>
	<description>Information Security, Email, Web Development, Network Optimization,  Virtualisation, Cloud and General IT Ramblings</description>
	<lastBuildDate>Mon, 26 Sep 2011 15:01:07 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>BBC Report Highlights Bad Spelling As Key Factor In Email Data Loss</title>
		<link>http://www.infosecandbeyond.com/2011/09/bbc-report-highlights-bad-spelling-as-key-factor-in-email-data-loss/</link>
		<comments>http://www.infosecandbeyond.com/2011/09/bbc-report-highlights-bad-spelling-as-key-factor-in-email-data-loss/#comments</comments>
		<pubDate>Tue, 13 Sep 2011 08:24:06 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Information Security]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=680</guid>
		<description><![CDATA[A BBC Report has highlighted misspelled email addresses as a key factor in loss of sensitive data via email. Putting a dot in the wrong place or utilizing slight misspellings in domain names has presented a security loophole for malicious attackers to use to steal data. Click For BBC Report Many large organisations use [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">A BBC Report has highlighted misspelled email addresses as a key factor in loss of sensitive data via email. Putting a dot in the wrong place or utilizing slight misspellings in domain names has presented a security loophole for malicious attackers to use to steal data.</p>
<div class="mceTemp mceIEcenter" style="text-align: center;">
<dl class="wp-caption aligncenter" style="width: 314px;">
<dt class="wp-caption-dt"><a href="http://www.bbc.co.uk/news/technology-14842691"><img title="Domain Name Spelling" src="http://news.bbcimg.co.uk/media/images/55305000/jpg/_55305171_handsonkeyboard,reuters.jpg" alt="" width="304" height="171" /></a></dt>
<dd class="wp-caption-dd">Click For BBC Report</dd>
</dl>
</div>
<p style="text-align: justify;">Many large organisations use multiple sub-domains to divide their various divisions either by function or geographically. Email addresses in this type of environment can get pretty complex. For example, bank.com might use the sub-domain us.bank.com as the email sub-domain for its US employees. So, John Smith might have an address like &#8220;<a href="mailto:john.smith@us.bank.com">john.smith@us.bank.com</a>&#8221;. Data loss can occur when a user types the wrong email suffix, such as usbank.com. An email to this address would normally be bounced back to the sender with an error, as the domain wouldn&#8217;t be recognized. It is, however, very easy for an attacker to set up the wrongly spelled email domain, putting them in a position where they receive all email for that domain. Researchers have found that by doing this they managed to grab over 20GB of incorrectly addressed mail over a 6-month period. The data grabbed included personal details, usernames, passwords and a bevy of other sensitive information.</p>
<p style="text-align: justify;">This is a loophole often ignored by companies, but one that is easily mitigated. By using an information classification tool such as the <a title="Boldon James Email Classifier" href="http://www.boldonjames.com/products/information-classification-products/emailclassifier/">Boldon James Email Classifier</a> product, organisations can not only categorize their emails by their level of sensitivity, they can also control which domains are allowed to receive emails from their employees. This is known as white-listing. If you would like to know more about email white-listing, please <a title="Contact Me" href="http://www.infosecandbeyond.com/contact-me/">contact me</a> or contact Boldon James directly at <a href="http://www.boldonjames.com">www.boldonjames.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2011/09/bbc-report-highlights-bad-spelling-as-key-factor-in-email-data-loss/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hi Mum, I&#8217;m on TV &#8211; Campaign Win</title>
		<link>http://www.infosecandbeyond.com/2011/09/hi-mum-im-on-tv-campaign-win/</link>
		<comments>http://www.infosecandbeyond.com/2011/09/hi-mum-im-on-tv-campaign-win/#comments</comments>
		<pubDate>Sat, 03 Sep 2011 00:24:20 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=671</guid>
		<description><![CDATA[For the past two years I&#8217;ve been working with my neighbours to try and stop a heavy industrial waste processing and burning plant from being built just 100 metres from my family home.  As co-founder, and soon after appointed Chairman of the opposition group (Say No To Green Lane Incinerator), I thought I&#8217;d share our [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">For the past two years I&#8217;ve been working with my neighbours to try and stop a heavy industrial waste processing and burning plant from being built just 100 metres from my family home.  As co-founder, and soon after appointed Chairman of the opposition group (Say No To Green Lane Incinerator), I thought I&#8217;d share our recent victory with you. Below is the BBC North West Report Video:</p>
<div align="center"><iframe src="http://www.youtube.com/embed/5frblKMNoQM" frameborder="0" width="480" height="390"></iframe></div>
<p style="text-align: justify;">My local Council, Salford, has assessed the proposal for the plant and all of the for and against arguments. Thankfully, they have decided to reject the application to build the facility. I have really enjoyed working with our 1,500 member campaign group and feel lucky that I have had the opportunity to work with and get to know my close neighbours, as well as my local Member of Parliament (MP), Hazel Blears, who has provided support and guidance throughout. In addition, my dual role as campaign Chairman and Spokesperson has resulted in valuable leadership experience as well as experience with newspaper, radio and television appearances (which I hope to put to good use in future challenges and endeavours).</p>
<p style="text-align: justify;">The case is by no means closed, as the developer may choose to appeal the council decision. Regardless, I&#8217;d like to say thanks to &#8220;Say No&#8221; supporters and all those people who contributed to the victory. Especially Boldon James for letting me take short notice holidays at critical junctures in the campaign.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2011/09/hi-mum-im-on-tv-campaign-win/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ePrivacy Directive: EU to tighten up on Data Breach Notifications</title>
		<link>http://www.infosecandbeyond.com/2011/07/eprivacy-directive-eu-to-tighten-up-on-data-breach-notifications/</link>
		<comments>http://www.infosecandbeyond.com/2011/07/eprivacy-directive-eu-to-tighten-up-on-data-breach-notifications/#comments</comments>
		<pubDate>Tue, 19 Jul 2011 06:19:45 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Data Loss Prevention]]></category>
		<category><![CDATA[InfoSec]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=649</guid>
		<description><![CDATA[You may be aware that the EU recently put into force the updated ePrivacy Directive (2002/58/EC).  As of May 2011, the use of cookies to track website visitor information is now strictly prohibited.  Cookies which were previously used to track visitor behaviour and personal details may now only be used with the express permission of the visitor. Interesting [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">You may be aware that the EU recently put into force the updated ePrivacy Directive (2002/58/EC). As of May 2011, the use of cookies to track website visitor information is now strictly prohibited. Cookies which were previously used to track visitor behaviour and personal details may now only be used with the express permission of the visitor. Interestingly, websites based outside of the EU do not have to operate under the same constraints. The enforcement and technical implementation of the directive may take some time to filter through to every cookie-using site on the web, and penalties for not complying are yet to be seen.</p>
<p style="text-align: justify;"><img class="alignleft" title="EU Law" src="http://workconnexions.com/files/eu_law.jpg" alt="" width="160" height="106" />Work continues on the ePrivacy Directive in the coming months. One InfoSec concept which the EU is looking to tighten up control of through the directive is &#8220;disclosure&#8221;. Whereas in the past, companies or organisations may have been a little shy about publicising their information security breaches, it&#8217;s soon going to become a strictly enforced legal requirement to do so. Under the ePrivacy Directive, disclosure requirements will be covered under Data Breach Notification rules. A public consultation is currently underway and is due to conclude in September:</p>
<p style="text-align: justify;"><a title="ePrivacy Consultation" href="http://ec.europa.eu/information_society/policy/ecomm/library/public_consult/data_breach/index_en.htm" target="_blank">ePrivacy Consultation</a></p>
<p style="text-align: justify;">The consultation will cover the mechanisms for categorising, assessing and reporting breaches.</p>
<p style="text-align: justify;">The hacker groups Anonymous and LulzSec have made a mockery of the security controls of some major organisations in recent months. Data loss and its prevention continues to be a major challenge for information security managers. It&#8217;s time for organisations of all sizes to get serious about InfoSec, and this legislation could help push for that.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2011/07/eprivacy-directive-eu-to-tighten-up-on-data-breach-notifications/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Phone Hacking How To: Hacking Voicemail</title>
		<link>http://www.infosecandbeyond.com/2011/07/phone-hacking-how-to-hacking-voicemail/</link>
		<comments>http://www.infosecandbeyond.com/2011/07/phone-hacking-how-to-hacking-voicemail/#comments</comments>
		<pubDate>Mon, 18 Jul 2011 19:00:26 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[Phone Hacking]]></category>
		<category><![CDATA[Spoofing]]></category>
		<category><![CDATA[Voicemail Hacking]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=623</guid>
		<description><![CDATA[I&#8217;ve been asked in recent weeks how the News of the World private investigators were able to hack into the voicemail of the alleged 4,000 victims of the phone hacking scandal.  While the details of all that activity are something for the police to worry about, we can explain the basic methodology of a simple [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">I&#8217;ve been asked in recent weeks how the News of the World private investigators were able to hack into the voicemail of the alleged 4,000 victims of the phone hacking scandal. While the details of all that activity are something for the police to worry about, we can explain the basic methodology of a simple attack to do this, the one probably used in the majority of cases.</p>
<p style="text-align: justify;">In the world of InfoSec there is such a thing as a spoofing attack. A spoofing attack is where you have your device (whether that be a phone, PC or laptop) send out network packets with the identity of someone else. In the IP world, communications are broken down into thousands of small packets of data. Each packet has a destination address and a source address. In a spoofing attack, specialised software is used to send out packets with someone else&#8217;s source address.</p>
<p style="text-align: justify;"><img class="aligncenter" title="Phone Hacker" src="http://maximummen.com/wp-content/uploads/2011/07/phone-hacking-scandal.jpg" alt="" width="273" height="292" /></p>
<p style="text-align: justify;">With the convergence of data and voice networks over the last 10 years, there&#8217;s been a proliferation of technologies that allow data networks to connect to older technologies traditionally used to provide voice services. This has come in the form of VoIP, technologies that provide Voice over IP across a data network. This has brought voice communications into the realm of the computing community, and also into the hands of the bad guys in that community: hackers. Hackers have produced software tools that allow them to control the data sent out over VoIP data connections, where calls are made and received.</p>
<p style="text-align: justify;"><span id="more-623"></span></p>
<p style="text-align: justify;">On your mobile network, you actually have two phone numbers. Your mobile number and also another number that connects to your voicemail. These might be, for example:</p>
<p style="text-align: justify;">Mobile: 073666266266</p>
<p style="text-align: justify;">Voicemail: 7311111188888</p>
<p style="text-align: justify;">Your voicemail mailbox sits out in the mobile operator network. As your voicemail number is essentially just another mobile number, these can be difficult to remember and keep track of. So when you want to check your voicemail, you usually dial some kind of shortcut number, which routes you to your personal voicemail (e.g. O2 uses a shortcut of 901). When the voicemail service receives a call to the 901 number, it checks the incoming call for a CallerID (source address). It then maps this source address to the corresponding voicemail number and puts you through to your messages.</p>
<p style="text-align: justify;">To gain access to your voicemail, a bad guy simply needs to use the special software that allows him to set CallerID. He sets his CallerID (source address) to your mobile number and dials 901, and hey presto, he&#8217;s in your voicemail and listening to your messages.</p>
<p style="text-align: justify;">There are measures in place to make this more difficult. For instance, a PIN can be applied to the voicemail. Unfortunately, unless forced to do otherwise, most people leave the PIN as the default one (usually 0000 or 1234), which is easily tested and overcome to get access to your messages.</p>
<p style="text-align: justify;">Most network operators are on to these attacks now, so it&#8217;s not as easy as it was 4-5 years ago when most of the press hacking was allegedly occurring, but no doubt there are many vulnerabilities out there which can still be exploited.</p>
<p style="text-align: justify;">Disclaimer: Phone hacking as with all other hacking is very, very illegal. This article in no way intends to encourage readers to go out and break the law. Don&#8217;t do it, they&#8217;ll lock you up and throw away the key. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2011/07/phone-hacking-how-to-hacking-voicemail/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Poll: Who Should Become New Met Police Chief?</title>
		<link>http://www.infosecandbeyond.com/2011/07/poll-who-should-become-new-met-police-chief/</link>
		<comments>http://www.infosecandbeyond.com/2011/07/poll-who-should-become-new-met-police-chief/#comments</comments>
		<pubDate>Mon, 18 Jul 2011 17:59:49 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=578</guid>
		<description><![CDATA[As the plot thickens on the UK Phone Hacking scandal, yesterday we saw the Chief of the London Metropolitan Police (Sir Paul Stephenson) resign. In an effort to help identify credible candidates to replace him. We have created the following poll to canvas the opinion of the public.  Our nominated candidates are: Robocop Rebekah Brooks Tom Pellereau [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">As the plot thickens on the UK Phone Hacking scandal, yesterday we saw the Chief of the London Metropolitan Police (Sir Paul Stephenson) resign. In an effort to help identify credible candidates to replace him, we have created the following poll to canvass the opinion of the public. Our nominated candidates are:</p>
<table style="cell-padding: 0px; font-size: 11px; padding: 0px;">
<tbody>
<tr>
<td colspan="4"><img class="aligncenter size-full wp-image-588" title="Candidates for New Met Chief" src="http://www.infosecandbeyond.com/wp-content/uploads/2011/07/NewMetChief_NoText.jpg" alt="" width="540" height="250" /></td>
</tr>
<tr>
<td style="text-align: center;">Robocop</td>
<td style="text-align: center;">Rebekah Brooks</td>
<td style="text-align: center;">Tom Pellereau</td>
<td style="text-align: center;">Harry Potter</td>
</tr>
<tr>
<td style="text-align: justify; vertical-align: top;" width="135">After a long retirement, could Robocop be convinced to take the helm of the Met and utter those immortal words, &#8220;Phone Hackers, dead or alive, you&#8217;re coming with me&#8221;? His credentials for bringing justice are well documented and revered.</td>
<td style="text-align: justify; vertical-align: top;" width="135">Rebekah recently became available for new roles. In her previous role she was CEO of News International, an organisation famed for its ability to investigate the lives of individuals, finding the truth at any cost.</td>
<td style="text-align: justify; vertical-align: top;" width="135">Winner of the Apprentice 2011. During the Apprentice selection process Tom came up with the revolutionary idea of &#8220;The Emergency Biscuit&#8221;. Could Tom&#8217;s genius be reapplied from Emergency biscuit to Emergency Services?</td>
<td style="text-align: justify; vertical-align: top;" width="135">Finally realizing that he was 10 years too old to play a wizard at prep school, movie bosses have brought the Harry Potter series to an end with HP7: The Deathly Hallows Part 2. In the series, Harry has proved himself immune to corruption from evil, a trait to be expected from the next Met Chief.</td>
</tr>
</tbody>
</table>
<p>Please vote for who you think would be the best candidate to bring new leadership to the Met. Results to be published at the End of July:</p>
<div style="border: 1px solid black;">Note: There is a poll embedded within this post, please visit the site to participate in this post's poll.</div>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2011/07/poll-who-should-become-new-met-police-chief/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Apprentice UK 2011 Final Winner: Nerds 1 The Rest 0</title>
		<link>http://www.infosecandbeyond.com/2011/07/apprentice-uk-2011-final-winner-nerds-1-the-rest-0/</link>
		<comments>http://www.infosecandbeyond.com/2011/07/apprentice-uk-2011-final-winner-nerds-1-the-rest-0/#comments</comments>
		<pubDate>Mon, 18 Jul 2011 08:14:39 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=566</guid>
		<description><![CDATA[Last night the Apprentice final saw a battle of eclectic styles and personalities come to its conclusion, with Lord Sugar finally choosing his future business partner.  The four finalists were: Jim Eastwood &#8211; The Jedi Salesman Helen Louise Milligan - The &#8220;Almost&#8221; Unbeaten Master Organiser Tom Pellereau - Inventor, Genius, Nerd Susan Ma - The Spirited but Inexperienced [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Last night the Apprentice final saw a battle of eclectic styles and personalities come to its conclusion, with Lord Sugar finally choosing his future business partner.  The four finalists were:</p>
<ul>
<li>Jim Eastwood &#8211; The Jedi Salesman</li>
<li>Helen Louise Milligan - The &#8220;Almost&#8221; Unbeaten Master Organiser</li>
<li>Tom Pellereau - Inventor, Genius, Nerd</li>
<li>Susan Ma - The Spirited but Inexperienced Entrepreneur</li>
</ul>
<p><a href="http://www.infosecandbeyond.com/wp-content/uploads/2011/07/App2011wSB.jpg"><img class="aligncenter size-full wp-image-579" title="Apprentice Finalists 2011" src="http://www.infosecandbeyond.com/wp-content/uploads/2011/07/App2011wSB.jpg" alt="" width="560" height="450" /></a></p>
<p style="text-align: justify;">After a serious grilling of each contestant and their business plan by Lord Sugar&#8217;s close associates, it was finally announced that Tom would be the winner of the Apprentice UK 2011.  The finalists had seriously different styles this year, but I&#8217;m happy to say that nerd ingenuity clearly prevailed over spiel, efficiency and spirit.</p>
<p style="text-align: justify;"><span id="more-566"></span></p>
<p style="text-align: justify;">Jim was a clear favourite for me from the early stages when he rolled out Jedi mind trick after mind trick. Bagging a £1.6million deal for some kids&#8217; biscuits you&#8217;d spent a day designing and branding was phenomenal, but the extended sales waffle appeared to have done him no favours in the final hour. Susan was starting to look strong throughout the interviews, but failed to provide any realistic figures or objectives for her plan. Her lack of experience shone through, but she has perhaps gained the most from going through the process, even without winning. Helen was tipped as a front runner due to the long unbeaten track record she achieved throughout the series. What failed her at the last hurdle was her lack of imaginative business ideas. In her current role she acts as the executive assistant to a CEO (their organiser). Her business plan hoped to draw on those organisational skills and develop a service for the general public to help organise themselves. In the final minute, she cleverly attempted to redress the weakness of her plan by picking up on a suggestion Karen had made earlier in the process: bakeries. This was, however, too little, too late, and the victory went to Tom.</p>
<p style="text-align: justify;">I do have to say that Tom&#8217;s business plan did actually seem, well, pretty rubbish. He wanted to go into companies to do tests on employee back pain, to see if he could save the businesses money by reducing sick days. While the sentiment was admirable, to quote Tom himself from the biscuit episode, as a business plan it was a &#8220;Lead Balloon&#8221;. Despite this seemingly off-the-mark shot, Tom allegedly had another 22 business ideas in his back pocket should he misfire with this one. I think Lord Sugar just realised that if he gives this guy some scope to create, one day he&#8217;s going to do something really special; we just don&#8217;t know what yet.</p>
<p style="text-align: justify;">The cherry on the top of last night&#8217;s episode was Tom telling Lord Sugar about his first computer, bought especially by his Grandad: an AMSTRAD512. Way to butter up your new partner, Tom. Your nerd credentials are complete. Well done Tom, keep flying that flag for us all in the top flight of Sugar&#8217;s business empire.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2011/07/apprentice-uk-2011-final-winner-nerds-1-the-rest-0/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft AD RMS: User Adoption Made Simple</title>
		<link>http://www.infosecandbeyond.com/2011/07/microsoft-ad-rms-user-adoption-made-simple/</link>
		<comments>http://www.infosecandbeyond.com/2011/07/microsoft-ad-rms-user-adoption-made-simple/#comments</comments>
		<pubDate>Sun, 17 Jul 2011 14:33:15 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[InfoSec]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=553</guid>
		<description><![CDATA[What is Rights Management? Rights management pertains directly to managing permissions for individuals to access specific information. Our two jargon busting acronyms for this area are DRM (Digital Rights Management) and IRM (Information Rights Management). For the purposes of this article we will consider both DRM and IRM one and the same. Development of this [...]]]></description>
			<content:encoded><![CDATA[<h3>What is Rights Management?</h3>
<p style="text-align: justify;">Rights management pertains directly to managing permissions for individuals to access specific information. Our two jargon busting acronyms for this area are DRM (Digital Rights Management) and IRM (Information Rights Management). For the purposes of this article we will consider both DRM and IRM one and the same.</p>
<p style="text-align: justify;"><img class="aligncenter" title="Digital Rights Management" src="http://i1-news.softpedia-static.com/images/news2/DRM-prea-scump-pentru-telefonia-mobila-2.jpg" alt="" width="220" height="220" /></p>
<p style="text-align: justify;">Development of this area of technology has been primarily driven by copyright. Publishers of books, music and films have in recent years been more and more motivated to try to protect their material, in the face of the proliferation of internet use. The Internet has made it exponentially easier to share copyrighted materials with the click of a button, and not just with one person, but with hundreds of people, even ones that the sharer has never met. The need to control who has the right to access, read, modify or even delete information has also become prominent in both government and commercial organisations.</p>
<h3>Microsoft AD RMS &#8211; Active Directory Rights Management Services</h3>
<p style="text-align: justify;">Controlling content is at the heart of fulfilling those requirements, and Microsoft provides an Active Directory integrated service, AD RMS, to do exactly that. The basis of the AD RMS service is that each document is automatically encrypted by an RMS client at the point of creation (the desktop). It is then, by default, protected from unauthorised individuals trying to access it. When the document is created, the creator is able to apply a list of permissions to it, specifying who has what level of access to read or change it. These permissions are stored in the central AD RMS server, so when any other client tries to access the document, the server can be queried to see if the requested access should be permitted. Simple enough?<span id="more-553"></span></p>
<h3>The Problem With Getting Individuals To Use AD RMS</h3>
<p style="text-align: justify;">Once we have implemented the back-end infrastructure (which can be a hurdle in itself), we generally find that the average desktop user wants things to be done quickly, simply and in as few steps as possible. They don&#8217;t want to have to dig into multi-level dialog boxes to check boxes and search for users to apply permissions to. If they have the choice, they simply won&#8217;t do this.</p>
<p style="text-align: justify;">RMS templates help with this. They provide a mechanism to apply a pre-configured list of permissions to documents. This means that by digging through a few menus and selecting the appropriate template we can ensure RMS controls are applied. Unfortunately, this still doesn&#8217;t go far enough. In certain applications, like Outlook, the RMS templates are currently listed alongside other default classifications. There is no way to distinguish which are RMS templates and which ones are not. Also, there&#8217;s no way to force the user to select a value from the menu; if they want to ignore it they can. In which case the RMS implementation becomes severely underutilised, and may break elements of an organisation&#8217;s security policy.</p>
<h3>Using Labelling To Ensure Adoption Of AD RMS</h3>
<p style="text-align: justify;">The Boldon James classification products are used to add labels to emails and documents. These labels are used for many things. They can be used to implement security checks on email recipients, they can be used to raise user awareness and educate them on security policy, they can be used by border guard devices to automatically encrypt emails or block them from leaving an organisation and, finally, they can be used to automatically apply an RMS template to a document or email. What this means is that when a user selects a certain label for a document, a corresponding RMS template can automatically be applied. The label selection controls are highly visible, easily accessed (simple drop-down selectors) and, more importantly, can be made mandatory. This gives us the ability to &#8220;enforce&#8221; RMS use, and it&#8217;s pretty much transparent to the user.</p>
<p>To save the best until last, there is a FREE version of the Boldon James Classifier product which can do this. You can find the FreeMark Edition of Classifier at <a href="http://www.freemarkinitiative.com">www.freemarkinitiative.com</a>. The FreeMark Edition is unsupported, so if you&#8217;re selling, implementing or supporting AD RMS, the Boldon James Classifier product is a must have. Take some pain out of the process; the simplest approach is usually the most effective.</p>
<p><a href="http://www.boldonjames.com/products/information-classification-products/emailclassifier/">http://www.boldonjames.com/products/information-classification-products/emailclassifier/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2011/07/microsoft-ad-rms-user-adoption-made-simple/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Eco-Labelling – The Green Argument For Information Classification</title>
		<link>http://www.infosecandbeyond.com/2011/07/eco-labelling-the-green-argument-for-information-classification/</link>
		<comments>http://www.infosecandbeyond.com/2011/07/eco-labelling-the-green-argument-for-information-classification/#comments</comments>
		<pubDate>Sun, 17 Jul 2011 07:53:58 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[General IT]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[InfoSec]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=531</guid>
		<description><![CDATA[It seems that if you are promoting a product or service these days, it&#8217;s mandatory to have an associated &#8220;Green Story&#8221; to back up your proposition. Earning cold hard cash for the benefit of both you and your customer is in some circumstances frowned upon, if there isn&#8217;t an ethical eco-friendly angle to your pitch.  While [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">It seems that if you are promoting a product or service these days, it&#8217;s mandatory to have an associated &#8220;Green Story&#8221; to back up your proposition. Earning cold hard cash for the benefit of both you and your customer is in some circumstances frowned upon, if there isn&#8217;t an ethical eco-friendly angle to your pitch.  While I support green initiatives and do what I can to help with moves to improve the sustainability of the planet, hasn&#8217;t it all gone a bit eco-mad.</p>
<p style="text-align: justify;"><img class="aligncenter" title="Eco-Labelling Saving Earth One Email At A Time" src="http://make-one.co/wp-content/uploads/2011/04/green-eco-earth.jpg" alt="" width="268" height="300" /></p>
<p style="text-align: justify;">Those fabled 3 letters, E C O, are being used and abused by all and sundry to get that green tickbox filled. Whether a product is environmentally friendly or not, the ECO label gets thrown around like confetti at a wedding. We have Eco-Homes, Eco-Heaters, Eco-Computers, Eco-Laptops, Eco-Cars, Eco-Trucks&#8230; you name it, we have it. In a shameless attempt to look more trendy, I&#8217;d like to throw my hat in the ring and talk briefly about how appropriate labelling of documents and emails can help save the planet. Eco-Labelling for short.</p>
<p style="text-align: justify;"><span id="more-531"></span></p>
<p style="text-align: justify;">I&#8217;m sure at some point you will have received an email with a nicely formatted footer, which cordially requests that you don&#8217;t print the email on paper and read it on screen. This helps save paper and in turn trees.  What you may not realise is that every email/document, sent or received, needs to be stored somewhere and the storage device uses electricity.  The more information that is stored, the bigger the required storage device and the more electricity is needed.</p>
<p style="text-align: justify;">On an individual basis in our homes, electricity use may be negligible and stored information is managed by the owner. Old videos, pictures, documents and emails are usually cleared out periodically as storage starts getting tight.  In the work place, it is not so negligible and it&#8217;s also much harder to manage. Due to stringent legal requirements, most organisations must keep certain types of data for specific periods of time. For example, in the UK financial data should be stored by companies for at least 7 years.</p>
<p style="text-align: justify;">In order to fulfil these legal requirements, document stores or archives are implemented to centralise data, where it can be easily retrieved if needed.  The problem is, how do we know what needs to be archived and for how long?  If we have our data spread across desktops throughout the enterprise, or distributed across many different individuals&#8217; corporate email mailboxes, how can we distinguish between things that should be kept and things that shouldn&#8217;t?  A lack of capability in this area usually forces organisations to take an &#8220;archive everything&#8221; approach.  What this means is that we&#8217;re essentially having to store absolutely everything.  This may seem like a reasonable approach, but 90% of the information we would be storing doesn&#8217;t need to be stored at all.  Stored data would include old documents which are no longer relevant or needed. It would also include personal emails and documents that are on each user&#8217;s desktop.  When Bob sends John the 2 Megabyte image of his giant cock.. again, do we really want to be paying to store that email for the next 7 years?</p>
<div class="wp-caption aligncenter" style="width: 330px"><img class=" " title="Bob's Giant Cock" src="http://files.abovetopsecret.com/images/member/4d6d76553cb6.jpg" alt="" width="320" height="320" /><p class="wp-caption-text">This image is Safe For Work, It&#39;s a painting of a man standing next to a giant chicken.</p></div>
<p style="text-align: justify;">The answer is no. Now imagine an organisation with ten thousand Bobs and ten thousand Johns. That&#8217;s a lot of emails.</p>
<p style="text-align: justify;">To manage our information more effectively, we need to start applying some structure to what can be considered unstructured data. To do that we need to categorize the type of information contained in the email/document and we do that through information classification. By applying an appropriate label to information we can make decisions about how we will treat that information. Most archives have the ability to understand document meta-data (or labels) and make decisions on what to do based on that label. It can decide whether or not to store the document in the archive, and if it does, what the retention policy should be.</p>
<p style="text-align: justify;">Not only would implementing labelling save the organisation money on storage device costs, but also on electricity.. that&#8217;s our win-win right there. We&#8217;re saving the company money and also helping save the planet, one email at a time.  If you work in IT, Eco-Labelling could mean a promotion for you, seriously. Just don&#8217;t run into the CEO&#8217;s office shouting that you have a great idea and a picture of a giant cock.</p>
<p style="text-align: justify;">If you would like to explore this in more depth (i.e. with sensible figures and explanations), you can find a whitepaper here:</p>
<p style="text-align: justify;"><a href="http://www.boldonjames.com/solutions/papers/archiving/">http://www.boldonjames.com/solutions/papers/archiving/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2011/07/eco-labelling-the-green-argument-for-information-classification/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Retaining X.400 Connectivity for Exchange 2007/2010</title>
		<link>http://www.infosecandbeyond.com/2011/07/retaining-x-400-connectivity-for-exchange-20072010/</link>
		<comments>http://www.infosecandbeyond.com/2011/07/retaining-x-400-connectivity-for-exchange-20072010/#comments</comments>
		<pubDate>Fri, 15 Jul 2011 23:24:13 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[General IT]]></category>
		<category><![CDATA[Email]]></category>
		<category><![CDATA[Exchange 2007]]></category>
		<category><![CDATA[Exchange 2010]]></category>
		<category><![CDATA[Messaging]]></category>
		<category><![CDATA[X.400]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=504</guid>
		<description><![CDATA[X.400 is a suite of email protocols that are now considered legacy by.. well.. almost everyone. In decades gone by X.400 competed with the SMTP protocol for domination of the email world.  The argument was one of performance and reliability (X.400) versus ease of deployment and use (SMTP).  SMTP ultimately won this battle as the ease [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">X.400 is a suite of email protocols that are now considered legacy by.. well.. almost everyone. In decades gone by X.400 competed with the SMTP protocol for domination of the email world.  The argument was one of performance and reliability (X.400) versus ease of deployment and use (SMTP).  SMTP ultimately won this battle as the ease of deployment generally proliferated the product, everywhere. Once in general use, the performance and reliability issues were tackled, eventually sounding the victory horn for SMTP over X.400.</p>
<p style="text-align: justify;">The problem is that X.400 is just one of those protocols that refuses to die, and it will continue to be a slow and steady migration as it dissipates. There are certainly many automated mail systems out there that are simply not being upgraded, because the message transports are transparent to the users and many organisations take the approach of, &#8220;well, if it ain&#8217;t broke, why fix it&#8221;.</p>
<h3 style="text-align: justify;">Microsoft Exchange 2003 And X.400 Support</h3>
<p style="text-align: justify;">In earlier versions of Microsoft Exchange, X.400 support was inherently provided as part of the core MTA. <span id="more-504"></span> Microsoft Exchange 2003, for instance, had an X.400 MTA and Exchange users could send messages to X.400 recipients via configurable X.400 connectors.  This MTA and X.400 connector support was completely removed from Exchange 2007.  Microsoft considered it a legacy technology and decided to completely remove support for sending messages in the X.400 format moving forward.</p>
<p style="text-align: justify;">While this support is no longer needed in 99% of Exchange implementations, it does cause serious issues, for those systems that require X.400 connectivity to talk to legacy email systems, or older automation systems which utilise an underlying Exchange to X.400 transport mechanism.</p>
<h3 style="text-align: justify;">Microsoft Exchange 2007/2010 and Using Exchange 2003 Co-existence To Support X.400</h3>
<p style="text-align: justify;">One option that was available for organisations who need to retain X.400 support is to Upgrade the core Exchange server to 2007, but to keep one Exchange 2003 server to act as a gateway to the legacy X.400 environment. This does work, but it is messy, messy, messy.</p>
<p style="text-align: justify;">First of all, between Exchange 2003 and 2007, the transport and routing architecture has been completely revamped. In Exchange 2003, there was a concept of grouping servers together in Routing Groups. Routing Groups were configured completely independently of physical or other constraints, thus giving the administrator more granular control over routing.</p>
<p style="text-align: justify;">To retain X.400 support while moving to 2007/2010 we must install our new 2007/2010 server into an existing Exchange 2003 organisation. A special routing group is created that contains your entire 2007/2010 environment. Doing this allows us to pump messages via the remaining single 2003 server which can then convert to X.400.</p>
<p style="text-align: justify;">There are several problems with this approach, the main ones being:</p>
<ul>
<li>
<div style="text-align: justify;">Exchange 2003 has just been (or is about to be) end of life&#8217;d, and will be unsupported in future.</div>
</li>
<li>
<div style="text-align: justify;">The administrative overhead of keeping the co-existence environment running is significant.</div>
</li>
<li>
<div style="text-align: justify;">There is no option for putting an Exchange 2003 server into a 2007/2010 organisation. It can only be done one way, retrofitting isn&#8217;t an option.</div>
</li>
<li>
<div style="text-align: justify;">There will be no technical option to do this in the new version of Exchange (Exchange 15). So if 2007/2010 are deployed in this way, a complete reinstall will be required when upgrading to E15. So X.400 support will be lost anyway.</div>
</li>
</ul>
<h3 style="text-align: justify;">Keeping Exchange 2007/2010 X400 Support The Easy Way</h3>
<p style="text-align: justify;">Boldon James has worked with X.400 solutions for over 20 years. We have been very tightly involved with Microsoft in this area for the last 16 years. You may even find that some of the code within the Exchange 2003 X.400 MTA has been written and supported by Boldon James.</p>
<p style="text-align: justify;">Since Exchange 2007 was released, we have developed and released our X.400 Bridgehead Server for Exchange 2007 and subsequently our X.400 Bridgehead Server for Exchange 2010.  Our Bridgehead Server is deployed on the Hub Transport role of the Exchange system and is considered what MS call a foreign connector.</p>
<p style="text-align: justify;">It provides a light and easy approach to implementing X.400 connectivity in any 2007 and 2010 Exchange organisation.  This means that it can be deployed in new installations as well as old. It sits on a fully supported Microsoft platform (2007 and 2010) and provides assurance that X.400 capability will still be available on future platforms such as Exchange 15.</p>
<p style="text-align: justify;">If you would like to learn more about the Boldon James X.400 Bridgehead for Microsoft Exchange, or to request an evaluation, please feel free to <a title="Contact Me" href="http://www.infosecandbeyond.com/contact-me/" target="_self">contact me</a>. Or contact Boldon James at <a href="http://www.boldonjames.com">www.boldonjames.com</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2011/07/retaining-x-400-connectivity-for-exchange-20072010/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>UK: What is the GCSx Code of Connection (CoCo)?</title>
		<link>http://www.infosecandbeyond.com/2011/07/uk-what-is-the-gcsx-code-of-connection-coco/</link>
		<comments>http://www.infosecandbeyond.com/2011/07/uk-what-is-the-gcsx-code-of-connection-coco/#comments</comments>
		<pubDate>Fri, 15 Jul 2011 11:36:00 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[InfoSec]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=481</guid>
		<description><![CDATA[A code of connection (CoCo) is a mutually agreed set of rules used by two parties to allow the exchange of information between their systems.  The UK government has pursued several initiatives in recent years to connect all government organisations into the secure networks of the central government intranet. GCSx stands for Government Connect Secure Extranet.  [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">A code of connection (CoCo) is a mutually agreed set of rules used by two parties to allow the exchange of information between their systems.  The UK government has pursued several initiatives in recent years to connect all government organisations into the secure networks of the central government intranet.</p>
<p style="text-align: justify;">GCSx stands for Government Connect Secure Extranet.  This is the network which will specifically connect Local Authorities (LAs) to the central government intranet (GSI &#8211; Government Secure Intranet). GCSx relates only to LAs in England and Wales. Scottish LAs will connect through GSX (Government Secure Extranet). Local Authorities must achieve CoCo compliance in order to be granted access to the Government Secure networks. Confused yet? Being driven CoCo.Nuts?</p>
<p style="text-align: justify;">Here&#8217;s a diagram to help see how it all fits together:</p>
<div id="attachment_485" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.infosecandbeyond.com/wp-content/uploads/2011/07/GCSx.jpg"><img class="size-medium wp-image-485  " title="GSI Overal Topology" src="http://www.infosecandbeyond.com/wp-content/uploads/2011/07/GCSx-300x187.jpg" alt="" width="300" height="187" /></a><p class="wp-caption-text">Click to Enlarge</p></div>
<p style="text-align: justify;">There are just under 100 controls and measures that a Local Authority needs to put in place in order to be CoCo compliant. The most prominent of these are listed here:<span id="more-481"></span></p>
<table style="text-align: center; border: 1px solid;">
<tbody>
<tr>
<td>Email Labelling</td>
</tr>
<tr>
<td>User Education and Awareness</td>
</tr>
<tr>
<td>Incident Response</td>
</tr>
<tr>
<td>Access Control</td>
</tr>
<tr>
<td>Compliance Checking</td>
</tr>
<tr>
<td>Protective Monitoring</td>
</tr>
<tr>
<td>Firewalls</td>
</tr>
<tr>
<td>Intrusion Detection</td>
</tr>
<tr>
<td>Patch Management</td>
</tr>
<tr>
<td>Removable Media Control</td>
</tr>
</tbody>
</table>
<p style="text-align: justify;">The current version of the GCSx CoCo is 4.1. The most recently published (enacted) before this was version 3.2. In version 4.1, changes included the addition of protectively marking emails based on the central government methodology for protective marking issued by the Cabinet Office.  Boldon James provides products to assist in Email Labelling, and also in User Education and Awareness.   The <a href="http://www.boldonjames.com/products/information-classification-products/emailclassifier/" target="_blank">Boldon James Classifier</a> tool can be implemented to restrict the distribution of emails based on their label. It can also be the central lever to educate users about the information they are dealing with on a day to day basis and its level of sensitivity.  If you want to know more about the Boldon James Classifier product, please visit:</p>
<p><a href="http://www.boldonjames.com/products/information-classification-products/emailclassifier/">http://www.boldonjames.com/products/information-classification-products/emailclassifier/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2011/07/uk-what-is-the-gcsx-code-of-connection-coco/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Short History of Storage Devices</title>
		<link>http://www.infosecandbeyond.com/2011/07/a-short-history-of-storage-devices/</link>
		<comments>http://www.infosecandbeyond.com/2011/07/a-short-history-of-storage-devices/#comments</comments>
		<pubDate>Thu, 14 Jul 2011 12:55:54 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[General IT]]></category>
		<category><![CDATA[Storage]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=474</guid>
		<description><![CDATA[I can&#8217;t really ever see myself being a technology historian, but I do find the development of technology and technology advancements astonishing at times. It&#8217;s easy to forget that some years ago, I used to think that my new 20MB hard drive was the bees knees.. &#8220;It&#8217;s 20MB of Hard Disk Drive, I&#8217;ll never need [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">I can&#8217;t really ever see myself being a technology historian, but I do find the development of technology and technology advancements astonishing at times. It&#8217;s easy to forget that some years ago, I used to think that my new 20MB hard drive was the bees knees.. &#8220;It&#8217;s 20MB of Hard Disk Drive, I&#8217;ll never need to upgrade it. I could store my entire life&#8217;s work on it and still have room to back up my floppies.&#8221;. How times change. I recently found this infographic on the spamfighter blog which I think summarizes the rise of storage perfectly. Check out the difference in per GB cost between 1980-2010:<span id="more-474"></span></p>
<p style="text-align: center;"><img class="aligncenter" title="A Short History of Storage Devices" src="http://blog.spamfighter.com/wp-content/uploads/HDD_infographic.jpg" alt="" width="558" height="3052" /></p>
<p>Thought it was definitely worth a share. Enjoy.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2011/07/a-short-history-of-storage-devices/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Phone Hacking, Corporate Responsibility and Employee Accountability</title>
		<link>http://www.infosecandbeyond.com/2011/07/phone-hacking-corporate-responsibility-and-employee-accountability/</link>
		<comments>http://www.infosecandbeyond.com/2011/07/phone-hacking-corporate-responsibility-and-employee-accountability/#comments</comments>
		<pubDate>Tue, 12 Jul 2011 08:39:40 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[InfoSec]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=460</guid>
		<description><![CDATA[The UK has been awash with scandal upon scandal in recent months. Individuals and organisations who we are supposed to trust have abused their positions and the circumstances available to them. Is this to be the century of corruption? The politicians led the way with the expenses scandal,  immediately followed by questionable banking practices which brought [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">The UK has been awash with scandal upon scandal in recent months. Individuals and organisations who we are supposed to trust have abused their positions and the circumstances available to them. Is this to be the century of corruption? The politicians led the way with the expenses scandal,  immediately followed by questionable banking practices which brought the world to the brink of bankruptcy. Now in our latest installment of the &#8220;people doing what they really shouldn&#8217;t&#8221; saga, we have once reputable press organisations hacking into the phones of, well, pretty much everyone.</p>
<p style="text-align: justify;"><img class="aligncenter" title="Honest John" src="http://www.negotiationlawblog.com/uploads/image/con-man.jpg" alt="" width="199" height="283" /></p>
<p style="text-align: justify;">The world needs a double dose of the medicine that is corporate responsibility and employee accountability.   Whether or not the chiefs at the head of these corporate tribes were aware of the activities of their employees, ultimately they have a duty of care to take reasonable measures to prevent this kind of unacceptable behaviour occurring. Failure to do so is a slippery slope which rapidly evolves from the occasional cheeky rogue, to an inherent culture of wide spread wrong doing. Individuals should not be given a shield of plausible deniability or proclamation of ignorance. Each and every individual should be liable to take responsibility for their actions.  Chiefs have a responsibility to foster and enforce an ethical culture through the correct provision of training and providing the right tools for employees to adopt that ethical behaviour.</p>
<p style="text-align: justify;">Just this week we have learned that News International were in fact in possession of emails which were withheld from the police in an attempt to control possible damage from implication of law breaking. Although possible, it&#8217;s difficult to release information in an email without actually thinking about its content before clicking send. Much more difficult than giving the go ahead to do something in the spur of the moment over the phone. Information created or received by an organisation should be treated with the respect it deserves, but with the casual use of email in day to day life, it&#8217;s easy for the lines to blur. People generally use their work email accounts for general informal internal communications, even external at times.  When wrong doing is suspected, the legal defence of &#8220;that email was sent in this context&#8221; is used all too often.</p>
<p style="text-align: justify;">As an organisation, one line of defence to this legal minefield is.. yes.. you have guessed it.. email labelling.  Forcing users (whether employees, directors or other execs) to select an appropriate label before sending an email builds not only awareness of company policies, but also reinforces a culture of employee accountability.  Investment in an email labelling tool could in the long run save your organisation millions, or may even save it from the recently bloodied axe which took out <a title="NotW Axed" href="http://www.guardian.co.uk/media/2011/jul/07/news-of-the-world-to-close" target="_blank">News of the World</a> in one fell swoop. Furthermore, there are no longer any excuses on cost. You can do this for free.  Although you don&#8217;t get all the benefits of the paid version of <a title="Boldon James Email Classifier" href="http://www.boldonjames.com/products/information-classification-products/emailclassifier/" target="_blank">Boldon James&#8217; Email Classifier</a>, the FreeMark version of Classifier allows you to do exactly that, label emails. IT&#8217;S FREE,  the clue is in the name &#8211; FreeMark.  If you want to learn more about the FreeMark initiative, please visit <a href="http://www.freemarkinitiative.com">www.freemarkinitiative.com</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2011/07/phone-hacking-corporate-responsibility-and-employee-accountability/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>As A Service, Cloud Services Defined</title>
		<link>http://www.infosecandbeyond.com/2011/04/as-a-service-cloud-services-defined/</link>
		<comments>http://www.infosecandbeyond.com/2011/04/as-a-service-cloud-services-defined/#comments</comments>
		<pubDate>Mon, 18 Apr 2011 17:14:30 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[General IT]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[As A Service]]></category>
		<category><![CDATA[Cloud Computing]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=443</guid>
		<description><![CDATA[I recently turned to my long suffering fiancee and requested that she deliver me BaaS (Breakfast As A Service) every morning. The request wasn&#8217;t well received, and neither was the long winded explanation about how everything else is available as a service these days, so why not breakfast.  Needless to say, I have been making [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">I recently turned to my long suffering fiancee and requested that she deliver me BaaS (Breakfast As A Service) every morning. The request wasn&#8217;t well received, and neither was the long winded explanation about how everything else is available as a service these days, so why not breakfast.  Needless to say, I have been making breakfast for weeks.</p>
<p style="text-align: justify;">AAS (As A Service) is one of those marketing tag lines which seems to have taken hold and gained great traction across the IT industry. Perhaps the most prominent of these is SaaS &#8211; Software As A Service. In this post, we&#8217;re going to explore where this paradigm has come from and we&#8217;ll look at some of the more visible acronyms out there.</p>
<h3 style="text-align: justify;">From Product to Service</h3>
<p style="text-align: justify;">Historically, the majority of Information Technology was provided to organisations by software development companies, who would create products and then sell licenses to use those products. The products would be delivered and installed on site and hosted by the organisation <span id="more-443"></span>on the hardware available at the customer&#8217;s location. In cloud computing circles, this is also referred to as &#8220;on-premise&#8221;.  Due to the limited capacity of public networks (i.e. the internet) it was difficult to remotely host business applications; the performance just wasn&#8217;t available to make it viable.</p>
<p style="text-align: justify;">In more recent years, endless reels of fibre networks have been deployed, upgraded and then upgraded again. This has made the possibility of remotely hosting services infinitely more feasible. In addition, proprietary middleware technologies are being slowly replaced by universal integration technologies such as web services, making it much easier to componentize capability and deploy it in different locations.</p>
<p style="text-align: justify;">This has enabled service providers to start migrating services &#8220;off-premise&#8221; and into the cloud. By doing this, there is no longer a requirement to install, administrate or maintain software at the customer premises. Developers are no longer selling an off the shelf package, but a service which can be instantly provisioned, used and then stopped at will.</p>
<h3 style="text-align: justify;">Why Is a Service Better?</h3>
<p style="text-align: justify;">There are many benefits to implementing capability as a service rather than a traditional product, but clearly one of the main drivers for adoption of cloud and AAS implementations is cost.  If you have one data-centre, with 3 admins, running an information service for 20 companies, this is obviously going to cost much less to run than 20 data-centres with 2 admins each. By consolidating software and sharing the underlying solution stack between several organisations the benefits are immediate, visible and significant.</p>
<p style="text-align: justify;">In addition to the inherent efficiencies of shared environments, the recent economic battering the whole world has received has made upfront capital investment much harder to come by. From an accounting perspective, product purchases would be charged under Capital Expenditure (CAPEX). This means that the product would be considered an asset of the company that would degrade in value over time.  By purchasing the same capability as a service, the charge becomes an expense and is filed under Operational Expenditure (OPEX). OPEX charges can be offset against profits and usually come in smaller chunks. They usually entail much smaller upfront payments, are easier to budget for and can take some of the hassle out of the procurement process.</p>
<p style="text-align: justify;">Service popularity = Users Happy = IT Dept Happy =  Finance Happy = Management Happy</p>
<h3>A Service Solution Stack</h3>
<p style="text-align: justify;">Regardless of whether on or off premise, in order to provision an information service there are various layers of services which must be provided. Let&#8217;s look at an additive model of how the layers may be loosely defined.</p>
<p style="text-align: justify;">At the bits and bytes end of the spectrum we have the actual <strong>hardware</strong> that the upper services will run on and the capabilities that <strong>hardware</strong> provides (e.g. storage, processing power, networking). Moving up the stack, we then have a group of <strong>infrastructure </strong>related services; these may include the management of machines and processors along with other capabilities such as high-availability, disaster recovery and virtualization. Moving even further up the stack, we then have our operating systems and also other software that facilitates our business applications; this will be referred to as the <strong>platform</strong>. Example components in the platform layer may include Windows, Linux, SQL Server, Microsoft SharePoint, etc. At the top end of our service stack we have our application software; this <strong>software </strong>utilizes the lower layers to provide its functionality.</p>
<p style="text-align: justify;">If you read through the preceding paragraph you may notice some widely used AAS terms in bold, hardware, infrastructure, platform and software.</p>
<p style="text-align: center;"><a href="http://www.infosecandbeyond.com/wp-content/uploads/2011/04/AsAService.jpg"><img class="aligncenter size-full wp-image-447" title="As A Service Layer Stack" src="http://www.infosecandbeyond.com/wp-content/uploads/2011/04/AsAService.jpg" alt="" width="565" height="436" /></a></p>
<p>On the left of the image above you can see the following acronyms:</p>
<ul>
<li>HaaS &#8211; Hardware As A Service</li>
<li>IaaS &#8211; Infrastructure As A Service</li>
<li>PaaS &#8211; Platform As A Service</li>
<li>SaaS - Software As A Service</li>
</ul>
<p style="text-align: justify;">The definition of layers provided is by no means fixed and depending on who you talk to, components may shift up or down a layer. Each layer requires the lower layers in order to function and there are a variety of providers who will provide access at different layers. This does not mean that if you want to use a certain piece of software as a service, you also need to buy all of the lower supporting services individually. As a SaaS subscriber you will automatically get the underlying services in the price you pay for the application you use at the top end. You may, however, decide that you just want to use a PaaS and develop/implement your own software applications on top of it.</p>
<p style="text-align: justify;">These groupings cover the majority of offers out there today. You may have heard of others, but all will fit loosely into the categories above. Some more you may hear of include:</p>
<ul>
<li>DaaS &#8211; Desktop As A Service &#8211; This sits somewhere between IaaS and PaaS</li>
<li>XaaS &#8211; Everything As A Service &#8211; The clue is in the title.</li>
<li>Another SaaS &#8211; Storage As A Service.</li>
<li>Another SaaS &#8211; Security As A Service.</li>
</ul>
<p style="text-align: justify;">Security As A Service is one of the most interesting. As your data moves to the cloud, the relevant and appropriate protections which you currently provide on-premise will have to move there too. Cloud Security is an emerging area with several vendors migrating capability there. Cloud Security is pretty much embryonic today, but I see it rapidly gaining traction. That concludes the article; Cloud Security is a whole world of tangents that I&#8217;m not going to slip into just yet.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2011/04/as-a-service-cloud-services-defined/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Theory of Gravitational Information Security – Making Security Policy Implementation A Reality</title>
		<link>http://www.infosecandbeyond.com/2011/04/theory-of-gravitational-information-security-making-security-policy-implementation-a-reality/</link>
		<comments>http://www.infosecandbeyond.com/2011/04/theory-of-gravitational-information-security-making-security-policy-implementation-a-reality/#comments</comments>
		<pubDate>Mon, 11 Apr 2011 16:56:16 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Classification]]></category>
		<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[Security Policy]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=397</guid>
		<description><![CDATA[This article draws on elements of gravity theory to help visualise information security concepts and to describe how to practically implement security policy objectives. It describes a metaphorical model where gravitational forces are analogous to the level of security controls we apply to an organisation&#8217;s information. Be warned, this will quite possibly be the nerdiest article I have written, [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">This article draws on elements of gravity theory to help visualise information security concepts and to describe how to practically implement security policy objectives. It describes a metaphorical model where gravitational forces are analogous to the level of security controls we apply to an organisation&#8217;s information. Be warned, this will quite possibly be the nerdiest article I have written, but it will be simple enough: no degree in particle physics is required to grasp it.</p>
<h3>What is Gravity?</h3>
<p style="text-align: justify;">Gravity is a force which attracts and pulls physical objects towards each other. All objects are known to be affected by gravity, from the smallest atom to the largest star in the night sky. A general rule for gravity is that the greater the mass of an object, the more gravitational force it will exert on the other objects around it. The sun, for instance, pulls the earth towards it in the same way that the earth pulls the moon ever closer as time passes.</p>
<p style="text-align: center;"><a href="http://www.infosecandbeyond.com/wp-content/uploads/2011/04/sphere_layers_of_gravity-344x324.jpg"><img class="size-medium wp-image-405  aligncenter" title="Gravity Sphere" src="http://www.infosecandbeyond.com/wp-content/uploads/2011/04/sphere_layers_of_gravity-344x324-300x282.jpg" alt="" width="300" height="282" /></a></p>
<p style="text-align: justify;">At an atomic level, the closer to the center of an object we get, the greater the gravitational force is. As density increases, the movement of those central atoms is more restricted whereas the outer atoms are often able to move more freely.</p>
<h3>The Analogy</h3>
<p style="text-align: justify;">In the same way as gravity applies force to those atoms drawing them towards the center, we can secure information by applying varying levels of enforcement based on sensitivity. If we imagine the sum of our organisation&#8217;s information as a spherical object made up of thousands of information atoms, we can start to visualize the relationship. Our most sensitive information is at the core of our infosphere (information sphere) and we must apply more force to protect it. As we move further towards the surface of our infosphere, the controls we will want to apply will be less restrictive and we will let those less sensitive information atoms move more freely.</p>
<p style="text-align: justify;">The sensitivity of information does decrease over time, meaning that to follow the analogy strictly, there should be provision for information atoms to move to the outer layers as time passes. Gravity, of course, doesn&#8217;t do this, so in order to avoid having to draft in some professors of physics to come up with a plausible explanation for this, we will continue with the understanding that the analogy refers to the forces applied at a specific moment in time.</p>
<p><a href="http://www.infosecandbeyond.com/wp-content/uploads/2011/04/MassGravityGraph.jpg"><img class="size-full wp-image-409 alignleft" title="Mass Increases Gravitational Force" src="http://www.infosecandbeyond.com/wp-content/uploads/2011/04/MassGravityGraph.jpg" alt="" width="263" height="244" /></a><a href="http://www.infosecandbeyond.com/wp-content/uploads/2011/04/SensitivitySecurityGraph.jpg"><img class="size-medium wp-image-410  alignleft" title="Sensitivity increases Security" src="http://www.infosecandbeyond.com/wp-content/uploads/2011/04/SensitivitySecurityGraph-300x258.jpg" alt="" width="270" height="232" /></a></p>
<h3 style="text-align: left;">Increasing Security Toward The Core</h3>
<p style="text-align: justify;">The images above show four layers leading to the center of our infosphere. In order to apply controls to our information we must first categorize it by sensitivity level, in other words give it a classification. As an organisation, we define a security policy that mandates the rules and regulations that all people in the company must follow when dealing with the organisation&#8217;s information. As part of this policy, a classification scheme helps us to define what types of information we have and how important it is to us.</p>
<p style="text-align: left;">A typical corporate classification scheme might include:</p>
<ul>
<li>PUBLIC</li>
<li>CONFIDENTIAL</li>
<li>MANAGEMENT</li>
</ul>
<p style="text-align: left;">Or for a government organisation:</p>
<ul>
<li>UNCLASSIFIED</li>
<li>RESTRICTED</li>
<li>CONFIDENTIAL</li>
<li>SECRET</li>
<li>TOP SECRET</li>
</ul>
<p style="text-align: left;">To refer back to our infosphere, UNCLASSIFIED may refer to our outer layer of information atoms, and TOP SECRET atoms would be in the core.</p>
<p style="text-align: left;">In loose terms, there are also four levels of controls that we may want to apply to information and these are as follows:</p>
<ul>
<li>None &#8211; Information we do not want to control or protect (e.g. emails including &#8220;Someone left their lights on in the car park&#8221;)</li>
<li>Awareness &#8211; Controls such as <strong>security labels</strong> to make information users aware of the nature of the information they are working with.</li>
<li>Restrictions &#8211; Controls to block access to information or restrict its transmission from person to person (e.g. <strong>clearance checking tools, gateways</strong> and <span style="text-decoration: underline;">DLP</span>)</li>
<li>Enforcement &#8211; Full protection of information including physical security, encryption and logical access control mechanisms (<strong>encryption, firewalls, rights management</strong>, etc)</li>
</ul>
<p style="text-align: left;">These levels are by no means exclusive and there may be an amount of overlap.</p>
<h3 style="text-align: left;">Practical Application of Security Policy Controls</h3>
<p style="text-align: justify;">We now have the basis of our security policy complete. We know what types of information our organisation deals with and also the classifications we are going to apply to the different information.  In addition, we should also know what controls we intend to apply to the different classification levels. A mapping of controls may look something like this: </p>
<table style="border: solid 1px;">
<tbody>
<tr>
<td>Classification</td>
<td>Controls</td>
</tr>
<tr>
<td>UNCLASSIFIED</td>
<td>None</td>
</tr>
<tr>
<td>RESTRICTED</td>
<td>Awareness</td>
</tr>
<tr>
<td>CONFIDENTIAL</td>
<td>Awareness, Restrictions</td>
</tr>
<tr>
<td>SECRET</td>
<td>Awareness, Restrictions, Enforcement</td>
</tr>
<tr>
<td>TOP SECRET</td>
<td>Awareness, Restrictions, Enforcement</td>
</tr>
</tbody>
</table>
<p style="text-align: justify;">So how do we implement this on our systems? Most information is stored in documents and emails. There are artificially intelligent systems that scan the content of these and attempt to apply controls based on their understanding of the content. They are often unreliable and very rarely do this at the point of origin or creation, which is the user&#8217;s desktop. By giving the user the ability to apply a classification or label to their document or email at the point of origin, we can invoke tools to bridge the gap between the policy objective and the technical implementation of the controls. It is of course also necessary to apply controls that are not user driven, since malicious users will often try to do bad things.</p>
<p>The <a title="Email and Office Classifier" href="http://www.boldonjames.com/products/information-classification-products/">Boldon James Email and Office Classifier</a> products provide a way to implement technical controls in Microsoft environments. Based on the label selected by the user, Classifier can automatically invoke controls including:</p>
<ul>
<li>Applying a visual marking to emails/documents to increase user awareness.</li>
<li>Applying restrictions on who can receive emails/documents.</li>
<li>Automatically invoking S/MIME encryption on emails.</li>
<li>Automatically applying Active Directory Rights Management Services templates to emails/documents.</li>
</ul>
<p style="text-align: justify;">By understanding our information security needs and implementing the correct technical controls, we can ensure that people only get access to the relevant layers of the infosphere for which they are authorised.</p>
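<p style="text-align: justify;">As an added example (not the blog&#8217;s code and not the Boldon James product), the following Python turns the mapping table above into a small policy engine of the kind a desktop add-in or mail gateway could consult once the user has labelled a message: the label selects the control levels, the Restrictions level performs a clearance check on every recipient, and the Enforcement level requests S/MIME encryption and a rights-management template. The clearance directory, the messages, the function names and the template name are all constructed for the demonstration.</p>

```python
"""Label-driven email controls: the article's classification-to-controls table
as a small policy engine. Added example, not the blog's or Boldon James' code;
the directory, messages and template name below are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Layers of the infosphere, outermost first: index 0 is the surface, the last
# entry is the core (the article's government scheme).
CLASSIFICATIONS = ["UNCLASSIFIED", "RESTRICTED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]

# The mapping table from the article: the levels of control each label invokes.
CONTROLS_BY_LABEL = {
    "UNCLASSIFIED": frozenset(),
    "RESTRICTED": frozenset({"Awareness"}),
    "CONFIDENTIAL": frozenset({"Awareness", "Restrictions"}),
    "SECRET": frozenset({"Awareness", "Restrictions", "Enforcement"}),
    "TOP SECRET": frozenset({"Awareness", "Restrictions", "Enforcement"}),
}


def rank(label: str) -> int:
    """Depth of a label in the infosphere; a higher rank is closer to the core."""
    if label not in CLASSIFICATIONS:
        raise ValueError(f"unknown classification label: {label!r}")
    return CLASSIFICATIONS.index(label)


def dominates(clearance: str, label: str) -> bool:
    """True when someone cleared to `clearance` may read material labelled `label`.
    An unrecognised clearance never dominates anything (fail closed)."""
    return clearance in CLASSIFICATIONS and rank(clearance) >= rank(label)


@dataclass
class Email:
    sender: str
    recipients: list[str]
    subject: str
    label: str  # chosen by the user at the point of origin


@dataclass
class Decision:
    deliver: bool                        # False: the gateway must hold the message
    subject: str                         # subject after any visual marking
    blocked_recipients: list[str] = field(default_factory=list)
    encrypt_smime: bool = False          # Enforcement: S/MIME encryption
    rms_template: Optional[str] = None   # Enforcement: rights-management template
    reasons: list[str] = field(default_factory=list)


def apply_label_policy(msg: Email, clearances: dict[str, str]) -> Decision:
    """Work out which controls the label on `msg` requires.

    `clearances` maps a recipient address to the highest label they are cleared
    for. Addresses absent from the directory (e.g. external partners) count as
    UNCLASSIFIED only, so controlled material is never released to them."""
    if msg.label not in CONTROLS_BY_LABEL:
        # Fail closed: an unlabelled or mislabelled message is never released.
        return Decision(deliver=False, subject=msg.subject,
                        reasons=[f"unknown label {msg.label!r}"])
    controls = CONTROLS_BY_LABEL[msg.label]
    decision = Decision(deliver=True, subject=msg.subject)

    # Awareness: a visual marking so readers know what they are handling.
    if "Awareness" in controls:
        marking = f"[{msg.label}]"
        if not msg.subject.startswith(marking):
            decision.subject = f"{marking} {msg.subject}"
        decision.reasons.append("visual marking applied")

    # Restrictions: clearance check on every recipient (the gateway's job).
    if "Restrictions" in controls:
        for rcpt in msg.recipients:
            if not dominates(clearances.get(rcpt, "UNCLASSIFIED"), msg.label):
                decision.blocked_recipients.append(rcpt)
        if decision.blocked_recipients:
            decision.deliver = False
            decision.reasons.append(
                f"{len(decision.blocked_recipients)} recipient(s) lack clearance "
                f"for {msg.label}")

    # Enforcement: protect the content itself, not only its routing.
    if "Enforcement" in controls:
        decision.encrypt_smime = True
        # Constructed template name; a real deployment maps labels to its own AD RMS templates.
        decision.rms_template = msg.label.replace(" ", "_") + "_DoNotForward"
        decision.reasons.append("S/MIME encryption and RMS template required")

    return decision


# Constructed clearance directory for the demonstration.
CLEARANCES = {
    "alice@example.test": "TOP SECRET",
    "bob@example.test": "RESTRICTED",
}
```

Note that, exactly as in the table, a RESTRICTED message gets a marking but no recipient check, so the clearance gate only starts at CONFIDENTIAL.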
<h3>Summary</h3>
<p style="text-align: justify;">To summarize, this article discussed the relationship between gravity and mass. We then went on to discuss how this could be metaphorically applied to the relationship between the sensitivity of information and the level of security required to protect it appropriately. Classification of our information was then covered, followed by a practical description of how we can achieve some of our security policy objectives using different levels and types of controls.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2011/04/theory-of-gravitational-information-security-making-security-policy-implementation-a-reality/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cloud Computing/Virtualization vs Grid Computing Projects.</title>
		<link>http://www.infosecandbeyond.com/2011/04/cloud-computingvirtualization-vs-grid-computing-projects/</link>
		<comments>http://www.infosecandbeyond.com/2011/04/cloud-computingvirtualization-vs-grid-computing-projects/#comments</comments>
		<pubDate>Tue, 05 Apr 2011 20:24:28 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[General IT]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Grid Computing]]></category>
		<category><![CDATA[Rosetta@Home]]></category>
		<category><![CDATA[SETI@Home]]></category>
		<category><![CDATA[Virtualisation]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[World Community Grid]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=376</guid>
		<description><![CDATA[This article discusses the industry trend to move towards cloud computing services/infrastructure and the possible impact this may have (or have already had) on ongoing grid computing voluntary projects. We will first cover in brief definitions of cloud computing, virtualization and grid computing. Subsequently, we look at possible declines in grid computing processing being caused [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">This article discusses the industry trend to move towards cloud computing services/infrastructure and the possible impact this may have (or have already had) on ongoing grid computing voluntary projects. We will first cover in brief definitions of cloud computing, virtualization and grid computing. Subsequently, we look at possible declines in grid computing processing being caused by the efficiencies of moving to cloud services.</p>
<h3 style="text-align: justify;">What is Grid Computing?</h3>
<p style="text-align: justify;">Grid computing is a computer processing model which takes large computational tasks and splits them into smaller sub-tasks. These sub-tasks are then distributed across a network of computer processors, each doing a small part of the overall job. The sub-task results are then passed back to the central grid node for inclusion and correlation in the overall project results.</p>
<p style="text-align: justify;">One of the pioneer projects in the field of grid computing was the <a title="SETI@Home" href="http://setiathome.berkeley.edu/" target="_blank">SETI At Home</a> project initiated at Berkeley University in 1999. I was a participant in the project from 2000-2006 and recently returned to continue my contribution. The purpose of this project is to Search for Extra Terrestrial Intelligence (SETI). Radio-telescopes are used to monitor the vast amount of signals coming from space to seek out evidence of narrow-band signals which do not occur naturally in the universe. Analysing this vast amount of data is no small task and has been a core driver for the implementation of the grid computing project. The collected data is farmed out to millions of volunteer computers across the world, the data is crunched and then sent back to Berkeley once processed.</p>
<p style="text-align: center;"><a href="http://allprojectstats.com/showuser.php?id=679941"><img class="aligncenter" style="border: 0px;" src="http://allprojectstats.com/su679941h4--1-0.png" border="0" alt="" width="284" height="91" /></a></p>
<p style="text-align: left;">Since 1999, several more projects have appeared across the various fields of scientific study including cancer research, global warming, astronomy and many more. I recently joined (or rejoined) the following:</p>
<p><a href="http://setiathome.berkeley.edu/">SETI@Home</a> &#8211; Search for Extraterrestrial Intelligence<br />
<a href="http://boinc.bakerlab.org/rosetta/">Rosetta@Home</a> &#8211; Medical research (Protein, Cancer)<br />
<a href="http://www.worldcommunitygrid.org/">World Community Grid</a> &#8211; Medical research (Cancer, MS, AIDS), Environmental (Energy, Clean Water)</p>
<h3>What is Cloud Computing?</h3>
<p style="text-align: justify;">There are tonnes of websites and books out there that can explain this for you. In short, Cloud Computing is all about moving information services out of a traditional local processing model and out to a remote location. That remote location is usually the Internet; operation of the cloud is usually managed by a 3rd party provider and you will usually be sharing the infrastructure with other organisations and individuals. Sharing in this way yields many benefits. Here are just a few: it costs less, it makes maintenance someone else&#8217;s problem and it also allows you to scale as your requirements increase.</p>
<p style="text-align: center;"><img class="aligncenter" title="Cloud Computing" src="http://www.cloudkompute.com/images/Clouds.PNG" alt="" width="231" height="215" /></p>
<h3>Virtualization &#8211; Cloud Facilitator</h3>
<p style="text-align: justify;">The development and adoption of cloud services has been driven in no small part by advances in virtualization technologies. Virtualization has had a major impact on processor utilisation and efficiency. By allowing several virtual machines and operating systems to share the same hardware, processors which were previously hitting 10-20% use are now up to 90-95%. This yields significant benefits for organisations moving to a virtualized platform. It simply means that you can do more with less. Use of the hardware is optimized to a point where there is little free capacity.</p>
<p style="text-align: justify;">The granular control over hardware resources which virtualization provides has allowed Cloud providers to provision computing capability on demand. Amazon&#8217;s EC2 service is an example of this, where you can buy processing power by the hour.</p>
<h3 style="text-align: justify;">Cloud Versus Grid Computing</h3>
<p style="text-align: justify;">As migration to the cloud continues, processing power has and will continue to become a more tightly controlled commodity. In the pre-virtualization era, Grid projects would use idle processor cycles to complete their work. Although this would require additional energy in the form of electricity, this was minimal and the projects were simply making efficient use of the unused 80-90% of processing power. In the Cloud, this idle processing power is no longer widely available, as processor cycles can be provisioned on demand. If they are not used they are allocated elsewhere.</p>
<p style="text-align: justify;">Most grid computing applications are developed for the desktop. It is assumed that most volunteer nodes will be in homes, academic establishments and less so in offices. So the current mass virtualization of enterprise servers shouldn&#8217;t have had much of an impact so far. VDI (Virtual Desktop Infrastructure) initiatives may however be more damaging to the overall power available for volunteer grids. In addition to this, the longer term direction of centralisation of data and processing in the cloud, with dumber terminals for accessing services at the front will be severely detrimental.</p>
<h3 style="text-align: justify;">&#8220;Grid in The Cloud&#8221; &#8211; Way Forward For Achieving Grid Project Objectives</h3>
<p style="text-align: justify;">In addition to the cost and efficiency benefits of the Cloud, there are of course others including environmental and energy efficiency. More efficient use of hardware means less energy is required to run the infrastructure. This really then turns into a more philosophical discussion about achieving the volunteer project objectives, perhaps even a charity issue. The benefits of allocating processing power to the grid projects must be balanced with the energy cost in doing so.</p>
<p style="text-align: justify;">Either way, there should be choice. There should be some way of donating processing power in the cloud. Cloud providers could be thinking of how this would work. Cloud infrastructures are built to scale quickly and contract where required. This must mean that somewhere in there, there is idle CPU time, and even at its most efficient level of operation, there is probably still a vast amount in comparison to our desktops. This could be used to help drive at least a percentage of the projects.</p>
<p style="text-align: justify;">I&#8217;ll monitor the grid projects with interest to see how this evolves. If anyone knows of any &#8220;Grid in The Cloud&#8221; initiatives, please send me info.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2011/04/cloud-computingvirtualization-vs-grid-computing-projects/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>War On Procrastination &#8211; Angry Birds Must Die</title>
		<link>http://www.infosecandbeyond.com/2011/04/war-on-procrastination-angry-birds-must-die/</link>
		<comments>http://www.infosecandbeyond.com/2011/04/war-on-procrastination-angry-birds-must-die/#comments</comments>
		<pubDate>Sat, 02 Apr 2011 00:27:57 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=367</guid>
		<description><![CDATA[So, I was sat in on Friday evening minding the kids, when I thought.. Hey, I&#8217;ll have a crack at the next level on that well known mobile game, Angry Birds. An hour passes and I&#8217;m still happily launching through levels, getting 3 stars where I can and pre-emptively restarting levels where defeat is certain. I&#8217;m [...]]]></description>
			<content:encoded><![CDATA[<p>So, I was sat in on Friday evening minding the kids, when I thought.. Hey, I&#8217;ll have a crack at the next level on that well known mobile game, Angry Birds.</p>
<div class="wp-caption aligncenter" style="width: 470px"><img title="Angry Birds" src="http://i.telegraph.co.uk/multimedia/archive/01769/angry-birds_1769742c.jpg" alt="" width="460" height="288" /><p class="wp-caption-text">The enemy of progress.</p></div>
<p style="text-align: justify;">An hour passes and I&#8217;m still happily launching through levels, getting 3 stars where I can and pre-emptively restarting levels where defeat is certain. I&#8217;m then on to two hours of playing, still happy to squash as many pigs as is possible. After a while, it occurs to me that I&#8217;ve just done this for most of my evening. In fact, in addition to this evening,  I&#8217;d probably lost 7-8 hrs to it over the whole week.</p>
<p style="text-align: justify;">It&#8217;s easy to get caught up in this simple but addictive game playing, but unfortunately, there&#8217;s little to no value in doing it. In 2 years time, am I really going to care how many levels I managed to get 3-stars in? In 5 years, am I even going to remember the game at all? Probably not.</p>
<p style="text-align: justify;">Sometimes you need a gentle shove to look at how you&#8217;re spending your time, so I thought I&#8217;d stick my old film director&#8217;s hat on and launch the &#8220;war on procrastination&#8221;. A few hours later and I actually feel like I&#8217;ve achieved something. If you&#8217;re currently slinging angry birds at rogue pigs, or for that matter playing any other useless game, take a moment to think about what you could be doing instead. Do something epic, do something worthwhile, aim high and think big.</p>
<p style="text-align: center;"><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="480" height="390" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/v/ixu9D4Qt7wM?fs=1&amp;hl=en_GB&amp;rel=0" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="480" height="390" src="http://www.youtube.com/v/ixu9D4Qt7wM?fs=1&amp;hl=en_GB&amp;rel=0" allowfullscreen="true" allowscriptaccess="always"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2011/04/war-on-procrastination-angry-birds-must-die/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ever Tried To Remember Every Technology You&#8217;ve Ever Experienced?</title>
		<link>http://www.infosecandbeyond.com/2011/03/ever-tried-to-remember-every-technology-youve-ever-experienced/</link>
		<comments>http://www.infosecandbeyond.com/2011/03/ever-tried-to-remember-every-technology-youve-ever-experienced/#comments</comments>
		<pubDate>Tue, 15 Mar 2011 21:48:04 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[General IT]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=326</guid>
		<description><![CDATA[I recently had a chat with a fellow IT professional which led to some reminiscing over some products, platforms and technologies of the past.  This led to exactly this question, have you ever tried to remember every computer technology you&#8217;ve ever experienced?  After working with computers both professionally and outside of work for almost 30 [...]]]></description>
			<content:encoded><![CDATA[<p>I recently had a chat with a fellow IT professional which led to some reminiscing over some products, platforms and technologies of the past.  This led to exactly this question, have you ever tried to remember every computer technology you&#8217;ve ever experienced?  After working with computers both professionally and outside of work for almost 30 years, the difficulty of the task is both challenging and compelling.</p>
<p>With some common sense ground rules like: you can&#8217;t include every dishwasher with a microprocessor you&#8217;ve ever used, I spent an hour to see what I could remember. The list is by no means a statement of expertise for each item, but experience does go beyond having read about it on wikipedia.</p>
<p>Here was the result:</p>
<h4>Industries:</h4>
<p>Secure Email<br />
Military Messaging<br />
Networking<br />
Telco<br />
Directory<br />
Network Management<br />
Information Security<br />
CRM and Billing<br />
Payroll<br />
Virtualisation<br />
Web Development</p>
<h4>Hardware Platforms:</h4>
<p>Sharp Electronic<br />
ZX81<br />
BBC Micro<br />
Dragon 16/32bit<br />
Commodore 64<br />
Sinclair Spectrum 48/128<br />
Atari 800XL<br />
Atari 800XE<br />
Atari ST/STE<br />
Atari ST Falcon<br />
PC x86<br />
PC x64</p>
<h4>Operating Systems:</h4>
<p>Windows Server 2003/2008<br />
Windows 3.51/NT/2000/XP/Vista/7<br />
Linux (RedHat, Fedora, Ubuntu)<br />
Unix(HP-UX, Solaris)<br />
Cisco IOS<br />
Riverbed &#8211; RiOS (Riverbed)<br />
Atari &#8211; TOS/GEM<br />
MS-DOS</p>
<h4>Products:</h4>
<p><span style="text-decoration: underline;">Email and Collaboration</span>:<br />
Microsoft Office 95/98/XP/2003/2007/2010<br />
Microsoft Exchange 5.5/2003/2007/2010<br />
Microsoft SharePoint<br />
Microsoft LiveMeeting 2007<br />
Lotus CC:Mail<br />
Lotus Notes<br />
Lotus Domino 7.x/8.x<br />
Mercury Mail Server<br />
Pegasus Mail<br />
MailEnable Mailserver<br />
Isode &#8211; M-Switch/M-Store<br />
DeepSecure &#8211; Mail Protocol Guard<br />
Commpower &#8211; TREX Profiler<br />
Clearswift &#8211; Mimesweeper<br />
Boldon James &#8211; SAFEmail<br />
Boldon James &#8211; Enterprise Mail<br />
Boldon James &#8211; X.400 Bridgehead for Exchange 2007/2010<br />
Boldon James &#8211; Email/Office Classifier<br />
Icecomm &#8211; TurboPrep<br />
JBM Management &#8211; Common Message Processor (CMP)<br />
Systematic &#8211; Iris Forms<br />
Wingra &#8211; Netjunction &#8211; Email Gateway<br />
Outlook Spy<br />
Isocor/Critical Path &#8211; ISOPLex/Nplex/inScribe MTA<br />
Qinetiq &#8211; Sybard Guard</p>
<p><span style="text-decoration: underline;">Virtualisation</span>:<br />
VMware (Workstation, Server, ESX/i)<br />
Hyper-V<br />
Terminal Services</p>
<p><span style="text-decoration: underline;">Directory</span>:<br />
Active Directory 2003/2008<br />
ADAM/Active Directory Lightweight Directory Services<br />
Maxware<br />
Isode &#8211; M-Vault (X.500)<br />
Boldon James &#8211; Enterprise Address Book (Formerly Masterkey+ LDAP client)</p>
<p><span style="text-decoration: underline;">Web Technologies</span>:<br />
IIS Webserver<br />
Apache WebServer<br />
Web Position Pro<br />
Mambo &#8211; CMS<br />
Drupal &#8211; CMS<br />
Wordpress &#8211; Blog<br />
Cpanel<br />
DreamWeaver MX<br />
FlashStudio MX</p>
<p><span style="text-decoration: underline;">Telco</span>:<br />
Protek &#8211; Customer Care and Billing<br />
Protek &#8211; Network Management<br />
Protek &#8211; Service Provisioning<br />
Cerebrus &#8211; Fraud Management</p>
<p><span style="text-decoration: underline;">Database</span>:<br />
MySQL<br />
Oracle DB (8, 9, 9i)<br />
ObjectStore Database<br />
Microsoft Access</p>
<p><span style="text-decoration: underline;">Security Products</span>:<br />
Entrust PKI<br />
Baltimore PKI<br />
World Secure Server &#8211; World Talk<br />
Brutus AE2<br />
Aircrack<br />
Cain &amp; Abel</p>
<p><span style="text-decoration: underline;">Networking</span>:<br />
Riverbed &#8211; Virtual Steelhead<br />
GFI Lan Scanner<br />
Nmap<br />
Wireshark/Ethereal<br />
ExtraPutty<br />
Graphical Network Simulator<br />
FileZilla<br />
LeechFTP</p>
<p><span style="text-decoration: underline;">Graphics</span>:<br />
CamStudio<br />
Adobe Photoshop<br />
Paintshop Pro<br />
Camtasia<br />
3D Studio Max (R2,R3,R4)<br />
Poser(v4)<br />
Adobe Premiere (1.5, 2.0)<br />
Windows Movie Maker</p>
<h4>Programming Environments:</h4>
<p>MS Visual Studio<br />
Eclipse IDE<br />
Aptana Studio<br />
Borland Delphi<br />
Notepad++</p>
<h4>Languages:</h4>
<p>BASIC<br />
PASCAL<br />
STOS BASIC<br />
C# (Sharp)<br />
Java<br />
C<br />
C++<br />
Javascript/AJAX<br />
PHP<br />
Zend Framework<br />
Shell Scripting<br />
Windows PowerShell<br />
.NET Framework<br />
SQL<br />
PL/SQL<br />
HTML<br />
XML<br />
CSS</p>
<h4>Protocols/Standards:</h4>
<p><span style="text-decoration: underline;">Network</span>:<br />
OSI Model<br />
TCP<br />
IP<br />
IPX/SPX<br />
UDP<br />
TELNET/SSH<br />
FTP<br />
STANAG5066<br />
SNMP<br />
CIFS<br />
DHCP<br />
DNS<br />
ARP<br />
HTTP/S<br />
SSL/SASL<br />
802.x<br />
ICA<br />
RDP<br />
RIP<br />
OSPF<br />
IPSec<br />
PPTP<br />
L2TP<br />
SPTP</p>
<p><span style="text-decoration: underline;">Telco</span>:<br />
PDH<br />
SDH<br />
Frame Relay<br />
ATM<br />
TMN<br />
MPLS<br />
GSM<br />
GPRS<br />
3G/UMTS<br />
eTOM<br />
SS7</p>
<p><span style="text-decoration: underline;">Email/Messaging</span>:<br />
ACP142/P_MUL<br />
SMTP<br />
X.400<br />
MAPI<br />
STANAG4406<br />
ACP123<br />
ACP127<br />
CMS<br />
XMPP<br />
SIP<br />
SMIME<br />
IMAP<br />
POP3</p>
<p><span style="text-decoration: underline;">Directory</span>:<br />
LDAP<br />
ACP133<br />
X.509<br />
X.500<br />
DISP</p>
<p><span style="text-decoration: underline;">Security</span>:<br />
Public Key Infrastructure(PKI)<br />
Kerberos<br />
WEP<br />
WPA/2<br />
AES<br />
DES<br />
RSA<br />
Diffie-Hellman<br />
ISO27001</p>
<p>How many can you remember? Post me a link to your list.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2011/03/ever-tried-to-remember-every-technology-youve-ever-experienced/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>My X-Mas Project: Creating a PHP Screen Scraper</title>
		<link>http://www.infosecandbeyond.com/2011/02/my-x-mas-project-making-a-http-bot-in-php-screenscaper-tastic/</link>
		<comments>http://www.infosecandbeyond.com/2011/02/my-x-mas-project-making-a-http-bot-in-php-screenscaper-tastic/#comments</comments>
		<pubDate>Wed, 16 Feb 2011 23:16:27 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Web Development]]></category>
		<category><![CDATA[HTTP]]></category>
		<category><![CDATA[PHP]]></category>
		<category><![CDATA[Protocol Analysis]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=283</guid>
		<description><![CDATA[So, I guess when most people get a 3 week holiday break from work, the first thing they do is try to get away from the laptop.. where is the fun in that I ask you?   This x-mas I took a small trip around the world of PHP and took the opportunity to write some enhancements [...]]]></description>
			<content:encoded><![CDATA[<p>So, I guess when most people get a 3 week holiday break from work, the first thing they do is try to get away from the laptop.. where is the fun in that I ask you?  </p>
<p>This x-mas I took a small trip around the world of PHP and took the opportunity to write some enhancements for my better half&#8217;s online retail website.  PHP is very C-like in its syntax, but one of the easier languages to get around if you&#8217;re not working with code on a day-to-day basis.  </p>
<p>In my 3 weeks, I essentially wrote a plug-in to the aforementioned website which automatically logs in to other websites and intelligently processes the pages of tabular data behind the authenticated curtain. It then takes this tabular data and squirts it out into an XML file, which is then used for some reporting.  </p>
<p>If you are looking to understand a bit about how screen-scraping works, or how to mimic interactive HTTP requests to a web server, this blog may be useful for you.  </p>
<p>OK, let&#8217;s crack on.  </p>
<p><span id="more-283"></span>Just like the A-Team trapped in some garage, in just about every episode I can remember, we need tools. Never did understand why the bad guys always stuck them somewhere where they could practically build an F16 fighter plane out of what was there, but I suppose that was part of the magic.  </p>
<p>What you will need in your toolbox:  </p>
<ul>
<li>A LAMP, WAMP or XAMPP (e.g. <a href="http://www.apachefriends.org">www.apachefriends.org</a>) web development environment.</li>
<li>The following PHP extensions enabled: cURL and HTMLTidy.</li>
<li>A target website.</li>
<li>An account at the target website that you need to log in to, to be served up with your tabular data.</li>
<li>A copy of a protocol analyzer or other similar packet sniffer (I&#8217;m using Wireshark &#8211; <a href="http://www.wireshark.org">www.wireshark.org</a>)</li>
<li>Peace, quiet, patience and determination.</li>
</ul>
<p>Our process is going to run a little bit like this:  </p>
<ol>
<li>Learn the behaviour of the target website.</li>
<li>Use cURL to mimic the client side behaviour of the site.</li>
<li>Sanitize the tabular data into a nice HTML table.</li>
<li>Access the HTML as if it was an XML object.</li>
</ol>
<h3><span style="text-decoration: underline;">1: First Up: Learning about the target</span></h3>
<p>Websites are simple beasts, and so is the HTTP protocol which is used to facilitate communication between web-server and web-browser.  When you click a button on a web page, this is usually associated with some kind of request. You are effectively making the web-browser ask the web-server to do something. The website receives this request, decides what to do with it and then sends a response back. The response usually comes in the form of another web-page.  </p>
<p>The question is: how do we actually know what the browser and website are saying to each other behind the scenes? The great thing about HTTP is that the requests are text based, so if you know what you are looking for it&#8217;s relatively easy to understand the communication between the two. This is where our first tool comes in: Wireshark, our protocol analyser.  </p>
<p>Wireshark&#8217;s pretty easy to install (click next, click next, etc) and you should do this on the same machine as your web-browser.  Wireshark is going to capture the network data from our network card as it is generated by the browser.  The intricacies of Wireshark are out of the scope of this blog. In short, you want to select your network interface and start capture here:<a href="http://www.infosecandbeyond.com/wp-content/uploads/2011/02/wshark_home.jpg"><img class="aligncenter size-medium wp-image-293" title="wshark_home" src="http://www.infosecandbeyond.com/wp-content/uploads/2011/02/wshark_home-251x300.jpg" alt="" width="251" height="300" /></a>  </p>
<p>Seconds after clicking start capture, you will be redirected to the capture screen and most likely start getting inundated with masses of what we call &#8220;network crap&#8221;:  </p>
<div id="attachment_295" class="wp-caption aligncenter" style="width: 510px"><a title="Click to Enlarge" href="http://www.infosecandbeyond.com/wp-content/uploads/2011/02/wshark_1.jpg" target="_blank"><img class="size-medium wp-image-295" title="Network Crap" src="http://www.infosecandbeyond.com/wp-content/uploads/2011/02/wshark_1-300x96.jpg" alt="" width="500" height="160" /></a><p class="wp-caption-text">Click to Enlarge</p></div>
<p>To ensure we only see what we are looking for, in the filter box next to &#8220;Filter:&#8221; type &#8220;http&#8221;. This will filter out anything other than HTTP, so we are good to go.  </p>
<p>Open up a browser of your choice (IE, Firefox, Chrome, whatever) and head over to your target site.  You should start to see HTTP packets bouncing back and forth. Drill down into some of these and see if you can see what&#8217;s happening down there.  As I said earlier, HTTP is pretty simple so you should get a picture of what requests and responses are sent and received with each action you perform.  </p>
<p>You now need to start to build the steps that your HTTP bot will go through to get to the data you want to extract from the site. Ask yourself these questions.. Would you go to the home page of the site on any visit? Is the log-in form there, do you need to go to another page to log in? What happens when you log in? Are you redirected to another page? Like a home page? Is that where your data is, or do you have to perform a search or navigate some links to get to it?  </p>
<p>Build up a list of the steps you, as a person, go through to get to the data. Your bot is going to use this same list of steps. As you go through each step, make sure you record what Wireshark is telling you. You are going to use cURL to mimic these requests later.  </p>
<h3><span style="text-decoration: underline;">2: Time to get cURL to do the work for us</span></h3>
<p>We now know much more about our target than we did before, and we&#8217;re ready to start a bit of coding.   </p>
<p>cURL works with a simple 3-step process:  </p>
<ol>
<li>We initialize a handle for our cURL session.</li>
<li>We set a bunch of options on the request (e.g. URL we are connecting to).</li>
<li>We execute the request and receive the results, either directly to the screen or we can pipe to a variable.</li>
</ol>
<p>Here&#8217;s a simple block of code which will go to <a href="http://www.google.com">www.google.com</a>, put the results in a variable and then print that variable to screen:  </p>
<blockquote><p>$ch = curl_init(); // Initialize cURL handle<br />
curl_setopt($ch, CURLOPT_URL, "http://www.google.com"); // Set cURL options<br />
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // return the page as a string instead of printing it straight out<br />
$contents = curl_exec($ch);  // retrieve Google home page to initialise a session<br />
echo $contents; // print the contents in the web-browser. </p></blockquote>
<p>Congrats: if you put this in a .php script and run it in your browser, you have just made a simple but functional bot. At this stage we haven&#8217;t closed the session with curl_close(), so if we reset the options with curl_setopt() and execute the handle again, we will get the next page we request. It&#8217;s as if a user is at the browser clicking away in the same session.</p>
<p>cURL has a vast array of setopt options. It even supports HTTPS. I&#8217;d recommend browsing through these at: <a href="http://www.php.net/manual/en/function.curl-setopt.php">http://www.php.net/manual/en/function.curl-setopt.php</a> </p>
<p>cURL does support HTTP authentication, but most sites use application-based auth. This means you usually put a username and password into a form on a web page, then click submit to send a POST request to the server. cURL can replicate all of this. </p>
<p>It is actually possible to find some details on what the form will send to the server, by right clicking the page containing the form in your browser and selecting &#8220;view page source&#8221;. You can record the names of the username and password fields and ensure you use these in your cURL POST request. </p>
<p>You may be asking at this stage, if you can view the fields sent to authenticate why use Wireshark? Well, some websites like to put extra checks on requests they receive to try to beef up security. For websites like these, you may want to include cURL options such as CURLOPT_USERAGENT and also CURLOPT_REFERER. These can help convince the site that you&#8217;re not a nasty bot trying to do nasty things. </p>
<p>We have to work through each step of our reconstructed navigation of the site here. You can add each navigation stage, then run it with output to the screen, and hopefully you will eventually get through to the page that holds the data. </p>
<h3><span style="text-decoration: underline;">3: Sanitizing our table data </span></h3>
<p>Ok, so now we have our html page that holds our table of data in a variable. How do we get at the data? </p>
<p>Well, unfortunately an HTML page will never come as just the table; there will always be some kind of header and footer formatting.  At this stage we have to use our &#8220;view page source&#8221; tool again and find some kind of unique text string in the HTML that identifies the start and end of the table. Once we have this we can run a simple function to trim around the table.  In the words of any well-known TV chef, &#8220;here is one I prepared earlier..&#8221;:</p>
<blockquote><p>function trim_page($page,$headertxt,$footertxt)<br />
{<br />
// Trim header and start of page information.<br />
$trimfind=$headertxt;<br />
$trimpos=strpos($page,$trimfind);<br />
if ($trimpos === false) return false; // header marker not found: fail rather than returning the whole page</p>
<p>$trimmedpage = substr($page,$trimpos+strlen($trimfind));</p>
<p>// Trim footer and end of page information.<br />
$trimfind=$footertxt;<br />
$trimpos=strpos($trimmedpage,$trimfind);<br />
if ($trimpos === false) return false; // footer marker not found</p>
<p>$trimmedpage = substr($trimmedpage,0,$trimpos);</p>
<p>return $trimmedpage;<br />
}</p></blockquote>
<p>Hey presto, we have a table.</p>
<h3><span style="text-decoration: underline;">4: Accessing the data in our table, as though it was XML</span></h3>
<p>So, how do we turn our HTML table into XML.. hmmm, tricky. Well not really tricky at all, as HTML is already in XML format. So all we really need to do is make sure that the HTML table is well-formed XML. Then we can get at the data.</p>
<p>To do this we use HTMLTidy. Another simple function does it:</p>
<blockquote><p>function tidy_page($page)<br />
{<br />
// Ask Tidy for XHTML output, so the result is well-formed XML rather than just cleaner HTML.<br />
$config = array('output-xhtml' =&gt; true);<br />
$tidy = tidy_parse_string($page, $config, 'utf8');<br />
tidy_clean_repair($tidy);<br />
$tidiedpage = tidy_get_output($tidy);</p>
<p>return $tidiedpage;<br />
}</p></blockquote>
<p>We now have a well-formed XML document which contains our table data, which we can use with standard PHP XML manipulation tools such as DOM and SimpleXML.</p>
<p>For my purposes I loaded my XML into a DOM document like this:</p>
<blockquote><p>$doc = new DOMDocument();<br />
$doc-&gt;strictErrorChecking = FALSE;<br />
$doc-&gt;loadHTML($html);</p></blockquote>
<p>Then converted from DOM to SimpleXML like this:</p>
<blockquote><p>$xml= simplexml_import_dom($doc);</p></blockquote>
<p>I then used an XPath query to load the &lt;tr&gt; table rows into a SimpleXMLElement object:</p>
<blockquote><p>$trowsxml = $xml-&gt;xpath("body/table/tr");</p></blockquote>
<p>And just like magic I now have a SimpleXML object from which I can access each row and column of the table, just as though it was an array.</p>
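<p>Putting the four steps together, here is an added end-to-end example written for this post; it is not the original plug-in and not code from the post above. The host, login URL, form field names, environment variable names and the two table marker strings are constructed placeholders that you replace with whatever Wireshark and &#8220;view page source&#8221; showed you for your own site; it assumes the cURL and Tidy extensions from the toolbox.</p>

```php
<?php
// Added example, not the original plug-in: log in to a site, fetch the page holding the table,
// trim and tidy the table, and read its rows through SimpleXML/XPath.
// Every URL, form field name, env var and marker string below is a constructed placeholder.

// Run one request inside an existing cURL session and return the response body.
// POST when $post_fields is given, GET otherwise.
function fetch_page($ch, $url, $post_fields = null, $referer = null)
{
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  // return the body instead of printing it
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);  // follow the redirect most sites send after login
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);           // do not hang forever on a slow server
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);  // keep certificate checking on for https targets
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_REFERER, $referer === null ? '' : $referer);
    if ($post_fields !== null) {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_fields)); // URL-encodes the form
    } else {
        curl_setopt($ch, CURLOPT_HTTPGET, true);     // switch the handle back to GET after a POST
    }
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('cURL error: ' . curl_error($ch));
    }
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($status >= 400) {
        throw new RuntimeException("HTTP $status from $url");
    }
    return $body;
}

// Steps 3 and 4: cut the table out between two unique marker strings, tidy it into XHTML,
// and return the rows as arrays of cell text. A missing marker fails loudly, which is usually
// the first sign that the login did not actually succeed and a different page came back.
function table_rows($html, $headertxt, $footertxt)
{
    $start = strpos($html, $headertxt);
    if ($start === false) {
        throw new RuntimeException('header marker not found');
    }
    $start += strlen($headertxt);
    $end = strpos($html, $footertxt, $start);
    if ($end === false) {
        throw new RuntimeException('footer marker not found');
    }
    $fragment = substr($html, $start, $end - $start);

    $tidy = tidy_parse_string($fragment, array('output-xhtml' => true), 'utf8');
    tidy_clean_repair($tidy);
    $xhtml = tidy_get_output($tidy);

    libxml_use_internal_errors(true);                // keep parser warnings out of our output
    $doc = new DOMDocument();
    $doc->loadHTML($xhtml);
    $xml = simplexml_import_dom($doc);

    $rows = array();
    foreach ($xml->xpath('//table[1]//tr') as $tr) {
        $cells = array();
        foreach ($tr->xpath('td|th') as $cell) {
            // textContent also collects text nested inside <b>, <a> etc., which a plain string cast would miss
            $cells[] = trim(dom_import_simplexml($cell)->textContent);
        }
        $rows[] = $cells;
    }
    return $rows;
}

// Steps 1 and 2 as one session: one handle, one cookie jar, credentials taken from the environment
// rather than hard-coded in the script.
$cookie_jar = tempnam(sys_get_temp_dir(), 'bot');
$ch = curl_init();
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_jar);   // save cookies the site sets ...
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_jar);  // ... and send them back on every later request
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; price-report-bot)');

fetch_page($ch, 'https://example.com/login');       // get the login form and the session cookie
fetch_page($ch, 'https://example.com/login',        // POST the form; field names come from page source
    array('username' => getenv('SCRAPER_USER'), 'password' => getenv('SCRAPER_PASS')),
    'https://example.com/login');
$page = fetch_page($ch, 'https://example.com/reports/prices');  // navigate to the page with the table
curl_close($ch);
unlink($cookie_jar);

// Squirt the rows out as XML, ready for reporting.
$rows = table_rows($page, '<!-- price table -->', '<!-- end price table -->');
$out = new SimpleXMLElement('<rows/>');
foreach ($rows as $r) {
    $row = $out->addChild('row');
    foreach ($r as $i => $c) {
        $row->addChild('col' . $i, htmlspecialchars($c));  // addChild does not escape & and < itself
    }
}
echo $out->asXML();
```

<p>The cookie jar is what actually ties the login POST and the later GET into one server-side session, and certificate verification stays switched on so an https target cannot be silently swapped for another host.</p>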
<p>Where you take the data from here is up to you.  Using cURL and Wireshark can be a powerful combination of tools. This is a very basic example of what can be done, my plug-in also included some logic to navigate multiple pages with a table on each, plus an additional function to aggregate the lot at the end.  Automating the retrieval of data from the web like this could potentially save you hours of manual scanning, screen by screen. If you are checking tabular data, whether that be sports scores or perhaps supplier price-lists, spending a little effort on creating some scripts like this could save you a lot of time.</p>
<p>Disclaimer: Screen-scraping may be against the acceptable use policy of your target website. It could get you banned, blocked or even legal action could be taken.  If this is the case, you should not attempt to retrieve data in this way. This blog is for information only and should you end up in court, I will be there with you&#8230; Not sharing liability, just saying &#8220;I told you so&#8221;.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2011/02/my-x-mas-project-making-a-http-bot-in-php-screenscaper-tastic/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Command Email Whitepaper &#8211; A New Military Message</title>
		<link>http://www.infosecandbeyond.com/2010/10/command-email-whitepaper-a-new-military-message/</link>
		<comments>http://www.infosecandbeyond.com/2010/10/command-email-whitepaper-a-new-military-message/#comments</comments>
		<pubDate>Fri, 08 Oct 2010 10:32:57 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[ACP123]]></category>
		<category><![CDATA[Command Email]]></category>
		<category><![CDATA[Military Message Handling Systems]]></category>
		<category><![CDATA[Military Messaging]]></category>
		<category><![CDATA[MMHS]]></category>
		<category><![CDATA[Secure Messaging]]></category>
		<category><![CDATA[STANAG4406]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=264</guid>
		<description><![CDATA[It&#8217;s been a few months since my last blog. As always work commitments come first and it&#8217;s been a bumper couple of months.  I&#8217;ve been studying the military messaging environment and how it is evolving and summarized my findings in this whitepaper.  The main thrust is that organisations should be considering moving away from traditional [...]]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s been a few months since my last blog. As always work commitments come first and it&#8217;s been a bumper couple of months.  I&#8217;ve been studying the military messaging environment and how it is evolving and summarized my findings in this whitepaper.  The main thrust is that organisations should be considering moving away from traditional Military Message Handling Systems (MMHS) approaches in favour of lighter, simpler, COTS based, modular and more cost-effective solutions.</p>
<p>You can download the pdf here:</p>
<p><a href="http://www.infosecandbeyond.com/wp-content/uploads/2010/10/Command_Email_Whitepaper.pdf" target="_blank">Command Email &#8211; A New Military Message</a></p>
<p>Or read on:</p>
<table cellspacing="0" cellpadding="0" width="100%">
<tbody>
<tr>
<td>
<p style="text-align: center;">“The secret of war lies in the communications”</p>
<p style="text-align: center;">Napoleon Bonaparte</p>
</td>
</tr>
</tbody>
</table>
<table cellspacing="0" cellpadding="0" width="100%">
<tbody>
<tr>
<td>The ability to communicate effectively and without ambiguity has been, and continues to be, instrumental to the success of military organisations across the world.  Throughout history military organisations have pushed the boundaries of communication. Military messaging has evolved from smoke signals, to written letters, to telegraphs, to radio, to email and to unified communications today. Sending messages between organisations, units, roles and individuals is paramount to the success of both peace and war time operations. Military information needs to be exchanged in a secure, time-sensitive and standardised manner.  This is often done in environments where connections may be intermittent or of low capacity.  As messaging technologies rapidly evolve, the systems implemented must keep pace and retain the ability to upgrade easily and in short timeframes.  The key challenge for most organisations today is to ensure that these core criteria are met, without over-complicating messaging solutions to the point that they cannot be effectively implemented, maintained or used.  This whitepaper discusses the current military messaging environment, how it has evolved to today and the challenges surrounding the technologies. It will then go on to detail an alternative approach to these challenges which we call ‘Command Email’.</td>
</tr>
</tbody>
</table>
<h2>Introduction</h2>
<h3>The Legacy &#8211; Military Message Handling Systems (MMHS) &#8211; Implementing Yesterday&#8217;s Technology Tomorrow</h3>
<p>Traditional MMHS approaches can be summed up as complicated, expensive and fraught with risk.</p>
<p>In past decades, military organisations <span id="more-264"></span>have looked to international standards for guidance on what they should and should not be implementing as messaging capabilities. The STANAG4406 (Standard NATO Agreement) standard from NATO and the ACP123 (Allied Communication Publication) standard from the Combined Communications Electronics Board (CCEB), provide a great depth of information in this area.  These standards aim to specify a base level of capability for military messaging solutions and also to facilitate interoperability between organisations by providing standardised messaging formats and transport mechanisms.</p>
<p>A key problem here is that these international standards take a long time to develop, agree and ratify.  For instance, although updated in the last decade, STANAG4406 was created 20 years ago, a lifetime in the field of Information Technology.  This lengthy process fosters a gap between the standard&#8217;s technologies and the modern technologies that fulfil real operational requirements today.  Assumptions which were correct 20 years ago are no longer valid today.  In addition to this, the standards address functionality at such a granular level that providing such a messaging capability requires the inclusion of a significant amount of components, often with several different vendors being integrated into a wider system.</p>
<div id="attachment_272" class="wp-caption aligncenter" style="width: 510px"><a href="http://www.infosecandbeyond.com/wp-content/uploads/2010/10/Command-Email-Overview-Diagram-MMHS-system.jpg"><img class="size-medium wp-image-272 " title="The complexity of a typical MMHS" src="http://www.infosecandbeyond.com/wp-content/uploads/2010/10/Command-Email-Overview-Diagram-MMHS-system-300x205.jpg" alt="" width="500" height="320" /></a><p class="wp-caption-text">The complexity of a typical MMHS</p></div>
<p>These MMHS systems can evolve into proprietary and complex beasts. They are not only difficult to deploy, but once in place, become a nightmare to administrate and costly to maintain. The inherent complexity introduces risks which often push projects over budget, even after the detailed and extensive procurement process which is required to purchase such systems.  It&#8217;s a long, expensive and complex process, the result of which is that, if an organisation is lucky, it will be in a position to switch the thing on. Once switched on, it&#8217;s already obsolete and they are stuck with it.  Ongoing maintenance costs are considerable and generally increase as the technology becomes more and more obsolete.  Something clearly needs to change.</p>
<h2>Command Email &#8211; A Modern Approach to a Modern Requirement</h2>
<p>A modern military messaging system should be built on a solid but dynamic platform of technologies. It should primarily be based on today&#8217;s widely-adopted interchange mechanisms and formats. Proprietary systems and custom-built technologies are not dynamic; it is difficult and costly to keep them up-to-date. This level of flexibility can only be achieved by a widely-deployed and mature Commercial off the Shelf (COTS) based platform.  In addition to this, experience shows that simple solutions deliver results. Complexity should be stripped out in favour of delivering only the minimum functionality required by each user as they need it. Modularity (or plug and play capability) in the overall solution is key to achieving this simplicity. Systems should also provide interoperability with international standards.  This is the focus of Command Email.</p>
<p>Command Email is based on:</p>
<ul>
<li>Simplicity</li>
<li>COTS Products</li>
<li>Modern Technology: SMTP/XML</li>
<li>Modularity</li>
<li>Interoperability</li>
</ul>
<h3>Simplicity</h3>
<p>Some MMHS purists maintain that a complex requirement demands a complex solution. If this is true, then the definition of the requirement needs to change. Solutions need to be achievable and the simplest solution to any problem is usually the most effective.    When we refer to simplicity, this should not only be applied to the user experience, but also to the design, implementation and administration of the system.  Simple systems deliver results in shorter timescales and at lower cost.</p>
<p><span style="text-decoration: underline;">Functional Requirements:</span><br />
Keeping the solution simple starts with defining system requirements. When defining the requirements of a system, it is all too easy to get sidetracked into pursuing what is possible, instead of what is actually needed.  When assessing a list of requirements, each should pass a ‘Need Test’.  Although some features may look exciting, the following question should always be asked and answered with honesty: ‘Do I 100%, without ambiguity, need this functionality?’  While many things are possible, more often than not, the list of ‘must haves’ can be reduced to a level which will provide the functionality required to fulfil the day-to-day operational needs of the system.  For most organisations, these must-haves can be loosely summarised as follows:</p>
<ul>
<li>Messaging services: the ability to create, apply additional attributes to, guarantee delivery of, send, receive, route and store messages</li>
<li>Classifying and labelling information/messages</li>
<li>Access control: based on classification, role, project, etc.</li>
<li>Enhanced security: digital signatures and encryption</li>
<li>Interoperability with partners</li>
</ul>
<p><span style="text-decoration: underline;">System Architectures:</span></p>
<p>Once the list of requirements has been established, the technologies, products and components of the solution need to be identified, selected and integrated.  In legacy MMHS approaches, the list of proprietary products and components can quickly become unwieldy.  Incorporating 50 components from 20 vendors, all specialising in proprietary technologies, will make projects bumpy, drawn-out and expensive.</p>
<p>The reality is that a COTS-based solution with minor extensions will provide what is needed at a fraction of the cost and complexity. Using this approach still enables organisations to retain interoperability by addressing this at the border, but removes the headaches of design and integration.</p>
<div id="attachment_273" class="wp-caption aligncenter" style="width: 510px"><a href="http://www.infosecandbeyond.com/wp-content/uploads/2010/10/Command-Email-Overview-Diagram-CE-system.jpg"><img class="size-medium wp-image-273 " title="Command Email" src="http://www.infosecandbeyond.com/wp-content/uploads/2010/10/Command-Email-Overview-Diagram-CE-system-300x192.jpg" alt="" width="500" height="320" /></a><p class="wp-caption-text">Command Email</p></div>
<p><span style="text-decoration: underline;">User Experience:</span></p>
<p>Some legacy systems based on international standards allow users to add up to 40 additional attributes and pieces of information to a military message.  It is difficult to imagine an environment where a user would want to use all 40 different fields, dropdowns and check boxes in a message. They don&#8217;t exist.  In reality, all that is required is a few additions to what is provided by a standard email client.  Only those should be available and visible to the user.   If a user has used standard email before, it is a simple step for them to start military messaging.</p>
<h3>Commercial Off The Shelf (COTS) products</h3>
<p>How many attempts did the inventor of the wheel take to produce something that was round, could be attached to a vehicle of some kind and would rotate to allow movement? Why go to that trouble all over again? If someone already has the wheel, we only need a few additions to use it to fulfil our needs. A new surface may give it more traction and a hub cap might provide some protection. Building a military messaging solution from COTS components avoids reinventing the wheel.</p>
<p>Using COTS products provides a long list of important and tangible benefits. Here are a few to consider:</p>
<ul>
<li>Robust: Widely deployed and tested</li>
<li>Scalable: Often proved in large environments</li>
<li>Flexible: Designed to adapt to ever-changing markets</li>
<li>Reliable: Guaranteeing messages are processed and delivered based on priority</li>
<li>Cost effective: Broad customer base provides economies of scale</li>
<li>Less Training Required: Users are often familiar with the products from non-military use. Administrator skills are transferable into and out of the military</li>
<li>Up-To-Date: Follow latest trends and implement latest technologies quickly</li>
<li>   Extensive support: Bugs fixed and issues resolved quickly</li>
</ul>
<p>Proprietary and custom-developed solutions simply cannot provide these same benefits. They are difficult to shoehorn into an infrastructure and even more difficult to get out, once in place.  COTS solutions, with the addition of some specialised and packaged components, can provide the extra services and enhanced capabilities to fulfil the core criteria and requirements of a military messaging system.</p>
<h3>Modern Technology: SMTP/XML</h3>
<p><span style="text-decoration: underline;">X400 and SMTP:</span></p>
<p>The relative benefits of X.400 and SMTP as email messaging technologies have often been debated. The argument goes that X.400 provides a much more complex and comprehensive set of capabilities, whereas SMTP is easier to implement and manage.  While X.400 still has a place in some niche specialist applications, SMTP has been almost unanimously adopted.</p>
<p>20 years ago, X.400 was the sensible choice for systems where granular control and reliability were required for message transport.  While it was accepted that there was a greater configuration and administration overhead for X.400, this was considered an acceptable trade-off to fulfil the requirements of the day. It has subsequently been included in many of the standards that were created in the early 1990s.</p>
<p>SMTP and the underlying platforms and infrastructures supporting SMTP messaging have evolved.  Hardware and network technologies have vastly improved reliability and throughput rates. This makes the bulky protocol exchanges of X.400 much less important, some even defunct.  With new dynamic routing technologies now available, SMTP systems have evolved beyond the capabilities which were the original reasons for inclusion of X.400 in standards instead of SMTP.</p>
<p>X.400 emails are encoded in ASN.1 format. This format is very prescriptive and provides an extra level of complexity to systems, as messages are encoded and decoded for transmission.  The ASCII (text) based format used in SMTP makes it very easy to encode messages in format which can be easily understood by other systems.    It can be stated that XML is the dominant data format used in most systems that need to exchange data with other systems.  As XML can be transmitted as ASCII, this makes it a very simple process to include XML data in email messages.</p>
<p>SMTP systems are easier to implement, troubleshoot and maintain. It is the sensible choice for a messaging platform using today&#8217;s technologies, today.  The ability to easily utilise XML in conjunction with SMTP makes it very easy to integrate with existing modern systems. Supporting XML also goes some way to future-proofing the messaging solution as and when new XML-supporting applications are developed and released. It is very unlikely that new systems will provide any kind of support for ASN.1.  With this in mind, putting an X.400-based system into a modern IT infrastructure is like putting a square peg in a round hole.</p>
<h3>Modularity</h3>
<p>Do all the users of a military messaging system need the ability to use every function of the military messaging system? The answer is no.  What is needed is the right capability at the right time for the right people and at the right price.</p>
<p>Not all functionality is required by all users. Capability that is required on a case-by-case basis should be provided on a case-by-case basis.  A Command Email solution provides to each user only the components that are required by that user.  In order to do this, functionality must be modular or component-based.  Each component should deliver its function and also should be able to function independently of the other components where appropriate.</p>
<p>Some users may only require some basic labelling and security, whereas others may require the ability to create and send formal organisational messages on behalf of the organisation to partners or other organisations.  Users should not be presented with the option of using capabilities which they neither need nor are authorised to use.  This can cause confusion and dissonance.</p>
<p>Once we understand our user&#8217;s needs, we can create profiles for them and only provide the components required for each profile.  Different grades of messaging capability can be defined and deployed to different users. Using this modular approach not only makes things simple for the user, but it also presents a very cost-effective way to provide the capability. An organisation only pays for the minimum that it needs, not the maximum that the product can do.</p>
<h3>Interoperability</h3>
<p>In the contemporary geopolitical landscape, it is rare for military organisations to act alone.  Military operations are usually undertaken as part of a large coalition of forces.  There has been a substantial shift in mentality towards co-operation and communication, where ‘need to know’ has become ‘need to share’.  In order to communicate with partners and other coalition members, we need to share information and we need to do that in a common language.  This is where international standards come to the fore and provide significant value.</p>
<p>International standards will always be characterised by the protracted timescales associated with bringing many nations to agreement on how things should and will happen.  Selecting the latest modern technologies for our systems doesn&#8217;t mean that we are at odds with the standards and that interoperability won&#8217;t be possible.  Interoperability and communication instead have to be addressed where they happen.  Either logically or physically, communication with outside organisations, partners or even nations will occur at the border between the two parties.  As long as your internal system has the capability to carry the required message information, messages can be converted to the international interchange format at the border.</p>
<p>At the border, specialist gateways can be used not only for format conversion, but also for content inspection and security checks.  Using a COTS-based infrastructure and dealing with proprietary and legacy message formats at the border enables organisations to adhere to international standards, while at the same time meeting their real day-to-day operational requirements.</p>
<h3>Extending the Baseline</h3>
<p>Command Email as described above provides the minimum number of components to each user based on that user’s requirement for functionality.  Over and above COTS email, the following suggested components would provide the most benefit and greatest value, but with the least complexity:</p>
<ul>
<li>   Military Messaging Forms &#8211; providing additional message attributes</li>
<li>   Labelling &#8211; providing either simple or extended labelling</li>
<li>   Access Control &#8211; Restricting user access to send or receive messages</li>
<li>   Security Module &#8211; Enhanced signing and encrypting of messages</li>
<li>   Border Gateway &#8211; Converting incoming and outgoing message formats</li>
</ul>
<p>Of course, there are always a number of environment-specific requirements which must be catered for and specialist components which may be introduced to do this.  For example, components that provide the following capabilities are also available:</p>
<ul>
<li>   Automatic actioning of messages based on priority</li>
<li>   Automatic distribution of messages based on content</li>
<li>   Draft, review and release of messages</li>
<li>   Tools for fixed format messaging such as MTF Editors</li>
<li>   Integration with:
<ul>
<li>   Document management systems</li>
<li>   Archives</li>
<li>   Command and Control (C2) systems</li>
<li>   Low bandwidth messaging capability</li>
</ul>
</li>
</ul>
<p>There are a lot of possibilities, but it is recommended that simplicity prevail. If some of the more specialist capabilities are definitely required, it is highly recommended that these be considered after the core system is operational. A considered and phased approach to implementing capability will always ensure that projects have the greatest chance of success.</p>
<h2>Conclusion</h2>
<p>In this whitepaper we have examined the military messaging landscape. Starting with the traditional approaches to MMHS systems, we have seen that these beasts are driven by complex and dated standards, which are often at odds with current operational needs.  This puts organisations in a position where they have to seek out proprietary or custom-built products from a plethora of different vendors, which all need to be integrated in order to provide our required capabilities.  The systems are difficult to implement, maintain and administer. No sooner are they in place than they are obsolete.  Ongoing maintenance and upgrade costs are substantial and continue to increase as time goes by. In summary, these systems are complex, costly and fraught with risk. Something needs to change.</p>
<p>Command Email provides a simple solution to a complex problem.  COTS-based products provide a modern technology base, SMTP/XML, which can easily keep in step with the rest of the IT infrastructure.  Robust, scalable, dynamic and easily-implemented components are able to fulfil the real operational needs of the organisation. Couple this with a modular component approach and we are able to provide only the functionality that each user needs to that user.  This has a direct and measurable impact on the cost and efficiency of the system.  Interoperability is included and achieved where it is required, at the border.</p>
<p>Taking all of these factors into account, we can conclude that Command Email provides many significant benefits in military messaging. It&#8217;s a simple way to increase efficiency, implement capability and reduce risk in a cost-effective manner.</p>
<p>Author</p>
<p>Hani El-Qasem</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2010/10/command-email-whitepaper-a-new-military-message/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CISSP Introduction</title>
		<link>http://www.infosecandbeyond.com/2010/07/cissp-introduction/</link>
		<comments>http://www.infosecandbeyond.com/2010/07/cissp-introduction/#comments</comments>
		<pubDate>Thu, 08 Jul 2010 20:08:11 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[CISSP]]></category>
		<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[ISC2]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=248</guid>
		<description><![CDATA[Certification, sometimes it&#8217;s worth doing, sometimes it isn&#8217;t.  The Certified Information Systems Security Professional(CISSP) which is officiated by the ISC2 certainly is. I&#8217;ve been looking at boosting my cert. status over the last few months and assessed a few professional level certifications, particularly in the area of Information Security.  Having examined the various possibilities my conclusion was [...]]]></description>
			<content:encoded><![CDATA[<p>Certification, sometimes it&#8217;s worth doing, sometimes it isn&#8217;t.  The <a title="CISSP" href="https://www.isc2.org/cissp/default.aspx" target="_blank">Certified Information Systems Security Professional (CISSP)</a>, which is administered by the <a title="ISC2" href="http://www.isc2.org" target="_blank">ISC2</a>, certainly is.</p>
<p style="text-align: justify;">I&#8217;ve been looking at boosting my cert. status over the last few months and assessed a few professional level certifications, particularly in the area of Information Security.  Having examined the various possibilities my conclusion was that the CISSP is simply awesome.  I&#8217;ve been studying for it for a few months now and thought it would be a great idea to blurb my findings into blogs.  Not only to help me remember the vast amount of information incorporated into the certification, but also to help anyone else who may be thinking of or in the process of taking the exam. <span id="more-248"></span></p>
<p style="text-align: justify;">The first thing that struck me when investigating the requirements for the CISSP, was the shear breadth of topics covered.  It really does touch every area of IT, after-all,if we are going to try to secure a thing, we need to understand how the thing works.  Delving deeply into each of the subject areas would present a lifetime of activity. So, if you are into InfoSec, this is a great place to start to examine all of the possible paths.  I should mentioned at this stage that it doesn&#8217;t cover each area exhaustively, you will only be required to understand an overview of how each area works and then in more depth the security considerations for that area.</p>
<p style="text-align: justify;">Ok, let&#8217;s skirt the perimeter and take a look at the structure of the information we need to learn.  This information is defined as the Common Body of Knowledge (CBK).  The CBK breaks down into 10 sub-categories (or domains to use the official terminology) which are as follows:</p>
<ul>
<li>Access Control &#8211; Access control is defined as the control of the flow of information between two entities, an object to a subject.</li>
<li>Application Development Security &#8211; This area delves into application and database security concerns. It highlights common security issues in the development cycle and how these are exploited.</li>
<li>Business Continuity and Disaster Recovery Planning &#8211; What happens when we have a major breach? How do we continue to maintain the availability of systems and data?</li>
<li>Cryptography &#8211; Primarily focused around encryption of information so it can&#8217;t be disclosed in transit. Cryptography may also be used in operations which ensure integrity.</li>
<li>Information Security Governance and Risk Management &#8211; How does an organisation manage its security policies, risks and people?</li>
<li>Legal, Regulations, Investigations and Compliance &#8211; The long arm of the law, how we can use it, how it can be used against us.</li>
<li>Operations Security &#8211; Security of administration and maintenance of networks, systems and applications.</li>
<li>Physical (Environmental) Security &#8211; The tangibles &#8211; Security of things which can be seen, touched, stolen, burnt and flooded.</li>
<li>Security Architecture and Design &#8211; Architectures, expect to discuss hardware (CPUs, Memory, etc) as well as operating system design.</li>
<li>Telecommunications and Network Security &#8211; WANs, LANs, MANs and PANs.</li>
</ul>
<p style="text-align: justify;">Throughout each of these domains, we can reinforce at every stage the how each control supports the three primary objectives of Information Security.  Theses being:</p>
<ul>
<li>C &#8211; Confidentiality &#8211; Objective to prevent disclosure of information to those unauthorised to see it</li>
<li>I &#8211; Integrity &#8211; Objective to ensure that the data presented to a consumer is accurate, in as much as it hasn&#8217;t been maliciously or inadvertently altered at any point.</li>
<li>A &#8211; Availability &#8211; Objective to ensure data is available for consumption, when it is required.</li>
</ul>
<p><a href="http://www.infosecandbeyond.com/wp-content/uploads/2010/07/cia.png"><img class="aligncenter size-full wp-image-249" title="CIA Triad" src="http://www.infosecandbeyond.com/wp-content/uploads/2010/07/cia.png" alt="" width="280" height="243" /></a></p>
<p>This is known as the CIA Triad and as you explore the CBK, these should always be kept in mind.</p>
<p>UPDATE: Further blogs on CISSP are unscheduled and may come in an ad-hoc fashion. The sheer magnitude of the content of the certification is mind-boggling and it would take a significant amount of time to essentially re-cover what so many others have already covered so well. For further reading, search on Google for Shon Harris and Ed Tittel. Great training resources for CISSP.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2010/07/cissp-introduction/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Web 2.0 &#8211; Why the internet got better, why security got worse.</title>
		<link>http://www.infosecandbeyond.com/2010/07/web-2-0-why-the-internet-got-better-why-security-got-worse/</link>
		<comments>http://www.infosecandbeyond.com/2010/07/web-2-0-why-the-internet-got-better-why-security-got-worse/#comments</comments>
		<pubDate>Sun, 04 Jul 2010 10:46:42 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[General IT]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[Online Marketing]]></category>
		<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[Website Marketing]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=231</guid>
		<description><![CDATA[Web 2.0 was recently crowned the one millionth word of the English language.  This is perhaps just one indicator of the impact that Web 2.0 has had on our everyday lives. Why?  In this blog, I&#8217;m going to go into what Web 2.0 actually is, some of the underlying technologies and what challenges these bring [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Web 2.0 was recently crowned the <a href="http://www.reuters.com/article/idUSTRE55913M20090610" target="_blank">one millionth</a> word of the English language.  This is perhaps just one indicator of the impact that Web 2.0 has had on our everyday lives. Why?  In this blog, I&#8217;m going to go into what Web 2.0 actually is, some of the underlying technologies and what challenges these bring for security.<span id="more-231"></span></p>
<p style="text-align: justify;"><a href="http://www.infosecandbeyond.com/wp-content/uploads/2010/07/Web2.jpg"><img class="aligncenter size-full wp-image-232" title="Web2" src="http://www.infosecandbeyond.com/wp-content/uploads/2010/07/Web2.jpg" alt="" width="500" height="400" /></a></p>
<h3>What is Web 2.0? Well, what was Web 1.0?</h3>
<p style="text-align: justify;">Web 1.0 could be considered static.  Although web pages could be dynamically generated at the server in the Web 1.0 environment, the user experience was somewhat stale. Every piece of information which was requested or delivered to the server, required a complete page refresh.  This was great for delivering pages of documents for research purposes, but not so great for the average Joe to do most of the things we take for granted today, such as online shopping and social networking.  There was a certain sense of restriction with Web 1.0 which lasted for some years.  Most software development decisions ended up being driven towards thick client applications (Usually Java or Microsoft based) as web based technology simply couldn&#8217;t provide the capabilities needed.  For a brief moment, hopes were raised by Java applets, which could be delivered through a browser, but due to performance issues and download times, these hopes were ultimately dashed.  The web predominantly remained the archive for research documentation and online static corporate brochures.</p>
<h3 style="text-align: justify;">Bring on AJAX.</h3>
<p style="text-align: justify;">One of the key factors in the rebirth of the the Web was Ajax. Ajax was a term originally coined by <a href="http://en.wikipedia.org/wiki/Jesse_James_Garrett" target="_blank">Jesse James Garrett</a>.  It&#8217;s shorthand for Asynchronous Javascript And XML (AJAX).  What Ajax essentially allowed developers to do, was bring data objects to the client, without requiring a full page refresh. This is done by utilizing a javascript capability called XMLhttprequest. It&#8217;s worth noting that other technologies were starting to be used before this, which achieved similar results. The use of hidden inline frames gave some ability to bring data to the client for use.  The hidden frame technique is still in use today and in some circumstances is more appropriate than Ajax (details of this are out of the scope of this blog). By combining, data retrieval, the viral spread of XML as an interchange format and advances in JavaScript&#8217;s client side graphical manipulation capabilities, developers soon realised they had something to work with.  It wouldn&#8217;t be long before a web client could do everything a thick client could do and more.</p>
<p style="text-align: justify;">This really did revolutionise the way client-server communication could work over the web, and many pioneering companies began to publish application to take advantage of these developments ( e.g. Google, Yahoo, Myspace, etc). Client-server communication would never be the same again.</p>
<h3>Did you see that picture on Facebook? Social Networking.</h3>
<p>How many people reading this can put up their hand and say, &#8220;I&#8217;ve never looked at Facebook&#8221;? You may not have an account, but have you really never had a peek?</p>
<p style="text-align: justify;">These massive leaps in usability at the browser, made things easier, faster and slick.. everything the average Joe appreciates in technology.  Social networking has exploded. Facebook, Myspace, Bebo, Linkedin (social or business? you decide) and Twitter. At some stage you will have used, seen or heard about one of these sites.  People are now, more than ever, willing to share their pictures, videos, wants, likes, needs and thoughts with the wider world.  This is happening in a way that people never expected.  This promotes an inclusive approach to one&#8217;s social life, encouraging sharing.  The Internet is no longer the playground of the techie, it&#8217;s for everyone and this can only be an overall positive.</p>
<h3 style="text-align: justify;">What about web services?</h3>
<p style="text-align: justify;">Web services have a wide number of definitions. These have developed alongside Web 2.0, or maybe even as a result of the success.  When pundits ramble about Web 2.0, most focus on the consumer experience. Perhaps web services aren&#8217;t really part of Web 2.0? For me, I think they&#8217;re integral.  I consider a web service any web based service which can be consumed by either a browser, or another server application.</p>
<p style="text-align: justify;">For years standardised forms of communication between applications was difficult to achieve. Hundreds, perhaps thousands of proprietary protocols were introduced to facilitate communication between applications and application modules.  Several proprietary middlewares also attempted to achieve this.  With the success of Web 2.0, developers started to realise that there was a gigantic interconnected, integrated and globe spanning network of servers that seemed to just work. So, why not use those technologies in enterprise applications.  Hello Web Services!!</p>
<p style="text-align: justify;">Web services essentially sit on a web server.  They listen for http requests and provide data responses to those requests, simple.  There are a couple of schools of thought on what the definition of web services should be. Here, I&#8217;ll just tip my hat to them as that&#8217;s a whole series of blogs to discuss as a single topic.  If you want to know more, look-up WDSL (Soap based Web services) vs RESTful.  Google search can tell you the rest.</p>
<p style="text-align: justify;">Web services promise a giant leap in standardisation. Different vendors can have their applications talk to each other over the web and web services. E.g. Order entry system talks to inventory management system using SOAP based XMl messages over http requests. We could maybe have half of our apps in &#8220;the cloud&#8221; and the other half held on-premise talking to each other via web service.</p>
<h3 style="text-align: justify;">What does this mean for my business, what does it mean for security?</h3>
<p style="text-align: justify;">With most things in life, this means potential opportunities and potential threats.  Social networking gives businesses new opportunities to engage with your customers, suppliers and partners in ways which were not possible before.  It&#8217;s not just about posting a few brochures any more, you can give your contacts insights into the everyday workings of your companies and products.  Those slow to react to this, will lose ground in the market.  Web services again present new opportunities to improve both technical capabilities and efficiencies. They may deliver on your goals and objectives for modularity, flexibility and scalability in your distributed applications.  The technologies are evolving and so are we. Openness is the order of the day, but it can be difficult to strike the balance between security and disclosure.</p>
<p style="text-align: justify;">Being open here means connecting to the outside world.  This means, unblocking your firewalls. This means, allowing your employees to use social networking. There must be a realisation that social networking is not only a route for procrastination, it&#8217;s also a business necessity.  Your employees need to communicate with their contacts in this way.  This also means that your firewall, which previously did a great job of blocking port scanners and dodgy emails, needs to evolve.  If we need to allow a bevy of new web services and web traffic through to the outside world, we also need a way to control and monitor that traffic.</p>
<p style="text-align: justify;">This doesn&#8217;t mean that just because it&#8217;s there all your employees are taking the opportunity to pump out company secrets, but they do need to be educated about the information they put out there. Linkedin is a great example of this.  You can pretty much look at any company in the world and see who works there, who recently joined, who recently left.  This perhaps is less sensitive than someone posting a Facebook status saying &#8220;Just came out of a strategy meeting, decided to do ****** with our product suite&#8221;. As you can see, the potential for security breaches just got worse.  Solutions continue to develop to address these new needs, but always remember 80% of the time, it&#8217;s about helping the good guys make the right decisions. Only 20% security breaches are malicious.</p>
<p style="text-align: justify;">I&#8217;ve not addressed &#8220;the cloud&#8221; much here, but will be following up with a blog on virtualization and security in the cloud.</p>
<p style="text-align: justify;">For now I&#8217;ll leave you with this questions. How has Web 2.0 affect me? and What will Web 3.0 be?</p>
<p style="text-align: justify;"> </p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2010/07/web-2-0-why-the-internet-got-better-why-security-got-worse/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Short History of Hacking</title>
		<link>http://www.infosecandbeyond.com/2010/06/a-short-history-of-hacking/</link>
		<comments>http://www.infosecandbeyond.com/2010/06/a-short-history-of-hacking/#comments</comments>
		<pubDate>Sun, 27 Jun 2010 20:25:53 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Hacking]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=222</guid>
		<description><![CDATA[Found this on Online MBA.com. Thought it worth sharing.. and I never knew that the term hacking came from the guy who Russell Crowe plays in the film, A Beautiful Mind:]]></description>
			<content:encoded><![CDATA[<p>Found this on Online MBA.com. Thought it worth sharing, and I never knew that the term hacking came from the guy who Russell Crowe plays in the film, A Beautiful Mind:</p>
<p style="text-align: center;"><a href="http://www.infosecandbeyond.com/wp-content/uploads/2010/06/HistoryH.jpg"><img class="aligncenter size-full wp-image-223" title="Short History of Hacking" src="http://www.infosecandbeyond.com/wp-content/uploads/2010/06/HistoryH.jpg" alt="" width="600" height="2142" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2010/06/a-short-history-of-hacking/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Loss Prevention &#8211; Content Awareness: Human vs Computer Classification</title>
		<link>http://www.infosecandbeyond.com/2010/06/data-loss-prevention-content-awareness-human-vs-computer-classification/</link>
		<comments>http://www.infosecandbeyond.com/2010/06/data-loss-prevention-content-awareness-human-vs-computer-classification/#comments</comments>
		<pubDate>Sun, 27 Jun 2010 17:05:11 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[General IT]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Data Classification]]></category>
		<category><![CDATA[Data Loss Prevention]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[Information Classification]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=206</guid>
		<description><![CDATA[Data Loss Prevention (DLP) is a newer area of information security and assurance  which has arrived in recent years.  There are a host of software products, controls and solutions which have found there way onto the market to help facilitate DLP, whether those losses be malicious or inadvertent.  This market seems fledgling but is maturing [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Data Loss Prevention (DLP) is a newer area of information security and assurance  which has arrived in recent years.  There are a host of software products, controls and solutions which have found there way onto the market to help facilitate DLP, whether those losses be malicious or inadvertent.  This market seems fledgling but is maturing as time goes on.  People are just starting to understand the effects of losing data, most of which is lost by mistake. Around 77% of data loss is &#8220;inadvertent&#8221; and unintended. Basically, people make mistakes. A much lower percentage of data loss is malicious.  Compliance seems to be a major driver for the implementation of the solutions and many key security players are positioning DLP as a core element of ongoing strategy.  The question I have is, at this stage is are we ready to effectively apply AI(Artificial Intelligence) based systems, where the intended objective is for those AI systems to scan, analyse and more important classify information as sensitive or unimportant?</p>
<p style="text-align: justify;"><a href="http://www.infosecandbeyond.com/wp-content/uploads/2010/06/sieve_small.jpg"><img class="alignleft size-full wp-image-212" title="DLP Sieve" src="http://www.infosecandbeyond.com/wp-content/uploads/2010/06/sieve_small.jpg" alt="" width="200" height="280" /></a>The DLP market does seem to be a slow starter with a very small percentage of companies intending to deploy, with a further fraction of that minority actually having a deployed system.  The bulk of these solutions are what Gartner terms &#8220;content aware&#8221;.  They generally monitor network/email traffic and at the same time deploy agents which can scan internal network resources (file shares, etc) for sensitive data which is available where it shouldn&#8217;t be.  The idea is, that when sensitive information is located, it should be either removed, quarantined, blocked in transit or authorised to remain in place or be distributed.  The problem is, that while it is easy enough to recognize information like credit card numbers, it becomes exponentially more difficult for these systems to understand more qualitative content. Qualitative content (e.g. information that is expressed in verbose literal wording and not distinctive formats or patterns) is difficult for an AI system match up against a particular pattern or template for it to effectively classify the information.  Examples of this type of information may include, a new product idea for an investment bank, a ground breaking formula for a new medicine in a pharmaceutical company or perhaps even a world cup winning team strategy for a national football team.  Information of this nature is usually specific on a company-by-company basis and also a case-by-case basis. One sports team strategy may not look anything like another.</p>
<p style="text-align: justify;"> It is for this reason, the term &#8220;False Positive&#8221; is becoming widely used in the market and anyone who&#8217;s worked with DLP systems (or tried to deploy one) will <span id="more-206"></span> certainly understand what a False Positive is.  A False Positive is where the system has incorrectly classified an information asset and blocked the normal use or distribution of that information because it believes it needs to be protected.  False positives can become a nightmare in administrative terms and also hinder the day-today working of individuals within an organisation.  They create a necessity for an extensive amount of &#8220;tuning&#8221; to allow the right balance of security to applied. The deploying organisation has to decide what an acceptable level of false positives is and trade the restrictions that will be applied off against the new security afforded to the information.  The problem is that this creates a massive amount of work, not just for the administrators, but also for the deployment teams and in some cases additional work is required by the users.  After spending all of this effort to tune the system to understand what the business is all about, they can then get hit with another tirade of tuning, when the business or organisational model changes. Constant tuning may be required to change with the business, what could be hot information today, could be of no importance to the business tomorrow.</p>
<p style="text-align: justify;">Introducing the capability for users themselves to classify information is becoming increasing important. How many times have you heard an organisation say this before: &#8220;Our <a href="http://www.infosecandbeyond.com/wp-content/uploads/2010/06/brain.jpg"><img class="size-full wp-image-214 alignleft" title="Human vs AI Brain" src="http://www.infosecandbeyond.com/wp-content/uploads/2010/06/brain.jpg" alt="" width="200" height="175" /></a>employees are our most valuable asset.&#8221;? This is a phrase which most organisations like to throw onto a website or into a brochure where appropriate, but when it comes to DLP this couldn&#8217;t be closer to the truth.  By using the intelligence of your employees, and their natural ability to understand what is sensitive information and what isn&#8217;t we can significantly improve our ability to prevent data loss.   Giving users control over there own information by introducing the capbility to ensure that they make an informed judgement on the classification of the information they are working with, allows us to implement appropriate controls on that information.</p>
<p style="text-align: justify;">Boldon James provides an Information Classification product called ICS (SAFEmail ICS works with Microsoft Outlook and SAFEoffice ICS works with Microsoft Office Documents).  Using a system like ICS with some simple firewall filtering rules can decrease data loss in a simple way, without introducing the extensive overheads of deploying, tuning and maintaining an AI based system.  This does not however become an either or decision. ICS style user classification can be deployed alongside an AI based DLP to help it do it&#8217;s job better. By having clear labels in both content and Meta-data, we can reduce not only the analyse requirement from the DLP system but also the amount of false positives, further decreasing the cost of deployment and and maintenance. It will be interesting to see the AI based DLP market develop, but we are many years off having the power and capability for a system to do a better job than the human brain.</p>
<p style="text-align: justify;">If you would like to find our more about ICS, please contact me or Boldon James on the link provided.</p>
<p style="text-align: justify;">Boldon James &#8211; <a title="SAFEmail ICS" href="http://www.boldonjames.com/products/safemail/safemail-ics/" target="_blank">SAFEmail ICS</a> &amp; <a title="SAFEoffice ICS" href="http://www.boldonjames.com/products/safeoffice/-safeoffice-ics-edition/" target="_self">SAFEOffice ICS</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2010/06/data-loss-prevention-content-awareness-human-vs-computer-classification/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google Sniff-View Cars?</title>
		<link>http://www.infosecandbeyond.com/2010/05/google-sniff-view-cars/</link>
		<comments>http://www.infosecandbeyond.com/2010/05/google-sniff-view-cars/#comments</comments>
		<pubDate>Wed, 26 May 2010 16:16:02 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[Packet Sniffing]]></category>
		<category><![CDATA[Wireless Hacking]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=120</guid>
		<description><![CDATA[Probably one of the more interesting news stories this month is the revelation of Google admitting that it packet sniffed on unsecured public Wi-fi networks. Read news here. It appears that Google Street View cars were driving around taking pictures of various locations, but were also kitted out with network sniffers that could connect to [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Probably one of the more interesting news stories this month is the revelation of Google admitting that it packet sniffed on unsecured public Wi-fi networks. Read news <a title="Google Sniff View" href="http://www.theregister.co.uk/2010/05/18/google_street_view_wifi_analysis/" target="_blank">here.</a></p>
<p style="text-align: justify;">It appears that Google Street View cars were driving around taking pictures of various locations, but were also kitted out with network sniffers that could connect to unsecured public wi-fi access points, then monitor and record data transmissions across those networks. Naughty stuff Google. This went on for a total of 3 years and according to Google the activity was a &#8220;simple mistake&#8221;. This continues to re-affirm beliefs that public Wi-fi networks are serious security risks for both individuals and companies. If one of the world&#8217;s largest IT monopolies can do this by accident, cough, what could a determined plan of attack achieve?</p>
<p style="text-align: justify;">So how did they do it? The answer is, without rocket science. It&#8217;s easy enough to connect a laptop to an unsecured wi-fi network as no passwords are required. Once connected, you can run a network sniffer to see what&#8217;s going on. Why not try it yourself on your own network? Try <a title="Wireshark" href="http://www.wireshark.org/" target="_blank">Wireshark</a>, or perhaps <a title="Cain and Abel" href="http://www.oxid.it/cain.html" target="_self">Cain and Abel</a> if you want a little more security analysis.</p>
<p style="text-align: justify;">For an intro to packet capture and analysis using Wireshark, spend a couple of minutes watching this video:</p>
<p style="text-align: center;"><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="480" height="385" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube-nocookie.com/v/U6ZveV0nDpk&amp;hl=en_GB&amp;fs=1&amp;rel=0" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="480" height="385" src="http://www.youtube-nocookie.com/v/U6ZveV0nDpk&amp;hl=en_GB&amp;fs=1&amp;rel=0" allowfullscreen="true" allowscriptaccess="always"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2010/05/google-sniff-view-cars/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Managed vs Un-Managed Code</title>
		<link>http://www.infosecandbeyond.com/2010/05/managed-vs-un-managed-code/</link>
		<comments>http://www.infosecandbeyond.com/2010/05/managed-vs-un-managed-code/#comments</comments>
		<pubDate>Wed, 26 May 2010 15:40:59 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[General IT]]></category>
		<category><![CDATA[development]]></category>
		<category><![CDATA[object-orientated]]></category>
		<category><![CDATA[programming]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://www.presalesandbeyond.com/?p=183</guid>
		<description><![CDATA[I recently had a customer who was interested in the development environment and platform used for the development of the solution I was presenting. The question was simply this: Is this product developed in managed or un-managed code (sometimes referred to as native code)? At the time, I had to park the question with a [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">I recently had a customer who was interested in the development environment and platform used for the development of the solution I was presenting. The question was simply this: Is this product developed in managed or un-managed code (sometimes referred to as native code)? At the time, I had to park the question with a commitment to come back to the customer at a later date. I didn&#8217;t really know the difference between the two and, more importantly, I didn&#8217;t understand the motivation behind the question.</p>
<p style="text-align: justify;">To understand the differences, I decided to take a cursory look at Microsoft&#8217;s C# language (pronounced C Sharp, an example of managed code) and also revised some of my old C++ books (an example of unmanaged/native code, mostly). Using Visual Studio from Microsoft it&#8217;s possible to create applications in both languages. To see C# in action, I created a small app to read and manipulate some local Windows registry settings.</p>
<p style="text-align: justify;">To summarize, managed code (like C# and Java) is generally executed through some kind of management framework and not directly on the operating system. This may be a Java Virtual Machine or the CLR (Common Language Runtime in the Microsoft .NET environment). The framework provides a protective shell which manages memory and other hardware resources, so the code never has to deal with accessing those resources directly. This makes it much more difficult for the application code to perform an action which will compromise the system. It also makes the code portable: the code will run anywhere the framework can run. To achieve this the source code is partially compiled into an intermediate language that can be understood by, and fully compiled by, the framework at run-time. This is referred to as JIT (Just-In-Time) compiling.</p>
<p style="text-align: justify;">Un-managed code runs directly on the OS. It can manage memory and other hardware directly. It is compiled for the specific processor on which it runs. Bypassing the aforementioned frameworks and working directly with the operating system gives a major boost in power and performance. The same cannot be achieved with managed code, but this also sacrifices portability.</p>
<p style="text-align: justify;">This really gives us a clear distinction between the two: one representing performance and the other portability. There are other issues to consider such as the ease of development. Managed code is often easier to learn, produce and understand. From a customer&#8217;s perspective they are probably less concerned about how easy something was to produce and more concerned that it performs its function correctly.</p>
<p style="text-align: justify;">So, in summary, if a customer asks this question it is likely that they have some requirement regarding either <strong>performance</strong> or <strong>portability</strong>. In high-performance, mission critical applications they are likely to have an expectation that the code will be un-managed. In a disparate, multi-platform environment, portability may be their hot spot.</p>
<p style="text-align: justify;">If you would like to learn more about C#, I&#8217;d recommend the following book: <a title="C# Yellow Book" href="http://www.robmiles.com/c-yellow-book/Rob%20Miles%20CSharp%20Yellow%20Book%202009.pdf" target="_blank">Rob Miles&#8217; C# Yellow Book</a> &#8211; It gives an excellent overview.</p>
<p style="text-align: justify;">If you believe, like many, that using C# managed code ties you to the Windows platform you should check out the <a title="Mono Project" href="http://www.mono-project.com/Main_Page" target="_blank">Mono VES project</a>, an open source project promoting cross-platform .NET development capability.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2010/05/managed-vs-un-managed-code/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How secure is my wireless network? Four Tips to bump up security.</title>
		<link>http://www.infosecandbeyond.com/2010/05/how-secure-is-my-wireless-network-four-tips-to-bump-up-security/</link>
		<comments>http://www.infosecandbeyond.com/2010/05/how-secure-is-my-wireless-network-four-tips-to-bump-up-security/#comments</comments>
		<pubDate>Tue, 04 May 2010 21:36:49 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[Penetration Testing]]></category>
		<category><![CDATA[Wireless Hacking]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=111</guid>
		<description><![CDATA[Do you think your wireless network is secure? If the answer is yes, the BackTrack (BackTrack 4 &#8211; www.backtrack-linux.org) penetration testing OS would beg to differ. BackTrack 4 manifests itself in an entirely customised distribution of Linux.  The underlying Linux distro is Ubuntu, but has been specifically enhanced, configured and packaged for the purposes of [...]]]></description>
			<content:encoded><![CDATA[<p>Do you think your wireless network is secure?</p>
<p style="text-align: justify;">If the answer is yes, the BackTrack (BackTrack 4 &#8211; <a href="http://www.backtrack-linux.org">www.backtrack-linux.org</a>) penetration testing OS would beg to differ.</p>
<p style="text-align: justify;">BackTrack 4 manifests itself in an entirely customised distribution of Linux.  The underlying Linux distro is Ubuntu, but has been specifically enhanced, configured and packaged for the purposes of penetration testing.  Within the package you receive a wide variety of wireless cracking, network scanning and password breaking tools.</p>
<p style="text-align: justify;">There are several options you can select for running BackTrack to start your activities. You can install it as an OS on your hard drive, you can install it and run it from a USB stick, and you can even run the entire OS from CD. The latter option requires no installation at all. You simply select a machine, boot from the CD and then remove the CD when finished. I chose the latter option for running my tests to see if it really worked.</p>
<p style="text-align: justify;">I started by booting the OS and starting X Windows. Most work is done from the Konsole terminals. In short there are 4 key utilities you can use to crack WEP and WPA keys. These are:</p>
<p style="text-align: justify;">airmon-ng: Used to put your own wireless card into monitor mode.</p>
<p style="text-align: justify;">airodump-ng : Used to collect wireless packets and save them to disk.</p>
<p style="text-align: justify;">aireplay-ng: Used to implement a number of replay attacks on the Wireless Access Point (AP). In our scenario this is useful to make the AP accept or generate more packets. Cracking wireless is generally about getting enough packets (100k-500k) to derive keys.</p>
<p style="text-align: justify;">aircrack-ng: Used on the collected packets to find the keys.</p>
<p style="text-align: justify;">Check out these videos for a step by step example.</p>
<p style="text-align: center;">Part 1:</p>
<p style="text-align: center;"><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="480" height="385" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/v/qe1VuhGciSI&amp;hl=en_GB&amp;fs=1&amp;rel=0" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="480" height="385" src="http://www.youtube.com/v/qe1VuhGciSI&amp;hl=en_GB&amp;fs=1&amp;rel=0" allowfullscreen="true" allowscriptaccess="always"></embed></object></p>
<p style="text-align: center;">Part 2:<br />
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="480" height="385" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/v/7fI7qs9ZF40&amp;hl=en_GB&amp;fs=1&amp;rel=0" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="480" height="385" src="http://www.youtube.com/v/7fI7qs9ZF40&amp;hl=en_GB&amp;fs=1&amp;rel=0" allowfullscreen="true" allowscriptaccess="always"></embed></object></p>
<p style="text-align: left;">Disclaimer: You should be aware that it is illegal to hack into a wireless network that you do not own. This example is for test and education purposes only.</p>
<p style="text-align: left;">Any determined attacker can usually find a way to get access to your networks, but here are four tips to make it much more difficult:</p>
<ol>
<li>
<div style="text-align: left;">Use WPA encryption &#8211; it&#8217;s more difficult to crack than WEP.</div>
</li>
<li>
<div style="text-align: left;">Restrict network access to known MAC addresses &#8211; MACs can be spoofed but it&#8217;s another hurdle to delay.</div>
</li>
<li>
<div style="text-align: left;">Switch it off when you are not using it &#8211; If there is nothing in the air, there is nothing to analyse. The information an attacker requires to crack the keys is simply not there.</div>
</li>
<li>
<div style="text-align: left;">Change the key regularly.</div>
</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2010/05/how-secure-is-my-wireless-network-four-tips-to-bump-up-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Information Security Drivers</title>
		<link>http://www.infosecandbeyond.com/2010/04/information-security-drivers/</link>
		<comments>http://www.infosecandbeyond.com/2010/04/information-security-drivers/#comments</comments>
		<pubDate>Wed, 28 Apr 2010 09:43:57 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Information Security]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=76</guid>
		<description><![CDATA[Is it possible to achieve total and complete information security? The answer today is no. On occasion, it is easy to become complacent and make an assumption of security. Implementing effective countermeasures to possible breaches of security can give an overconfidence in our perception of the level of security in our systems. The [...]]]></description>
			<content:encoded><![CDATA[<p>Is it possible to achieve total and complete information security? The answer today is no.</p>
<p style="text-align: justify;">On occasion, it is easy to become complacent and make an assumption of security. Implementing effective countermeasures to possible breaches of security can give an overconfidence in our perception of the level of security in our systems. The reality is that our applications and systems become increasingly more complex. The primary challenge of any development of technology is making something that works; making something that works but also has perfect security is a pipe dream. Modern operating systems can contain upwards of 50 million lines of code. There are always holes in applications and operating systems. If you doubt this, check the number of security patches released by any OS vendor you know.</p>
<p style="text-align: justify;">With this in mind, effective security becomes about understanding that it&#8217;s not possible to fill every hole and block every gap in security, not without an unlimited amount of time, money and resources. What drives security activity is not generally a desire for total security, but managing risks for both individuals and organisations.</p>
<p>Drivers for individuals primarily include:</p>
<ul>
<li>Theft of banking or other financial details.</li>
<li>Identity theft.</li>
<li>Loss of privacy.</li>
</ul>
<p>Organisation drivers will differ depending on industry, here are some generic drivers:</p>
<ul>
<li>Protecting Intellectual Property and other sensitive information.</li>
<li>Achieving regulatory compliance.</li>
<li>Safeguarding reputation.</li>
<li>Ensuring business continuity.</li>
</ul>
<p>This list is not all-inclusive and there are many more drivers. As I continue to explore, we will pull more of these drivers into the discussion so we can understand in depth what motivates us, what we implement and why.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2010/04/information-security-drivers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Internet Threat Monitors and Widgets</title>
		<link>http://www.infosecandbeyond.com/2010/04/internet-threat-monitors-and-widgets/</link>
		<comments>http://www.infosecandbeyond.com/2010/04/internet-threat-monitors-and-widgets/#comments</comments>
		<pubDate>Fri, 16 Apr 2010 21:00:04 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Antivirus]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Threat Monitor]]></category>
		<category><![CDATA[ThreatCon]]></category>
		<category><![CDATA[Virus Monitor]]></category>
		<category><![CDATA[Virus Outbreak]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=70</guid>
		<description><![CDATA[Have you ever wondered if there are early warning or monitoring tools on the internet to track security threats and virus outbreaks?  Well, the answer is yes.  There are quite a few, primarily from Anti-Virus/Anti-Malware Vendors.  As yet there doesn&#8217;t appear to be a co-ordinated consolidated monitoring system for the whole internet, but it is possible [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Have you ever wondered if there are early warning or monitoring tools on the internet to track security threats and virus outbreaks? Well, the answer is yes. There are quite a few, primarily from Anti-Virus/Anti-Malware vendors. As yet there doesn&#8217;t appear to be a co-ordinated, consolidated monitoring system for the whole internet, but it is possible to incorporate the tools mentioned below into web pages to get a consensus view.</p>
<p>Check out the widgets below to find the latest information on current virus, malware and other threats.</p>
<p>Symantec&#8217;s ThreatCon Widget:<br />
<script language="javascript" src="http://www.symantec.com/lib/jsp/threatconsyndicationjs.jsp?domain=www.symantec.com&#038;lg=en&#038;ct=us&#038;sg=business" type="text/javascript"></script></p>
<div style="float:right;width:850px">
<div style="position:relative;left:450px;z-index:1000">
<script language="javascript">
if (threatconlargejs) {document.write(threatconlargejs);}
</script>
</div>
</div>
<p>McAfee:</p>
<div style="position:relative;left:200px;">
<p style="text-align:center"><script type="text/javascript" src="http://cdn.widgetserver.com/syndication/subscriber/InsertWidget.js"></script><script type="text/javascript">if (WIDGETBOX) WIDGETBOX.renderWidget('59375450-0d2b-4995-8ba6-9e0bdebf2366');</script></p>
</div>
<p>Trend:</p>
<div style="position:relative;left:75px;"><script type="text/javascript" src="http://cs8a.clearspring.com/o/46f38cdabe642cf9/4bc77d4fd342d927/49edba2975af74a0/e69ddb1a/widget.js"></script></div>
<p style="text-align: left;">Internet Storm Centre (isc.sans.org):<br />
<img class="aligncenter" src="http://isc.sans.org/images/status.gif" alt="" /></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2010/04/internet-threat-monitors-and-widgets/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cryptography &#8211; Before &amp; After Public Key.</title>
		<link>http://www.infosecandbeyond.com/2010/04/cryptography-before-after-public-key/</link>
		<comments>http://www.infosecandbeyond.com/2010/04/cryptography-before-after-public-key/#comments</comments>
		<pubDate>Tue, 13 Apr 2010 10:29:04 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Cryptography]]></category>
		<category><![CDATA[Diffie Hellman]]></category>
		<category><![CDATA[PKI]]></category>
		<category><![CDATA[Public Key Infrastructure]]></category>
		<category><![CDATA[Whitfield Diffie]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=58</guid>
		<description><![CDATA[What better way to kick off an Information Security blog than with a video from the Computer History Museum on Cryptography?  Whitfield Diffie is the speaker in this hour long presentation on cryptography history and is also one half of the Diffie Hellman duo who claim to have engineered this new approach.  The same claim comes from [...]]]></description>
			<content:encoded><![CDATA[<p>What better way to kick off an Information Security blog than with a video from the Computer History Museum on Cryptography? Whitfield Diffie is the speaker in this hour long presentation on cryptography history and is also one half of the Diffie Hellman duo who claim to have engineered this new approach. The same claim comes from GCHQ in the United Kingdom, and the two research findings were published a matter of months apart.</p>
<p>Public Key cryptography is implemented by generating a pair of keys (numbers) which are mathematically linked. One is deemed the &#8220;<strong>Public Key</strong>&#8221; which is available to all and the other is the &#8220;<strong>Private Key</strong>&#8221; which is held by the intended recipient of the information which will be encrypted.</p>
<p>The Public Key is used to <strong>Encrypt</strong> and the Private Key is used to <strong>Decrypt</strong>. The Private Key can also be used in digital signing operations, where the recipient can use the corresponding Public Key to verify the signature applied to a piece of information. Eloquently described by our long-bearded and grey-haired expert.</p>
<div style="text-align: center; align: center;"><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="500" height="405" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube-nocookie.com/v/1BJuuUxCaaY&amp;hl=en_GB&amp;fs=1&amp;rel=0&amp;color1=0x3a3a3a&amp;color2=0x999999&amp;border=1" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="500" height="405" src="http://www.youtube-nocookie.com/v/1BJuuUxCaaY&amp;hl=en_GB&amp;fs=1&amp;rel=0&amp;color1=0x3a3a3a&amp;color2=0x999999&amp;border=1" allowfullscreen="true" allowscriptaccess="always"></embed></object></div>
<div style="text-align: left; align: center;">And if you would like to see a 3 minute summary of Public Key Cryptography at a high level, this video pretty much sums it up:</div>
<p style="text-align: center;"><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="500" height="405" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube-nocookie.com/v/8zANm-GDWtQ&amp;hl=en_GB&amp;fs=1&amp;rel=0&amp;color1=0x3a3a3a&amp;color2=0x999999&amp;border=1" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="500" height="405" src="http://www.youtube-nocookie.com/v/8zANm-GDWtQ&amp;hl=en_GB&amp;fs=1&amp;rel=0&amp;color1=0x3a3a3a&amp;color2=0x999999&amp;border=1" allowfullscreen="true" allowscriptaccess="always"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2010/04/cryptography-before-after-public-key/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Importance of Hands On Technical Experience</title>
		<link>http://www.infosecandbeyond.com/2010/03/the-importance-of-hands-on-experience/</link>
		<comments>http://www.infosecandbeyond.com/2010/03/the-importance-of-hands-on-experience/#comments</comments>
		<pubDate>Sun, 07 Mar 2010 10:14:49 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Pre Sales]]></category>
		<category><![CDATA[pre-sales]]></category>
		<category><![CDATA[technical sales]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://www.presalesandbeyond.com/?p=164</guid>
		<description><![CDATA[To operate effectively in a pre-sales role detailed product knowledge is a must.  You cannot truly understand how a product works and its functionality without having some experience of it working on a real system.  At the very least installing a demo or test environment will bring you closer to the capabilities of a [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">To operate effectively in a pre-sales role, detailed product knowledge is a must. You cannot truly understand how a product works and its functionality without having some experience of it working on a real system. At the very least, installing a demo or test environment will bring you closer to the capabilities of a product, but where possible get involved in real implementations, in real customer environments. Occasional secondments to the service delivery arm of your organisation can give you the opportunity to build some real world experience which can be applied to your current and future customer opportunities.</p>
<p><img class="size-full wp-image-168 alignleft" title="Cogs" src="http://www.infosecandbeyond.com/wp-content/uploads/2010/03/3d_cogs.jpg" alt="Cogs" width="240" height="240" /></p>
<p style="text-align: justify;">Practical experience is particularly useful in environments where you are working with multiple products and multiple product components. Understanding the underlying requirements of each component and how they will integrate with the other components can be of vital importance when proposing a solution.  You may find that two of your components have conflicting requirements and simply can not fit together in the configuration you have designed.  It is better to understand as much as possible about these dependencies early in the sales cycle as these can become show stopping issues which may become critical at the later stages of a sale.</p>
<p style="text-align: justify;">Simple advice on this would be to read the manuals, install your virtual machines, install the products, configure the products and run through some mock scenarios.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2010/03/the-importance-of-hands-on-experience/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>International Technical Sales &#8211; Top 5 Tips</title>
		<link>http://www.infosecandbeyond.com/2010/01/international-technical-sales-top-5-tips/</link>
		<comments>http://www.infosecandbeyond.com/2010/01/international-technical-sales-top-5-tips/#comments</comments>
		<pubDate>Thu, 28 Jan 2010 17:36:48 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Pre Sales]]></category>

		<guid isPermaLink="false">http://www.presalesandbeyond.com/?p=142</guid>
		<description><![CDATA[I love to travel. I&#8217;ve been lucky enough to travel extensively, experience different cultures and have worked in many multi-national teams.  I would definitely class myself as a travel nerd.  I found this WebApp on Trip Advisor and have been looking to get more pins in the map ever since.  Here&#8217;s my current travel map [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">I love to travel. I&#8217;ve been lucky enough to travel extensively, experience different cultures and have worked in many multi-national teams.  I would definitely class myself as a travel nerd.  I found this WebApp on Trip Advisor and have been looking to get more pins in the map ever since.  Here&#8217;s my current travel map (to create your own, use the links below the map):</p>
<div id="ta_travelmap" style="width: 430px;"><img src="http://www.tripadvisor.com/CommunityMapImage?id=20021439&amp;type=TRIPADVISOR&amp;size=LARGE" alt="" /></div>
<ol id="ta_favoritelist">
<li><a href="http://www.tripadvisor.com/Tourism-g294201-Cairo-Vacations.html">Cairo, Egypt</a></li>
<li><a href="http://www.tripadvisor.com/Tourism-g488373-Whitianga_The_Coromandel_North_Island-Vacations.html">Whitianga, New Zealand</a></li>
<li><a href="http://www.tripadvisor.com/Tourism-g187147-Paris_Ile_de_France-Vacations.html">Paris, France</a></li>
<li><a href="http://www.tripadvisor.com/Tourism-g298484-Moscow_Central_Russia-Vacations.html">Moscow, Russia</a></li>
<li><a href="http://www.tripadvisor.com/Tourism-g297315-Cochabamba-Vacations.html">Cochabamba, Bolivia</a></li>
</ol>
<ul id="ta_links">
<li><a href="http://www.tripadvisor.com/members/helqasem">View my profile</a></li>
<li>Create your own <a style="font-size:10px; font-family:Verdana, Arial, Helvetica, sans-serif; color:#3860B0; text-decoration:none;" href="http://www.tripadvisor.com/MemberProfile-cpt">travel map</a> or <a style="font-size:10px; font-family:Verdana, Arial, Helvetica, sans-serif; color:#3860B0; text-decoration:none;" href="http://www.travelpod.com/">travel blog</a></li>
<li><a style="font-size:10px; font-family:Verdana, Arial, Helvetica, sans-serif; color:#3860B0; text-decoration:none;" href="http://www.tripadvisor.com/">Travel Info</a> at TripAdvisor</li>
</ul>
<p><script src="http://www.tripadvisor.com/MapEmbed?mid=20021439&amp;frm=p"></script></p>
<p style="text-align: justify;">Maps and pins aside, working outside of your home country can be a daunting idea for some. Especially, if you are not used to working with different cultures. Here&#8217;s a list of quick tips which I hope are helpful.</p>
<h1>Top 5 Tips</h1>
<h2>Tip 1: People are the same.</h2>
<p style="text-align: justify;">People are pretty much the same the world over. Of course, we all have different cultural quirks and ways of doing things, but fundamentally people are the same wherever they are from. They all have hopes, dreams and motivations and you&#8217;ll find the same hopes, dreams and motivations in each country. If you&#8217;ve worked in your home country then working abroad is exactly the same; the only difference is language and location.</p>
<h2>Tip 2: Nudging the language barrier.</h2>
<p style="text-align: justify;">Very few customers are going to expect you to be fluent in their language.  They know you are a foreigner and won&#8217;t expect you to have a full grasp of their language.  That said, out of courtesy, you should try to understand at least the basics such as greetings.  Customers will appreciate any effort you make to fit in with their culture. If it&#8217;s possible to use local names and locations in your demonstrations, it would be good to include these.  If you are going to be there for a longer period of time, it&#8217;s worth getting a language survival guide so you can get around and order food, etc.</p>
<h2>Tip 3: Accommodation.</h2>
<p style="text-align: justify;">Check your accommodation before you go and change it once there if necessary. In short, try to find reviews of the hotel or get recommendations from local partners where possible.  Your logistics and administration department will do their best to find you appropriate accommodation, but as hard as they try there can sometimes be a bit of a gap between their perception from their nice warm office back at base and the reality of where you&#8217;re staying.  Administrators sometimes get the idea that, if you are going on a plane, you&#8217;re going on holiday.  I&#8217;ve worked in some deep, dark 3rd world countries before and it never failed to make me chuckle when a logistics administrator would say &#8220;Ooo you&#8217;re going there, must be nice jet-setting around on holidays&#8221;. What they failed to realise was that the country you were heading to had just been through a 20 year civil war and didn&#8217;t have roads.  Hotel accommodation should be secure and safe above all else.</p>
<h2>Tip 4: Safe Travel Advice.</h2>
<p style="text-align: justify;">Always search for official governmental travel advice.  A lot of countries are in a state of conflict with continually shifting borders.  It may be tempting to jet off to some country to secure an x million dollar deal, and that can be a strong motivation to go.  For the UK, check the FCO travel advice &#8211; <a href="http://www.fco.gov.uk">www.fco.gov.uk</a>. If they say don&#8217;t go, don&#8217;t go.</p>
<h2>Tip 5: Experience the Culture.</h2>
<p style="text-align: justify;">Find out what&#8217;s on. Any visit to a country where you don&#8217;t get to experience some of the local culture can be a wasted visit.  If you&#8217;re free for an evening, go explore.  The hotel staff are a good place to start to find out what&#8217;s in the area.  The concierge will most likely have a bunch of leaflets for events.  If you&#8217;re looking for something a little more lively, the bartender in the hotel bar will know more.</p>
<p>There&#8217;s a whole world out there and it&#8217;s ready to be explored.  Be careful, you might get the travel bug, and if that happens, pins in the map will follow.</p>
<p>Thank you for reading.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2010/01/international-technical-sales-top-5-tips/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Sales Funnel vs Buy Funnel &#8211; Sales Cycle vs Buy Cycle</title>
		<link>http://www.infosecandbeyond.com/2009/10/sales-funnel-vs-buy-funnel-sales-cycle-vs-buy-cycle/</link>
		<comments>http://www.infosecandbeyond.com/2009/10/sales-funnel-vs-buy-funnel-sales-cycle-vs-buy-cycle/#comments</comments>
		<pubDate>Tue, 06 Oct 2009 23:41:36 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Pre Sales]]></category>
		<category><![CDATA[sales]]></category>
		<category><![CDATA[sales cycle]]></category>

		<guid isPermaLink="false">http://www.presalesandbeyond.com/?p=128</guid>
		<description><![CDATA[As Pre-Sales resources we should have an in-depth understanding of the Sales Cycle and the traditional sales funnel.  Although the Sales Manager orchestrates the deal, pre-sales should be aware of his strategy and the steps they are going to progress through to turn leads into closed deals. I came across this video on YouTube. It is [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">As Pre-Sales resources we should have an in-depth understanding of the Sales Cycle and the traditional sales funnel.  Although the Sales Manager orchestrates the deal, pre-sales should be aware of his strategy and the steps they are going to progress through to turn leads into closed deals.</p>
<p style="text-align: justify;">I came across this video on YouTube. It is probably more interesting for Sales people, but I found it an interesting approach.  The interviewee here has written a book called &#8220;The Funnel Principle&#8221;.</p>
<p style="text-align: justify;">He argues that the traditional Sales Funnel is outdated and an artificially created process developed by Sales people for Sales people and not customers.  The Buy Cycle changes the focus back to the customer, where you as a sales organisation are working to understand the buying process of the customer and matching your activities to fulfil the procurement needs of the customer.  The jury is out on this one for me; the Sales Funnel is a time-tested, logical process for generating a large number of leads which you can whittle down to closed deals.</p>
<p><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="480" height="385" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="align" value="right" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/v/NDGwBjFfhOQ&amp;hl=en&amp;fs=1&amp;" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="480" height="385" src="http://www.youtube.com/v/NDGwBjFfhOQ&amp;hl=en&amp;fs=1&amp;" align="right" allowfullscreen="true" allowscriptaccess="always"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2009/10/sales-funnel-vs-buy-funnel-sales-cycle-vs-buy-cycle/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Brief History of Programming &#8211; Assembly to Framework</title>
		<link>http://www.infosecandbeyond.com/2009/09/a-brief-history-of-programming-assembler-to-framework/</link>
		<comments>http://www.infosecandbeyond.com/2009/09/a-brief-history-of-programming-assembler-to-framework/#comments</comments>
		<pubDate>Tue, 15 Sep 2009 08:58:01 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[General IT]]></category>
		<category><![CDATA[development]]></category>
		<category><![CDATA[object-orientated]]></category>
		<category><![CDATA[procedural]]></category>
		<category><![CDATA[programming]]></category>

		<guid isPermaLink="false">http://www.presalesandbeyond.com/?p=88</guid>
		<description><![CDATA[Development of the technologies, functionality, features and value proposition is fundamental to the success of any product within the InfoTech market place.  Although Pre-Sales rarely delve deeper than the occasional script, it&#8217;s worth having an understanding of what&#8217;s going on under the bonnet of your products and solutions. In this blog we&#8217;ll chronologically examine a brief [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Development of the technologies, functionality, features and value proposition is fundamental to the success of any product within the InfoTech market place.  Although Pre-Sales rarely delve deeper than the occasional script, it&#8217;s worth having an understanding of what&#8217;s going on under the bonnet of your products and solutions.</p>
<p style="text-align: justify;">In this blog we&#8217;ll chronologically examine a brief history of the development of programming.  I&#8217;ll be writing this without reams of reference books around the desk, so please take the dates, claims and details as generally correct (this blog is not written to be used as a reference).  There are hundreds of different languages out there, most of which aren&#8217;t covered here. Its purpose is to give you a general idea of how your developers are creating the functionality that you are ultimately trying to sell.</p>
<p style="text-align: justify;">Before we start, I&#8217;ll pay quick homage to <a href="http://en.wikipedia.org/wiki/Charles_Babbage" target="_blank">Charles Babbage</a>. He&#8217;s pretty much the Grandfather of modern computing and you can read about him by clicking his name above.</p>
<p><span style="text-decoration: underline;"><strong>Ok, Let&#8217;s start.</strong></span></p>
<p style="text-align: justify;">I&#8217;m going to start with Binary.. yes, binary.  I remember when I was around 10 years old. I bought a computer game magazine which had in bold letters on the cover.. &#8220;Write your own game!&#8221;. After asking my dear old Mum to buy the mag, I started reading and realized that the mechanism for writing the game was to literally write the binary 0s and 1s into a text file which would later be run as the game.  After several hours of typing 1010110110101001010010010110101, my long suffering Mother stepped in with her superior typing skills and finished the job.  Unfortunately, it didn&#8217;t work.  Somewhere amongst those thousands of 0s and 1s there was a mistake.  Were we going to go back and check each one?  I think not. This was my first ever failed attempt at coding.  You&#8217;ll see as we continue that the development of code has somewhat improved since then.</p>
<p><span style="text-decoration: underline;"><strong>Assembly</strong></span></p>
<p style="text-align: justify;">Assembly was one of the first primitive languages to be created to allow developers to write code. <span id="more-188"></span> The language primarily consisted of three-letter mnemonics (e.g. ADD, MOV, RTN, STA) which gave direct control over computer memory locations and allowed calculations to be performed through the CPU with the use of an entity called the accumulator.  You can find an example <a href="http://www.assembly.happycodings.com/code1.html" target="_blank">here</a>.</p>
<p style="text-align: justify;">In earlier versions of systems from the Unix family, Assembly was used as the core programming language for the operating system.  This was later replaced by C as the evolution of Unix progressed.</p>
<p><strong><span style="text-decoration: underline;">Procedural Code &#8211; For Example &#8211; C</span></strong></p>
<p style="text-align: justify;">C was originally developed by Dennis Ritchie of Bell Labs in 1972.  It was created as a systems programming language with the goal of simplifying the process of system software installation and making it more portable. In C, software packages are developed, compiled and added to the library of code available to the system where it&#8217;s installed.</p>
<p style="text-align: justify;">C is a procedural programming language. Being &#8220;procedural&#8221; in nature means that it is generally written in a linear fashion.  Batches of logic can be grouped together into functions, which are reusable blocks of code, but procedural code is notoriously difficult to maintain, extend and debug.</p>
<p><span style="text-decoration: underline;"><strong>Enter Object Orientated Programming (Java, C++ and more)</strong></span></p>
<p style="text-align: justify;">In the 1980s, C became C++. C++ built on the foundation of the systems programming language C. It introduced Object Orientated concepts to coding.  Object Orientated programs try to model real-world objects and abstractions directly in the code.  What this essentially means is that if our program is related to dogs, we can create a dog as an object in the program. This object may have many attributes, such as colour, height and breed.  If we want to do something with the dog we have to invoke a &#8220;method&#8221; (in procedural terms this would be a function).  An example of a method may be &#8220;walk the dog&#8221;.  By walking the dog we may change some of the attributes of the dog, e.g. location.</p>
<p style="text-align: justify;">You may ask, why would we go to all this bother? Well, the great thing about objects is that they&#8217;re reusable. We can create a blueprint for one (referred to as a class) and create as many dogs from that blueprint as we like.  Additionally, if we have a slightly different type of dog, perhaps a different breed, we can use the same blueprint but extend it slightly for the new object; this is called inheritance.</p>
<p style="text-align: justify;">Another great benefit of &#8220;encapsulating&#8221; these objects into their own separate spaces is modularity. A program should never change an attribute of an object directly; interaction with objects should be done through methods.  This means that we can isolate the logic related to an object.  So, when we change the logic or code for an object, it should not affect the other objects in the program. Now, imagine 100 developers working on a program. How difficult would that be with procedural code? The answer is very.</p>
<p style="text-align: justify;">What you tend to find is that there is more overhead for OO in the beginning, but once a library of objects is built up, it becomes a very fast process to create new code and functionality.</p>
<p style="text-align: justify;">In the early 90s, Java arrived. Java was fully Object Orientated.  Java was billed to be the internet&#8217;s answer to cross-platform capability and got heavily associated with the development of the web. As it stands, although pretty portable, Java hasn&#8217;t been as successful as hoped. Its main drawback appears to be performance. Its viability as a platform for the development of web based applications has diminished in recent years as the rise of newer web development technologies such as AJAX, Javascript, PHP, Ruby on Rails and ASP.NET have somewhat overshadowed it.</p>
<p><span style="text-decoration: underline;"><strong>Libraries, Frameworks and IDEs</strong></span></p>
<p style="text-align: justify;">As languages have matured over many years, developers have made their own code freely available to others.  After all, why start from scratch when you can download and use someone else&#8217;s hard work as a base? I believe the term is &#8220;Standing on the shoulders of giants&#8221;. Libraries are pre-packaged batches of objects and procedures.  Depending on the language being used there are usually thousands of pre-developed snippets of code available for use.</p>
<p style="text-align: justify;">A framework takes this a step further.  A framework will not only make pre-built modules of code available to developers, but can also provide a structure for an application.  This is where an Integrated Development Environment (IDE) comes in handy. IDEs usually provide a graphical interface which helps to implement the structure and model of an application.  The structure and model will guide the developer on where files are stored and how to segment different types of logic, and in some cases also provide functions to assist in the testing of the code.</p>
<p><span style="text-decoration: underline;"><strong>Summary</strong></span></p>
<p style="text-align: justify;">Key topics to understand here are the differences between Procedural and Object-Orientated code.  You can see through the evolution of programming how different coding is today from when it started all those years ago.  Although for Pre-Sales it&#8217;s a very rare occurrence to even see the code of your application, you may however be in regular contact with the developers to discuss new features and requirements.  Having an understanding of their environment can give you confidence that you truly understand what&#8217;s going on in the heart of your offering.</p>
<p style="text-align: justify;">One warning worth taking on board is that you shouldn&#8217;t get too pre-occupied with the bits and bytes of the code. That&#8217;s the developer&#8217;s responsibility, and if you slip too far in that direction you may find yourself wearing shorts, white socks and sandals to the office.  You may also find that you&#8217;ve developed new and interesting social quirks that you never knew existed.</p>
<p>Thank you for reading.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2009/09/a-brief-history-of-programming-assembler-to-framework/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Search Engine Optimisation (SEO) &#8211; Pre-Sales Content</title>
		<link>http://www.infosecandbeyond.com/2009/08/search-engine-optimisation-seo-pre-sales-content/</link>
		<comments>http://www.infosecandbeyond.com/2009/08/search-engine-optimisation-seo-pre-sales-content/#comments</comments>
		<pubDate>Mon, 17 Aug 2009 21:46:37 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Pre Sales]]></category>
		<category><![CDATA[Online Marketing]]></category>
		<category><![CDATA[Search Engine Optimisation]]></category>
		<category><![CDATA[Website Marketing]]></category>

		<guid isPermaLink="false">http://www.presalesandbeyond.com/?p=104</guid>
		<description><![CDATA[The search engine has fast become the first step in any user&#8217;s attempt to access content on the web.  Businesses and individuals alike have realised the massive potential of delivering your information to people&#8217;s web browsers at the click of a button.  Targeting higher rankings on search engines, essentially pushing your content closer to the top [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">The search engine has fast become the first step in any user&#8217;s attempt to access content on the web.  Businesses and individuals alike have realised the massive potential of delivering your information to people&#8217;s web browsers at the click of a button.  Targeting higher rankings on search engines, essentially pushing your content closer to the top of the search listings, has spawned an entire industry of its own.  The act of creating, implementing and monitoring strategies for improving search engine rankings is known as Search Engine Optimisation (SEO).</p>
<p style="text-align: justify;">I&#8217;ve recently been assisting my partner with her SEO strategies for her <a title="Perfume Republic" href="http://www.perfumerepublic.co.uk" target="_blank">online perfume retailing website</a>.  It seems great prices on perfume, fragrances, aftershaves and gift sets aren&#8217;t going to get you to the top of Google alone.<span id="more-187"></span> During this activity, I&#8217;ve read several articles and books on SEO, and also recognised how applicable an understanding of SEO could be for Pre-Sales.  This may become more evident as we discuss SEO below.</p>
<h1 style="text-align: justify;">Search Engines</h1>
<p style="text-align: justify;">Most professional people know what a search engine is, so we&#8217;re not going to go into the basics.  If we are going to discuss the search engines that are out there we must start with the daddy of all search engines, Google.  Google has been so successful that it has actually made its way into the modern world&#8217;s language as a verb.  You can often hear people telling other people to &#8220;Google this&#8221; or &#8220;Google that&#8221;. It&#8217;s almost become synonymous with the act of using a search engine.  In fact, if you submit your content to Google, you will often find it on the other search engines, as most actually index the content already provided by Google. It is however worth submitting content to the other engines and monitoring your position there.  Other notable engines worth evaluating are Yahoo, Bing and Ask.  Each of these, with the exception of Ask, provides a toolbox of functions you can use to evaluate how your site is viewed by the engine.</p>
<p style="text-align: justify;">All engines aim to index the entire content of the web and serve up that content to users as relevant to the user&#8217;s search term or phrase.  Getting to the top of the results list depends on a multitude of factors which we&#8217;ll discuss throughout this blog.</p>
<h1 style="text-align: justify;">Google Page Rank</h1>
<p style="text-align: justify;">Google Page Rank is a score given to any particular web page by Google. It rates Google&#8217;s view of the importance of the page from 1 to 10, with 10 being the most important.  Page Rank is a great high-level performance indicator to track while implementing a rank increasing strategy.  The Page Rank (PR) of your site can be affected by a number of factors.  This includes, but is not limited to, the number of quality &#8220;backlinks&#8221; linking to your site from other sites in the same community of interest.  If the site which is linking to your site has a high PR and is directly relevant to your content then you get more brownie points with Google, which will ultimately mean a higher PR for you.</p>
<p style="text-align: justify;">There are a number of different approaches to gaining backlinks through either directory submission, blogs or forums.</p>
<h1 style="text-align: justify;">Black Hat vs White Hat</h1>
<p style="text-align: justify;">As search engines have evolved they&#8217;ve become more intelligent.  As webmasters have analysed and understood the algorithms behind the rankings during searches, they&#8217;ve found ways to exploit them through what are known as Black Hat SEO techniques.  An example of a Black Hat SEO technique is using a forum-bot to automatically crawl the web for forums and then spam links to your site.  Other examples include hidden links to boost your backlink count.</p>
<p style="text-align: justify;">It&#8217;s generally accepted that Black-hat SEO techniques will give you a short term boost in your rankings, but as soon as the search engines work out how they&#8217;re being exploited, they&#8217;ll find ways to stop it happening and will also penalise your site (in some cases permanently de-listing you from the engine altogether).</p>
<p style="text-align: justify;">White Hat SEO techniques try to promote rank increases while adhering to the rules and guidelines laid out by the search engine.</p>
<h1 style="text-align: justify;">Content, Content and More Content</h1>
<p style="text-align: justify;">Although links to your site are important, the search engines have a major focus on content.  They&#8217;re tirelessly crawling for new, comprehensive and relevant content.  When users enter &#8220;keywords&#8221; into their search term, the search engine will search for those same keywords in your site.  A web page may contain those words in the Page Title, its <a title="Meta Elements" href="http://en.wikipedia.org/wiki/Meta_element" target="_blank">Meta-Information</a> or in the body of the web page.  The more frequently those keywords (or phrases) appear, the more relevance the search engine attaches to your page for the search.  This is not to say that if you repetitively spam your page with the same keywords you&#8217;ll get a higher score. Google&#8217;s search algorithms reportedly have over 500k variables which check for repetition and that your content is semantically viable.</p>
<h1 style="text-align: justify;">I&#8217;m Pre-Sales Not Marketing &#8211; Why do I need to know this?</h1>
<p style="text-align: justify;">Well, Pre-Sales resources are often called upon to assist Marketing in validating and producing collateral. Marketing collateral can come in the form of Datasheets, Brochures, White Papers and Case Studies.  All of this information should be published on your company website and if you have an understanding of which keywords and phrases your marketing department are targeting you can write your content accordingly.</p>
<p style="text-align: justify;">Remember that Search Engines are constantly looking for &#8220;new&#8221; content related to a subject matter.  In turn, it&#8217;s become more important to produce updates to web pages relating to specific areas of interest.  Blogs are a great tool for this and you may be asked to write the occasional article to feed new, relevant content up for the search engines&#8217; consumption.</p>
<p style="text-align: justify;">I&#8217;ll re-iterate that Google isn&#8217;t the only engine out there, but it&#8217;s certainly the most successful at this point. If you optimize for Google, you&#8217;re likely to check most of the boxes for the other ones too.</p>
<p style="text-align: justify;">For a great overview of increasing site ranking on Google, I&#8217;d recommend the following as further reading:</p>
<p style="text-align: justify;"><a href="http://www.amazon.co.uk/Getting-Noticed-Google-Easy-Steps/dp/184078332X/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1253223066&amp;sr=1-1" target="_blank">Getting Noticed on Google in Easy Steps &#8211; by Ben Norman</a> </p>
<div class="wp-caption aligncenter" style="width: 174px"><img title="Getting Noticed on Google" src="http://www3.waterstones.com/wat/images/nbd/m/94/9781840783322.jpg" alt="Overview of SEO for Google" width="164" height="200" /><p class="wp-caption-text">Overview of SEO for Google</p></div>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2009/08/search-engine-optimisation-seo-pre-sales-content/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ethical Pre-Sales – Core values for building long-term mutually beneficial relationships</title>
		<link>http://www.infosecandbeyond.com/2009/07/ethical-pre-sales-%e2%80%93-core-values-for-building-long-term-mutually-beneficial-relationships/</link>
		<comments>http://www.infosecandbeyond.com/2009/07/ethical-pre-sales-%e2%80%93-core-values-for-building-long-term-mutually-beneficial-relationships/#comments</comments>
		<pubDate>Thu, 23 Jul 2009 18:52:05 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[pre-sales]]></category>

		<guid isPermaLink="false">http://www.presalesandbeyond.com/?p=72</guid>
		<description><![CDATA[This article is essentially about approaching your day to day business activities with ethical core values.  Fostering mutually beneficial relationships with customers based on honesty, integrity, respect and dedication will not only encourage short term success but also long term sustainable performance. This applies to any role in business. My first rule of business is: Always [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">This article is essentially about approaching your day to day business activities with ethical core values.  Fostering mutually beneficial relationships with customers based on honesty, integrity, respect and dedication will not only encourage short term success but also long term sustainable performance. This applies to any role in business. My first rule of business is:</p>
<ul>
<li>Always do what you say you will.</li>
</ul>
<p style="text-align: justify;">By adhering to this simple edict you will earn the trust of not only your customers but also your partners, managers and colleagues. Let’s expand on the following core values and see how they are relevant to your pre-sales activities:</p>
<ul>
<li>Honesty</li>
<li>Integrity</li>
<li>Respect</li>
<li>Dedication</li>
</ul>
<p><span id="more-186"></span></p>
<h2>Honesty</h2>
<p style="text-align: justify;">The day of the shifty used car salesman is well and truly over.  Picture this situation&#8230; You head to a car show room to buy a new car.  You are approached on the forecourt by a rather smartly dressed salesman who captures your attention and strikes up a conversation.  He asks you if there is anything in particular you are looking for and you explain that you’re looking for a 4 wheel drive.  He takes you around the selection of 4 wheel drives but nothing is really hitting the mark or feeling quite right.  He proceeds to bamboozle you with technical terminology, and to every question you ask about the car the answer is “yes, it does that”.  The process of assessing your buying signs and pushing through the sale is carefully managed, down to how many cups of coffee you’re offered in the office. You eventually sign the papers and are handed the keys with a smile and a wave from the salesman. Was this a successful sale?</p>
<p style="text-align: justify;">Ten minutes later, you are half way home in your shiny new car and still a little unsure it was a good buy.  You’re looking around for the controls for various features and realise that the car doesn’t actually have 3-4 of the features the salesman was adamant it had. They’re not show-stopping features but would you buy from the same salesman again? In fact, would you buy from the showroom again?  This style of sales can produce very short term results, but loses you a future stream of orders every time a sale is made.</p>
<p style="text-align: justify;">An old commercial colleague of mine recently told me that sometimes I’m “too honest”. Another more technically focussed colleague said that he didn’t realise that honesty wasn’t a binary trait. i.e. You are either honest or you are not.  You can see the perspective of both these points of view.</p>
<p style="text-align: justify;">When asked specific questions about what your solution can do, give accurate answers. Be honest about your capabilities.  What this does not mean is that if you have a list of 20 requirements and your product is particularly weak on 5 of those requirements, you go into your customer and talk at length about how bad your solution is at delivering that functionality.  If there are things that you definitely can’t do and you are specifically quizzed on those things, acknowledge that the functionality isn’t currently available.  This will give the customer confidence that you’re not just saying “yes” to everything. Expand on this; you may find that it’s not a show stopper and the customer doesn’t really fully understand why it’s been listed as a requirement. There may be a way to meet the business need by using a different function of the solution. Think laterally.  If it is a show-stopper then look at the possibility of adding the feature.  With enough time, money and effort, anything is possible.  Maintain your honesty and the customer will develop their trust in you.  This will ultimately lead to them preferring to choose you over other suppliers.</p>
<h2>Integrity</h2>
<p>Definitions of Integrity:</p>
<p><strong>1. </strong>Steadfast adherence to a strict moral or ethical code.</p>
<p><strong>2. </strong>The state of being unimpaired; soundness.</p>
<p><strong>3. </strong>The quality or condition of being whole or undivided; completeness.</p>
<p style="text-align: justify;">When referring to integrity, I’m referring to the quality of the information you provide and the commitments you make. It takes a long time for a customer to build an understanding of your integrity, but once they do, again, they will trust you.  You can speak to a customer 100 times. 99 of those times the information you provide is accurate and one time it is not. The problem here is that the one time you get it wrong will cast a massive shadow of doubt on the 99 other assertions.  Genuine mistakes should be acknowledged and explained to restore the customer’s confidence.</p>
<p style="text-align: justify;">It’s easy to find yourself pressured by over-zealous sales people who fail to see the bigger picture when they’re focussed on getting this quarter’s commission.  I was once on a business trip to Rio De Janeiro, Brazil. I was assisting our American sales team with various meetings, the objective of which was to sell a GSM operator billing solution.  We met two mobile operators in the morning and the presentations went well. In the afternoon, I was sharing a taxi with one of the salesmen. He told me that the next meeting we had was with a water utility company.  Furthermore, he’d already told this company that we had several water utility customers across Europe.  He wanted me to confirm this and “make up” some details about how they were using our system.  I politely told him to call the customer and cancel the meeting.  There was no need to waste our time as the sale would never happen, and I certainly wasn’t willing to risk my reputation or that of the company on such a poorly qualified situation.</p>
<p style="text-align: justify;">Maintain your integrity; it’s hard to build but very easy to lose.</p>
<h2>Respect</h2>
<p style="text-align: justify;">A common mistake I’ve seen throughout my career is to believe that it’s possible, or even easy, to get something past a customer without their knowledge. I’ve seen reams of material on how to manipulate customers into making purchases: “Use NLP, Hypnotism, Mind Control, etc”. What the advocates of these kinds of sales tactics seem to miss is that the customer will probably have an awareness of the tactics too. This is especially true in environments where multimillion dollar decisions are being made. I’d always assume they do; if a customer realises you’re trying to dupe them using some of these approaches, you may as well pack up and move on instead of wasting your time. Respect your customers, and assume that they are astute and experienced enough to be aware of underhanded tactics.</p>
<h2>Dedication</h2>
<p style="text-align: justify;">None of the core values described above are revolutionary new values you can acquire to change the face of business. They provide a basis for your interactions with customers which will enrich your ability to build long-term, mutually beneficial relationships. Successful sales and pre-sales people adhere to them on a daily basis, and they should be considered a prerequisite for any kind of positive performance in business. What you can add here is your own personal dedication to your field. Work hard to understand your customer’s changing needs and envision new, more efficient solutions to fulfil those needs. Not only will you assist your business in pushing ahead of the curve, but you’ll also be able to sustain that performance for the long term.</p>
<p style="text-align: justify;">Thank you for reading.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2009/07/ethical-pre-sales-%e2%80%93-core-values-for-building-long-term-mutually-beneficial-relationships/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What is Three Dimensional Pre-Sales?</title>
		<link>http://www.infosecandbeyond.com/2009/07/what-is-three-dimensional-pre-sales/</link>
		<comments>http://www.infosecandbeyond.com/2009/07/what-is-three-dimensional-pre-sales/#comments</comments>
		<pubDate>Thu, 09 Jul 2009 13:38:09 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Pre Sales]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[business process]]></category>
		<category><![CDATA[pre-sales]]></category>
		<category><![CDATA[psychology]]></category>
		<category><![CDATA[technical sales]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://www.presalesandbeyond.com/?p=26</guid>
		<description><![CDATA[Introducing Pre-Sales Depending on the organisation or industry you work in, pre-sales can mean very different things. The main perspectives people hold when categorizing pre-sales as a role are generally polarized at opposing ends of a linear spectrum.  At one end we have technical activity and at the other we have commercial.  The technical-to-commercial spectrum [...]]]></description>
			<content:encoded><![CDATA[<h2><span style="text-decoration: underline;">Introducing Pre-Sales</span></h2>
<div style="text-align: justify;">Depending on the organisation or industry you work in, pre-sales can mean very different things. The main perspectives people hold when categorizing pre-sales as a role are generally polarized at opposing ends of a linear spectrum. At one end we have technical activity and at the other we have commercial. The technical-to-commercial spectrum is widely used as a frame of reference. Some organisations expect their pre-sales employees to be very technical, with an ability to dig deep into code where necessary, and others don’t require any hands-on experience at all. In reality, the definition of the role is flexible and the expectation is that a pre-sales resource will fall somewhere in between.</div>
<div>
<div id="attachment_38" class="wp-caption aligncenter" style="width: 550px"><a rel="attachment wp-att-38" href="http://www.infosecandbeyond.com/infosec-news/30-revision-8/"><img class="size-full wp-image-38" title="LinearPre-Sales" src="http://www.infosecandbeyond.com/wp-content/uploads/2009/07/LinearPre-Sales.jpg" alt="The linear spectrum of pre-sales activity." width="540" height="90" /></a><p class="wp-caption-text">The linear spectrum of pre-sales activity.</p></div>
</div>
<p style="text-align: justify;">My loose definition of Pre-Sales: Pre-sales provides the medium to bridge the gap that exists between a customer’s business needs and the functional capabilities of the products and solutions provided by a supplier organisation.</p>
<p style="text-align: justify;">Throughout this article I will explore the traditional views of the two camps at each end of the spectrum: the commercial view that pre-sales resources are essentially sales people who should know about the features of the offering, and the technical view that pre-sales resources are technical people who focus on functional activities and attend customer meetings simply to answer technical questions.</p>
<h2><span style="text-decoration: underline;">Who performs pre-sales activity and what do they do?</span></h2>
<p style="text-align: justify;">The following is a list of titles/roles which fall within or at the very least overlap with pre-sales activity:</p>
<ul>
<li>Pre-Sales Consultant</li>
<li>Pre-Sales Account Manager</li>
<li>Technical Sales</li>
<li>Technical Account Manager</li>
<li>Sales Engineer</li>
<li>Systems Engineer</li>
</ul>
<p style="text-align: justify;">So, what does a pre-sales person do? Here are some examples of some pre-sales activities and responsibilities:</p>
<ul>
<li>Make the technical sale.</li>
<li>Build relationships with peers in partner and customer accounts.</li>
<li>Manage accounts from a technical perspective.</li>
<li>Requirements gathering.</li>
<li>Assess business as well as functional needs.</li>
<li>Respond to RFPs, RFIs and RFQs.</li>
<li>Write proposals.</li>
<li>Design, build and demonstrate products and solutions.</li>
<li>Write, review and deliver presentations.</li>
<li>Research and create whitepapers.</li>
<li>Deliver training courses for partners, resellers and end customers.</li>
<li>Review and provide content for marketing collateral (datasheets, websites, etc).</li>
<li>Solutioneering – design, communicate and propose multilevel, complex system solutions to customer problems.</li>
<li>Product evaluations.</li>
<li>Provide pricing for quotations.</li>
<li>Support Direct Sales force to assist in implementation of sales strategy.</li>
<li>Write, review and deliver training courses.</li>
<li>Attend industry conferences and events.</li>
<li>Diplomatically liaise and broker understandings between the internal sales and delivery stakeholders in an organisation.</li>
<li>Bid management.</li>
<li>Design and install PoCs (Proof of Concept).</li>
</ul>
<p style="text-align: justify;">The list above is starting to look exhaustive but is far from complete. The wide variety of activities which may fall under the scope of pre-sales can make it difficult to pigeonhole exactly where it should fit in an organisation. Furthermore, how do you find someone who can carry out such a wide variety of activities?</p>
<h2><span style="text-decoration: underline;">Pre-Sales Personalities</span></h2>
<p style="text-align: justify;">People who can comfortably sit at either end of the technical-to-commercial spectrum can be considered a rarity. Technical activities require a logical, detail-oriented, process-focussed mindset and work in discrete terms with little ambiguity. Commercial activities, although still process-focussed, reside in a considerably greyer area where a less than black-and-white approach to relationships, negotiation and winning the business is required.</p>
<p style="text-align: justify;">There isn’t an abundance of individuals who can reside in both camps and this generally leads organisations to push people in one direction or the other.  It also fosters the opinion that someone can be either a technical person or a people person, but not both.  I challenge this assumption and believe that it is possible to have the ability to sit at both ends of the spectrum.  By hiring, training and directing pre-sales with a balanced and open-minded approach, you can strengthen the role and its ability to deliver for your organisation.</p>
<h2><span style="text-decoration: underline;">Three Dimensional Pre-Sales</span></h2>
<p style="text-align: justify;">I’d like to suggest a different model for pre-sales and pre-sales activity.  My definition above simply states that pre-sales is the medium to understand customer problems and facilitate the design and delivery of solutions to those problems.</p>
<p style="text-align: justify;">By taking the commercial approach of focusing on the development of business skills, it’s possible that your understanding of true capabilities may be lost. By neglecting technical skills you could find yourself, or your pre-sales resources, talking a lot, but talking a lot of rubbish. Taking a heavily focused technical approach can lead to a deep understanding of complex technical systems, but you will find little use for that knowledge if you can’t communicate your ideas effectively. It is true to say that you have to work on both and find a balance between technical and commercial abilities.</p>
<p style="text-align: justify;">Once we have decided where in the spectrum our pre-sales activity should reside, we can work on improving our commercial skills and also building our technical skills accordingly. One thing I believe is missing from the equation is psychology (or a focus on soft skills). Soft skill development is often neglected or is bundled as a secondary set of skills which fall under the commercial skill set. Throughout these blog posts I’d like to bring more focus to this area as well as exploring the other, traditional ends of the spectrum. By bringing this additional element into play and focusing on a balance between the three, we can operate much more effectively. We could even say that we’re introducing a third dimension to pre-sales.</p>
<div id="attachment_28" class="wp-caption aligncenter" style="width: 257px"><a rel="attachment wp-att-28" href="http://www.infosecandbeyond.com/about/2-revision-8/"><img class="size-full wp-image-28" title="Three Dimensional Pre-Sales" src="http://www.infosecandbeyond.com/wp-content/uploads/2009/07/3dpre-sales.jpg" alt="Three Dimensional Pre-Sales" width="247" height="233" /></a><p class="wp-caption-text">Three Dimensional Pre-Sales</p></div>
<p style="text-align: justify;">In future articles, I’ll explore aspects of all of these areas. Developing an awareness of all of these areas will strengthen you as an individual and may even help your organisation rethink its approach to using pre-sales. Pre-sales has the potential to be the glue that holds an organisation together and drives it into the future. Let’s find out together how and why that can work. I won’t be preaching or telling you how pre-sales should be done, just presenting my views and hopefully some helpful information. I hope you enjoy the journey. Thank you for reading.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2009/07/what-is-three-dimensional-pre-sales/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Book Review: Visible Thought &#8211; The New Psychology of Body Language</title>
		<link>http://www.infosecandbeyond.com/2009/06/book-review-visible-thought-the-new-psychology-of-body-language/</link>
		<comments>http://www.infosecandbeyond.com/2009/06/book-review-visible-thought-the-new-psychology-of-body-language/#comments</comments>
		<pubDate>Mon, 29 Jun 2009 15:35:23 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[psychology]]></category>
		<category><![CDATA[body language]]></category>
		<category><![CDATA[soft skills]]></category>

		<guid isPermaLink="false">http://www.presalesandbeyond.com/?p=9</guid>
		<description><![CDATA[Geoffrey Beattie is a respected and well known Psychology Professor based at Manchester University (UK).  I first became aware of Geoffrey after seeing him on TV some years ago as the resident psychologist for the UK’s Big Brother series.  After some googling I found his book titled Visible Thought – the New Psychology of Body [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;"><a title="Geoffrey Beattie" href="http://www.psych-sci.manchester.ac.uk/staff/GeoffBeattie" target="_blank">Geoffrey Beattie</a> is a respected and well known Psychology Professor based at Manchester University (UK).  I first became aware of Geoffrey after seeing him on TV some years ago as the resident psychologist for the UK’s Big Brother series.  After some googling I found his book titled <a href="http://www.amazon.co.uk/Visible-Thought-Psychology-Body-Language/dp/0415308100/ref=sr_1_3?ie=UTF8&amp;s=books&amp;qid=1246052389&amp;sr=1-3">Visible Thought – the New Psychology of Body Language (2003).</a></p>
<p style="text-align: center;"><img class="aligncenter" src="http://i35.tinypic.com/zjvwo1.jpg" alt="" width="259" height="347" /></p>
<p style="text-align: justify;">In reality, I bought the book several years ago around 2006.  On my first attempt to read, I got most of the way through the first chapter and rapidly lost interest.  The introduction was heavily peppered with Big Brother references and I got the distinct impression that there was some cashing in occurring on Geoffrey’s part, given his new found exposure as the widely renowned Big Brother body language expert.  I expected the remainder of the book to essentially re-iterate descriptions of some of the events occurring in Big Brother, which wasn’t really what I was expecting or interested in. The book soon found a quiet corner in my study and began gathering dust.<span id="more-9"></span></p>
<p style="text-align: justify;">I recently found the book again and thought I’d give it a second chance. To my surprise, I persevered into the 2<sup>nd</sup> chapter and found that my initial assessment of the book was in fact wrong.  The book contains some solid theories, challenges some of the historical conclusions of body language research and describes some of the empirical testing carried out to prove the hypothesized shifts in theory.  This article reviews the book and summarizes the ideas and conclusions presented by Geoffrey.  In particular, I focussed on some key factors worth understanding to assist in pre-sales interactions with customers.</p>
<p style="text-align: justify;">As you delve into the book, you find that historical psychological researchers assumed verbal and non-verbal channels performed separate functions in the process of communication. Verbal communication was thought to present detailed information (objects, sizes, speed, etc) whereas non-verbal communication is believed to cater for the interpersonal exchanges between participants of an interaction (e.g. display mood and temperament in a primitive animalistic fashion). </p>
<p style="text-align: justify;">The theory of visible thought challenges this assumption and explores the deeper connections between the verbal and non-verbal behaviours displayed during communication.  The book focuses on the relationship between gestures and speech. Gestures are defined as hand and arm movements displayed during communication.  Posture, vocalisation and facial expressions are outside of the scope of the book.</p>
<p style="text-align: justify;">The book goes on to describe several empirical tests which do seem to indicate that the linguistic and non-verbal channels are closely tied.  The tests show that the inclusion of gestures in different attempts to communicate the same message deliver a much richer breadth of information about the subject matter discussed.  Where unaccompanied speech may give some basic detail of a message, including gesturing can introduce much more information.</p>
<p style="text-align: justify;">For example, a speaker says “The boy bounced the ball”. In the first instance, the experiment participants (or listeners) just hear the words. A second set of participants are shown a video of the speaker repeating the same sentence, but this time the speaker uses an iconic gesture by mimicking the act of bouncing a ball. Each group of participants is asked various questions about the message, such as “how big is the ball?” and “how fast is it bouncing?”. The results clearly showed that the participants who observed the message with gesturing got a much richer set of information than those who just heard the words.</p>
<p><span style="text-decoration: underline;">What can be applied to pre-sales?</span></p>
<p><span style="text-decoration: underline;">Listening with your eyes and ears</span></p>
<p style="text-align: justify;">A key message to take away from a pre-sales perspective is that you can be more effective if you take the time to look for and perceive the extra information that gesturing provides. During your opportunity assessment activities, you may find information about the real pains and needs of your customer which you can’t always get from RFI or RFP documents. It’s worth reiterating that it’s not just what you’re seeing that&#8217;s important, it’s what you are hearing too. Speech and gesturing complement each other to give you an overall rich understanding of your customer’s thoughts. Dissonance between the vocal and non-verbal message may also give you a clue to deceptive messages. Manipulators, or deceptive gestures, are not easy to fake, as genuine gestures are usually made on an unconscious level.</p>
<p><span style="text-decoration: underline;">Delivering your message with more than just your voice</span></p>
<p style="text-align: justify;">In turn, an understanding of the relationship between these two channels of communication can also help you effectively deliver your messages to your customer.  By understanding your own gestures and using them to reinforce and supplement your verbal message, you can provide your customers with a clear understanding of your ideas, solutions and what exactly you are proposing.</p>
<p style="text-align: justify;">It may be tempting to utilise conscious gestures to misrepresent or dupe your customer into a false belief about your capability or how appropriate your solution may be. I’d strongly advise against this: false gestures (or manipulators) are not easily acted and can usually be spotted. By doing this you will undermine your credibility and your relationship with the customer. I’ll be doing a blog post later in the series focused on ethical approaches to pre-sales.</p>
<p><span style="text-decoration: underline;">Summary</span></p>
<p style="text-align: justify;">I’ve not gone into much depth here but highly recommend reading this book to jump deeper into the specifics. There’s a lot I’ve not covered in the review, for example the effect of character viewpoint gestures vs observer viewpoint gestures, so I encourage you to read the entire book. It’s not overly complex and can provide a basis of knowledge for further research into and understanding of this field. My only criticism is the format of the examples given. A lot of the gestures are described alongside the text of the speech in a textual format. Sometimes this can be a little difficult to follow, and using illustrations or photos may have been more effective.</p>
<p style="text-align: justify;">I’ll be exploring communication and different aspects of both verbal and non-verbal behaviours in later articles. My interest in this area has recently been revived, I think primarily by the TV series “Lie To Me” (Google it to find out more).  Thank you for reading.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2009/06/book-review-visible-thought-the-new-psychology-of-body-language/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Introducing InfoSec and Beyond</title>
		<link>http://www.infosecandbeyond.com/2009/06/introducing-infosec-and-beyond/</link>
		<comments>http://www.infosecandbeyond.com/2009/06/introducing-infosec-and-beyond/#comments</comments>
		<pubDate>Fri, 26 Jun 2009 13:46:34 +0000</pubDate>
		<dc:creator>Hani El-Qasem</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Pre Sales]]></category>
		<category><![CDATA[Information Assurance]]></category>
		<category><![CDATA[Information Governance]]></category>
		<category><![CDATA[InfoSec]]></category>

		<guid isPermaLink="false">http://www.infosecandbeyond.com/?p=44</guid>
		<description><![CDATA[As the world becomes increasing more digital, our every day lives are becoming considerably more dependant on digitial information and Information Technology (IT). The advent of the Internet (or the Web) has created a wealth of opportunity for exchanging information, not only in our work but also in our social lives. Not only has the Internet provided a [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">As the world becomes increasing more digital, our every day lives are becoming considerably more dependant on digitial information and Information Technology (IT). The advent of the Internet (or the Web) has created a wealth of opportunity for exchanging information, not only in our work but also in our social lives. Not only has the Internet provided a platform for sharing, but increasingly changes our everyday language.  Having traditionally been the preserve of the hardcore geek, it&#8217;s not uncommon to hear all walks of life (including grannies and grandads) talking about &#8220;Googling&#8221; something or being &#8220;Facebooked&#8221;.  Access to information, which historically may have meant several trips to the library and specific institutions, is now available in seconds at the click of a button.  The power of the Internet and IT is mind-boggling. A database of the personal details of an entire nation is no longer hosued in warehouses stacked with files, ou can carry the whole thing on a usb stick on your key ring.</p>
<p style="text-align: justify;"><a href="http://www.infosecandbeyond.com/wp-content/uploads/2010/04/Cool0s1s250x165.jpg"><img class="alignleft size-full wp-image-51" style="margin-left: 5px; margin-right: 5px; border: 0px;" title="InfoSAG 0s &amp; 1s" src="http://www.infosecandbeyond.com/wp-content/uploads/2010/04/Cool0s1s250x165.jpg" alt="" width="250" height="160" /></a>The power of these technologies has brought opportunity where opportunity didn&#8217;t exist before. Opportunity comes hand in hand with risk. The challenge that all organisations face today is striking the right balance between retaining availability of information while ensuring confidentiality of that same information. The right information in the wrong hands can have a devastating effect on individuals, organisations and even nations. Information managed, secured and governed incorrectly can cause immense damage. This is why we need Information Security, Information Assurance and Information Governance.</p>
<p>InfoSec and Beyond explores Information Security along with related industries, technologies and happenings. Not only will it assess technical control tools and software, but also higher-level considerations around standards, compliance and administrative process. There&#8217;s a wealth of information out there and I&#8217;ll be exploring all areas of Security, Assurance and Governance. This blog will be a place to gather my thoughts, notes and findings.</p>
<p>The "beyond" part of InfoSec and Beyond will include general IT, Pre-Sales and business posts on areas that may or may not be related to Information Security.</p>
<h5>DEFINITIONS:</h5>
<p>I&#8217;ll be taking my definitions from these starting points (wikipedia):</p>
<p><a title="Wikipedia - InfoSec" href="http://en.wikipedia.org/wiki/Information_security" target="_blank">Information Security</a> (InfoSec) - means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.</p>
<p><a title="Wikipedia - Information Assurance" href="http://en.wikipedia.org/wiki/Information_assurance" target="_blank">Information Assurance</a> (IA) - is the practice of managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes.</p>
<p><a title="Wikipedia - Data Governance" href="http://en.wikipedia.org/wiki/Data_governance" target="_blank">Data Governance</a> - is an emerging discipline with an evolving definition. The discipline embodies a convergence of data quality, data management, business process management, and risk management surrounding the handling of data in an organization.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecandbeyond.com/2009/06/introducing-infosec-and-beyond/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

