Thursday, October 31, 2019

Denial of the Right to Rescind a Contract Based on the Finding of Essay - 1

Denial of the Right to Rescind a Contract Based on the Finding of Misrepresented Facts - Essay Example

A misled party is normally allowed to rescind for justifiable reasons, for example a misrepresentation. Misrepresentation here refers to a false statement of fact made by one of the contract partners to the other which, in effect, induced the second party to enter into the contract. It therefore stands that the representee was cheated into it (Collins, 2004). The remedy for misrepresentation normally comes in the form of payment of damages or a refund of the money paid by the representee, the person who has been cheated. However, under some circumstances a court cannot allow a party to rescind on the realization of misrepresented facts which induced them to enter into the contract. An example of a business-law matter which can lead to denial of rescission is the realization of a misrepresentation involving the sale of goods after the lapse of a reasonable time. Atiyah (1994) states that in business, a buyer accepts and receives goods in the performance of a contract. According to contract law, a representee cannot be given a chance to rescind a contract if they discover a misrepresentation yet do not take the necessary steps to avoid the contract within a reasonable time (Cartwright, 2007). The time limit given to the representee to take such steps normally varies from one type of misrepresentation to another. For example, if it is a fraudulent misrepresentation, the representee has until the time when the misrepresentation should have been discovered. International Galleries also claimed that the item (a painting) was truly a Constable (Leaf v International Galleries [1950] 2 KB 86). In this case, the term of the contract was the painter's name, that is, John Constable, and a breach of this allowed the rejection of the painting. Leaf paid £85 for the item and after five years he wanted to auction it.
To his surprise, he was told the item was not a Constable as earlier stated by International Galleries. Leaf claimed rescission of the contract so as to get a refund of his money but was denied.

Tuesday, October 29, 2019

Developmental Psychology and Expressive Arts Essay Example for Free

Developmental Psychology and Expressive Arts Essay

An explanation of each of the areas of learning and development and how these are interdependent. There are 7 areas of learning and development for children, as described in Development Matters in the Early Years Foundation Stage 2012 (DFE Cheshire). There are 3 prime areas of development and 4 specific areas of development. The prime areas are personal, social and emotional development; physical development; and communication and language development. The specific areas are literacy, mathematics, understanding the world, and expressive arts and design. Personal, social and emotional development: this area is about how a child makes relationships, has self-confidence and self-awareness, and manages behaviour. For example, a child of 26 months will demonstrate to their parents that they can be independent, and they could show this by saying 'no' if they don't want to do something. Physical development: physical development is about how children can move around and handle things by themselves, and about health and self-care. For example, a child who is 10 months will pull themselves up to help them stand, and they will hold onto someone they know or a piece of furniture for support. Communication and language: communication and language is about how a child can listen and pay attention, understand others and be able to speak. For example, a child who is 5 months will make their own sounds in response when someone familiar is talking to them. Literacy: literacy is about a child learning to read and learning to write. For example, a child who is 16 months will be interested in books and rhymes and could also have a favourite. They could also draw/write with their finger in the sand. Mathematics: mathematics is about children learning about numbers, shapes, space and measures.
For example, a child who is 40 months could be able to separate a group of 3 or 4 objects in different ways, and begins to recognise that the total is still the same. Understanding the world: understanding the world is about how children see people and communities, how they see the world, and technology. For example, a child who is 30 months could ask a question or comment on aspects of the world, such as where they live or where a different family member lives. They might ask why those people live in different places than them. Expressive arts and design: expressive arts and design is about exploring and using media and materials, and being imaginative. For example, a child who is 60 months will be able to understand different media and combine them to make a new effect. These 7 areas of learning and development are all interdependent. An activity that shows this is playing with play dough, basing the activity on the book Postman Pat. Personal, social and emotional development links into this activity because the children are all talking to you and to each other about what they are doing with the play dough. This is interdependent with communication and language because they are speaking to each other while they are doing the activity. Communication and language is interdependent with physical development because when they are making play dough people to do with Postman Pat they are using their fine motor skills to hold the cutters and rollers properly. Physical development is interdependent with maths because when the children make the people, they can count how many people or objects they have made. They can also be making different shapes, which will help them learn. Maths is interdependent with literacy because they could make their names out of the play dough with the cutters, and there could be some alphabet letters they can also use. Literacy is interdependent with understanding the world because they will be using their senses and their knowledge to understand the book and be able to complete the play dough activity.
Understanding the world is interdependent with expressive arts and design because using play dough is a type of media, so they will gain skills. This also helps the children learn more effectively and be more creative. Early learning goals: each aspect of the areas of learning and development has early learning goals. Most children will achieve most of these by 60 months. The outcomes have been reduced in the EYFS 2012. 'Children play co-operatively, taking turns with others. They take account of one another's ideas about how to organise their activity. They show sensitivity to others' needs and feelings, and form positive relationships with adults and other children.' This is from personal, social and emotional development: making relationships, ELG 40-60+ months. For example, if a child was playing with lots of toys and another child was sitting alone with nothing to do, the child would share their toys with them so they become happy. This will help them to build a relationship and become better friends.

Saturday, October 26, 2019

Penetration Testing Of General Hospital Information Technology Essay

Penetration Testing Of General Hospital Information Technology Essay

Penetration testing (PeT, appendix B) has always been an important first step in any security life cycle. By doing penetration testing, the Hospital's IT team can obtain much invaluable information about the Hospital's newly developed security system. Basically, the process of penetration testing involves gathering information, then using that information to identify and try to exploit security vulnerabilities.

1/ Why do we need to perform penetration testing: Penetration testing is one of the oldest and most effective methods to evaluate the security of a computer system. Nowadays many organizations use penetration testing in order to discover and fix security weaknesses before they get exposed. For General Hospital, after the process of creating a new security system, it is important that we do penetration testing, not only to find out about any potential vulnerability, but also to demonstrate the effectiveness of the new system. These are just a few points on why General Hospital should do penetration testing: The main purpose is still a greater understanding of the current security system and finding any gap in security. This helps the Hospital's IT team to have proper action plans to minimize the threat of attack or misuse. The penetration test will be documented carefully (more information on this below), and these well documented results will help the managers in making a strong business case to the Hospital board, explaining and justifying all the budget that has been used for creating this new security system. Security is not a one-time solution; it is actually a long process of maintaining and upgrading along the way as new threats are discovered. This pen-test may be the first that SGH has, but it will definitely not be the last. By doing a proper pen-test, the result will act as a good foundation for future testing.
2/ Quality of the test: Like any big project, before we actually commit to completing the task we have to have a very clear picture of the final product as well as the strategy and every step of the way; committing without planning is one way to ensure failure (more information on planning in the next part). As we go on later in this document, we'll see that the Hospital will cooperate with a security partner in order to carry out the testing, all the more reason for the two parties to sit down and agree on the standard of quality for this test. So, what makes a good penetration test? Scope of the test: defining a clear scope that is most suitable for the Hospital will be the first and most important task, for a good scope will help to prevent wasting of resources while at the same time covering every potential vulnerability (the scope definition will be in the next section, the planning stage). Reliable partner: after the planning has sketched out a good strategy, it is the security partner's job to implement and launch the test; that is why we have to choose a skilled and experienced partner, one who knows what they are doing. In the fourth section, we will choose a partner that is: legally capable; technically capable; and able to abide by the non-disclosure agreement, which is especially important, for we are a hospital working with highly sensitive information. Choosing a correct and adequate series of tests depends heavily on the scope that we decide on. Also, the execution of the test must follow a strict methodology: every test must be planned carefully, the plan followed, and the results well documented. This is very important because if we treat the test just like a guessing game, to see where the weaknesses are, it is very likely that we are going to miss something, and that alone makes the purpose of doing penetration testing completely void.
Result oriented: the only thing we care about is the result of the test; that is why the results should be well documented. The team should also pay attention to making the results understandable, so that the Hospital board can easily understand the problems, and the consultant from the security partner company should also be ready to present and explain the results. With that set of qualities in mind, we are going to proceed to the planning and further steps accordingly. However, because we are not going to actually perform the test, we are only going through: planning, defining the scope, choosing a strategy, choosing the tests, and lastly defining the methodology and standards for this series of tests. We are going to explain what we choose and why; for the definitions and how to execute, please refer to the appendix.

II/ The planning stage: In this part, we will cover the planning and the definition of the scope, which lead to a strategy plan that will be the backbone guideline for any further tests to follow. The security priorities of different targets are different: for a service network it is important to have high stability and availability, while an e-business network requires high authenticity. However, none of that applies to SGH; for a hospital the utmost priorities are confidentiality and data integrity. We are dealing with patients' data here; there is no point in taking the Hippocratic Oath to keep patients' information confidential while on the other hand slacking off in putting effort into protecting that information. Not only that, we are dealing with a much higher-stakes game here, which involves human lives. This is no longer just protecting data because data means money. When I was young, I remember a movie where a patient with a broken jaw put back together with metallic plating years later has cancer, and his doctor, without knowing about the plating, still sends him to the MRI machine (highly magnetic), leading to his gruesome death.
All of which was caused by a lack of dental documentation in his medical history. So in a nutshell, SGH's highest priority is data integrity and confidentiality, but in the meantime we still have to do minimum checking on every other aspect and leave out nothing. The second aspect of SGH's network system is the personnel, which in this case are mostly doctors and nurses. They are among the most highly trained employees, however not in IT. Nowadays almost every hospital in Singapore has been completely digitalized, dealing with databases instead of paper files, and with many medical devices being monitored by computer programs. The combination of high tech with inexperienced users leads to a very high chance of application misuse and wrong data input. That puts the priority of application security testing (appendix B, application security testing) a bit higher than normal. So as a conclusion for the strategy of this penetration test: we are going to do a penetration test following the Blind Testing strategy (Blind testing strategy, appendix B) to simulate a real hacking attempt by a hacker to obtain confidential data, or to modify or delete it, etc. At the same time we will combine it with certain Internal testing (Internal testing strategy), mostly focused on application security, misuse, etc., and of course a few basic tests against common threats, though we are not going to go deep into that. After deciding on a plan and testing strategy, the next step will be vulnerability assessment.

III/ Vulnerability assessment (VA): Why should we do VA (VA, appendix B)? In fact there is some confusion between VA and pen-test; sometimes people label them as the same. A pen-test mostly consists of VA, but then takes one step further: find out the weak spot, then attack it. So basically before we do a pen-test, the first step would be VA. For the detail of how to do VA, please refer to VA, Appendix A. Basically, we are going to use a series of techniques that can be considered research before the attack.
Passive research: learn as much as we can about SGH from an outside point of view.
Open source monitoring: utilizes Internet meta-searches focused on specific keywords or sensitive information to see if there is any leakage.
Network mapping and OS fingerprinting: from the outside view, figuring out the structure of the network, even being able to draw out a network diagram from the information gathered through different tools.
Spoofing: trick the targeted computer inside the Hospital by sending out packets pretending that they are from a trusted source.
Network sniffing: capture data as it travels in and out of the network; especially since we have different sites, the Clinics and the Hospital, this can be a good check to see if our VPN is working properly.
Trojan attack: and yes, the traditional, bread-and-butter Trojan attack. Even though it is basic, because it is so popular it would be a mistake to think that our firewall can do all the job; Trojans combined with social engineering can be devastating.
Brute force attack: this can be optional, as we mentioned before that the availability of the network may not be our highest priority; however, if resources allow, we can still do it, better safe than sorry.
Vulnerability scanning: finally we can use automated tools to scan the whole database looking for potential vulnerabilities (the how, and what tools, can be found in VA, appendix A).
After all those tests, it is very likely that we may be able to discover a few holes in our security system. However, in order to make sure that none of the vulnerabilities we have just discovered are false positives, we will go on to the next step, exploit testing, meaning actually attacking to see if any get through.

IV/ Penetration testing, different types of test: Exploit testing (exploit testing, appendix B) is normally the final stage in the whole process of penetration testing. There are many types of test, each with a different level of commitment. We have to choose which tests, and how far we want to push.
This decision is based on two aspects. One is the predefined scope that everybody agreed on earlier; we will conduct the test according to that scope and to the strategy. The second is based on the results of VA: attack every potential vulnerability that we have just found. In this scenario, because we have not actually performed the test, we are going to choose based on the scope only.

1/ Database Integrity: As we discussed in the previous section, the integrity and confidentiality of SGH's database is our highest priority. In the process of VA we have done many tests and checks (sniffing, mapping, Trojan, brute force); those are not only VA tests but actually also part of testing the confidentiality and integrity level of the database. That is the fine line between VA and penetration testing, as many of the assessments can actually be considered exploitive. In the same manner, in this stage of exploitive testing there are still tests that could be done that may very well have been part of VA, like: War dialling (war dialling, appendix B): by calling a wide range of telephone numbers inside SGH, we may catch a modem, remote access device, or maintenance connection that may leave an opening onto the hospital network. Why do we even consider this method? The fact is that nowadays not only users but even IT staff are very ignorant when considering the phone network, while in fact it is a prime access point that a hacker could exploit; you don't actually need to be ignorant, careless is enough, as leaving an open modem on a critical node of the network is enough to create an opening. There are many tools we can use for war dialling: ToneLoc from Minor Threat and Mucho Maas, or its alternative ModemScan; they can both be used on the Microsoft Windows platform. TeleSweep for Microsoft also, and it is free. For Macintosh use Assault Dialer.
For Unix try PAWS, THC-SCAN NG, Telescan, IWAR (intelligent war dialler), or ShokDial (from: http://www.tech-faq.com).

2/ Social engineering testing: Social engineering testing (appendix B, SE) is part of the blind strategy testing. The environment we are working in is SGH, where most of the employees don't have in-depth training in IT; another point is their helpful nature, as answering questions kind of comes with the job description, all in one phrase: gullible nurses. For any cunning hacker, this is a big fat moving target for a social engineering attack. For that reason, basic training in social attacks is required; at the same time several tests can be conducted, mainly in two forms: Non face-to-face: the test can be done over mail or phone, pretending to be somebody who has authority, or who needs help, to trick the user into giving out an account, password, or other sensitive information. Face-to-face: this is a more advanced kind of social engineering, posing as an employee or authorized personnel, gaining physical access to restricted areas and getting information, from intercepting mail to dumpster diving, etc. Social engineering may not be as technical as other tests, but it has equal importance if not more, for the fact that there is actually no foolproof method to prevent a social engineering attack other than outsmarting the attacker, which ironically we don't usually do, as we don't put the smartest people of the organization at the reception desk. The only thing we can do is to raise the level of awareness of the employees (there are books on this matter like The Art of Deception and The Art of Intrusion, both by Mitnick and Simon).
3/ Application security testing: The second point from the scope as we discussed earlier is application security. There is a series of tests for application security (technical detail in appendix A, AppT): code review, authorization testing, input validation, cookie security, lockout testing; there are also some tests for the functionality of the application as well, like input validation, transaction testing, etc. Why we need application testing we have discussed above, but then again, do we really need to do all those tests? Yes, we do. The objective of doing so many tests on the application alone is to fully evaluate the control we have over our applications (medical applications, network applications, etc.). The focus of those tests is still mainly on protecting the confidentiality and integrity of information, how to authenticate users, and also on the use of cookies (appendix B, cookies).

4/ Other tests: There are some other tests like denial of service testing, resource testing, etc., but as we mentioned above these are not compulsory; not that they are not important, but there are higher priority tests that need to be done. But since these are common attacks and easy to carry out, it is recommended that if the resources allow, we should go ahead and perform the tests, even at a basic level (the detail of the tests can be found at DoS testing, appendix A).

V/ Other details of a penetration test: 1/ Methodology and standards: Methodology is actually a very important factor of a penetration test. A test that acts without a formal methodology has no real meaning, it is just poking around. But on the other hand, methodology should only act as a framework, a discipline guideline to follow; we should not restrict the tester but rather let him/her fully explore his/her intuition, while acting according to the guideline.
There are several methodologies and standards; for their technical detail, please refer to appendix A, Metho.

2/ Security partner: The reasons why we need to pay money for a third party to perform the test for us are: An unbiased point of view: like a beta tester, sometimes the programmer, or in this case the SGH IT team, cannot see their own mistakes clearly, so we need to hire trained professionals to look for us. Highly experienced and highly trained: among the members of the IT team, some may have done a penetration test before, some may not. But a company that specializes in penetration testing has done it hundreds of times, even for some big organizations; that is why, with the experience and the training, it is more likely that they can discover things that the IT team cannot. Certified result: a certified penetration testing company will have to satisfy a certain level of standards (refer to appendix A, Metho). If a test is done by a certified party, it can become a potentially strong legal argument in future conflicts (for example, insurance conflicts). With all those reasons, we have decided to hire a security partner to perform the test for us. In Singapore there are many companies that have the certification and standards to perform such tests; the most trustworthy must be: Cisco; IBM (with the express penetration testing service); Obtech's Certified penetration testing specialist.

3/ Risks in doing penetration testing: While doing penetration testing, there are certain risks that we should consider and be careful of: Risk of exposure: there is much sensitive data in the hospital, and sometimes these data can be exposed during a pen-test, unintentionally or intentionally; we have to have a strong agreement on the conditions and responsibilities of the security partner. Time delay: a pen-test takes time, and in a hospital environment we cannot simply lock down our database for testing; that is why a strict time-frame is needed.
For the size of our Hospital system, the testing should not take more than a month.

VI/ Conclusion: As we all know, security is a continuum, not an absolute. Through the penetration tests we should be able not only to find out that there are flaws in the security system, but we have to go further to understand the process failures that led to those flaws. Through the test, we can see that even a brand new security system can have many vulnerabilities; it is a reminder to us so that we never have a false sense of security!

Appendix A: 1/ VA (Vulnerability assessment): As documented by SANS, vulnerabilities are the gateways by which threats are manifested. In other words, a system compromise can occur through a weakness found in a system. A vulnerability assessment is a search for these weaknesses/exposures in order to apply a patch or fix to prevent a compromise. How do these weaknesses occur? There are two points to consider:
· The newly developed security system for SGH was born with them, meaning that while developing it the development team created the weakness by mistake.
· Many vulnerabilities occur as a result of misconfigurations by system administrators. Misuse by users can also lead to a hole in the security system.
There are many ways to search for vulnerabilities; however, in our scenario it is best to do it as an outside hacker would do it. Before attacking a system, the hacker also has to perform a vulnerability assessment on the system; the only difference would be that we are going to do it on a full scale, not only from the outside looking in but also from the insider's view. There are, however, a certain number of techniques that could effectively point out the weaknesses if the system has any.
Passive research: As the name suggests, passive research is a method used to gather as much information as possible about an organization's systems configuration from public domain sources such as:
o DNS (domain name service)
o RIPE (Réseaux IP Européens)
o USENET (newsgroups)
o ARIN (American Registry for Internet Numbers)
Passive research is generally performed at the beginning of an external penetration test.

Open source monitoring: This service is an associated technique that utilizes Internet meta-searches (multiple searches of Web sites, newswires, newsgroups and other sources) targeted on keywords that are important to the organization. The data is collected and discoveries are highlighted to the organization. This helps identify whether the organization's confidential information has been leaked or whether an electronic conversation involving them has taken place. This enables an organization to take the necessary measures to ensure confidentiality and integrity.

Network mapping and OS fingerprinting: Visualization of the network configuration is an important part of penetration testing. Network mapping is used to create a picture of the configuration of the network being tested. A network diagram can be created which infers the logical locations and IP addresses of routers, firewalls, Web servers and other border devices. Additionally, this examination can assist in identifying or fingerprinting operating systems. A combination of results from passive research and tools such as ping, traceroute and nmap can help create a reasonably accurate network map. An extension of network mapping is port scanning. This technique is aimed at identifying the types of services available on the target machine. The scan result reveals important information such as the function of a computer (whether it is a Web server, mail server, etc.) as well as revealing ports that may be serious security risks, such as telnet.
Port scans should include a number of individual tests, including:
o TCP (Transmission Control Protocol) scan
o Connect scan
o SYN (or half open) scan
o RST (or Xmas-tree) scan
o UDP (User Datagram Protocol) and ICMP (Internet Control Message Protocol) scans. Tools such as nmap can perform this type of scan.
o Dynamic ports used by RPC (Remote Procedure Call) should be scanned using a tool such as RPCinfo.

Spoofing: Spoofing involves the creation of TCP/IP packets using somebody else's Internet address and then sending them to the targeted computer, making it believe that they came from a trusted source. It is the act of using one machine to impersonate another. Routers use the destination IP address in order to forward packets through the Internet, but ignore the source IP address. The destination machine only uses that source IP address when it responds back to the source. This technique is used in internal and external penetration testing to access computers that have been instructed to only reply to specific computers. This can result in sensitive information being released to unauthorised systems. IP spoofing is also an integral part of many network attacks that do not need to see responses (blind spoofing).

Network sniffing: Sniffing is a technique used to capture data as it travels across a network. Sniffing is an important information gathering technique that enables the capturing of specific information, such as passwords, and also an entire conversation between specific computers, if required. To perform sniffing, the network card of the computer needs to be put in promiscuous mode, so that it captures all data being sent across the network. Sniffing is extensively used in internal testing where the sniffer, or the computer in promiscuous mode, is directly attached to the network, enabling the capture of a great deal of information. Sniffing can be performed by a number of commercial tools such as Ethereal, Network Associates' SnifferPro and Network Instruments' Observer.
Trojan attack: Trojans are malicious programs that are typically sent into a network as e-mail attachments or transferred via IM chat rooms. These programs run in stealth mode and get installed on the client computer without the user's knowledge. Once installed, they can open remote control channels to attackers or capture information. A penetration test aims at attempting to send specially prepared Trojans into a network.

Brute force attack: A brute force attack involves trying a huge number of alphanumeric combinations and exhaustive trial-and-error methods in order to find legitimate authentication credentials. The objective behind this time consuming exercise is to gain access to the target system. Brute force attacks can overload a system and can possibly stop it from responding to legitimate requests. Additionally, if account lockout is being used, brute force attacks may close the account to legitimate users.

Vulnerability scanning/analysis: Vulnerability scanning/analysis is an exhaustive examination of targeted areas of an organization's network infrastructure aimed at determining their current state. The targets range from a single system, or only critical systems, to the entire network. It is usually performed using automated tools that test for a multitude of potential weaknesses in a system against a database of known vulnerabilities and report potential security holes. And although they don't actively prevent attacks, many scanners provide additional tools to help fix found vulnerabilities. Some of the commonly used vulnerability scanners include: the open-source Nessus Project's Nessus, ISS Internet Scanner, GFI Software's GFI LANguard Network Security Scanner, eEye Digital Security's Retina Network Security Scanner, the BindView RMS vulnerability-management solutions and Network Associates' CyberCop.
2/ Application testing (AppT): For the purpose of application testing there are several tests that can be done:
* Code review: Code reviews involve analysing all the application-based code to ensure that it does not contain any sensitive information that an intruder might use to exploit an application. For example: publicly available application code may include test comments, names or clear text passwords that will give an intruder a great deal of information about the application.
* Authorization testing: Involves testing the systems responsible for the initiation and maintenance of user sessions. This will require testing:
o Input validation of login fields: bad characters or overlong inputs can produce unpredictable results;
o Cookie security: cookies can be stolen and legitimate sessions can be used by an unauthorised individual; and
o Lockout testing: testing the timeout and intrusion lockout parameters set in the application, to ensure legitimate sessions cannot be hijacked.
This is performed to discover whether the login system can be forced into permitting unauthorised access. The testing will also reveal whether the system is susceptible to denial of service attacks using the same techniques.
* Functionality testing: This involves testing the systems responsible for the application's functionality as presented to a user. This will require testing:
o Input validation: bad characters, specific URLs or overlong inputs can produce unpredictable results; and
o Transaction testing: ensuring that the application performs to specification and does not permit the user to abuse the system.

3/ DoS testing: Denial of service testing involves attempting to exploit specific weaknesses on a system by exhausting the target's resources so that it stops responding to legitimate requests. This testing can be performed using automated tools or manually. The different types of DoS can be broadly classified into software exploits and flooding attacks.
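The three authorization-testing items above (input validation of the login fields, cookie security, and the lockout parameters) and the brute-force note in the VA section that a lockout can shut legitimate users out can all be exercised against a small model of the login path. This Python is an added example, not code from the essay or from SGH: the LoginGuard class, its policy constants and the user "nurse01" are assumptions. The account lock expires after a fixed time, so a brute-force attempt cannot deny a nurse access indefinitely, and a separate per-source failure budget throttles one attacker spraying many accounts without locking any of them.

```python
import hashlib
import hmac
import re
import secrets
from collections import defaultdict

# Policy values below are constructed for the example, not SGH's real settings.
USERNAME_RE = re.compile(r"^[a-z0-9._-]{1,32}$")   # rejects bad characters and overlong names
MAX_PASSWORD_LEN = 128
MAX_FAILURES = 5            # consecutive failures on one account before it is locked
LOCKOUT_SECONDS = 900       # the lock expires, so an attacker cannot keep staff out indefinitely
SOURCE_LIMIT = 20           # failures one source may cause across all accounts...
SOURCE_WINDOW = 600         # ...within this many seconds
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def validate_login_fields(username, password):
    """Input validation of the login fields: reject bad characters and overlong inputs up front."""
    if not USERNAME_RE.match(username):
        return False
    if len(password) > MAX_PASSWORD_LEN or not password.isprintable():
        return False
    return True


class LoginGuard:
    def __init__(self, credentials):
        self.credentials = credentials            # {username: (salt, pbkdf2 hash)}
        self.failures = defaultdict(int)          # username -> consecutive failures
        self.locked_until = {}                    # username -> time at which the lock expires
        self.source_hits = defaultdict(list)      # source ip -> timestamps of its failures
        # Dummy credential so an unknown user costs the same time as a real one (no timing oracle).
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = hash_password(secrets.token_hex(16), self._dummy_salt)

    def _source_throttled(self, ip, now):
        recent = [t for t in self.source_hits[ip] if now - t < SOURCE_WINDOW]
        self.source_hits[ip] = recent
        return len(recent) >= SOURCE_LIMIT

    def attempt(self, username, password, ip, now):
        """Return (status, session_token); the token is only set when status is 'ok'."""
        if not validate_login_fields(username, password):
            return "invalid_input", None
        if self._source_throttled(ip, now):
            return "source_throttled", None
        if self.locked_until.get(username, 0) > now:
            return "locked", None                 # a correct password does not shorten the lock
        salt, stored = self.credentials.get(username, (self._dummy_salt, self._dummy_hash))
        matches = hmac.compare_digest(hash_password(password, salt), stored)
        if matches and username in self.credentials:
            self.failures.pop(username, None)
            return "ok", secrets.token_urlsafe(32)
        self.source_hits[ip].append(now)
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILURES:
            self.failures.pop(username, None)
            self.locked_until[username] = now + LOCKOUT_SECONDS
            return "locked", None
        return "bad_credentials", None


def session_cookie(token):
    """Cookie attributes that make a session cookie hard to steal: TLS only, no script access."""
    return f"session={token}; Secure; HttpOnly; SameSite=Strict; Path=/"


def make_demo_guard():
    """Constructed credential store with one account, for exercising the guard."""
    salt = secrets.token_bytes(16)
    return LoginGuard({"nurse01": (salt, hash_password("correct-horse-battery", salt))})
```

Lockout testing in the sense of the appendix is then a matter of driving attempt() with a clock you control and confirming that the lock engages at MAX_FAILURES, survives a correct password, and releases after LOCKOUT_SECONDS.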
Decisions regarding the extent of denial of service testing to be incorporated into a penetration testing exercise depend on the relative importance of ongoing, continued availability of the information systems and related processing activities. Denial of service can take a number of forms; those that are important to test for are listed below:

* Resource overload: these attacks intend to overload the resources (e.g. memory) of a target so that it no longer responds.
* Flood attacks: this involves sending a large number of network requests with the intention of overloading the target. This can be performed via:
  o ICMP (Internet Control Message Protocol), known as smurf attacks; and
  o UDP (User Datagram Protocol), known as fraggle attacks.
* Half-open SYN attack: this involves partially opening numerous TCP connections on the target, so that legitimate connections cannot be started.
* Out-of-band attacks: these attempt to crash targets by breaking IP header standards:
  o Oversized packets (ping of death): the packet header indicates that there is more data in the packet than there actually is.
  o Fragmentation (teardrop attack): sends overlapping fragmented packets (pieces of packets) which are under length.
  o IP source address spoofing (land attack): causes a computer to create a TCP connection to itself.
  o Malformed UDP packet header (UDP bomb): UDP headers indicate an incorrect length.

4/ Methodology and standards (Metho)

The Open Source Security Testing Methodology Manual (OSSTMM) by Pete Herzog has become a de facto methodology for performing penetration testing and obtaining security metrics. According to Pete Herzog, "The primary goal of the OSSTMM is to provide transparency. It provides transparency of those who have inadequate security configurations and policies. It provides transparency of those who perform inadequate security and penetration tests. It provides transparency of the unscrupulous security vendors vying to sponge up every last cent of their prey's already meager security budget; those who would side-step business values with over-hyped threats of legal compliancy, cyber-terrorism, and hackers."

The OSSTMM covers the whole process of risk assessment involved in a penetration test, from initial requirements analysis to report generation. The six areas of testing methodology covered are:

* Information security
* Process security
* Internet technology security
* Communications security
* Wireless security
* Physical security

The OSSTMM focuses on the technical details of exactly which items need to be tested, what to do before, during, and after a security test, and how to measure the results. New tests for international best practices, laws, regulations, and ethical concerns are regularly added and updated.

The National Institute of Standards and Technology (NIST) discusses penetration testing in Special Publication 800-42, Guideline on Network Security Testing. NIST's methodology is less comprehensive than the OSSTMM; however, it is more likely to be accepted by regulatory agencies.

Standards in penetration testing

Let's take a look at some of the standards and guidelines available:

Standards for Information Systems Auditing (ISACA): ISACA was established in 1967 and has become a pace-setting global organization for information governance, control, security and audit professionals. Its IS auditing and IS control standards are followed by practitioners worldwide and its research pinpoints professional issues challenging its constituents. CISA, the Certified Information Systems Auditor, is ISACA's cornerstone certification.

CHECK: The CESG IT Health Check scheme was instigated to ensure that sensitive government networks and those constituting the GSI (Government Secure Intranet) and CNI (Critical National Infrastructure) were secured and tested to a consistently high level. The methodology aims to identify known vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity or availability of information held on that IT system. CHECK consultants are only required when the assessment is for HMG or related parties and meets the requirements above. In the absence of other standards, CHECK became the de facto standard for penetration tests and penetration testing in the UK. Companies belonging to CHECK must have employees that are security cleared and have passed the CESG Hacking Assault Course. However, open source methodologies such as the following are providing viable and comprehensive alternatives, without UK Government association.

OSSTMM: The aim of The Open Source Security Testing Methodology Manual is to se

Friday, October 25, 2019

Social Networking: The Death of Privacy? Essay -- Social Media, Facebo

Social networks have become an increasingly popular way for people to communicate over the last decade. Whether it is through a wall post, a picture, a video, or a link, users are able to share stories and details about their lives through social networks such as Facebook, Twitter, MySpace, and YouTube. Mark Zuckerberg, a Harvard student who hacked the university's network to obtain photos and information about other students on campus, created Facebook in 2004. Today, Facebook has more than one billion weekly active users. According to information found on Facebook's website, "[M]illions of people use Facebook every day to keep up with friends, upload an unlimited number of photos, share links and videos, and learn more about the people they meet." However, if the man behind all of this was a hacker himself, what might this say about the security of the website itself? Just how safe is this site and others?

The truth of the matter is that social networking sites are only as safe as a user makes them. Unfortunately, many of the free privacy settings available to users on the internet are not the default. To protect themselves, users must be sure to censor what they post online and activate the appropriate privacy settings to secure their information. Individuals who share their personal information online must realize that anything they post has the potential to be viewed by millions of people online, not just their friends. As authors Dianne Timm and Carolyn Duven suggest, "[W]hen an individual shares information on a social networking site, he or she is sharing that information with the rest of the world even if the intent was to share with only a select group of people" (Timm and Duven 90). The reality o...

...Premier. Web. 25 Apr. 2015.

Marsico Jr., Edward M. "Social Networking Websites: Are Myspace And Facebook The Fingerprints Of The Twenty-First Century?" Widener Law Journal 19.3 (2010): 967-976. Academic Search Premier. Web. 28 Mar. 2015.

Miller, Robert, Kristine Parsons, and David Lifer. "Students And Social Networking Sites: The Posting Paradox." Behaviour & Information Technology 29.4 (2010): 377-382. Academic Search Premier. Web. 19 Apr. 2015.

Teclehaimanot, Berhane, and Torey Hickman. "Student-Teacher Interaction On Facebook: What Students Find Appropriate." Techtrends: Linking Research & Practice To Improve Learning 55.3 (2011): 19-30. Academic Search Premier. Web. 25 Apr. 2015.

Timm, Dianne M., and Carolyn J. Duven. "Privacy And Social Networking Sites." New Directions For Student Services 124 (2008): 89-101. Academic Search Premier. Web. 29 Feb. 2015.

Wednesday, October 23, 2019

A Leader Essay

Leaders can be seen in a variety of ways, such as a president, a soldier, an athlete. But does a lieutenant only lead his men into combat? Or does a president just send the military off to war in one command? Leadership has a far different meaning than one man giving orders. Being a leader, one must understand that you cannot carry every single thing upon your hands. Sometimes, even a leader can find themselves tied up in a knot and not realize what they've done or are doing. Therefore, in a leadership position there must always be a group, so that the leader will not rule over everything and will actually be seen as an inspiring person; one who sacrifices themselves for others, and one who searches for the best outcome. Throughout my life of experience, I have come across "leaders and leadership". There also have been many leaders way before my time came about. For example, somebody like John F. Kennedy. This man was seen as very inspiring to the American people at the time. His speeches and commitment drove not only the people in the right path but the country as well. Currently, our country is being run by Barack Obama, which is actually really good. He is a great example of a leader. He has helped our country in the past few years get a lot out of this huge debt we have and are actually still having. He has also helped us with this welfare and also is giving a bit more benefits for illegal immigrants. In addition, the outcome of his work shall inspire the people of America. Currently my most favorable experience of leadership is actually taking place as we speak. I came across a book by the one and only great baseball player Josh Hamilton. It is called "Beyond Belief". Josh Hamilton is a great example as a leader and is a man who inspires many ball players. Although he was drug tested and came out positive for cocaine and was also suspended from the major leagues, he fought his way back to where he belonged in the majors.
From a very young age he was always seen as the leader of the team. At the age of only six years old he obtained the skills to play with the older kids. Even then he was better than the older kids. He was always leading his teams in hits, average, and home runs. He carried this through high school. Although he was doing all these great things at once, being that type of leader is far different from being a leader for the team. He would always care for his teammates as if they were brothers and always lightened up situations when they would be down a couple of runs or lost a game. He would sacrifice himself when needed and was always one for helping out his team before powering his skills onto the field. He was not a selfish person at all and never bragged about anything he did. He did it for the love of the game that he cherished so much. That's what really defines a true leader: when one does not become selfish and truly believes in the good of things, whether it is an athlete or a president. Therefore, the outcome will not only inspire teammates or the people of America, but maybe even inspire themselves to do more and be greater. A leader always does what is best for the outcome, overall for the country, or for their teammates. Within a leader, there is always something unique about them. There are reasons, facts, and details on why they seem so inspiring to many people and that is why they are chosen to be the leader or even simply be seen as a leader. Although a leader may have the drive to do something right, it is not always the right or best thing. Groups will play an important role for the leader and back them up with opinions of their own. Furthermore, a leader must play along or they will not be seen as one who sacrifices or inspires anything. Overall, the true greatness of a leader will only show when one is tested. It really can be at any moment. Josh Hamilton was tested for drugs and, unfortunately, came out positive.
But the real test was whether he would be able to get back on his feet from this, which in the end he did, and he fought his way all the way back to the top. Leaders do not vary simply by how many people know them, how many votes they get, or how many home runs are hit. Their leadership shows when they are in the toughest moments, ones that seem impossible to get across but actually are not. As long as there is a contained group within leadership, more often than not everything will be fine. Things will not turn into a dictatorship, and one man will not lead his team to the World Series. Therefore, the group within will help their leader realize what they are doing, and they will in fact sacrifice, inspire, and search for the best outcome.

Tuesday, October 22, 2019

Code Noir Essays

Le Code Noir (The Black Code)

The Code Noir was a decree passed by King Louis XIV of France in 1685 and ended in 1848. It had a great impact on the sugar industry and trade involving French colonies and territories. The Code Noir contains 60 articles, each with its own right and specification. The Code contained rights on slavery, restriction of the freedom of black people, banishment of Judaism, rejection of African cultures and the rule that Catholicism should be the only religion of the colonies.

Background

The document was encouraged by a favorite minister in the King's court, Jean-Baptiste Colbert. However, the document remained unfinished due to the minister's death. Nonetheless, his son succeeded him in completing the source. It was modified and accepted by Louis XIV but rejected by the government. Nevertheless, the King's successor, Louis XV, appointed the Code and authorized the law to be passed in the West Indies. The code was considered a very racial document due to its discrimination by colour and culture. By banning the African traditions, the Mauritian arts such as "Sega" were created.

Layout and Perspective

The arrangement of the article is based upon 60 laws. The first decree consisted of Jews being banned from every French region, due to the belief of Jews being the enemy of Christianity. The second law passed was that there should be no religion other than Catholicism and every resident should be baptized. The documentation continues with the rules of race and eventually comes to the point of slavery. The context of this contains the restrictions on black people and slaves. The last article on the document declares laws on taxes and fees. The original script was printed in French and translated into English. The script's sixty articles are based upon life and death, purchase, religion and treatment of slaves by their lords.
The slaves had little benefit from the code, namely:

* being clothed and fed;
* not working on Sundays and religious holidays;
* being baptized in Catholicism;
* being educated in the religion.

However, the detriments of the verdict were greater, stating that slaves were prohibited from owning any property and had no legal capability. It also oversaw their marriages, deaths, religious traditions, punishments and the extent they had to go to for their freedom.

The Code Noir in Mauritius

The Code Noir in Mauritius was supposed to act as a justification to the slaves but ended up being a Bible claiming the rights of lords over slaves. The punishments were very severe and brutal, even abnormal. If a runaway slave was found, his/her ear would be cut off, and the second time they did something wrong, a thigh was chopped off. But the third penalty was the most ruthless of all; they would be branded with a hot iron mark on their body, namely the Fleur de Lys. The treatment of slaves was that of dogs. Their masters did not care if something bad happened to them. Their nutrition was limited and therefore the slaves themselves had to cultivate their own food in secret. However, not all masters were like that to their slaves. Some did care for their workers and gave them a proper living by gifting them appropriate clothing and food.

Abolishment

Slavery was abolished in France in 1794 and a few decades following that, the Code Noir was also eradicated in 1848. The Code Noir had remained intact for 163 years. Although slavery was obliterated in 1834, the Code Noir stayed for 14 years and then stopped. The slaves who would continue to work were not referred to as slaves but as apprentices. The Code Noir only had two goals:

* to give slave owners rights over their slaves;
* to boost the morality of the slaves.

Although the Code Noir was not always obeyed and followed, it remained a very important aspect of the French colonies.
Legacy

Even if the code was removed, this period was adopted into many books and documentaries. A few of these books have been published in Mauritius specifically, such as "Georges" by Alexandre Dumas. The Code Noir remains a legacy of the French Revolution in Mauritius; nonetheless it depicts the suffering and torture of slaves while working. It also reflects the pain of Mauritius' ancestors and toilers. The Code Noir serves as an example to our people and a dedication to all those who gave their time and effort into making this island what it is today.