DIGITAL SECURITY AND INFORMATION ASSURANCE


This blog is created to stimulate academic discussion in partial fulfillment of the degree of Doctorate of Computer Science in DIGITAL SECURITY AND INFORMATION ASSURANCE for the Colorado Technical University, Colorado Springs, Colorado.

Courses include: EM835 Information Accountability and Web Privacy Strategies; SC862 Digital Security; Quantitative Analysis; CS854 Software Architecture and Design.















Saturday, October 1, 2011

Common Quantitative Analysis Questions and Answers

Below are common quantitative analysis questions and solutions.

What is the nature of causation and what are the criteria for assessing causation?
The nature of causation is often to show that causes differ in significance and thus warrant further, detailed investigation and examination. This investigation often falls into three distinct categories, to determine the necessary cause, the sufficient cause and the contributory cause. To show causation, it must be evident that the variables are statistically related. Causation cannot be proved with complete certainty.
Causes also differ in the timing of their influence.

The major criterion for assessing causation is whether the conditions for the cause exist in the first place. Causation always makes it possible to conduct further investigation into the correlation between variables.
To assess causation, it is important to know whether it is linear or reciprocal in nature. Linear causality assumes that causal influence runs in one direction, while reciprocal causality depicts the causal influence as bidirectional or sometimes circular.
In quantitative research analysis, correlation alone can never show causation, because correlation does not imply causation.


Discuss the difference between experimental and correlational research.
Experimental research involves processes that clearly define the design approach used in conducting the research in question. In a way, it emphasizes how data is collected for final analysis. In experimental research, the researcher can manipulate the experiment and check the effects or results of that manipulation.
Correlational research, by contrast, involves the analysis tools used in conducting the research. Variables are not influenced; only the relationship between them is measured and shown by the researcher. In addition, there are sometimes correlations in experimental research, but typically one of the variables is manipulated.

Finally, experimental research is only about experiments, while correlational research is common in archival research, naturalistic observation, survey research, and even case studies.
 
How can surveys be designed to elicit the most valuable responses?

Surveys generally accomplish two main purposes: to learn something new about the research and to be able to generalize from the survey data. Therefore, in order to elicit adequate and valuable responses from respondents, it is essential to use a design approach that is consistent with the following:
- The survey questions must be well tailored to the focus group.
- The questions should be well designed and meaningful, and the sample size manageable.
- Appropriate survey techniques such as mailing, email or telephone must be employed for the circumstance under consideration.
- Appropriate language that the audience is comfortable with must be used, especially during face-to-face encounters.
- Survey questions must be devoid of ambiguity. It is important to test the questions.
- A face-to-face encounter with survey respondents often provides more tenable answers.
- The researchers must provide any clarification asked for by survey respondents.
- There is no basis for being biased, because a biased sample will produce biased results.


When do ethical issues become important in experimental research?
The ultimate aim of any experimental research work is to advance and contribute to the body of knowledge. Serious ethical issues therefore become a concern when, for instance, there is glaring abuse in the process of selecting research participants. A good selection process must be undertaken and encouraged. It must be seen to be fair and balanced, and not tainted to favor a group or set of people.
Informed consent must be obtained from all research participants, partly to address any of their concerns and partly to give them the opportunity to know what the research is all about. Otherwise, the experimental research could be said to fail one of the ethical standards recognized worldwide in research projects.
The risks and benefits of the research must be well spelled out and clarified to subjects or research participants in order to alleviate issues that border on ethical concern, which I believe can later jeopardize the whole research effort.

Discuss threats to validity.
Bias will increasingly be recognized as one of the most important threats to validity that must be addressed in the design, conduct and interpretation of research. Not removing bias can in the long run compromise the final interpretation of the research results and hence their validity.
Also, the low reliability of measures, which can be attributed to factors such as poor question wording, bad instrument design or layout, and illegible field notes, is a great threat to research validity.
Communication passing among research subjects of information they are not supposed to know until the research exercise is over can affect the validity of the research in a negative way. This will greatly reduce the measurable effects of the research program, because the information so obtained indirectly casts doubt on the true validity of the research results.

How can computer output for t-tests and confidence intervals be interpreted?
In the context of regression analysis, t-test output can be interpreted as a test of whether a regression coefficient (b) is significantly different from zero. In the context of experimental work, however, it is used to test whether the difference between two observed means is significantly different from zero. For instance, SPSS provides the exact probability that the observed value of “t” would occur if the value of “b” in the population were zero. In this regard, if the observed significance is less than .05 (p < 0.05), we may conclude that it reflects a genuine effect in the population.
Confidence intervals for means can be interpreted by looking at the range of values that contains, with some probability (95%), the true value in the population. In computer output, this appears as the estimated lower and upper limits of the 95% confidence interval of the difference. This means that the true value of the difference in the population is somewhere between the limits, and we can be 95% confident of this.

Are regression and ANOVA antagonistic methods?
The answer is an emphatic no. Regression and ANOVA are both based on the general linear model (GLM). The techniques are recognized as two of the most useful statistical analysis tools, be it in business, psychology or sociology circles. In fact, they are complementary tools and are not antagonistic, as some schools of thought have argued. For instance, in most research, when it is desirable to test a multiple regression equation for statistically significant factors or measurable variables, it is imperative to start with ANOVA.
By the same token, when using ANCOVA to analyze the degree of covariance, and in order to improve on an ANOVA technique, it is usually incumbent on the researcher to use regression methods. The regression method applied in this way enables on-the-spot adjustment for a control variable before embarking on ANOVA. The reliability of the statistical analysis and results in such research undertakings is further reinforced. So I submit to this forum that it depends on what the statistical research wants to achieve and the information the researcher wants to convey to the public.
It is important to stress that for any statistical output to be considered valid when using ANOVA or regression techniques, certain assumptions must be fulfilled and tested. For example, in ANOVA, measurable independent variables must be categorical.


Thursday, September 29, 2011

Type I error and Type II error in Quantitative Analysis

Type I error and Type II error
A Type I error occurs when it is inferred that a hypothesis is true when in actual fact it is false. In other words, an experimental study is falsely considered to have succeeded in supporting a hypothesis. An example is when a patient is wrongly told that he or she has a highly infectious disease when in actual fact he or she does not. Another is when a driver who is at no fault is punished on the basis of eyewitness reports. In both cases, this is, in statistical parlance, a false rejection of the null.
A Type II error, on the other hand, is committed when it is deduced that a hypothesis is false when in actual fact it is true. For example, a group of white Caucasians is wrongly classified as Orientals in an ethnic study. Another example is a negative pregnancy test when in reality the woman is, say, two months pregnant. This is a false acceptance of the null hypothesis.

Tuesday, March 29, 2011

Privacy and Security Issues in Social Networking

                            
Project Paper: Privacy and Security Issues in Social Networking
Dr. Brian Pankau
Submitted in Partial Fulfillment of the Requirements for EM835
Information Accountability and Web Privacy Strategies
(Winter 2011)

Abstract

Most online social networking sites share a core of features that are completely absent in their offline counterparts. The relation between privacy and a person’s social network is multi-faceted. On certain occasions we want information about ourselves to be known only by a small circle of close friends, and not by strangers. In other instances, we are willing to reveal personal information to anonymous strangers, but not to those who know us better. In this paper, I highlight the privacy issues as well as the digital security problems that the rapidly growing online social networking sites are facing. I also put forward a set of recommendations that make social networking safer and promote healthy web interactions.

Introduction

Online social networking goes like this: an interested individual with an internet connection visits the social site. The individual creates a profile of themselves, which includes name, sex, age, and geographical location, for others to peruse, with the intention of contacting or being contacted by others, or of meeting new friends or dates.
Gross R. et al (2005) observed that “While social networking sites share the basic purpose of online interaction and communication, specific goals and patterns of usage vary significantly across different services.
The most common model is based on the presentation of the participant’s profile and the visualization of her network of relations to others - such is the case of Friendster”. The model varies and is completely different on some social network sites like match.com, Salon and others, where it is absolutely compulsory to have a profile in order to interact with other members. On some, for instance Livejournal.com, the creation of a profile is secondary. Therefore the patterns of online personal information revelation are quite variable as you traverse from one social networking site to another. For instance, the use of a person’s real name to represent an account profile is encouraged on some sites like facebook.com, but the opposite is true on other sites.
Social networking sites like Facebook tend to connect participants’ profiles to their public identities. This has its own demerits as well as privacy problems. A site like Friendster doesn’t encourage the use of real names; in fact, there are filters that shield the public identity of a person behind his or her online persona by making only the first name, and not the last name, visible to others. “Notwithstanding the different approaches to personal identity, most sites encourage the publication of personal and identifiable personal photos (such as clear shots of a person’s face)” (Gross R. et al (2005)). It has been reported that online social networks are vaster and have weaker ties, on average, than offline social networks.
Trust in and within online social networks may thus be assigned differently and could therefore have a different meaning than in their offline counterparts. Consequently, the degree of privacy invasion is greater in online networks because of the loose relationships within such communities. In essence, trust decreases within online social networks.



1.0 Privacy Implications

The privacy implications associated with online social networking in this technology age are manifold and depend to a large extent on how identifiable the information provided is, and on its possible recipients and uses. In a study conducted by Gross R. (2005), it was discovered that “Even social networking websites that do not openly expose their users’ identities may provide enough information to identify the profile’s owner. This may happen, for example, through face re-identification”. Identifiable information is often available to the hosting sites of some of the notable social networks. These sites may themselves knowingly use the information, or sometimes reveal it to third parties, thereby contradicting their own privacy or user agreements.
The ease of joining most of these social networking sites, and at the same time of extending one’s network on them, makes it easy for hackers to access the community users’ data online.
Newitz A. (2003) reported that “LiveJournal used to receive at least five reports of identification hijacking per day”. Unscrupulous persons and con artists often navigate online social web sites and have been using stolen identities to commit fraud and other crimes. With stolen identities, hackers sometimes entice unsuspecting social network members in chat rooms into parting with money, or peddle traditional business opportunity scams. The Federal Trade Commission has reported that con artists are contacting social networking site community members through email with false promises about earnings through day trading. They are also hijacking unsuspecting members' modems and cramming hefty long-distance charges onto their phone bills.
Some online social networking community members do not care about the amount of information they reveal online. The type of information they reveal often includes such things as:
• Hobbies and interests
• Information about current and previous schools
• Employment history or information, and names of employers
• Private information such as drinking, smoking and drug habits
• Sexual preferences and orientation
• Age
• Marital status
• Geographical location

The information stolen from social networking sites and communities can be used for various purposes, depending on the type of information or data retrieved. Some of the information can be intimate or extensive. The risks include online and physical stalking, personal embarrassment, price discrimination and, even more so, blackmail. Privacy is gravely at risk, but who is to blame when most information on social networking sites is freely given by the members themselves? Hence privacy expectations may not be matched by privacy reality. Facebook, for instance, is straightforward about its usage of the personal information it collects from members, even information provided unknowingly, for example the IP address of logged-in members. Facebook detailed its privacy policy as follows:


1. Introduction
2. Information We Receive
3. Sharing information on Facebook
4. Information You Share With Third Parties
5. How We Use Your Information
6. How We Share Information
7. How You Can Change or Remove Information
8. How We Protect Information (adapted from facebook.com/policy.php)

1.1 Embarrassing Digital Dossier

Social networking sites build a digital dossier from the information they receive from participants, helped by the low and decreasing cost of storing digital information nowadays. It is therefore possible to continuously monitor users’ profiles on these social networking sites, and details which are currently considered insignificant may become public information as time goes on. Views that were expressed privately may become an embarrassing nightmare in the future, when the data currently being mined is freely available. Only time will tell, as the technology of online networking is unbelievably dynamic.

1.2 Stalking and Cyber-Stalking

A rather dangerous side effect of privacy invasion on online social networking sites is the risk of being stalked by online acquaintances. It is very common to socialize with online friends within the same geographical area. For example, Facebook has recently introduced a new relationship based on user location. In fact, profiles on the site contain information about residence location, sometimes class schedule, and location of last login. A completely deranged person who has previously obtained, or has knowledge of, someone’s location through an online association can stalk that person. By the same token, a potential stalker can take advantage of his or her prey because the residence location information is available to him or her with ease.
Privacy invasion is becoming more apparent on social networking sites with instant messenger services and those that offer chat rooms for participants. For example, AOL Instant Messenger (AIM) has a feature called the buddy list. But unlike other messaging services, AIM allows members to add buddies to their buddy list without the buddies’ knowledge or confirmation. Once the victim is on the attacker’s buddy list, the victim can be tracked as soon as he or she logs on to the social networking site. This practice is called cyber-stalking.

1.3 Fake Email Address for Account Creation
The process of verifying a user registration on most social networking sites takes minutes, so a hacker can join an online social site within a couple of minutes.
The social networking site will verify the hacker as a legitimate user by sending a confirmation email to the fake email address he or she quickly created in order to log in to the site. So the process of account creation and verification on social networking sites is an added incentive to the hacker’s detective mission to steal and retrieve genuine user information.


1.4 Manipulation of Users
It has been reported that obtaining confidential information from social networking sites has taken on a new dimension. Social engineering antics are now being employed to retrieve personal information from unsuspecting online socialites. According to Jump K. (2005), “thirty percent of Facebook users are willing to make all of their profile information available to a stranger and his network of friends”.

1.5 Cyber Bullying
These privacy concerns have also resulted in a number of reported cases of online bullying, especially among young teenagers in our education systems, mostly in primary and high schools. Many contributory factors to online bullying on social networking sites have since been identified, and in order to reduce such incidents the following have been recommended:
○ Raise awareness of safety education messages and acceptable use policies on all social networking sites frequented by kids, for instance Facebook.
○ Ensure that services are age-appropriate for the intended audience.
○ Empower users through tools and technology to be able to block anyone who bullies from any direct contact with them.
○ Provide easy-to-use mechanisms to report illicit conduct or improper content.
○ Promptly respond to notifications of illegal content or conduct.
○ Enable and encourage users to employ a safe approach to personal information and privacy.
○ Assess the means for reviewing illegal or prohibited content and bullying conduct.

1.6 Single sign-on promotes dynamic privacy
Just recently, Facebook launched its “Facebook Connect” service to try to solve a major headache of online computing, especially among social networkers. According to Harris S. (2009),
“it saves visitors from having to fill out yet another tedious registration form, upload another profile picture and memorize another username and password. Instead, visitors can now sign into other sites using their existing identity on Facebook”. The Facebook Connect service is helping to promote dynamic privacy by aiding profile sharing amongst various online destinations.


2.0 Security Implications
It is reasonable to expect that the security issues of online social networking sites far outweigh those of offline social forums.
The social network sites most likely to suffer from privacy and security issues are the popular ones. Privacy issues most often involve unwarranted access to private information and may not be directly due to security breaches. A crafty and determined individual may, through shoulder surfing, watch you type your password and later use it to obtain confidential information from your computer.
According to Brendan Collins (2008), “a security issue occurs when a hacker gains unauthorized access to a site’s protected coding or written language”. There is a clear distinction between the privacy issues and the security issues that most social networks face as a result of their rapid popularity and financial importance. Most social network sites process a tremendous amount of information and data every day. Thus there could be lapses in security on those sites, making it possible for a would-be hacker to exploit flaws in the systems.
The following features of social network sites, which involve mass participation, are targeted by hackers or site attackers:
• Chat rooms
• Messages
• Invitations
• Photos
• Open platform applications

It has been reported that the aforementioned features are avenues for gaining unprecedented access to the private information of unsuspecting individuals. A recent case in point is one that exposed a devastating hole in the framework of a third-party application programming interface on Facebook. This programming flaw allowed hackers to gain unrestricted access to private information. The developers of those applications failed to follow sound programming techniques, thereby exposing more information than was necessary to run the application in the first place. This glaring consequence of over-sharing user data is not new, because the security of social network sites was not taken seriously until just recently. To mitigate such security problems, some sites have introduced user privacy controls at all levels within profiles. But such increased privacy settings do not in all cases guarantee adequate privacy and security. Most social network sites do not have a streamlined way to test third-party applications through which users’ data and information can be retrieved without consent. Such application flaws can allow criminally minded developers to sell users’ data to advertising companies for financial gain.
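The over-sharing described above comes down to an interface that hands the whole profile to any application. The following added example (not from the original paper and not any real platform's API) contrasts that with a default-deny export; the field names, the `AppGrant` structure, the reason codes and the order of checks are assumptions made for illustration.

```python
"""Data minimisation for a third-party app interface (hypothetical model)."""
from dataclasses import dataclass

# Constructed sample profile; every value is made up for the example.
SAMPLE_PROFILE = {
    "display_name": "Alex",
    "email": "alex@example.test",
    "birthday": "1990-01-01",
    "location": "Springfield",
    "employer": "Example Corp",
    "relationship_status": "single",
    "last_login_ip": "192.0.2.10",
}

# Fields the platform never hands to apps, whatever the user or app asks for.
NEVER_SHARED = frozenset({"last_login_ip"})

ONLY_ME, FRIENDS, EVERYONE = "only_me", "friends", "everyone"
# Privacy-friendly default: a field with no explicit setting is treated
# as the most restrictive level.
DEFAULT_VISIBILITY = ONLY_ME


@dataclass(frozen=True)
class AppGrant:
    """What one application may see for one user (hypothetical structure)."""
    app_id: str
    declared_fields: frozenset   # fields the app registered as needed to run
    consented_fields: frozenset  # fields this user approved for this app


def naive_export(profile):
    """The over-sharing pattern: the whole record goes to any app."""
    return dict(profile)


def minimal_export(profile, visibility, grant, requested):
    """Release a field only if every check passes.

    Returns (released, denied): released maps field -> value, denied maps
    field -> reason code, so that refusals can be logged and reviewed.
    """
    released, denied = {}, {}
    for name in sorted(set(requested)):
        if name not in profile:
            denied[name] = "unknown_field"
        elif name in NEVER_SHARED:
            denied[name] = "platform_restricted"
        elif name not in grant.declared_fields:
            denied[name] = "not_declared_by_app"
        elif name not in grant.consented_fields:
            denied[name] = "no_user_consent"
        elif visibility.get(name, DEFAULT_VISIBILITY) == ONLY_ME:
            denied[name] = "user_marked_private"
        else:
            released[name] = profile[name]
    return released, denied


def overshared(profile, released):
    """Fields the naive export exposes that the minimal export withholds."""
    return sorted(set(naive_export(profile)) - set(released))


def demo():
    """An app asks for every field; only two survive the checks."""
    visibility = {"display_name": EVERYONE, "location": FRIENDS, "email": ONLY_ME}
    grant = AppGrant(
        app_id="quiz-app",
        declared_fields=frozenset(
            {"display_name", "location", "email", "employer", "relationship_status"}
        ),
        consented_fields=frozenset(
            {"display_name", "location", "email", "relationship_status"}
        ),
    )
    return minimal_export(SAMPLE_PROFILE, visibility, grant, list(SAMPLE_PROFILE))


if __name__ == "__main__":
    released, denied = demo()
    print("released:", released)
    for name, reason in denied.items():
        print(f"denied  : {name:<20} {reason}")
    print("naive export would also expose:", overshared(SAMPLE_PROFILE, released))
```

The `relationship_status` field is refused even though the app declared it and the user consented, because the user never set a visibility for it and the default is the most restrictive level.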
Online social network security issues incorporate all those of their offline counterparts and include risks that are growing daily. Some of these include:

● Identity theft
● Email spamming to propagate malware
● Use of false profiles
● Social engineering tactics to retrieve information
● Targeted attacks through botnets
● Vulnerability to cross-site scripting, e.g. MySpace
● Source of releasing confidential or proprietary information
● Phishing attacks



Data and Information

Gross R. et al (2005) found that “across different sites, anecdotal evidence suggests that participants are happy to disclose as much information as possible to as many people as possible. It is not unusual to find profiles on sites like Friendster or Salon Personals that list their owners’ personal email addresses (or link to their personal websites), in violation of the recommendation or requirements of the hosting service itself”.
Most internet-based companies hold large volumes of personal data whose handling is unregulated, including:
1. Processing of the data
2. Analyzing data
3. Transmitting data
4. Collection of data
In the light of the mass databases in various data centers around the world, one can categorically agree with the assertion that “data processing technology and the creation of mass databases inevitably erode privacy” (Landy K., 2008).
We all know that there is a need for well-conceived privacy policies to take care of the unprecedented digital privacy issues, but leadership is lacking both in government and in private settings.
Due to the explosive use of online social networks, various notable businesses have been building applications to target such users. Efforts to communicate with people using those sites are increasing and being intensified. Most companies are using targeted marketing strategies to:
• Monitor their habits and views
• Influence their opinions
• Direct their spending power

Among the menaces of social networking sites are:
• Data safety: frequent visitors are continuously hit by identity theft and fraud.
• Minors are exposed to improper content or face indecent exposure online.
• People enter into dangerous relationships.
• The elderly are lured into risky financial dealings.

The exponential growth in the number of users of social networking sites is not a surprise. In 2008, the total number was put at 200 million; now various online watchers put the figure at roughly 700 million users, with Facebook alone having a total of 500 million registered users and still growing by the hour. Hofer F. (2010) observed “Given these figures it’s definitely no surprise that companies from various industry sectors are keen on trying to develop potential business applications with a specific focus on social network users”. The notion is that online social networking users are, by all indications, potential customers. In fact, social networking sites are regarded as the new business environment, and a lot of companies are building applications to specifically target social networkers using the various marketing tactics available in their arsenals.

Lack of Social Network Policies

It was recommended during the international conference on data protection and improper use of private information posted by users on social networks that some golden rules be observed.
These are categorized in terms of users and online service providers. Users were advised to:
• Carefully select which personal data (if any) to post on a social network.
• Bear in mind other individuals’ expectation of privacy when publishing information about them.
• Always be cognizant that the security of their information online is not 100 percent guaranteed.
• Remember that their information can be mined and used for various marketing purposes by online marketers.

The online social networking service providers were reminded, among other things, to (adapted from Harris S. (2009)):
■ Comply with the privacy standards in place and as required by regulatory authorities.
■ Inform users adequately about the use of posted data, the possible consequences of publishing it, and security risks.
■ Favor to the maximum extent users’ control over their data and profiles.
■ Offer users privacy-friendly default settings.
■ Constantly improve systems’ security in order to prevent fraudulent access.
■ Grant users the right to access, control and correct their personal data.
■ Offer suitable means for deleting personal profiles and information once membership is terminated.
■ Enable the creation and encourage the use of pseudonyms.
■ Prevent uncontrolled third-party access and practices such as spidering and bulk harvesting.
■ Allow external crawling only with users’ informed, specific and in-advance consent.




Recommendations and Solutions to Social Network Privacy/Security Issues

◊ Don't share your password with anyone.
◊ After you type your login credentials into the login page, make sure you uncheck the “remember me” box.
◊ Always log out when you're finished using any social networking site.
◊ Try to avoid putting sensitive information on social web sites; choose what kind of information you share with the site and how much.
◊ Choose to put up just the essential things; for example, if your profile deals with hobbies (music etc.), don't add non-essential work information.
◊ Customize your privacy settings.
◊ Block access where necessary and report privacy violations.
◊ Limit your online social activity and online presence.
◊ Don’t post anything that you are not ready to divulge to a complete stranger.
◊ Be sure of the identity of anyone you add as an acquaintance online.
◊ Read the privacy disclosure of the site before you join.
◊ If possible, verify that adequate privacy settings are allowed on the site.



CONCLUSION:
Humans are by nature social animals, so online social networks are genuine avenues for exercising more interaction. Social networks are not threats; they are created to offer more opportunity for social interaction universally. A common-sense approach is needed to guard against unsolicited friendship and information dissemination in online social networking forums. A false sense of security makes people on social sites divulge so much information about themselves. Geolocation services offered on some sites keep a record of where online participants visit and go. The security implication is grave and alarming, because the information that is leaked online can undoubtedly be used against the person divulging it. What hitherto was considered private is no longer private. Also, constantly updating profile information with your whereabouts could open a floodgate for criminals to target your house and burgle it.
To avoid identity theft, the use of secure credentials is recommended on social networking sites. A weak password, for example, could compromise a participant’s account, and hackers can use it to spam all your contacts. There is also a need for industry regulation and policy on social networking sites.

References

Acquisti, A., Gritzalis, S., Lambrinoudakis, C., & De Capitani di Vimercati, S. (2008). Digital Privacy: Theory, Technologies, and Practices. Auerbach Publications, Taylor & Francis Group, LLC.

Gross R. (2005). Re-identifying facial images. Technical report, Carnegie Mellon University, Institute for Software Research International, 2005. In preparation.

Gross R., Acquisti A. and John Heinz H. III. Information Revelation and Privacy in Online Social Networks. Retrieved 03/12/2011 from http://dataprivacylab.org/dataprivacy/projects/facebook/facebook1.pdf

Collins B. Privacy and Security Issues in Social Networking. Retrieved 03/12/2011 from http://www.fastcompany.com/articles/2008/10/social-networking-security.html

Harris S. (2009). Security Issues of Social Network Sites. Retrieved 03/12/2011 from http://www.informit.com/blogs/blog.aspx?uk=Security-Issues-of-Social-Network-Sites

Hofer A. F. Privacy issues in social networking: the European perspective. Retrieved 03/15/2011 from http://www.gala-marketlaw.com/pdfs/Privacyissuesinsocialnetworking.pdf

Jump K. (2005). A new kind of fame. Retrieved 03/15/2011 from http://www.columbiamissourian.com/stories/2005/09/01/a-new-kind-of-fame/

Newitz A. (2003). Defenses lacking at social network sites. Security Focus, December 31, 2003.

Oram A. & Viega J. (Eds.). (2009). Beautiful security: Leading security experts explain how they think (pp. 33-61). Beijing: O’Reilly Media.

Zorz M. (2009). Social networking privacy issues. Retrieved 03/13/2011 from http://www.net-security.org/article.php?id=1331

Facts for Consumers. Retrieved 03/16/2011 from http://www.ftc.gov/bcp/edu/pubs/consumer/tech/tec09.shtm

Social Networking Sites: A Parent’s Guide. Retrieved 03/16/2011 from http://www.ftc.gov/bcp/edu/pubs/consumer/tech/tec13.shtm

The Facebook. Privacy policy. Retrieved 03/16/2011 from http://facebook.com/policy.php, August 2005.










Monday, March 14, 2011

SECURITY BY DESIGN - Overall Security Is Beautiful


It is always a good information security strategy to treat security as a critical aspect of system development from the early stages of the system design lifecycle. The author took a trip down memory lane and identified many information system and design projects that failed because risk-based security programs that address security at all phases of the system development cycle were not followed. According to the author, system security is interwoven with system quality, reliability, availability, maintainability and usability. We can only have secure software or a secure system if all vulnerabilities are curtailed and all system functionality is free of security problems in all phases of the system lifecycle. Shortcuts in the system and software development lifecycle must be avoided.
Because most environments are interconnected over networks, it is imperative to guard all access points against attacks and to reduce the systems' overall exposure to such abuse. The perimeter security model often fails to accomplish the desired security goals because systems are exposed to risks they were not protected against in the initial stage of development.
Security metrics should be measured at the component level to fully address all security concerns in the system architecture. It is equally important to carry out quality testing and system integration testing in order to account for all key security issues at the development stages. Security metrics should not be based on quality alone; security's role in cost reduction, safety and speed of system delivery must also be considered.
System testing is an essential requirement for gathering modest system security metrics. Testing should be done at the component level. Integration testing must also be conducted, and unit testing is a must.
The author found to his dismay that system development and engineering, robust system architecture, security procedures, and sound deployment methodologies are sacrificed on the altar of quick product turnaround and the race to market. Solid system engineering practices are thrown to the winds. Thus many systems have serious architectural and programming flaws that ultimately undermine their security.
The book showed that consistent software design and development best practices are being achieved through:
* Standard configuration management
* Good product quality, security and reliability controls
* Good testing procedures
* Deployment of standard foundational elements for determining operational metrics, project management and training
* Risk management
A system development lifecycle that lacks proper security elements and integrations during all the phases of design is bound to fail and the resulting final product is always:
1. Fragile in nature
2. Difficult to operate
3. Difficult to maintain.
In conclusion, to have a well-secured system, all component parts must be tested using various test scenarios, risks must be analyzed, and system performance must be tested for reliability, availability and usability.
Reference
Oram A. & Viega J. (Eds.). (2009) Beautiful security: Leading security experts explain how they think (pp 171-182). Beijing: O’Reilly Media




Privacy, Profiling, Targeted Marketing, and Data Mining - Trust is needed

The technology revolution has provided unlimited possibilities for collecting and storing personal data and information. Most of this information is mined from interviews, surveys and other sources with no attention to privacy. To be successful in their marketing endeavor, companies are very proactive and can predict what a customer needs through various targeted marketing campaigns.
To many businesses, the benefits of customer profiling include:
• Personalized marketing campaigns enable them to find and keep more customers, as well as give them better service.
• Maximize revenue from each existing customer and use that marketing data to target new prospects.
• Segment their customers to ensure that they send the right message to the right audience, maximizing limited marketing dollars.
• Dynamic, real-time groups ensure that each campaign addresses key markets, and that target groups always receive the most current, accurate information.
The author recognized that privacy-preserving profiling is something that can be achieved through cryptographic means, but an efficient solution requires some element of trust. According to the author, three distinct and conflicting privacy and security requirements must be met in order to adequately perform privacy-preserving profiling:
* the data must not be revealed
* the classifier must not be revealed
* the classifier must be checked for validity.
A number of classification models for privacy-preserving profiling that avoid revealing the data or the classifier have been proposed. The methods used have the following properties:
* the classification result is only revealed to the designated party.
* no information about the classification result is revealed to anyone else.
* rules used for classification can be checked for the presence of certain conditions without revealing the rules, e.g. that race is not being used.
It is important to note that privacy-preserving profiling is possible by using a commutative encryption protocol. With such a protocol, a data item can be enciphered with multiple encryption keys in any arbitrary order.
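The commutative property described above can be shown with an exponentiation cipher used for private attribute matching between a data owner and a classifier owner. This is an added example, not code from the book or this blog; the demo-sized prime, the attribute strings and all function names are assumptions made for illustration.

```python
import hashlib
import secrets
from math import gcd

# Demo-sized prime modulus (2**127 - 1), chosen so the example runs instantly.
# Assumption for illustration only: real use needs a standardized large group.
P = 2**127 - 1

def keygen():
    """Return a secret exponent that is invertible modulo P - 1."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if gcd(k, P - 1) == 1:
            return k

def hash_to_group(item):
    """Map an attribute string to a non-zero element modulo P."""
    digest = hashlib.sha256(item.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1

def encrypt(value, key):
    """Exponentiation cipher E_k(x) = x^k mod P; E_a(E_b(x)) == E_b(E_a(x))."""
    return pow(value, key, P)

def decrypt(value, key):
    """Invert encrypt() using the inverse exponent modulo P - 1."""
    return pow(value, pow(key, -1, P - 1), P)

def matching_attributes(customer_attrs, rule_attrs):
    """Return the customer attributes that also appear in the classifier's
    rule, without either side seeing the other's list in the clear."""
    a = keygen()  # data owner's secret key
    b = keygen()  # classifier owner's secret key

    # Round 1: each side encrypts its own hashed attributes and sends them.
    customer_once = [encrypt(hash_to_group(x), a) for x in customer_attrs]
    rule_once = [encrypt(hash_to_group(x), b) for x in rule_attrs]

    # Round 2: each side applies its own key to what it received.
    customer_twice = [encrypt(c, b) for c in customer_once]  # order kept
    rule_twice = {encrypt(c, a) for c in rule_once}

    # The cipher commutes, so equal attributes give equal double ciphertexts.
    return [x for x, c in zip(customer_attrs, customer_twice)
            if c in rule_twice]

if __name__ == "__main__":
    # Constructed sample data.
    customer = ["zip:80903", "age:30-39", "owns:car"]
    rule = ["age:30-39", "owns:boat", "zip:80903"]
    print(matching_attributes(customer, rule))
```

Only attributes present on both sides produce equal double-encrypted values, so non-matching items stay hidden behind the other party's key.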
Ensuring privacy in Targeted marketing:
It is important to adequately ensure privacy while at the same time performing targeted audience marketing. We should also be mindful that customers are either static or mobile, so the best approach is to combine methods that meet the different requirements of each class. This matters all the more because identifying the right target audience is the essence of effective marketing. To achieve this, we can comfortably use clustering and cluster analysis.
The cluster analysis consists of 4 distinct critical implementations as illustrated by the author:
* Segmenting the market – consists, for example, of consumers who are homogeneous in terms of the benefits they derive.
* Understanding buyer behavior – works well if consumers are grouped together in terms of common behavior.
* Identifying new product opportunities – sets the tone for a highly competitive market.
* Selecting test materials – allows for testing various marketing strategies.
* Reducing data – a good representative can easily be identified in homogenized clusters.
Ensuring privacy of mobile users:
The significant use of mobile devices has raised a lot of privacy and security issues, especially as they relate to commerce. Marketing on mobile devices is based on what the author called location-based services (LBS). The following are attributes of location-based services:
* It is to a request usable
* personalized information is delivered at the point of need
* targeting of customers based on advanced knowledge such as profiles and preferences, or perhaps using their locations
The security and privacy concerns in location-based services are:
- It may be possible for an adversary to physically locate a person of interest.
- Tracking of individuals is possible, which can have adverse consequences.
- The profiles of mobile customers are often retained during marketing.
- It is difficult to maintain confidentiality because the identity of the user can often be traced to the LBS.
Privacy-preserving data mining technique: this deals with the problem of mining data without seeing it, through secure computations. Two known methods are universally used to accomplish privacy-preserving data mining:
- Perturbation: Individuals have access to their data and only care about the privacy of certain attributes. However, its security has been shown not to be well established, because knowing the bounds of the data can degrade it.
- Cryptographic approach: more secure but less efficient. It is mostly used in situations where a small number of interested parties own large amounts of data that are analyzed together.
Conclusion:
Profiling provides the basis for starting what marketers or law enforcement agencies call a "dialogue" with customers or suspects, but without regard to the privacy of the customers or persons involved. Privacy-preserving profiling needs more data mining approaches in order to be trusted and to maintain confidentiality.
 
Reference
Acquisti, A., Gritzalis S., Lambrinoudakis C., & De Capitani di Vimercati S. (Eds.). (2008) Digital privacy: Theory, technologies, and practices. New York: Auerbach Publications.
Marketing Automation: Customer Profiling. Retrieved March 8, 2011 from http://www.netsuite.com/portal/industries/wd/marketing_cus_profiling.shtml
Smirnov-M H. (2007) Data Mining and Marketing. Retrieved March 7, 2011 from http://www.estard.com/data_mining_marketing/data_mining_campaign.asp 

Friday, February 18, 2011

Beautiful Security Metrics - Is Beautiful


Beautiful Security Metrics
Review          






Security metrics is a critical methodology that facilitates better system security awareness, decision making and implementation. It helps in the analysis of complex system and application processes and summarizes them in more easily understandable forms. Although security metric usage is still in its infancy, concerted efforts must be made to employ it in IT security management. The author of Beautiful Security Metrics drew a parallel between system security professionals and their medical counterparts.


The author described the importance of security metrics, which includes:
- Good for monitoring and performance measurement for controls
- Used for detecting absence of critical controls
- For measuring efficiency and effectiveness.
- Formation of up to date security policies and procedures
- Identity management process for managing user access and entitlements.
- Separation of duties: those who authorize IT access must be well defined and separate from those who enable such access.
- Mandatory review should be conducted after an employee’s responsibilities are changed.
- System and application access and processes must be logged in log files.
- Activity log files must be analyzed regularly.
- Regulation, best practices and standards must be thoroughly vetted and complied with.
- Security metrics improve control for identity and access management.
            


According to Nichols E (2009), “metric have clearly helped medical practitioners by providing both a framework for quantifying the health of an individual or population and a collection of guidelines to communicate that state to non experts”. The author therefore advised that IT security professionals should use metrics to analyze system vital signs and encourage the sharing of security data across the board. Good security metrics have the following features:
                  
              Cases for acceptable system security metrics and vital signs
- Can be relative
- Subjective
- Measurable
- Probable values could be positive or negative
- Allow for Sharing of data



Beautiful Security Metrics shows how two major security breaches could have been prevented if security metric processes had been fully implemented by Barings Bank in the UK and TJX group in the USA. Internal breaches, enabled by the lack of security control mechanisms, led to the demise of Barings Bank. Identity and access management at Barings was nil and contributed to its failure. TJX lost close to $1 billion because of the security breaches, which were perpetrated by outside attackers taking advantage of security vulnerabilities in network and system management protocols used by the company.

Beautiful Security Metrics summarized the events that led to the system security breaches at Barings Bank and attributed them to the following:
- No clearly defined role for the company personnel
- No separation of duties
- No review process in place
- System controls are lacking


For TJX group, the security lapses were the direct result of:
- Inadequate network configuration control
- Inadequate network usage surveillance
- Inadequate server configuration and usage monitoring
- Lack of data protection mechanism
- Access points used to connect to the wireless router were not properly configured and protected. To make matters worse, the routers were put in broadcast mode. By using the wardriving technique, criminals are able to uncover open wireless networks with a view to stealing customer data and information.
- WEP does not offer adequate protection for wireless network.

Some notable system metrics include, but are not limited to:
- Comparing two values, one from the authoritative system and the other from the configuration and activity logs, can provide much-needed information about secret accounts in the environment.
- Percentage of login accounts that cannot be genuinely accounted for, which could represent accounts used for unauthorized access.
- Percentage of accounts that have never been justifiably reviewed in the recent past.
- Groups of accounts should be well defined and overlap must be prevented.
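The account metrics listed above can be computed by comparing an authoritative identity export with login events taken from activity logs. This is an added example, not code from the book or this blog; the record layout, log line format, group names and one-year review window are assumptions, and all data is constructed.

```python
import re
from datetime import date

# Constructed sample: authoritative identity records (e.g. an HR/IAM export).
AUTHORITATIVE = {
    "asmith": {"last_review": date(2011, 1, 10), "groups": {"access-approvers"}},
    "bjones": {"last_review": date(2009, 6, 2), "groups": {"access-provisioners"}},
    "cwu": {"last_review": None,
            "groups": {"access-approvers", "access-provisioners"}},
    "dlee": {"last_review": date(2010, 11, 30), "groups": {"staff"}},
    "efox": {"last_review": date(2011, 2, 1), "groups": {"staff"}},
}

# Constructed sample: login events as they might appear in an activity log.
LOG_LINES = [
    "2011-02-14T09:01:12 login user=asmith host=app01 result=success",
    "2011-02-14T09:03:40 login user=svc_tmp host=db02 result=success",
    "2011-02-14T09:07:05 login user=cwu host=app01 result=success",
    "2011-02-14T09:09:51 login user=bjones host=app01 result=failure",
    "2011-02-14T23:58:02 login user=tmpadmin host=db02 result=success",
    "malformed line without fields",
]

LOGIN_RE = re.compile(r"\blogin user=(\S+) host=\S+ result=success\b")

def accounts_seen(lines):
    """Accounts with at least one successful login; bad lines are skipped."""
    return {m.group(1) for line in lines if (m := LOGIN_RE.search(line))}

def unaccounted(seen, authoritative):
    """Accounts active in the logs but absent from the authoritative system."""
    return seen - set(authoritative)

def unreviewed(authoritative, as_of, max_age_days=365):
    """Accounts never reviewed, or not reviewed within max_age_days."""
    return {name for name, rec in authoritative.items()
            if rec["last_review"] is None
            or (as_of - rec["last_review"]).days > max_age_days}

def overlapping(authoritative, group_a, group_b):
    """Accounts that sit in both groups, i.e. a separation-of-duties overlap."""
    return {name for name, rec in authoritative.items()
            if {group_a, group_b} <= rec["groups"]}

def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0

def report(lines, authoritative, as_of):
    seen = accounts_seen(lines)
    ghost = unaccounted(seen, authoritative)
    stale = unreviewed(authoritative, as_of)
    return {
        "unaccounted_accounts": sorted(ghost),
        "unaccounted_pct": pct(len(ghost), len(seen)),
        "unreviewed_accounts": sorted(stale),
        "unreviewed_pct": pct(len(stale), len(authoritative)),
        "duty_overlap": sorted(overlapping(
            authoritative, "access-approvers", "access-provisioners")),
    }

if __name__ == "__main__":
    print(report(LOG_LINES, AUTHORITATIVE, date(2011, 2, 15)))
```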



Conclusion:
There is a need to embark on the re-education of system managers and end users on the importance of security metrics in promoting safe computing. Security products should contain manuals about recommended usage, diagnosis and the ways to monitor significant events on systems. Anything out of the ordinary should be analyzed and reported. Auditing of system files, logs, access metrics, and identity management should be part of everyday system management. The interpretation of security anomalies should be simple and devoid of anything complex. Lastly, security metrics facilitate, in their entirety, better system awareness, well-being and decision making on the part of system managers and support personnel, because security metrics improve control for identity and access management.




Reference
Oram A. & Viega J. (Eds.). (2009) Beautiful security: Leading security experts explain how they think (pp 33-61). Beijing: O’Reilly Media  

Thursday, February 10, 2011

Open Source Honeyclient: Proactive Detection of Client-Side Exploits

This is a review of Chapter 8, "Open Source Honeyclient: Proactive Detection of Client-Side Exploits", from the book "Beautiful Security". Course: EM835 "Information Accountability and Web Privacy Strategies".




Honeyclient technologies are being developed to focus on the different ways to detect and analyze Web sites hosting malicious code. Honeyclients are used for detecting and characterizing malicious sites by driving a system in a way that mimics human users (Robert Danford 2006). Among the major reasons for using honeyclients is to stop attacks that use web servers to exploit unpatched browser vulnerabilities, thereby installing unsolicited malware and adware on the computers of unsuspecting web surfers.
According to the author, the first generation of honeyclient development in the open source community was followed by the launch of Microsoft's honeyclients, called honeymonkeys.

The open source honeyclient has been developed to proactively detect client-side exploits.
Most client software, e.g. web browsers and mail clients, is not protected by firewalls, and most client software applications are not properly developed. They often lack up-to-date anti-virus software. As part of ongoing efforts to make the web safer, honeyclient technology also tends to address the problem of unsuspecting computers being used as part of bot networks and becoming part of DoS attacks.

The business of exploiting software and application vulnerabilities has grown over the years because of financial gains and inducement by organized crime. There is a need to develop both server-side honeypot and client-side honeyclient technologies to curtail the menace of both malware and spyware.

Client-side exploits are important because:
1. Security threats are triggered by end-user behavior.
2. Web criminals mostly focus on soft targets.
3. Ordinary Web surfers tend to ignore security warnings.

Honeypot: They provide a wide variety of benefits:
· Traditional honeypots are passive and server-side.
· Worm detection
· Insider-abuse detection (also honeytokens)
· Malware capture (medium-interaction honeypots such as nepenthes are particularly good at this)
· Security research
· New exploit detection

Honeyclients: The following are notable characteristics of honeyclients:
· Use advanced and preexisting knowledge to develop tools that proactively protect against vulnerabilities, because the way the client was infected or exploited is known.
· Specialized systems that are used as the intended target for attacks so that we can learn detailed information about the attack.
· Monitor the honeyclient's behavior to see if it deviates from the norm, e.g. writing an executable file.
· Abnormal behavior of the honeyclient is an indication of an infection.
· Honeyclients are capable of seeking out malicious remote systems.
· Two types of honeyclients are known – server-side and client-side exploits.


Analysis of exploits:
The author discovered that most malware attacks are financially motivated and the following are common:
- Gaming Trojans
- Banking Trojans: able to access victims' online banking/account credentials.
- Politically motivated malware: for propagating political ideologies by using HTML files.

- From honeyclient analysis, malware attacks VMware (virtual platform infrastructure) and proceeds to shut down the guest operating system.
- Full packet capture analysis between the honeyclient and the remote web server at the time of compromise.



Variants of honeyclients:

· Capture – A high-interaction form of honeyclient that has real-time integrity checking capability.
· SpyBye is a low-interaction honeyclient.
· Google Safe Browsing API is an operational honeyclient that seeks out bad sites and thus creates blacklists based on the bad URLs.
· PhoneyC focuses on automatic browser script deobfuscation and analysis.
· MS Strider HoneyMonkey (Microsoft Research)
· Mitre Honeyclient Project (Mitre)
· Client-side Honeypots (Univ. of Mannheim)
· Collapsar/Reverse Honeyfarm (Purdue Univ.)
· Phileas (Webroot)
· Websense (Hubbard)
· SiteAdvisor (McAfee)

Limitations of the honeyclient implementation:
· The insertion of delays by the web browser client silences the way the honeyclient detects an attack.
· Honeyclients have difficulty detecting malware embedded in banner ads on different web sites.
· Honeyclients are limited to drive-by malware attacks or downloads and do not cover interactive executions that need user permission, such as clicking on a link or clicking on executables.

Conclusion:
· Malware mostly targets Microsoft's IE 6 and other unpatched browsers.
· Anti-virus products are signature-based.
· Honeyclients use traffic analysis to track malware attacks.
· Snapshot comparisons of files and filesystems give an indication of malicious attacks.
· Integrity checks, e.g. registry key changes, provide useful information about malware attacks.
· Malware often triggers process execution.
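The snapshot comparison and "deviates from the norm, e.g. writing an executable file" checks described in this review can be sketched as a before/after file integrity check around a single site visit. This is an added example, not code from the book or any honeyclient project; the directory names, the expected-churn allowlist and the helper names are assumptions, the sample files are constructed and inert, and registry or process monitoring is not covered.

```python
import hashlib
import os
import tempfile

EXEC_MAGIC = (b"MZ", b"\x7fELF")  # PE and ELF file headers
EXPECTED_CHURN = {"cache"}         # assumed: where a browser normally writes

def snapshot(root):
    """Map every file path (relative to root) to the SHA-256 of its bytes."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(full, root)] = digest
    return state

def diff(before, after):
    """List files added, removed or modified between two snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }

def is_executable(path):
    """Identify executables by header bytes, not by file extension."""
    with open(path, "rb") as fh:
        return fh.read(4).startswith(EXEC_MAGIC)

def verdict(root, before, after):
    """Flag new executables anywhere and any change outside expected churn."""
    changes = diff(before, after)
    touched = changes["added"] + changes["modified"]
    new_exec = [p for p in touched if is_executable(os.path.join(root, p))]
    unexpected = [p for p in touched + changes["removed"]
                  if p.split(os.sep)[0] not in EXPECTED_CHURN]
    return {"new_executables": new_exec, "unexpected_changes": unexpected,
            "infected": bool(new_exec or unexpected)}

def write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario: one benign visit, then one that alters the client."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "system/settings.conf", b"homepage=about:blank\n")
        base = snapshot(root)
        write(root, "cache/page1.html", b"<html>ok</html>")  # normal caching
        clean = verdict(root, base, snapshot(root))

        base = snapshot(root)
        write(root, "cache/update.exe", b"MZ" + b"\x00" * 62)  # inert stand-in
        write(root, "system/settings.conf", b"homepage=changed\n")
        dirty = verdict(root, base, snapshot(root))
    return clean, dirty

if __name__ == "__main__":
    for result in demo():
        print(result)
```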


Reference
Oram A. & Viega J. (Eds.). (2009) Beautiful security: Leading security experts explain how they think (pp 131-146). Beijing: O’Reilly Media

Robert Danford (2006). 2nd Generation Honeyclients. Retrieved February 10, 2011, from
http://handlers.dshield.org/rdanford/pub/Honeyclients_Danford_SANSfire06.pdf

Strider HoneyMonkey Exploit Detection. Retrieved February 10, 2011, from
http://research.microsoft.com/en-us/um/redmond/projects/strider/honeymonkey/