Author: admin

Introducción a Perl

Practical Extraction and Reporting Language.

There is more than one way to do it

Puntos a favor de perl:

  • perl es un lenguaje de alto nivel

  • perl es gratis

  • perl puede escribir y leer archivos binarios

  • perl puede tener múltiples archivos de entra y salida abiertos al mismo tiempo

  • Tiene un generador de reportes

  • Maneja expresiones regulares

  • Maneja arreglos lineales y asociativos

  • Es poderoso y simplifica la programación

  • Puede procesar archivos muy grandes sin limites en el tamaño de registro

  • perl incluye un conjunto amplio y poderoso de instrucciones para manejo de cadenas de caracteres y arreglos

  • Cualquier cosa se puede realizar de múltiples formas

Ejemplo de programa en Perl:

# Este sencillo programa copia registros de un archivo
# y agrega un prefijo a cada línea con un numero en secuencia
while (< >){
# while () {} genera un lazo de control que continua mientras el
# enunciado en paréntesis es verdadero.
# la instrucciones en el lazo están dentro de los corchetes {}
# < > es un símbolo especial
# Le dice a Perl que busque en la línea de comando y vea si se
# especificaron algunos archivos.
# Si es el caso, entonces se lee cada uno en turno.
# Si no se especifica ningún archivo entonces se lee de
# la entrada normal (standard input)
# Cualquiera que sea el caso los caracteres que se leen se guardan
# en la variable especial $_
# Cuando <> llega al fin de archivo (end-of-file), regresa un valor de falso,
# lo cual termina el lazo.
print STDOUT ++$i, $_;# print es un método simple sin formato de impresión
# STDOUT es una referencia de archivo normal (standard filehandle)
# para la salida normal (Standard Output).
# Filehandles se especifican en MAYUSCULAS en perl.
# ++$i indica incrementar el valor de $i y dejar el valor disponible
# para la instrucción print
# Todos los valores escalares ( es decir cualquier cosa menos una instrucción,
# un arreglo lineal, un arreglo asociativo, filehandle, o nombre de procedimiento)
# empieza con $ en perl # $_ es el operador de default de cualquier instrucción
# en este caso, $_ contiene el último registro que leyó la instrucción<>
# ; termina cada instrucción en perl
}

Breve revisión de la sintaxis de perl

  • En perl es significativo el caso de los caracteres y se diferencia entre mayúsculas y minúsculas

  • No utilice nombres que empiezen con un numero, ya que estos comúnmente son símbolos especiales para perl, por ejemplo $1, $2, etc.

  • Todas las instrucciones en perl terminan con punto y coma ;

  • Comentarios se pueden insertar en un programa con el símbolo #, y cualquier cosa después de # hasta el fin de línea será ignorado

  • perl identifica cada tipo de variable o nombre de dato con un prefijo. Estos caracteres son:

    Tipo Carácter Comentario
    Escalar $ Un numero o cadena de caracteres
    Vector lineal @ Un arreglo referenciado por un numero índice.
    Subí­ndices entre paréntesis cuadrados [].
    @cosa se refiere al arreglo completo.
    $cosa[1] se refiere al escalar que ocupa la segunda posición en el arreglo
    Vector asociativo % Un vector referenciado por una llave de texto, no necesariamente un número.
    Subí­ndices entre{}.
    %cosa se refiere al vector completo.
    $elemento{“x”} se refiere al escalar que corresponde a la llave “x”
    filehandle UC Los apuntadores se archivo se escriben en mayúsculas
    Subrutina & Una subrutina
    Etiqueta xx: Objeto de goto

  • Valores entre paréntesis () son listas. Las listas se usan frecuentemente como argumentos para una subrutina o llamada a función. No es necesario usar paréntesis si solo se usa un argumento o el programa conoce el limite de la lista.

  • Las variables $x, @x. %x, y &x, no necesitan estar relacionadas entres si, sin mencionar $X, @X, %X y &X.

  • Existen variables especiales, las más importantes son:
    $_
    Es el valor escalar de default. Si no se especifica un nombre de variable en una función donde se usa una variable escalar, se usa $_. Esto se usa bastante en perl
    @_
    Es la lista de argumentos a una subrutina
    @ARGV
    Es la lista de argumentos especificada en la línea de comando cuando el programa se ejecuta

Instrucciones básicas y control

Los corchetes {} se usan para contener un bloque de enunciados. Es posible tener variables locales dentro de un bloque. Bloques se usan como los objetos de la mayoría de los comandos de control

Asignación simple:

  • Asignación escalar

  • Listas de escalares

  • Lista a vector

  • Vector a lista

  • Vectores asociativos necesitan un llave, pero aparte de eso, funcionan como se espera de un vector

  • Al asignar un vector a un escalar se obtiene el numero de elementos del vector

Operaciones aritméticas

if-then-else

  • if( condición ) {  rama verdadera  }  else  {  rama falsa  }

    		 

  • if (condición) {instrucciones}  elsif (condición) {instrucciones}

    elsif (condición) {instrucciones}

    		 

  • unless (condición)  {  rama verdadera  }

  • La condición tiene una gama amplia de operadores comparativos. Es importante observar la diferencia entre operadores numéricos y de cadenas de caracteres.

    Numérico Cadenas Significado
    = = eq igual
    != ne no igual
    > gt mayor que
    < lt menor que

  • Cadenas de caracteres. que no están compuestas por números tienen un valor de cero.

  • perl cuenta con un conjunto extenso de pruebas de archivo:

    • -T cierto si archivo es de texto

    • -B cierto si archivo es binario

    • -M regresa el número de días desde la última modificación

    • -A regresa el número de días desde el último acceso al archivo

    • -C regresa el número de días desde la creación del archivo

Lazos de control
Los lazos más comunes son for y while

  • for ($i = 0; $i < 10; $i++) { instrucciones }

  • foreach $i (@items) { instrucciones }

  • foreach $i ($first .. $last) { instrucciones }

  • while (condición) { instrucciones }

  • until (condición) { instrucciones }

  • Las instrucciones next, last, redo, y continue se usan para escapar de un lazo.

Entrada/Salida
Abrir
Como en Unix, los tres primeros manejadores de archivos se abren automáticamente y son STDIN, STDOUT, y STDERR. Otros archivos se deben abrir explícitamente. La forma de la instrucción open es la siguiente:
open (FILEHANDLE,XFY);
donde X y Y son caracteres opcionales

X = <
Para abrir archivo F solo lectura
X = >
Para abrir archivo F solo escritura
X = > >
Para agregar datos al final de archivo F
X = |
Para escribir a un tubo (pipe) hacia programa F
Y = |
Para leer a un tubo (pipe) desde programa F

Si solo se da el nombre F, el archivo se abre de lectura/escritura

Lectura
La forma más básica de lectura es poner el manejador de archivos dentro de <>. Si no se provee una variable escalar para el registro, este se guarda en $_.
Escritura
La mayor parte de la escritura se hace usando la instrucción print o printf. Estas instrucciones se utilizan aún si el resultado no se va a imprimir realmente.
Cerrar
perl cierra automáticamente cualquier archivo al salir. Cuando se necesita cerrar un archivo se puede hacer con un cierre explicito.
Mensajes de error:

  • die se usa para imprimir un mensaje de error y terminar la ejecución

  • warn se usa para imprimir un mensaje de error pero continuar

Manejo de cadenas de caracteres:

  • split se usa para extraer fichas (tokens) o campos de una cadena a un vector.

  • sort ordena una lista o vector.

  • study optimiza operaciones de cadenas.

Codificación binaria:

  • pack empaca datos en una cadena usando un machote de formato

  • unpack recupera datos de una cadena usando un machote de formato

  • Existe una larga lista de formatos que se pueden usar

  • Se puede usar más de un formato a la vez

    • l long 32 bit signed integer

    • L long 32 bit unsigned integer

    • s short 16 bit signed integer

    • S short 16 bit unsigned integer

    • f float 32 bit floating point

    • d double 64 bit floating point

    • A ASCII string

    • c char a single byte (character)

Expresiones regulares:

perl añade un conjunto de caracteres al conjunto normal. Uno uso importante de expresiones regulares (RE) es el uso de () para seleccionar subconjuntos de la expresión regular. perl facilita el uso del operador (). Existen dos maneras de usar expresiones regulares en perl: Match y Substitute

Una expresión regular esta contenida en slashes, y el operador =~ evalúa.

Las expresiones regulares son sensitivas a mayúsculas y minúsculas

El operador !~ se usa para detectar diferencias.

Algunos caracteres especiales:

.
Cualquier Carácter menos newline
^
El principio de lí­nea o de cadena
$
El fin de línea o cadena
?
Cero o más del último Carácter
+
Uno o más del último Carácter
[]
Cualquiera de los caracteres dentro de los corchetes []
|
o inclusivo
()
Agrupar
Los caracteres especiales $, |, [, ), , / deben ir precedidos por backslash para usarse en expresiones regulares
$` $& $’
$` , $& y $’ se pueden usar para ver cuales fueron los caracteres que se encontraron antes, durante, y después de un empate

Referencias

Active State

Active Perl

Live tutorials

Distribuciones binarias

Open Perl IDE

Documentación.

Introduction to Perl

Stuxnet

Israel y Estados Unidos desarrollaron técnicas para atacar sistemas de control industrial con el propósito de fastidiar a Irán,pero el secreto es saber que se puede y ahora el genio se salio de la lampara

SAN JOSE, Calif. (AP) — When a computer attack hobbled Iran‘s unfinished nuclear power plant last year, it was assumed to be a military-grade strike, the handiwork of elite hacking professionals with nation-state backing.
Yet for all its science fiction sophistication, key elements have now been replicated in laboratory settings by security experts with little time, money or specialized skill. It is an alarming development that shows how technical advances are eroding the barrier that has long prevented computer assaults from leaping from the digital to the physical world.
The techniques demonstrated in recent months highlight the danger to operators of power plants, water systems and othercritical infrastructure around the world.
“Things that sounded extremely unlikely a few years ago are now coming along,” said Scott Borg, director of the U.S. Cyber Consequences Unit, a nonprofit group that helps the U.S. government prepare for future attacks.
While the experiments have been performed in laboratory settings, and the findings presented at security conferences or in technical papers, the danger of another real-world attack such as the one on Iran is profound.
The team behind the so-called Stuxnet worm that was used to attack the Iranian nuclear facility may still be active. New malicious software with some of Stuxnet’s original code and behavior has surfaced, suggesting ongoing reconnaissance against industrial control systems.
And attacks on critical infrastructure are increasing. The Idaho National Laboratory, home to secretive defense labs intended to protect the nation’s power grids, water systems and other critical infrastructure, has responded to triple the number of computer attacks from clients this year over last, the U.S. Department of Homeland Security has revealed.
For years, ill-intentioned hackers have dreamed of plaguing the world’s infrastructure with a brand of sabotage reserved for Hollywood. They’ve mused about wreaking havoc in industrial settings by burning out power plants, bursting oil and gas pipelines, or stalling manufacturing plants.
But a key roadblock has prevented them from causing widespread destruction: they’ve lacked a way to take remote control of the electronic “controller” boxes that serve as the nerve centers for heavy machinery.
The attack on Iran changed all that. Now, security experts — and presumably, malicious hackers — are racing to find weaknesses. They’ve found a slew of vulnerabilities.
Think of the new findings as the hacking equivalent of Moore’s Law, the famous rule about computing power that it roughly doubles every couple of years. Just as better computer chips have accelerated the spread of PCs and consumer electronics over the past 40 years, new hacking techniques are making all kinds of critical infrastructure — even prisons — more vulnerable to attacks.
One thing all of the findings have in common is that mitigating the threat requires organizations to bridge a cultural divide that exists in many facilities. Among other things, separate teams responsible for computer and physical security need to start talking to each other and coordinate efforts.
Many of the threats at these facilities involve electronic equipment known as controllers. These devices take computer commands and send instructions to physical machinery, such as regulating how fast a conveyor belt moves.
They function as bridges between the computer and physical worlds. Computer hackers can exploit them to take over physical infrastructure. Stuxnet, for example, was designed to damage centrifuges in the nuclear plant being built in Iran by affecting how fast the controllers instructed the centrifuges to spin. Iran has blamed the U.S. and Israel for trying to sabotage what it says is a peaceful program.
Security researcher Dillon Beresford said it took him just two months and $20,000 in equipment to find more than a dozen vulnerabilities in the same type of electronic controllers used in Iran. The vulnerabilities, which included weak password protections, allowed him to take remote control of the devices and reprogram them.
“What all this is saying is you don’t have to be a nation-state to do this stuff. That’s very scary,” said Joe Weiss, an industrial control system expert. “There’s a perception barrier, and I think Dillon crashed that barrier.”
One of the biggest makers of industrial controllers is Siemens AG, which made the controllers in question. The company said it has alerted customers, fixed some of the problems and is working closely with CERT, the cybersecurity arm of the U.S. Department of Homeland Security.
Siemens said the issue largely affects older models of controllers. Even with those, the company said, a hacker would have to bypass passwords and other security measures that operators should have in place. Siemens said it knows of no actual break-ins using the techniques identified by Beresford, who works in Austin, Texas, for NSS Labs Inc.,
Yet because the devices are designed to last for decades, replacing or updating them isn’t always easy. And the more research that comes out, the more likely attacks become.
One of the foremost Stuxnet experts, Ralph Langner, a security consultant in Hamburg, Germany, has come up with what he calls a “time bomb” of just four lines of programming code. He called it the most basic copycat attack that a Stuxnet-inspired prankster, criminal or terrorist could come up with.
“As low-level as these results may be, they will spread through the hacker community and will attract others who continue digging,” Langer said in an email.
The threat isn’t limited to power plants. Even prisons and jails are vulnerable.
Another research team, based in Virginia, was allowed to inspect a correctional facility — it won’t say which one — and found vulnerabilities that would allow it to open and close the facility’s doors, suppress alarms and tamper with video surveillance feeds.
During a tour of the facility, the researchers noticed controllers like the ones in Iran. They used knowledge of the facility’s network and that controller to demonstrate weaknesses.
They said it was crucial to isolate critical control systems from the Internet to prevent such attacks.
“People need to deem what’s critical infrastructure in their facilities and who might come in contact with those,” Teague Newman, one of the three behind the research.
Another example involves a Southern California power company that wanted to test the controllers used throughout its substations. It hired Mocana Corp., a San Francisco-based security firm, to do the evaluation.
Kurt Stammberger, a vice president at Mocana, told The Associated Press that his firm found multiple vulnerabilities that would allow a hacker to control any piece of equipment connected to the controllers.
“We’ve never looked at a device like this before, and we were able to find this in the first day,” Stammberger said. “These were big, major problems, and problems frankly that have been known about for at least a year and a half, but the utility had no clue.”
He wouldn’t name the utility or the device maker. But he said it wasn’t a Siemens device, which points to an industrywide problem, not one limited to a single manufacturer.
Mocana is working with the device maker on a fix, Stammberger said. His firm presented its findings at the ICS Cyber Security Conference in September.
Even if a manufacturer fixes the problem in new devices, there’s no easy way to fix it in older units, short of installing new equipment. Industrial facilities are loath to do that because of the costs of even temporarily shutting its operations.
“The situation is not at all as bad as it was five to six years ago, but there’s much that remains to be done,” said Ulf Lindqvist, an expert on industrial control systems with SRI International. “We need to be as innovative and organized on the good-guy side as the bad guys can be.”
___
Jordan Robertson can be reached at jrobertson(at)ap.org

Articles on Writing

Whenever you feel stuck with your article writing and are facing the typical writer’s block, you should go with the ‘brain dumping’ method where you write as fast as possible without thinking twice. Just write down everything that comes into your mind, and this will help the break writer’s block that you may be experiencing. As you write down this content, the spelling, grammar and punctuation will not even be considered during this process. You will be utterly astounded by all of the content that you come up with what you have put all of your article content into written format. Later on, you can use re-structure and proof read this article to make it presentable.

Continue reading “Articles on Writing”

Speech synthesis

Speech synthesis is the artificial production of human speech. A computer system used for this purpose is called a speech synthesizer, and can be implemented in software or hardware products. A text-to-speech (TTS) system converts normal language text into speech; other systems render symbolic linguistic representations like phonetic transcriptions into speech.[1]

Synthesized speech can be created by concatenating pieces of recorded speech that are stored in a database. Systems differ in the size of the stored speech units; a system that stores phones or diphones provides the largest output range, but may lack clarity. For specific usage domains, the storage of entire words or sentences allows for high-quality output. Alternatively, a synthesizer can incorporate a model of the vocal tract and other human voice characteristics to create a completely “synthetic” voice output.[2]

The quality of a speech synthesizer is judged by its similarity to the human voice and by its ability to be understood. An intelligible text-to-speech program allows people with visual impairments or reading disabilities to listen to written works on a home computer. Many computer operating systems have included speech synthesizers since the early 1990s.

Overview of a typical TTS system

A text-to-speech system (or “engine”) is composed of two parts:[3] a front-end and a back-end. The front-end has two major tasks. First, it converts raw text containing symbols like numbers and abbreviations into the equivalent of written-out words. This process is often called text normalization, pre-processing, or tokenization. The front-end then assigns phonetic transcriptions to each word, and divides and marks the text into prosodic units, like phrases, clauses, and sentences. The process of assigning phonetic transcriptions to words is called text-to-phoneme or grapheme-to-phoneme conversion. Phonetic transcriptions and prosody information together make up the symbolic linguistic representation that is output by the front-end. The back-end—often referred to as the synthesizer—then converts the symbolic linguistic representation into sound. In certain systems, this part includes the computation of the target prosody (pitch contour, phoneme durations),[4] which is then imposed on the output speech.

Here is a non-exhaustive comparison of speech synthesis programs

Festival offers a general framework for building speech synthesis systems as well as including examples of various modules. As a whole it offers full text to speech through a number APIs: from shell level, though a Scheme command interpreter, as a C++ library, from Java, and an Emacs interface. Festival is multi-lingual (currently English (British and American), and Spanish) though English is the most advanced. Other groups release new languages for the system. And full tools and documentation for build new voices are available through Carnegie Mellon’s FestVox project (http://festvox.org)

The system is written in C++ and uses the Edinburgh Speech Tools Library for low level architecture and has a Scheme (SIOD) based command interpreter for control. Documentation is given in the FSF texinfo format which can generate, a printed manual, info files and HTML.

Festival is free software. Festival and the speech tools are distributed under an X11-type licence allowing unrestricted commercial and non-commercial use alike.

Text to Speech engine for English and many other languages. Compact size with clear but artificial pronunciation. Available as a command-line program with many options, a shared library for Linux, and a Windows SAPI5 version.

eSpeak is a compact open source software speech synthesizer for English and other languages, for Linux and Windows.   http://espeak.sourceforge.net

eSpeak uses a “formant synthesis” method. This allows many languages to be provided in a small size. The speech is clear, and can be used at high speeds, but is not as natural or smooth as larger synthesizers which are based on human speech recordings.

eSpeak is available as:

  • A command line program (Linux and Windows) to speak text from a file or from stdin.
  • A shared library version for use by other programs. (On Windows this is a DLL).
  • A SAPI5 version for Windows, so it can be used with screen-readers and other programs that support the Windows SAPI5 interface.
  • eSpeak has been ported to other platforms, including Android, Mac OSX and Solaris.

Features.

  • Includes different Voices, whose characteristics can be altered.
  • Can produce speech output as a WAV file.
  • SSML (Speech Synthesis Markup Language) is supported (not complete), and also HTML.
  • Compact size. The program and its data, including many languages, totals about 2 Mbytes.
  • Can be used as a front-end to MBROLA diphone voices, see mbrola.html. eSpeak converts text to phonemes with pitch and length information.
  • Can translate text into phoneme codes, so it could be adapted as a front end for another speech synthesis engine.
  • Potential for other languages. Several are included in varying stages of progress. Help from native speakers for these or other languages is welcome.
  • Development tools are available for producing and tuning phoneme data.
  • Written in C.

ISO/IEC 27001

ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards, is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2005 – Information technology – Security techniques – Information security management systems – Requirements.

ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard (more below).

Most organizations have a number of information security controls. However, without an information security management system (ISMS), controls tend to be somewhat disorganized and disjointed, having been implemented often as point solutions to specific situations or simply as a matter of convention. Security controls in operation typically address certain aspects of IT or data security specifically; leaving non-IT information assets (such as paperwork and proprietary knowledge) less protected on the whole. Moreover business continuity planning and physical security may be managed quite independently of IT or information security while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organization.

ISO/IEC 27001 requires that management:

  • Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities, and impacts;
  • Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
  • Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.

The key benefits of 27001 are:

  • It can act as the extension of the current quality system to include security
  • It provides an opportunity to identify and manage risks to key information and systems assets
  • Provides confidence and assurance to trading partners and clients; acts as a marketing tool
  • Allows an independent review and assurance to you on information security practices

A company may want to adopt ISO 27001 for the following reasons:

  • It is suitable for protecting critical and sensitive information
  • It provides a holistic, risked-based approach to secure information and compliance
  • Demonstrates credibility, trust, satisfaction and confidence with stakeholders, partners, citizens and customers
  • Demonstrates security status according to internationally accepted criteria
  • Creates a market differentiation due to prestige, image and external goodwill
  • If a company is certified once, it is accepted globally.

While other sets of information security controls may potentially be used within an ISO/IEC 27001 ISMS as well as, or even instead of, ISO/IEC 27002 (the Code of Practice for Information Security Management), these two standards are normally used together in practice. Annex A to ISO/IEC 27001 succinctly lists the information security controls from ISO/IEC 27002, while ISO/IEC 27002 provides additional information and implementation advice on the controls. The domains covered by ISO 27002 include

Organizations that implement a suite of information security controls in accordance with ISO/IEC 27002 are simultaneously likely to meet many of the requirements of ISO/IEC 27001, but may lack some of the overarching management system elements. The converse is also true, in other words, an ISO/IEC 27001 compliance certificate provides assurance that the management system for information security is in place, but says little about the absolute state of information security within the organization. Technical security controls such as antivirus and firewalls are not normally audited in ISO/IEC 27001 certification audits: the organization is essentially presumed to have adopted all necessary information security controls since the overall ISMS is in place and is deemed adequate by satisfying the requirements of ISO/IEC 27001. Furthermore, management determines the scope of the ISMS for certification purposes and may limit it to, say, a single business unit or location. The ISO/IEC 27001 certificate does not necessarily mean the remainder of the organization, outside the scoped area, has an adequate approach to information security management.

Other standards in the ISO/IEC 27000 family of standards provide additional guidance on certain aspects of designing, implementing and operating an ISMS, for example on information security risk management (ISO/IEC 27005).

The ISO 27001 adopts the process model “Plan-Do-Check-Act” (PDCA) which is applied to the structure of all the processes in ISMS.

BS 7799 was a standard originally published by BSI Group[1] in 1995. It was written by the United Kingdom Government’s Department of Trade and Industry (DTI), and consisted of several parts.

The first part, containing the best practices for information security management, was revised in 1998; after a lengthy discussion in the worldwide standards bodies, it was eventually adopted by ISO as ISO/IEC 17799, “Information Technology – Code of practice for information security management.” in 2000. ISO/IEC 17799 was then revised in June 2005 and finally incorporated in the ISO 27000 series of standards as ISO/IEC 27002 in July 2007.

The second part of BS7799 was first published by BSI in 1999, known as BS 7799 Part 2, titled “Information Security Management Systems – Specification with guidance for use.” BS 7799-2 focused on how to implement an Information security management system (ISMS), referring to the information security management structure and controls identified in BS 7799-2. This later became ISO/IEC 27001. The 2002 version of BS 7799-2 introduced the Plan-Do-Check-Act (PDCA) cycle (Deming cycle), aligning it with quality standards such as ISO 9000. BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005.

BS 7799 Part 3 was published in 2005, covering risk analysis and management. It aligns with ISO/IEC 27001.

Plan (establishing the ISMS)
Establish the policy, the ISMS objectives, processes and procedures related to risk management and the improvement of information security to provide results in line with the global policies and objectives of the organization.
Do (implementing and workings of the ISMS)
Implement and exploit the ISMS policy, controls, processes and procedures.
Check (monitoring and review of the ISMS)
Assess and, if applicable, measure the performances of the processes against the policy, objectives and practical experience and report results to management for review.
Act (update and improvement of the ISMS)
Undertake corrective and preventive actions, on the basis of the results of the ISMS internal audit and management review, or other relevant information to continually improve the said system.
An ISMS may be certified compliant with ISO/IEC 27001 by a number of Accredited Registrars worldwide. Certification against any of the recognized national variants of ISO/IEC 27001 (e.g. JIS Q 27001, the Japanese version) by an accredited certification body is functionally equivalent to certification against ISO/IEC 27001 itself.In some countries, the bodies that verify conformity of management systems to specified standards are called “certification bodies”, while in others they are commonly referred to as “registration bodies”, “assessment and registration bodies”, “certification/ registration bodies”, and sometimes “registrars”.The ISO/IEC 27001 certification,[2] like other ISO management system certifications, usually involves a three-stage external audit process:

  • Stage 1 is a preliminary, informal review of the ISMS, for example checking the existence and completeness of key documentation such as the organization’s information security policy, Statement of Applicability (SoA) and Risk Treatment Plan (RTP). This stage serves to familiarize the auditors with the organization and vice versa.
  • Stage 2 is a more detailed and formal compliance audit, independently testing the ISMS against the requirements specified in ISO/IEC 27001. The auditors will seek evidence to confirm that the management system has been properly designed and implemented, and is in fact in operation (for example by confirming that a security committee or similar management body meets regularly to oversee the ISMS). Certification audits are usually conducted by ISO/IEC 27001 Lead Auditors. Passing this stage results in the ISMS being certified compliant with ISO/IEC 27001.
  • Stage 3 involves follow-up reviews or audits to confirm that the organization remains in compliance with the standard. Certification maintenance requires periodic re-assessment audits to confirm that the ISMS continues to operate as specified and intended. These should happen at least annually but (by agreement with management) are often conducted more frequently, particularly while the ISMS is still maturing.

Asset Management

The asset management domain deals with analyzing and attaining the necessary level of protection of organizational assets. The typical objectives of the asset management domain is to identify and create an inventory of all assets, establish an ownership on all assets identified, establish a set of rules for the acceptable use of assets, establish a framework for classification of assets, establish an asset labeling and handling guideline. Asset management, broadly defined, refers to any system that monitors and maintains things of value to an entity or group. It may apply to both tangible assets such as buildings and to intangible concepts such as intellectual property and goodwill.

An asset is anything that has value to the organization. Assets can include infrastructure (e.g. buildings, store houses, towers etc.), physical assets ( computer equipment, communications, utility equipment, heavy machinery), software assets ( applications, software code, development tools, operational software etc.), information (database information, legal documentation, manuals, policies & procedures, organizational documents etc.), services ( transport, air conditioning, communications, utilities etc.), people (management, skills, experience etc.) and imperceptible (reputation, image etc.).

Asset management is a systematic process of operating, maintaining, upgrading, and disposing of assets cost-effectively. Organizations need to identify all assets and create and maintain security controls around them. For each asset a designated owner needs to be made responsible for implementation of appropriate security controls. When creating an asset management policy the organization needs to define the scope of the policy (which parts of the organization are covered under the policy), responsibility (who is ultimately responsible for the policy), compliance (is compliance mandatory or not, what are the guidelines to follow), wavier criteria (on what basis can someone ask for a waiver) and effective date (from when to when is the policy applicable).

  • Typical policy statements for Asset Management include:
  * All assets shall be clearly identified, documented and regularly updated in an asset register
  * All assets of shall have designated owners and custodians listed in the asset register
  * All assets will have the respective CIA (Confidentiality, Integrity and Availability) rating established in the asset register
  * All employees shall use company assets according to the acceptable use of assets procedures
  * All assets shall be classified according the asset classification guideline of the company

Asset management comprises of all the activities associated with ongoing management and tracking of assets some of which are as follows: asset discovery (physical & logical), create & maintain conclusive software library, create & maintain conclusive hardware stock, configuration management, physical asset tracking, software license management, request & approval process, procurement management, contract management, assessment on ISO 27001 and PCI controls, supplier/ vendor management, re-deployment & movement, retire & disposal Management, compliance to laws if applicable etc.

Asset Register

The asset register documents the assets of the company or scope in question. Typically all business functions are required to maintain an asset register of their business units. The asset register is required to contain, at a minimum, the following information about the assets: the asset identifier, the asset name, the type and location of assets; the name of the function and process that uses this asset, the asset owner, custodian and user and the CIA (Confidentiality, Integrity, Availability) ratings of the asset. Organizations can choose to additional information into the asset register as necessary for example for IT assets can have IP address as part of them etc.

For all asset registers, a primary person responsible for the asset register needs to be identified. Typically the business unit head or director is the owner of the asset register and recognized functional heads identified are asset custodians. The asset owner is accountable for the comprehensive protection of assets owned by him/her. The asset owner may delegate the responsibility of applying the relevant controls for the maintenance of the assets to an individual/ function referred to as the ‘asset custodian’. It is the responsibility of the asset custodian to implement appropriate security controls that are required for the protection of information assets. It is the responsibility of all employees and third party staff to maintain the confidentiality, integrity and availability of the assets that they use.

Asset Classification

Assets need to be classified in order to provide an appropriate level of protection for a certain category of assets. Information assets need to be classified in terms of its value, requirements and criticality to the business operations of the company. Typical company classification guidelines follow restrictive principles. Some of the common classifications criteria which are used by companies are given below:

RESTRICTED: The restricted level of asset information pertains to highly sensitive information to the company; which when disclosed would cause substantial damage to the reputation and competitive position of the company in the market. Its unauthorized disclosure could adversely impact its business, its shareholders, its business partners and/ or its customers, leading to legal and financial repercussions and adverse public opinion. Examples of restricted information are details of major acquisitions, divestments and mergers, business and competition strategy, sensitive customer, competitor, partner or contractor assessments, intellectual property information, law enforcement and government related information.

CONFIDENTIAL: This category refers to asset information that relates to individuals or is otherwise restricted only to authorized users, but if disclosed outside the company would not harm the organization, its customers, or its partners. This classification applies to any sensitive business information which is intended for use within the company. Examples of confidential information include customer information, negotiating positions, marketing strategy, personnel information, internal company memos and presentations.

INTERNAL This classification refers to asset information that is potentially available to all personnel within the company, but is not public. This can also include information that is restricted to a group or project within the company, but is not designated as “Private” or “Restricted.” Examples of internal information include product design information, system documentation, company employee details, company organizational charts, minutes of department meetings.

PUBLIC This classification refers to asset information that has been published or obtainable from a published source, e.g. the Internet. Example of public information include published marketing material, company public statements or announcements, published company performance information, published job vacancies.

Asset Labeling

All important and critical assets to the company shall be labeled physically / electronically as per the information labeling and handling procedures of the company. The asset owners are required to ensure that their assets are appropriately labeled (marked) for ease of identification. This may exclude information classified as ‘public’. For each classification level, the handling procedures should include the assets introduction; secure processing, storage; transmission and destruction. Classification level must be indicted wherever possible for all forms of physical / electronic information that are sensitive in nature. For example: subject of email stamped with “Confidential” etc.

Por empezar fuerte el curso hoy quiero compartir un enlace de gran interes para los dedicados al mundillo de la gestión de la seguridad entorno a la norma ISO 27001.

Dentro de mis protocolos de seguimiento de las normas 27001, 27002 y las publicaciones o comentarios entorno a ella utilizando las alertas de Google, hoy quiero compartir un par de enlaces que proporciona en un documento PDF una traducción no ofical al castellano de las normas ISO 27001 e ISO 27002.

Aunque los enlaces no aparecen refereciados en ninguna página principal de esta Web, Google la enlaza al buscar sobre controles de la ISO 27002.

Dado que puede ser de interés para el público hispanohablante disponer de una versión en nuestro idioma, comparto la url que Google proporciona por si es del interés de todos.
Ambos documentos aclaran que su uso es autorizado sólo para fines didácticos, objetivo que comparte también este blog.
Las urls donde se encuentran son:

Email clients

04-Apr-2012

POP3 vs IMAP – A Beginners Guide

Should you use POP3 or IMAP? It’s question we’re often asked here at Domainmonster.com, so lets discuss the two protocols and the advantages of each.

The first thing you need to do before making a decision is to understand what POP3 and IMAP are and of course the difference between the two.

What are they?

Both POP3 and IMAP are protocols that email services use to receive email, be it to an email client such as Outlook or a mobile device.

POP3 – Post Office Protocol 3 is a protocol that has been around for decades. It’s the standard way that a mail service will receive email from a mail server.

IMAP – Internet Message Access Protocol is a protocol that is much newer then POP3 and is used by mail products to view your mail as opposed to actually downloading it.

What is the difference to me?

If you decide to configure your email client or mobile device to connect to your mailbox using POP3 then what happens is that the client or device contacts the mailbox and allows them to download the contents of the Inbox to their own local storage. The mail then will only exist on that local storage and would not be available to download via another client or device. It is however worth noting at this point that a number of clients and devices do allow you to enable a setting to ‘keep a copy of the email on the server’ this would then allow them to be download via a second client if required.

When using IMAP with a client or device they will simply connect to the mailbox and display the full mailbox to you without actually downloading the content to local storage. This has the benefit of allowing you to manage your mailbox from multiple clients and devices and seeing the same content.

If you think about your mailbox as a post-box full of letters, and your mail clients and devices as postmen it can become a little easier to understand the basic fundamental differences between the two protocols.

When using POP3 a postman would visit the post-box and empty the contents and take it away with him. If a second postman then arrived he would only have access to the letters that had been placed into the post-box since the first visit.

When using IMAP a postman would visit the post-box and take a copy of the letters and take those copies away with him, then when a second postman arrived he would do the same and still be able to see all of the letters placed into the post-box.

Which one should I use?

Which protocol you decide to use depends mainly on how you will be accessing and managing your email. If you are likely to be viewing your mail from multiple locations, clients or devices then It is usually best to use IMAP. IMAP will allow you to manage your mailbox from all of these different locations and clients while the actual mailbox content remains on the provider’s mail server. If you were to do the same using POP3 with the ‘Keep a copy on the server’ setting enabled then you are in essence simply creating multiple copies of your mailbox and any management of the mail into sub folders would need to be repeated on each individual client.

If you are simply going to be using one email client and do not want to worry about reaching the mailbox size limit, due to the amount of email, then POP3 would be the way to go. This provides a simple service to allow you to download all of your mail to one location managed by you. The mailbox on the provider’s server would always be empty or close to it as a result and so you would never need to worry about reaching the limit.

ConclusionIf in doubt use IMAP, this gives you the ability to manage your mail from a client or device while still giving the peace of mind that there is a backup, on the mail provider’s server, of your mail. However if you are only accessing your mail from one place and need to keep all your mail locally, POP3 may be a better option.

the Stuxnet computer worm

When first discovered in 2010, the Stuxnet computer worm posed a baffling puzzle. Beyond its sophistication loomed a more troubling mystery: its purpose. Ralph Langner and team helped crack the code that revealed this digital warhead’s final target. In a fascinating look inside cyber-forensics, he explains how — and makes a bold (and, it turns out, correct) guess at its shocking origins.

Ralph Langner’s Stuxnet Deep Dive is the definitive technical presentation on the PLC attack portion of Stuxnet. He did a good job of showing very technical details in a readable and logical presentation that you can follow in the video if you know something about programming and PLC’s.

The main purpose of Ralph’s talk was to convince the audience with “100% certainty” that Stuxnet was designed specifically to attack the Natanz facility. He does this at least four different ways, and I have to agree there is no doubt.

Ralph Langner is a German control system security consultant. He has received worldwide recognition for his analysis of the Stuxnet malware.

  • Stuxnet worm hits Iranian centrifuges – from mid-2009 to late 2010
  • Iran complains facilities hit by Stars malware – April 2011
  • Duqu trojan hits Iran’s computer systems – November 2011
  • Flame virus targets computers in PCs across the Middle East, including Iran and Israel – June 2012
  • Iran says Stuxnet worm returns – December 2012

Continue reading “the Stuxnet computer worm”

el ciclo maya de 52 HAAB

(sep.2012) Producción inspirada en la sabiduría maya, ese pueblo tan increíblemente adelantado que aún hoy resulta sorprendente su cúmulo de conocimientos y la perfección que alcanzaron. Muestra de ello es su concepto del tiempo, su sistema especial para contar, de base vigesimal y su relación directa con la manera de medir el tiempo, para lo que usaban dos calendarios básicos (el sagrado y el civil) y tres cuentas diferentes, lo cual no daba posibilidad de error. Estas tres cuentas coincidían cada 52 Haab (años civiles de 365 días fijos), por lo que era un momento de especial y profunda importancia. La vida entera giraba en base a la magia de estas cuentas, dándole a cada día un significado único, por lo que se podían hacer predicciones precisas. Mucho se ha hablado del 21.12.2012. El significado es profundo, pero simple: Termina una importante “cuenta larga”, y con ello se “aniquila todo lo malo del [gran] ciclo anterior” para dar inicio a otra nueva cuenta, con una poderosa fuerza de renacimiento. Todos los calendarios vuelven a comenzar de cero (otro de los geniales “inventos” mayas….!). Producción original: Carlos Rangel

el ciclo maya de 52 HAAB

Hace más de 3000 años, la civilización maya floreció desde el sureste de México hasta Honduras inclusive.

Los mayas fueron una sociedad de grandes hombres: astrónomos, matemáticos, poetas, filósofos, artesanos, constructores, y pensadores. Hablaban 44 lenguas mayas. Su literatura ilustra la vida de su cultura en obras como el Rabinal Achí, el Popol Vuh, y los diversos libros del Chilam Balam.

La poesía, la literatura, y el conocimiento matemático de los mayas, estaban ligados a su cosmovisión. Entre los mayas, la religión siempre influyó en los ritos agrícolas, en el arte y en su cultura.

La casta sacerdotal maya, llamada Ah Kin, era poseedora de conocimientos matemáticos y astronómicos que interpretaba de acuerdo con su cosmovisión religiosa, los años que iniciaban, los venideros y el destino del hombre. La gente común los consultaba para saber si un determinado día era favorable o no para algún asunto familiar o económico. Sin embargo los pronósticos era un asunto de los dioses. En el Libro del
Chilam Balam contempla una lista de días Tzolk´in con sus pronósticos.

La religión maya tenía tres características fundamentales:
Politeísta:
Adoraban a varios dioses a la vez.
Naturalista:
Los dioses eran los elementos, los fenómenos atmosféricos y los cuerpos celestes.
Dualista:
Partía del principio de que el bien y el mal son igualmente divinos, en constante lucha unos con otros, siempre inseparables, como el día y la noche.

Los mayas concebían al cosmos compuesto por 13 cielos, uno sobre otro, siendo la tierra la capa más baja. Sobre cada cielo presidían trece dioses, llamados los Oxlahuntikú.

Bajo la tierra (inframundo) había otros nueve cielos, también en capas, sobre los que presidían los Bolontikú. El último de estos cielos era el Mitnal, el infierno maya,
reino de Ah Puch, Señor de la Muerte.

Creían que, antes que el suyo, habían existido otros mundos destruidos todos por el diluvio. El mundo actual era sostenido por cuatro hermanos guardianes llamados Bacabés,localizados en los cuatro puntos cardinales.

En el centro del mundo maya se encontraba el Yaxché, o Ceiba Sagrada, cuyas ramas se elevaban a los cielos y cuyas raíces penetraban en el inframundo.

Lo que hoy conocemos como el CALENDARIO MAYA, propio de esta civilización, hay investigadores que sostienen que surge de la cultura Olmeca. Las similitudes con el calendario Mexica ofrece evidencias de que en toda Mesoamérica se utilizó el mismo sistema calendárico.

Los mayas tomaban los acontecimientos presentes como señales de los dioses, lo que les permitía vislumbrar el futuro. Por eso era tan importante conocer el movimiento del sol, las estrellas, la luna y los astros como la Tierra y Venus. En función de sus movimientos es que tuvieron la genialidad de hacer el calendario maya.

Inclusive la manera de contar de los mayas está relacionada con el tiempo, pues utilizan un sistema vigesimal en lugar de uno decimal, lo que, sorprendentemente, ofrece mayor precisión.

De acuerdo con el sistema vigesimal, el número 25 arábigo, se representa de la siguiente manera en las posiciones mayas: 0.0.0.1.5

Al igual que el sistema decimal, las unidades van a la derecha, y cada posición a la izquierda equivale al múltiplo de 10. (25) En el sistema maya es igual, pero cada posición equivale a múltiplo de 20. (0.0.0.1.5) 25 = 0.0.0.1.5

CALENDARIO MAYA

Tres cuentas del tiempo, diferentes y complementarias:

1. Tzolk’in o Bucxok:
calendario sagrado de 260 días

2. Haab:
calendario civil de 365 días

3. 20 Ahau:
CUENTA LARGA, combinación de Tzolk’in y Haab de 1’872,000 días

1 Tzolk´in (calendario sagrado)
= 260 kines (días)
= 20 uinales (meses) de 13 guarismos (numerales)

1 Haab (calendario civil)
= 365 kines
= [18 uinales de 20 kines = 1 tun de 360 kines] + 5 Uayeb (días nefastos fuera del registro cronológico, pero fechados como días)

RUEDA CALENDARICA

= siglo maya
= 52 Haab
= 73 Tzolk’in
= 1,460 uinales
= 18,980 kines

En el calendario maya puede advertirse la concepción circular del mundo, pues su
estructura se repite cada 52 años, lo que constituye un ciclo (o siglo). La concepción cíclica del tiempo conlleva la idea de que el futuro ya ha pasado, y el pasado está por venir, así como la existencia de una serie infinita de mundos.

En la Rueda Calendárica de cada persona, cada 18,980 kins (días) coinciden las 3 ruedas: Tzolk’in, Uinal, Haab. La sincronía se manifestaba en un día especial que sin lugar a dudas es un día favorable, y es tan bueno, que aniquila todas las cosas “malas” que hayan ocurrido en el ciclo previo, cubriéndolas con la luz de ese preciso día, para estar en condiciones de renacer a un nuevo ciclo, y es cuando se muestra la deidad particular que corresponde a cada individuo, con un mensaje personal de renovación, justo al momento de sincronizarse las tres ruedas, al llegar a los
73 Tzolk’in (años sagrados) y
52 Haab (años civiles), equivalentes a nuestros
52 años gregorianos.

Cuando una persona cumplía 52 años llegaba a la plenitud de la vida, pues rebasaba la expectativa de vida de la época del México antiguo. Cada 52 años terminaba un ciclo de vida, un siglo maya.

En una ceremonia llamada FUEGO NUEVO realizada en un Temazcal se extinguían sus desalientos y renacía junto con la nueva llama de esperanza.

Gira rueda de ruedas
empápame de la luz
creadora de la vida;
de la luz que devora la sombras
y que encarna el renacimiento
de un nuevo florecer en el tiempo. 

© Guadalupe Meré Alcocer
Septiembre 2012

El 21 de diciembre de 2012 de nuestro actual calendario gregoriano, el sistema calendárico maya conocido como CUENTA LARGA retornará al cero para reiniciar su ciclo de 1’872,000 días (5,125,36 años).

El solsticio de invierno se mueve lentamente hacia el corazón de la galaxia. El 21 de diciembre de 2012 se transformará el mundo al atravesar el sol la “Gran Grieta”, fragmento de la vía láctea que los mayas consideraban la Matriz de la Creación.

Antony f. Aveni
Arqueología Mexicana
mayo-junio 2010

Textos extraídos de Wikipedia y de otros sitios de internet, así como dela revista Arqueología Mexicana, may-jun 2010
Imágenes de libre acceso extraídas de internet con reconocimiento a sus autores
Música: Columa del Cielo © Tribu
Investigación y recopilación de Textos: Guadalupe Meré Alcocer
Concepto general y montaje gráfico original © Carlos Rangel
carlitosrangel@hotmail.com
Se agradece respetarlo sin alteración
Santiago de Querétaro, México, septiembre 2012
otras producciones del editor:
www.slideshare.net/carlitosrangel/presentations

Pasos a seguir para promover el aprendizaje significativo

  • Proporcionar retroalimentación productiva, para guiar al aprendiz e infundirle una motivación intrínseca.
  • Proporcionar familiaridad.
  • Explicar mediante ejemplos.
  • Guiar el proceso cognitivo.
  • Fomentar estrategias de aprendizaje.
  • Crear un aprendizaje situado cognitivo.

La teoría del aprendizaje significativo se ha desarrollado y consolidado a merced de diferentes investigaciones y elaboraciones teóricas en el ámbito del paradigma cognitivo, mostrando coherencia y efectividad. Cuanto más se premie al educando en el proceso enseñanza aprendizaje mayor resultado mostrara al fin del año escolar pero esto será difícil sin la ayuda de los padres dentro del proceso. Debe tener el aprendizaje significativo un nivel de apertura amplio, material de estudio que sea interesante y atractivo y una motivación intrínseca o extrínseca .Además de realizar dos estrategia que son la elaboración (integrar y relacionar la nueva información con los conocimientos previos) y la organización (reorganizar la información que se ha aprendido y donde aplicarla)Como en el caso de las personas que reciben una educación a distancia donde es básico la disposición y auto regulación que tiene el alumno para obtener todo el aprendizaje significativo y que pueda aplicarlo en su entorno personal y social.
El aprendizaje significativo sin duda alguna, contribuye al aprendizaje a larga distancia ya que mediante este proceso se pueden adquirir diversos conocimientos e incluso terminar una formación académica sin la necesidad de acudir presencialmente a un aula y tomar clases. El aprendizaje significatico fusiona las bases del conocimiento previo con el adquirido, incrementando nuestro conocimiento del tema previamente conocido.