Monday, January 27, 2020

Analysis of Intrusion Detection Systems (IDS)

Introduction

Intrusion detection systems (IDS) were developed in the 1990s, when network hackers and worms appeared, initially to identify and report such attacks. Intrusion detection systems could not stop such attacks; they could only detect them and report them to network personnel. Intrusion prevention systems have both characteristics, i.e. threat detection and prevention. The detection process analyzes events for possible threats, while intrusion prevention stops the detected threats and reports them to the network administrator.

Purpose and Scope

The main purpose of the project is to evaluate the security capabilities of different types of IDPS technologies in maintaining network security. It provides detailed information about the different classes and components of IDPS technologies, for example detection methods, security capabilities, prevention capabilities and the internals of IDPS. It focuses mainly on the different detection techniques and responses of these technologies.

1.2 Audience

The information can be useful for computer network administrators and network security personnel who have little knowledge of these IDPS technologies.

1.3 Project Structure

The project is organized into the following major sections:

- Section 2 provides a general introduction to IDPS.
- Section 3 provides detailed information about IDPS technologies: components and architecture, detection methodologies, security capabilities and prevention capabilities.
- Section 4 provides the internals of IDPS and incident response.

Section 2: Introduction of IDPS

This chapter explains the intrusion detection and prevention process, and the uses, functions and different types of IDPS.

Modern computer networks provide fast, reliable and critical information not only to a small group of people but also to an ever-expanding group of users.
This need led to the development of redundant links, notebook computers, wireless networks and many other technologies. On one side, the development of these new technologies increased the importance and value of these access services; on the other, they provide more paths for attacks. In the past, even with firewalls and anti-virus software in place, organizations suffered huge losses to their businesses within minutes, in terms of confidentiality and of availability to legitimate clients. These modern threats highlighted the need for more advanced protection systems. Intrusion detection and prevention systems are designed to protect systems and networks from unauthorized access and damage.

An intrusion is an active sequence of related events that deliberately tries to cause harm, such as rendering a system unusable, accessing unauthorized information or manipulating such information. In computer terminology, intrusion detection is the process of monitoring the events in a computer network or a host resource and analyzing them for signs of possible incidents, deliberate or incidental. The primary functions of an IDPS are identifying incidents, logging information about them, stopping them and preventing them from causing any damage. The security capabilities of IDPS can be divided into three main categories:

- Detection: identification of malicious attacks on network and host systems.
- Prevention: stopping an attack from executing.
- Reaction: immunization of the system from future attacks.

On the basis of location and the type of events they monitor, there are two types of IDPS technologies: host-based and network-based. A network-based IDPS monitors traffic for a particular network segment and analyzes network and application protocol activity for suspicious events. It is commonly deployed at the borders between networks. A host-based IDPS, on the other hand, monitors the activity of a single host and the events occurring within that host for suspicious activity.
There are two complementary approaches to detecting intrusions: the knowledge-based approach and the behavior-based approach. In the knowledge-based approach, an IDPS looks for specific traffic patterns called signatures, which indicate malicious or suspicious content, while in the behavior-based approach an intrusion is detected by observing a deviation from the normal, expected behavior of the user or the system.

What is an IDS?

Intrusion detection systems (IDS) can be defined as the tools, methods and resources used to identify, assess and report unauthorized or unapproved network activity. An IDS detects attacks against a network or host and sends logs to a management console, providing information about malicious attacks on network and host resources. IDSs fall into two main categories:

- Host-Based Intrusion Detection System (HIDS): A HIDS requires software that resides on the system and can scan all host resources for activity. It logs any activities it discovers to a secure database and checks whether the events match any malicious event record listed in the knowledge base.
- Network-Based Intrusion Detection System (NIDS): A NIDS is usually inline on the network and analyzes network packets, looking for attacks. A NIDS receives all packets on a particular network segment via one of several methods, such as taps or port mirroring. It carefully reconstructs the streams of traffic to analyze them for patterns of malicious behavior.

The basic process for an IDS is that it passively collects data, then preprocesses and classifies it. Statistical analysis can be done to determine whether the information falls outside normal activity, and if so, it is then matched against a knowledge base. If a match is found, an alert is sent. Figure 1-1 outlines this activity.
[Fig 1.1: Standard IDS System. Components shown: Response Manager, GUI, Host System, Pre-processing, Statistical Analysis, Alert Manager, Knowledge Base, Long-Term Storage, Signature Matching.]

What is an IPS?

IPS technology has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents. IPS technologies are differentiated from IDS by one characteristic: the prevention capability. Once a threat is detected, the IPS prevents it from succeeding. An IPS can be host-based (HIPS), which works best at protecting applications, or network-based (NIPS), which sits inline and stops and prevents the attack. A typical IPS performs the following actions upon detecting an attack:

- It terminates the network connection or user session.
- It blocks access to the target, i.e. IP address, user account or server.
- It reconfigures devices, i.e. firewall, switch or router.
- It replaces the malicious portion of an attack to make it benign.

An IPS typically consists of four main components:

- Traffic Normalizer: Interprets the network traffic and performs packet analysis and packet reassembly; the traffic is then fed into the detection engine and service scanner.
- Service Scanner: Builds a reference table that classifies the information and helps the traffic shaper manage the flow of the information.
- Detection Engine: Performs pattern matching against the reference table.

Figure 1.2 outlines this process:

[Fig 1-2: Standard IPS. Components shown: Response Manager, GUI, Traffic Normalizer, System Scanner, Detection Engine, Alert Manager, Reference Table, Long-Term Storage, Signature Matching.]

Uses of IDPS Technologies

The identification of possible incidents is the main focus of an IDPS. For example, if an intruder has successfully compromised a system by exploiting a vulnerability in it, the IDPS could report this to the security personnel. Logging of information is another important function of an IDPS. This information is vital to security staff for further investigation of the attack.
An IDPS can also identify violations of an organization's security policy, whether intentional or unintentional, for example unauthorized access to a host or application. Identification of reconnaissance activity is one of the major capabilities of an IDPS; such activity, for example scanning hosts and ports in order to launch further attacks, is an indication of an imminent attack. In this case, an IDPS can either block the reconnaissance activity or alter the configurations of other network devices.

Functions of IDPS Technologies

The main difference between the different types of IDPS technologies is the type of events they can recognize. The main functions are the following:

- Recording information about observed events. This information could be stored locally or sent to a logging server.
- Sending alerts, one of the vital functions of an IDPS. Alerts are sent through different methods, i.e. email, SNMP traps, syslog messages etc.
- Changing the security profile when a new threat is detected, which some IDPS can do; for example, when a new threat is detected, the IDPS might be able to collect more detailed information about it.

An IDPS not only performs detection but also performs prevention, by stopping the threat from succeeding. Some prevention capabilities are:

- It can stop the attack by terminating either the network connection or the user session, or by blocking access to a target host.
- It could change the configuration of other network devices (firewalls, routers and switches) to block or disrupt the attack.
- Some IDPS could change the contents of a malicious IP packet, for example by replacing the header of an IP packet with a new one.

Types of IDPS Technologies

IDPS technologies can be divided into the following two major categories:

- Network-Based IDPS
- Host-Based IDPS

Network-Based IDPS

A network-based IDPS monitors network traffic for a particular network segment.
It analyzes network and application protocol activity to identify any suspicious activity. A network-based IDPS usually sits inline on the network and analyzes network packets, looking for attacks. It receives all packets on a particular network segment, including switched networks. It carefully reconstructs the streams of traffic to analyze them for patterns of malicious behavior. It is equipped with facilities to log its activities and to report or alarm on questionable events. The main strengths of network-based IDPS are:

- Packet Analysis: Network-based IDPSs perform packet analysis. They examine the headers of all IP packets for malicious content. This helps in detecting common denial of service (DoS) attacks, for example the LAND attack, in which the source and destination addresses and the source and destination ports are all those of the target machine. This causes the target machine to open a connection with itself, making it either run slowly or crash. A network-based IDPS can also inspect the payload of an IP packet for specific commands.
- Real Time Detection and Response: A network-based IDPS detects attacks in real time as they occur and provides a faster response. For example, if a hacker initiates a TCP-based DoS attack, the IDPS can drop the connection by sending a TCP reset.
- Malicious Content Detection: A network-based IDPS removes or replaces the suspicious portion of an attack. For example, if an email has an infected attachment, the IDPS removes the infected file and permits the clean email.
- Evidence for Prosecution: A network-based IDPS monitors real-time traffic, and if an attack is detected and captured, the hacker cannot remove the evidence. The captured attack contains not only data but also information that identifies the attacker, which helps in prosecution.

Host-Based IDPS

A host-based system monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
It requires software that resides on the system and monitors network traffic, syslog, processes, file access and modification, and configuration or system changes. It logs any activities it discovers to a secure database and checks whether the events match any malicious event record listed in the knowledge base. Some of the major strengths of host-based IDPS are:

- Verification of Attack: A host-based IDPS uses logs that contain events that have actually occurred. It has the advantage of knowing whether the attack succeeded. This type of detection is more accurate and generates fewer false alarms.
- Monitoring of Important Components: A host-based IDPS monitors key components, for example executable files, specific DLLs and the NT registry. All of these can cause damage to the host or network.
- System Specific Activity: A host-based IDPS monitors user and file access activity. It monitors logon and logoff procedures and checks them against the current policy. It also monitors file access, for example the opening of a non-shared file.
- Switched and Encrypted Environments: Host-based IDPSs provide greater visibility into a purely switched environment by residing on as many critical hosts as needed. Encryption is a challenging problem for network-based IDPS but not a major problem for host-based IDPS. If the host in question has log-based analysis, encryption will have no impact on what goes into the log files.
- Near Real Time Detection: A host-based IDPS relies on log analysis, which is not true real-time analysis. But it can detect and respond as soon as the log is written to and compared with the active attack signatures.
- Real Time Detection and Response: A stack-based IDPS monitors packets as they traverse the TCP/IP stack. It examines inbound and outbound packets and determines in real time whether an attack is being executed. If it detects an attack in real time, it can respond to that attack in real time.
Section 2: IDPS Analysis Schemes

IDPSs perform analysis. This chapter is about the analysis process: what analysis does and the different phases of analysis.

2.2 Analysis

In the context of intrusion detection and prevention, analysis is the organization of the constituent parts of data and their relationships to identify any anomalous activity of interest. Real-time analysis is analysis done on the fly as the data travels the path to the network or host. The fundamental goal of intrusion detection and prevention analysis is to improve an information system’s security. This goal can be broken down further:

- Create records of relevant activity for follow-up.
- Determine flaws in the network by detecting specific activities.
- Record unauthorized activity for use in forensics or criminal prosecution of intrusion attacks.
- Act as a deterrent to malicious activity.
- Increase accountability by linking the activities of one individual across systems.

2.3 Anatomy of Intrusion Analysis

There are many possible analysis schemes, but in order to understand them, the intrusion analysis process can be broken down into the following four phases:

- Preprocessing
- Analysis
- Response
- Refinement

1. Preprocessing

Preprocessing is the key function once the data is collected from an IDPS sensor. The data is organized in some fashion for classification. Preprocessing helps determine the format the data is put into, which is usually some canonical format or a structured database. Once the data is formatted, it is broken down further into classifications. These classifications can depend on the analysis scheme being used. For example, if rule-based detection is being used, the classification will involve rules and pattern descriptors. If anomaly detection is used, the classification is a statistical profile, based on different algorithms, in which user behavior is baselined over time, and any behavior that falls outside of that classification is flagged as an anomaly.
Upon completion of the classification process, the data is concatenated and put into a defined version or detection template of some object by replacing variables with values. These detection templates populate the knowledge base, which is stored in the core analysis engine.

2. Analysis

Once the preprocessing is completed, the analysis stage begins. The data record is compared to the knowledge base, and the data record will either be logged as an intrusion event or be dropped. Then the next data record is analyzed. The next phase is response.

3. Response

Once information is logged as an intrusion, a response is initiated. The inline sensor can provide real-time prevention through an automated response. The response is specific to the nature of the intrusion or to the analysis scheme used. The response can be set to be performed automatically, or it can be done manually after someone has analyzed the situation.

4. Refinement

The final phase is the refinement stage. This is where the fine-tuning of the system is done, based on previous usage and detected intrusions. This gives the opportunity to reduce false-positive levels and to have a more accurate security tool.

Analysis Process by Different Detection Methods

The intrusion analysis process depends solely on the detection method being used. The four phases of intrusion analysis under different detection methods are described below.

Analysis Process by Rule-Based Detection

Rule-based detection is also known as signature detection, pattern matching and misuse detection. It uses pattern matching to detect known attack patterns. The four phases of the intrusion analysis process as applied in a rule-based detection system are as follows:

Preprocessing: Data is collected about intrusions, vulnerabilities and attacks, and is then put into a classification scheme or pattern descriptors.
From the classification scheme a behavior model is built and then put into a common format:

- Signature Name: The given name of the signature.
- Signature ID: The unique ID for the signature.
- Signature Description: A description of the signature and what it does.
- Possible False Positive Description: An explanation of any “false positives” that may appear to be an exploit but are actually normal network activity.
- Related Vulnerability Information: Any related vulnerability information.

The pattern descriptors are typically either content-based signatures, which examine the payload and header of a packet, or context-based signatures, which evaluate only the packet headers to identify an alert. The pattern descriptors can be atomic (single) or composite (multiple) descriptors. An atomic descriptor requires only one packet to be inspected to identify an alert, while a composite descriptor requires multiple packets to be inspected to identify an alert. The pattern descriptors are then put into a knowledge base that contains the criteria for analysis.

Analysis: The event data is formatted and compared against the knowledge base using a pattern-matching analysis engine. The analysis engine looks for defined patterns that are known as attacks.

Response: If the event matches the pattern of an attack, the analysis engine sends an alert. If the event is a partial match, the next event is examined. Partial matches can only be analyzed with a stateful detector, which has the ability to maintain state, as many IDS systems do. Different responses can be returned depending on the specific event records.

Refinement: Refinement of pattern-matching analysis comes down to updating signatures, because an IDS is only as good as its latest signature update.

Analysis Process by Profile-Based Detection (Anomaly Detection)

An anomaly is something that is different from the norm or that cannot be easily classified.
Anomaly detection, also referred to as profile-based detection, creates a profile system that flags any event that strays from a normal pattern and passes this information on to output routines. The analysis process in profile-based detection is as follows:

Preprocessing: The first step in the analysis process is collecting data, in which behavior considered normal on the network is baselined over a period of time. The data is put into numeric form and then formatted. The information is then classified into a statistical profile based on different algorithms; this profile is the knowledge base.

Analysis: The event data is typically reduced to a profile vector, which is then compared to the knowledge base. The contents of the profile vector are compared to a historical record for that particular user, and any data that falls outside the baseline of normal activity is labeled as a deviation.

Response: At this point, a response can be triggered either automatically or manually.

Refinement: The profile vector history is typically deleted after a specific time. In addition, different weighting systems can be used to give more weight to recent behavior than to past behavior.

Section 3: IDPS Technologies

This section provides an overview of different technologies. It covers the major components, architecture, detection methodologies and security capabilities of IDPS.

Components

The major components and architecture of IDPS are the following:

- Sensors and Agents: Sensors and agents monitor and analyze network traffic for malicious activity.
- Sensor: The technologies that use sensors are network-based intrusion detection and prevention systems, wireless intrusion detection and prevention systems, and network behavior analysis systems.
- Agent: The term “agent” is used for host-based intrusion detection and prevention technologies.
- Database Server: The information recorded by the sensors and agents is kept safely in a database server.
- Console: A console is software that provides an interface for IDPS users. Console software is installed on the administrator’s PC. Consoles are used for configuring, monitoring, updating and analyzing the sensors or agents.
- Management Server: A centralized device that receives information from sensors and agents and manages that information. Some management servers can also perform analysis on the information provided by sensors and agents, for example correlation of events. A management server can be either appliance-based or software-based.

3.1 Network Architecture

IDPS components are usually connected with each other through the organization’s network or through a management network. If they are connected through a management network, each agent or sensor has an additional interface, known as the management interface, that connects it to the management network. For security reasons, an IDPS cannot pass any traffic between its management interface and its network interface. The other components of an IDPS, i.e. consoles and database servers, are attached only to the management network. The main advantages of this type of architecture are that it hides the existence of the IDPS from hackers and intruders and ensures it has enough bandwidth to function under DoS attacks.

Another way to conceal this communication is to create a separate VLAN for the IDPS management communication. This type of architecture doesn’t provide as much protection as the management network does.

3.2 Security Capabilities

IDPS provide different security capabilities. Common security capabilities are information gathering, logging, detection and prevention.

3.2.1 Information Gathering

Some IDPS gather general characteristics of a network, for example information about hosts and the network. They identify the hosts, and the operating systems and applications they use, from observed activity.

3.2.2 Logging Capabilities

When malicious activity is detected by the IDPS, it performs logging.
Logs contain the date and time, event type, rating and the prevention action, if one was performed. This data is helpful in investigating the incident. Some network-based IDPS capture packets, while host-based IDPS record user IDs. IDPS technologies allow logs to be stored locally and copies to be sent to a centralized logging server, i.e. syslog.

3.2.3 Detection Capabilities

The main responsibility of an IDPS is to detect malicious activity. Most IDPS use a combination of detection techniques. The accuracy and the types of events they detect depend greatly on the type of IDPS. IDPS give great results once they are properly tuned. Tuning gives more accuracy in detection and prevention. Some of the tuning capabilities are:

- Thresholds: A threshold is a value that sets the limit between normal and abnormal behavior, for example the maximum number of login attempts. If the attempts exceed the limit, the behavior is considered anomalous.
- Blacklists and Whitelists: A blacklist is a list of TCP or UDP port numbers, users, applications, file extensions etc. that are associated with malicious activity. A whitelist is a list of discrete entities that are known to be benign. Whitelists are mainly used to reduce false positives.
- Alert Setting: This enables an IDPS to suppress alerts if an attacker generates too many alerts in a short time, and to block all future traffic from that host. Suppressing alerts prevents the IDPS from being overwhelmed.

3.2.4 Prevention Capabilities

IDPS offer multiple prevention capabilities. The prevention capability can be configured for each type of alert. Depending on the type of IDPS, some IDPS sensors are more intelligent. They have a learning and simulation mode that enables them to know when an action should be performed, reducing the risk of blocking benign activity.

3.2.5 Types of Alarms

When an IDPS detects an intrusion it generates some type of alarm, but no IDPS generates 100% true alarms. An IDPS can generate an alarm for legitimate activity and can fail to alarm when an actual attack occurs.
These alarms can be categorized as:

1. False Alarms: When an IDPS fails to accurately indicate what is actually happening in the network, it generates false alarms. False alarms fall into two main categories:

- False Positives: These are the most common type of alarm. A false positive occurs when an IDPS generates an alarm based on normal network activity.
- False Negatives: When an IDPS fails to generate an alarm for an intrusion, it is called a false negative. It happens when the IDPS is programmed to detect an attack but the attack goes undetected.

2. True Alarms: When an IDPS accurately indicates what is actually happening in the network, it generates true alarms. True alarms fall into two main categories:

- True Positives: An IDPS detects an intrusion and correctly sends an alarm in response to actually detecting the attack in the traffic. A true positive is the opposite of a false negative.
- True Negatives: An IDPS signature does not send an alarm when it is examining normal user traffic. This is the correct behavior.

Architecture Design

Architecture design is of vital importance for the proper implementation of an IDPS. The considerations include the following:

- The location of sensors or agents.
- The reliability of the solutions and the measures taken to achieve that reliability, for example using multiple sensors to monitor the same activity, as a backup.
- The number and location of the other components of the IDPS, for usability, redundancy and load balancing.
- The systems with which the IDPS needs to interface, including:
  - Systems to which it provides data, i.e. log servers and management software.
  - Systems on which it initiates prevention responses, i.e. routers, firewalls or switches.
  - The systems used to manage the IDPS components, i.e. network management software.
- The protection of IDPS communications on the standard network.

3.3 Maintenance and Operation

Most IDPS are operated and maintained through a graphical user interface called the console.
It allows the administrator to configure and update the sensors and servers as well as monitor their status. The console also allows users to monitor and analyze IDPS data and generate reports. Separate accounts can be set up for administrators and users. A command line interface (CLI) is also used by some IDPS products. The CLI is used for local administration, but it can also be used for remote access through an encrypted tunnel.

3.3.1 Common Use of Consoles

Many consoles offer drill-down facilities; for example, if an IDPS generates an alert, the console gives more detailed information in layers. It also gives extensive information to the user, i.e. packet captures and related alerts. Reporting is an important function of the console. Users can configure the console to send reports at set times. Reports can be transferred or emailed to the appropriate user or host. Users can obtain and customize reports according to their needs.

3.3.2 Acquiring and Applying Updates

There are two types of updates: software updates and signature updates. Software updates enhance the performance or functionality of the IDPS and fix bugs in it, while signature updates add detection capabilities or refine existing capabilities. Software updates are not limited to any particular component; they can cover all or any one of them, i.e. sensor, console, server and agents. Most updates are available from the vendor’s web site.

New Chapter: Detection Methodologies

Most IDPS use multiple detection methodologies for broad and accurate detection of threats, but the primary detection methodologies are the following:

- Signature Based Detection
- Anomaly Based Detection
- Stateful Protocol Analysis

3.3.1 Signature Based Detection

The term signature refers to a pattern that corresponds to a known threat.
In signature-based detection, predefined signatures stored in a database are compared with the network traffic, looking for a series of bytes or a packet sequence known to be malicious, for example an email with the subject "free screen savers" and an attachment named screensavers.exe, which are characteristics of a known form of malware. Or a telnet
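
The rule-based analysis described earlier in this essay (the common signature format, content-based and context-based descriptors, atomic and composite matches with stateful partial matching) and the signature-based detection described above can be sketched as follows. This is an added example, not code from the original essay or from any IDPS product; the signature IDs, the two-stage marker strings and all sample events are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Tuple

Event = dict  # keys: src, sport, dst, dport, payload (bytes)


@dataclass(frozen=True)
class Signature:
    """The common signature format listed in the preprocessing phase."""
    sig_id: int
    name: str
    description: str
    false_positive_note: str
    related_vulnerability: str
    kind: str  # "context" = headers only, "content" = headers and payload
    # One predicate makes the descriptor atomic; several make it composite,
    # and they must match in order on the same flow.
    steps: Tuple[Callable[[Event], bool], ...]


def is_land(e):
    # Context-based: source and destination address and port are identical.
    return e["src"] == e["dst"] and e["sport"] == e["dport"]


def is_screensaver_mail(e):
    # Content-based: subject and attachment name from the essay's example.
    body = e["payload"].lower()
    return b"subject: free screen savers" in body and b"screensavers.exe" in body


# Hypothetical signature IDs and marker strings, constructed for this example.
SIGNATURES = [
    Signature(1001, "LAND packet", "Source equals destination (address and port)",
              "Loopback test traffic mirrored to the sensor", "n/a (placeholder)",
              "context", (is_land,)),
    Signature(1002, "Screensaver mail", "Known malware mail subject and attachment",
              "Mail that merely quotes the subject and file name", "n/a (placeholder)",
              "content", (is_screensaver_mail,)),
    Signature(1003, "Two-stage marker", "Two payload markers in order on one flow",
              "None known for these constructed markers", "n/a (placeholder)",
              "content", (lambda e: b"EXAMPLE-STAGE-1" in e["payload"],
                          lambda e: b"EXAMPLE-STAGE-2" in e["payload"])),
]


class Engine:
    """Stateful pattern matcher: remembers partial matches per signature and flow."""

    def __init__(self, signatures):
        self.signatures = list(signatures)
        self.partial = {}  # (sig_id, flow) -> index of the next step to match

    def analyze(self, event):
        flow = (event["src"], event["sport"], event["dst"], event["dport"])
        alerts = []
        for sig in self.signatures:
            key = (sig.sig_id, flow)
            step = self.partial.get(key, 0)
            if not sig.steps[step](event):
                continue  # no match: keep any partial state, examine the next event
            if step + 1 == len(sig.steps):
                self.partial.pop(key, None)
                alerts.append(sig.sig_id)  # full match: raise an alert
            else:
                self.partial[key] = step + 1  # partial match: wait for the next step
        return alerts


def ev(src, sport, dst, dport, payload=b""):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}


# Constructed sample events (documentation address ranges).
EVENTS = [
    ev("198.51.100.7", 40000, "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    ev("192.0.2.10", 139, "192.0.2.10", 139),
    ev("198.51.100.9", 52000, "192.0.2.25", 25,
       b'Subject: Free Screen Savers\r\n\r\nfilename="screensavers.exe"'),
    ev("198.51.100.7", 40001, "192.0.2.10", 23, b"EXAMPLE-STAGE-1"),
    ev("198.51.100.7", 40001, "192.0.2.10", 23, b"keepalive"),
    ev("198.51.100.7", 40001, "192.0.2.10", 23, b"EXAMPLE-STAGE-2"),
    ev("198.51.100.8", 40002, "192.0.2.10", 23, b"EXAMPLE-STAGE-2"),
]


def run(events=EVENTS):
    """Return (event index, signature ID) for every alert raised."""
    engine = Engine(SIGNATURES)
    hits = []
    for index, event in enumerate(events):
        hits.extend((index, sig_id) for sig_id in engine.analyze(event))
    return hits


if __name__ == "__main__":
    for index, sig_id in run():
        print(f"event {index}: alert for signature {sig_id}")
```

The last event carries the second marker on a flow that never sent the first one, so the composite signature stays silent; only a detector that keeps per-flow state can tell the two cases apart.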
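
The profile-based (anomaly) analysis described earlier in this essay, with a baselined profile vector per user, deviations from that baseline, a bounded history and more weight on recent behavior, can be sketched as follows. This is an added example, not code from the original essay; the feature names, window size, decay factor, threshold and observations are assumptions constructed for illustration.

```python
import math
from collections import defaultdict, deque

# Hypothetical per-hour profile vector for one user.
FEATURES = ("logins", "files_opened", "kb_sent")


class ProfileDetector:
    def __init__(self, window=20, decay=0.9, k=3.0, min_history=5):
        self.decay = decay              # weight multiplier per step of age
        self.k = k                      # allowed deviation, in standard deviations
        self.min_history = min_history  # observations needed before judging
        # Bounded history: the oldest vectors are deleted as new ones arrive.
        self.history = defaultdict(lambda: deque(maxlen=window))

    def baseline(self, user):
        """Recency-weighted mean and standard deviation of each feature."""
        hist = self.history[user]
        n = len(hist)
        weights = [self.decay ** (n - 1 - i) for i in range(n)]  # newest = 1.0
        total = sum(weights)
        means, stds = [], []
        for j in range(len(FEATURES)):
            mean = sum(w * v[j] for w, v in zip(weights, hist)) / total
            var = sum(w * (v[j] - mean) ** 2 for w, v in zip(weights, hist)) / total
            means.append(mean)
            stds.append(math.sqrt(var))
        return means, stds

    def analyze(self, user, vector):
        """Return the names of features that deviate from the user's baseline."""
        hist = self.history[user]
        if len(hist) < self.min_history:
            hist.append(vector)  # preprocessing: still building the baseline
            return []
        means, stds = self.baseline(user)
        deviations = []
        for name, x, mean, std in zip(FEATURES, vector, means, stds):
            # Floor the spread so a very flat baseline does not flag tiny changes.
            spread = max(std, 0.1 * abs(mean), 1.0)
            if abs(x - mean) > self.k * spread:
                deviations.append(name)
        if not deviations:
            hist.append(vector)  # refinement: only normal behavior updates the profile
        return deviations


# Constructed observations for one user: (logins, files_opened, kb_sent).
OBSERVATIONS = [
    (3, 20, 500), (4, 22, 480), (3, 19, 520), (5, 21, 510), (4, 20, 495),
    (3, 23, 505),    # normal, judged against the five-sample baseline
    (4, 21, 9000),   # unusually large outbound transfer
    (40, 300, 500),  # unusual login and file-access volume
    (4, 20, 510),    # normal again
]


def run_demo():
    """Return the list of deviating features for each observation, in order."""
    detector = ProfileDetector()
    return [detector.analyze("alice", vec) for vec in OBSERVATIONS]


if __name__ == "__main__":
    for vec, deviations in zip(OBSERVATIONS, run_demo()):
        print(vec, "->", deviations or "normal")
```

Flagged vectors are not added to the history, so a burst of abnormal activity cannot drag the baseline toward itself.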

Saturday, January 18, 2020

Compare Shopping Online with Traditional Shopping Essay

Traditional shopping is going directly to physical stores and purchasing items, whereas online shopping is purchasing items from merchants who sell on the Internet. Since the emergence of the World Wide Web, merchants have sought to sell their products to people who surf the Internet. Online shopping is widely perceived as a cheaper and easier way of finding lower prices and bargains in most sectors. However, online and traditional shopping are synergistic with one another and yet still have several similarities and differences.

Shopping online gives the user the opportunity to search for the product they want through endless avenues. Shopping online can be a great option because it can be time-effective, especially for those who have a busy lifestyle or are just too lazy to get up and go to the store. The world of online shopping can make it easier to compare prices. Instead of having to drive from store to store looking at prices, only to find that the best price was at the first store, you can simply switch from window to window on your computer. Also, with online shopping, you can have items delivered right to your door.

In addition, there is always the possibility of having to pay shipping costs when shopping online. Many online stores will ship free within a certain area, but many times, if you are located outside of the city or area, you will need to pay immense shipping prices. Companies have been trying to improve this negative aspect of online shopping by making deals like “spend over $200.00 and get free shipping”, but not all sites offer these deals. Security is another concern when it comes to online shopping. With online shopping, there is no way for you to know if someone is stealing your data. You do not even know if you will actually get the items you purchase. This renders online shopping a bit more insecure.
By shopping in a traditional store, you can avoid shipping costs because you can simply take your items home with you after you purchase them. Customers can purchase products directly, making selections by watching, touching, smelling, tasting, etc. Stores are near and easily available to customers, so they can get the items immediately. Customers have numerous options to purchase anything at lower prices at any time. There is less confusion, because the customer shops directly from physical stores. Customers can save money by getting products at lower prices and by getting discounts from local storeowners. Generally, storeowners give excellent discounts to regular customers. Shoppers can also compare prices in different stores so that they can purchase an item at a lower cost and with good quality. Shoppers can also visit many stores, so they have several choices of where to shop. If a shopper is not satisfied with the products in one store, he or she can move to another store and purchase there. Traditional shopping can be a recreational activity, and it can be exercise for shoppers. It is easy to return a product if the customer gets an incorrect or damaged product. There is no worry about security issues, such as the fraud and lack of privacy found in online shopping.

Online shopping has grown to new heights over the last decade and shows no signs of regressing. The internet has brought practically every store in the world to the fingertips of anyone with internet access. Online shopping has grown so large that many companies are not investing in buildings and mall space, but rather in online websites and web advertising. Traditional shopping does have its positives, in terms of reliability and safety. Though online shopping is a global phenomenon, traditional shopping will not evaporate any time soon.
In conclusion, it is important, as an individual, to research whether online shopping or traditional shopping is effective for you, as each has its own hindrances.

Source:
Amy, Nutt (2009). Traditional Vs Online Shopping. Retrieved November 28, 2012 from http://EzineArticles.com/?expert=Amy_Nutt
Darrell, Rigby (2011). The Future of Shopping. Retrieved November 28, 2012 from hbr.org/2011/12/the-future-of-shopping

Friday, January 10, 2020

Love, Hate and Beyond. Emotions, Culture and Practice

Analysing grief in an ethnographic fashion can be quite difficult, as it is such a sensitive issue. My partner and I worked together to devise a project that could target the issue of grief on a wider scale in Northern Ireland. We decided to address the case of the Omagh bombing in 1998 that killed 31 people (two of those being unborn children). This would allow us to look at personal grief but also enable us to concentrate on the grieving process of a community. On a normal Saturday afternoon at 3:10pm, in the small town of Omagh in Northern Ireland, a 500lb car bomb exploded on Market Street. This news reached the whole world as the grief of a small town was presented on every news channel and in every newspaper. Northern Ireland is a place that is used to dealing with tragedy, as nearly 4,000 people have been killed as a result of the Troubles. The bomb destroyed many people's lives, and the community had to pull together to combat what one priest there described as “good over evil”. We each interviewed someone from Omagh, making sure that it was a male and a female in a similar age group. We also made sure that one was Protestant and one was Catholic to gain a fair overview of the situation.

Methodology and Ethics

The technique that I used to research was an informal interview with a 23-year-old girl from Omagh, who was there at the time of the bombing. She herself was a Roman Catholic. The interviewing process is one of the most common ways of obtaining information for the anthropologist. It could be seen as being very flexible as there are set guidelines on how one must interview. However, there are different types of questions that can be used according to the sensitivity of the subject that is being addressed. During my interview I wanted to let the conversation flow easily, so I asked what are known as semi-structured questions.
This allows the person being interviewed to talk away about the subject: “The interviewer responds using prompts, probes and follow up questions to get the interviewee to clarify or expand on the answers”1. The prompts I used throughout the interview allowed her to say what she wanted to say and were a sensitive approach given the subject in hand. “Prompting is an art that has to be cultivated, and a certain amount of effort must initially be put into pump-priming (that is, encouraging informants to speak freely and informatively on subjects that interest you)”2. I could see that during the interview she could start talking about something that was upsetting her, but then we were able to move on to another aspect of the question. Drever explains that semi-structured interviews allow one to gather factual information, collect statements of their preferences and opinions, and explore in some depth their experiences. I just tried to get my interviewee to explain the events in chronological order, getting her to tell me how she felt at all times, putting the emphasis on grief and community. As my interviewee was a female friend, I think that allowed her to open up to me when she was talking about her experience at two of the victims' wakes. This method of asking questions allowed me to gain high quality information for my research project; I could listen carefully to what she was saying and explore her individual viewpoints. The essential aim of ethnography is to produce knowledge, ‘central to researching the truth: the aim should be to produce accounts of the social phenomena' (Paul Atkinson). When analysing an issue such as the emotion of grief, one has to be careful that the pursuit of knowledge does not become offensive to anyone involved. There seem to be five main factors when dealing with the ethics of the interviewing process.
1, Informed consent: the interviewee should know exactly why they are being interviewed and give their “unconstrained consent”3; it could be seen as being devious or unfair if this is not the case. It seems only fair when addressing the subject of grief to be truthful.

2, Harm is something that can occur to those being researched if the anthropologists are not careful. For example, an interviewee may feel anxious about the publication of the results of an interview if they have said anything controversial. Sensitive issues need careful consideration, as the subject can be harrowing for the interviewee. Finch expresses her feelings on harm and explains that it is difficult even for feminists “to devise ways of ensuring that information given so readily in interviews will not be used ultimately against the collective interests of women” (1984:83).

3, Exploitation can occur during a research study, as people do not appreciate being used as ‘fodder for research', Beyon (1983). People do not appreciate giving time and effort to take part in research and not being able to get anything out of it; once their job has been done some interviewees can be cast aside. People however do enjoy helping others for a good reason. As my interviewee was a personal friend she was more than happy to talk to me and felt it had helped once again to get some thoughts out into the open.

4, Consequences for future research are an important issue, as it allows research to carry over years, developing our knowledge and understanding. If an anthropologist were to do something so objectionable that it would stop future research then “ethnographic research would become virtually impossible” (Fred Davis). The researcher has a duty to everyone else not to ‘spoil the field'.

Omagh bombing interview with Tracey Donally

Tracey first describes where she was at the time of the bombing. “I was working in a shop in Omagh, about a 1/4 of a mile away from where the explosion actually took place.
When we first heard the loud bang, we all thought that it was a controlled explosion. It was quite a bit later when we realised what had happened, the phone lines in Omagh had gone down and nobody really knew what was going on. News soon spread that it was a bomb near the courthouse; at this point the number of people that had died was still unclear. Omagh was just a small town, nobody expected this, panic hit everyone straight away, my brother was in the town as well as my boyfriend, thankfully they were fine, however, I knew that someone I knew would be hurt as it is such a small community.” Then we move on to who she knew that was killed and the wakes and the funerals of these people. “It was a couple of days later that the whole death toll was clear, my aunt was a nurse in the hospital and I kept hearing names of my friends that were coming in to the hospital in critical conditions. Samantha McFarland was my friend, she had died in the bombing, there was also Lorraine Wilson, Elizabeth Rush and my friend's mother Philomena Skelton. I attended two wakes and two funerals, one Church of Ireland and one Roman Catholic. The feeling around Omagh at this time was unbelievable, only people that were there or a part of the community will ever understand. Queues of people lined up outside the wake houses to pay respects to the dead and offer their condolences to the family. I stood there and waited in silence, everyone was suffering terrible grief. When I went into Samantha's wake room I didn't really know what to say to her mother or her closest friend who were there with the body (an open coffin). I offered my sympathy, and her mother was in pure shock, sat there saying to people, ‘oh Samantha used to talk about you', or, ‘I remember you being in Samantha's class at school'. The family and friends were all stood outside the wake room, some silent, some regaling stories of Samantha and discussing what had actually happened during the bombing.
In true Irish fashion the women ran around with tea and sandwiches for everyone there. I only stayed there for a couple of hours as the house was so full of people, however close friends and family would sit up all night with the body, taking it in turns to try and get some sleep or just rest themselves at least. At Philomena's wake the atmosphere was very much the same, I was there to show my friend support at this time when her Mummy had just died. As this family were Catholic the Priest came round to the wake whilst I was there and everyone inside or standing around the outside of the house said the Rosary, this would happen at several different times throughout the night (helping the soul of the body reach Heaven). During this report it has become apparent that death has the ability to release the most powerful emotions amongst people, which is why it is important to discuss the rituals that follow: ‘There are many emotional dimensions to ritual'4. In this part of the interview Tracey explained how she attended the waking of two of the victims' bodies. Waking the body is a traditional ritual that occurs all over Ireland. It involves all of the surrounding community. The wake approaches death head on. The wake room is where the body is kept, usually in an open coffin, surrounded by candles and maybe flowers. Any family or friends who wish to come to the house do so to pray for the dead; it is also a great display of support for the grieving family. It helps many grieving family members as they have something to concentrate their grief on. People will stay up all night; the body is never left alone. Outside the wake room, in the rest of the house, is where people will usually run around helping when they can; women make gallons of tea and feed everyone. People can sit and think about the person they have lost in silence, or talk to many other people that knew them. Talking about the dead helps people to grieve for the dead.
During my time researching this report, my partner's cousin died. As an English girl I had never experienced a wake, which is common practice over here. I thought it was a good way of dealing with death and grief as there were always many chances to talk and reflect with others. Having the body in the house was also a positive thing as the family were not ready to say goodbye suddenly; they wanted to look at him, remember him and pray for him. Although they were praying for his soul to go to heaven (saying the rosary several times, led by the priest or leading family members), throughout the wake the body was of great importance also. When looking at other death rituals and grieving processes, the Dagura people in Africa have something similar to a wake. The women of the village are allowed to grieve first; however, this must be in silence. It is this way until the men have found a ‘sacred space' in which they announce the death and invite the whole village to come and grieve. The men are forbidden to show any signs of grief until this ritual space is created. The journey of the soul is of great importance after death: “The invoking of the spirits is partly designed to elicit enough grief from the mourners, to allow the dead person to move into the world of the ancestors. The Dagura believe that the soul's journey into the next world is dependent in some ways upon the grief expressed by the mourners.” Tom Golden5. This does relate to the Catholic waking practice of saying the Rosary and other prayers to help the soul enter the kingdom of heaven (the soul could be in a place called Purgatory where it would have to spend some time before moving on into Heaven; only saints go straight to Heaven). This gives both these groups of people a purpose for their grief. Grief is a state where one may not know what to do with themselves; some may even go off the rails.
Dagura people keep two women elders with the body at all times, collecting the grief from the rest of the community around them that come to visit. This displays an example of coping behaviour within both of these societies. As both cultures appreciate the rebirth of the soul, one is left to think about the relationship of the biological and the social collectivity. “Bloch and Parry hold a particular view of ritual, seeing it basically as a form of social control. One aspect of this is that society actively shapes the emotions of its members through ritual”6. The funerals of these two people were on different days, both had the Guard of honour before they reached the church. I have never experienced such a feeling of pure sadness amongst so many people in all my life. They were both very hard days. At both, the churches were so packed I had to stand outside. I could hear the service through the speakers outside, I could also hear horrible cries of agony from inside the church of close family. This was the most painful thing for me, openly hearing and seeing the physical grief of the people. Both bodies were buried in Omagh in the different graveyards of the different churches. Although it was the last goodbye to these two women it was only the start of the grieving process for their family and friends”. I asked what the communities did then to help the families and what they did to display their sorrow to the rest of the watching world. “One week later at exactly the same time as the bomb had happened there was a memorial service in Omagh town. We stood there in complete silence as a mark of respect. Thousands of people came, including politicians from all the Northern Irish parties, the Irish Prime Minister, Tony Blair, Bill Clinton and the Northern Irish secretary at the time Mo Mowlam. Prayers were said, different leaders stood up and spoke about how evil and wrong the bombing was.
It was comforting to have outside support at this time, however it was still too painful for some of the victims' family members to attend, their own personal grief and suffering was still too hard to cope with at this time. The whole community supported the families of those directly affected, it really brought the whole community together as everyone in Omagh was grieving for someone they had lost, it was such a close community, everyone knows or knows of nearly everyone there. The police and the army were major helpers after the bomb erupted, this brought the community closer as there had always been a lack of trust between the Catholic community and these two organisations. Catholics and Protestants of all denominations came together to rebuild Omagh as both sides were suffering greatly. 31 people died, both Catholic and Protestant, we all mourned together”. My aim during this research was to find out how the community dealt with such a tragic event. It is apparent that there was a sense of mass grief, not just the grief of family and friends but also of people from surrounding areas. Irish people place a big emphasis on family and community. The Omagh bombing brought the community of Omagh together in a collective disgust at what had happened as well as a collective grief. Memorial services were organised so the community could demonstrate their solidarity. Both interviewees explain about the continuous memorial services that occurred after the bombing. Everyone showed their solidarity and deep sadness at the services; it even provoked visitors from around the world to come. “Sharing affects provide relief. Grief resolution through collective mourning / healing creates positive group identity. Commitment to community” Meline Ottenbacher7. There has also been a memorial garden created for anyone to come and reflect, pray, or just to be in a quiet place. Catherine Sheehy wrote about the importance of a place like the memorial garden in Omagh.
Talking about the grief after September the 11th she states, “When loss is collective, grief requires public support. People need space to grieve and often create physical sites to recognise collective grief”8. I wanted to try and find out if any blame for the disaster and loss of life was placed in Omagh. “Yes, there was blame. It was revealed that certain people within Omagh were involved in a terrorist organisation called '32 County Sovran', a wing of the Real I.R.A. One man called Mackey was given a hard time by the rest of the town, as it was known that he was involved. The truth and justice is still to be revealed yet as the case is still in court, six years later. People blamed themselves for the members of their family dying, saying things like, ‘I should have gone into town myself now they wouldn't be dead'.” Blame is an issue that would play on some people's minds, allowing them to figure out why it happened. Having someone or something to blame gives them something to focus their instant anger on. What about people in Omagh now; how are they all this time later? “Some are emotionally scarred for life. It is still hard to talk about in front of some people who took it very badly. I know people that still have to go to therapy and see counsellors to cope with their grief. Even now the family and friends have yearly anniversaries for those that died and there is a group memorial service that the whole town attends yearly. Together the people of the town have created a memorial garden in Omagh to always remember the lives lost on that horrible day. It's a quiet place where anyone can just go and sit and think and pray. People in Omagh will always remember as long as they live, some will always feel the pain. Something nobody else can understand if they did not go through this with us. It is completely different from when you watch it on the telly and think that will never be you. It really makes you realise your own mortality”.
Whilst researching this case I spoke to Johanna Thompson, a barrister in Northern Ireland who has dealt with some of the Omagh bomb lawsuits. Many of those people that had survived the bombing suffered from Post Traumatic Stress. This would not allow them to sleep and would cause them to keep reliving the events. Many would feel a great sense of guilt that they were able to claim compensation when others had died. This would make them play down their injuries. “Many people have suffered a great psychological trauma, grief plays a large part in this. It could take a very long time for some of these people to go back to living anything nearly like their old lives”9.

Conclusion

Bloch and Parry stress the importance of the “Individual's identification with society” and of the “relationship between the biological individual and the social collectivity”. They see ritual as a method of social control. However, it seems that the ritual is a great demonstration of the emotion, and can indeed help people throughout the grieving process. Grief can be a very private thing; however, this does not always help those that are suffering. Having something to focus one's grief on can stop people from going into complete emotional turmoil. The community in Omagh strived to help everyone whose lives had been affected. They showed great solidarity and unity. It can be seen that sharing the pain can definitely provide some kind of relief. Dr Sheila Clark, from the University of Adelaide, states that “Without appropriate support, grief and trauma can lead to depression or lead to an increase in illness”. I have learnt a great deal about interview techniques. If I could improve on this piece of work I would have interviewed more people using different techniques. The triangulation that occurred during this research report was helpful.
I would also like to thank my partner for working with me on this project. I think that we came up with some good ideas together, and it was enjoyable.

Thursday, January 2, 2020

Private Prisons Are They The Criminal Justice Systems...

Private Prisons: Are They the Criminal Justice Systems’ Savior or Destroyer? As of 2005, there are over 107 privately operated secure facilities contracting to hold adult criminal offenders in the United States (Seiter, p. 164). According to Richard P. Seiter (2011), “A private correctional facility is any correctional facility operated by a nongovernmental agency and usually in a for-profit manner that contracts with a governmental entity to provide security, housing, and programs for offenders” (Seiter, p. 93). However, there is much controversy over whether private prisons are more cost-effective and efficient than a public prison system. Private prisons at first seemed to be a well-rounded idea. Despite, the initial… One of the key elements for a private correctional facility or prison is to provide security (Seiter, p. 93). Private prisons do provide this element, but how well do they? In 2010, three murderers escaped from a minimum to medium security prison in Arizona called Kingman Prison. This prison was operated by MTC (Management and Training Corporation) (Levine). These three murderers wreaked havoc across many states after their escape until they were finally captured. Private prisons, including the Kingman Prison, are designed to provide the maximum security for inmates and the public too. However, this escape just shows how unequipped private prisons are, as well as understaffed and not properly trained. Arizona Attorney General Terry Goddard said, “I believe a big part of our problem is that the very violent inmates, like the three that escaped, ended up getting reclassified [as a lower risk] quickly and sent to private prisons that were just not up to the job” (Levine). Not only are private prisons unequipped for the job, but the lower staff levels and lack of training for the staff suggest more incidences of violence and escapes.
From a study, there is evidence that guards are assaulted 49 percent more than in a public prison and the assault of inmates against one another is 65 percent more than in a