A discussion in Contrast

The Wiki definition of contrast is “Contrast is the difference in luminance or colour that makes an object (or its representation in an image or display) distinguishable. In visual perception of the real world, contrast is determined by the difference in the color and brightness of the object and other objects within the same field of view.”.  Adobe defines it through the use of the tools as “The difference in brightness between light and dark areas of an image. Contrast determines the number of shades in the image….A low-contrast image (left) retains detail but tends to lack dimension and looks soft. An image with normal contrast (center) retains detail and dimension, and looks crisp. A high-contrast image (right) loses detail especially in areas with gradated tones, and can look cartoony or posterized.”

This is the warm and fuzzy answer that visual people see.  The truth behind it is that there is an enormous amount of math surrounding the manipulation of images, because we are still dealing with discrete, non-analog information.  If you are good at following math, here are some articles:
Image Processing and More Image Processing

But I wasn’t the best at calculus and was fair at algebra and trig.  But since I use Adobe’s Lightroom quite a lot, I don’t have to be good at math.  This stupid blog is to demonstrate the effect of contrast on images using one of my favorite subjects: my neighbor’s dog.

This was the original image as shot on my Canon EOS Digital Rebel XT, 1/250 @ f4.0.  This image was shot in the Canon RAW format.


You can see that the original image is not really engaging.  It’s blah.  So let’s try some things.  Lowering the contrast lowers the “difference in luminance or color that makes an object (or its representation in an image or display) distinguishable”.  You can see it below.  Everything looks muted and unappealing.


So let’s push the contrast in the other direction.


Now everything “pops”.  The colors look more vibrant.  I’m showing the entire Develop panel to show that no other adjustments were made.  One simple adjustment can take your images from zero to hero, and you don’t need a ton of money and new gear to do it.
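To make the definition concrete, here is an added example (my own, not from the original post and not Lightroom’s code) of the simplest possible contrast adjustment: scaling each pixel’s distance from a mid-grey pivot.  The 16-step gradient is constructed input, and the linear formula and the pivot value of 128 are assumptions chosen to illustrate the slider’s effect, not how Lightroom actually implements it.

```python
# Added example: linear contrast adjustment on an 8-bit grayscale gradient.
# Not Lightroom's actual algorithm; the formula and the pivot of 128 are
# assumptions chosen to show what lowering and raising contrast does.

def adjust_contrast(pixels, factor, pivot=128):
    """Scale each pixel's distance from `pivot` by `factor`, clipped to 0..255.

    factor < 1 pulls values toward the pivot (lower contrast);
    factor > 1 pushes them apart (higher contrast) and clips at the ends.
    """
    out = []
    for p in pixels:
        v = round(pivot + (p - pivot) * factor)
        out.append(max(0, min(255, v)))   # 8-bit clipping
    return out


def spread(pixels):
    """Difference in luminance between the darkest and lightest pixel."""
    return max(pixels) - min(pixels)


def distinct_levels(pixels):
    """How many separate tones survive; fewer levels means lost detail."""
    return len(set(pixels))


# Constructed input: a smooth 16-step gradient from black to white,
# standing in for a "gradated tone" such as a sky or the dog's fur.
GRADIENT = list(range(0, 256, 17))


def summarize(factor):
    """Return (spread, distinct levels) of the gradient after adjustment."""
    adjusted = adjust_contrast(GRADIENT, factor)
    return spread(adjusted), distinct_levels(adjusted)


if __name__ == "__main__":
    for label, factor in (("lowered", 0.5), ("original", 1.0), ("raised", 3.0)):
        print(label, "contrast:", summarize(factor))
```

Lowering contrast keeps all 16 tones but halves the spread between darkest and lightest, which is the muted look above.  Raising it spreads the middle tones apart but drives the ends into 0 and 255, so the 16 tones collapse to 7: that is the loss of detail in gradated areas that the Adobe definition warns about.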

The GREAT thing about Adobe Lightroom is that if you like this look, you can save it as a “User Preset”.  Then when you import images, you can apply your own user presets to all of them on import, or apply them after they are imported.

After mucking about with some more of the sliders and adjustments here is a candidate for a final image.


The Before/After




Timing is Everything

Whether you have a professional, prosumer, entry level or phone based camera, you know that there is a slight delay from the pressing of the shutter to the actual image being recorded.  Working with that delay is the timing, the groove, the “it” factor.  You have it when your intimate knowledge of the equipment is so adept that your timing is instinctive.

Consider the impact of a photo of a batter hitting a baseball.  We have all seen images where we don’t know if the ball is coming toward the batter or the batter has just hit it.

In this shot we can see the ball compressing against the bat.

The message is that the batter has connected and that ball will soon be travelling very far.

This is a more compelling image.

Or Beyonce when she is gorgeous at a concert.

The eyes are connecting with the viewer,

The hair catching the wind from the fans below

She looks powerful and in control in this image.

But concert photography is VERY difficult to do correctly.

Because the smallest expression can become magnified and misinterpreted.


While this is not the most flattering of images, she is a performer and became a victim of unfortunate timing.

If you have ever seen any singer/performer these days, they are putting on elaborate shows and this one picture has led to much unfair criticism of her performances.

Then there are times that the image tells the story: you know what is just about to occur, and it needs no caption or setup.

Water all over and a ball in the face.


There are web sites devoted to just showing these images.


The pictures tell the story.

The point I’m trying to make is that the gear doesn’t matter.  Your knowledge of the gear does.




Or just go to Google images and enter this text “right before an accident”


Dictionaries define compliance.  Businesses define compliance.  We have our personal interpretations of compliance.  To me, it means:

Following what is recommended to achieve a similar result.

In life, there are always people willing to tell you what to do and how to do it.  IT security is no different, so get over it.  You may think you know everything, but for once, please be humble enough to just listen.  In this topic, I will be writing about the division of the Department of Commerce known as NIST (the National Institute of Standards and Technology) and why they are one of the most relevant organizations in our lives.

Step #1:  Perform your own internet search on NIST and its history


Step #2: Be very glad that they exist.

OK, all kidding aside.  NIST was created to maintain standards.  How long is a foot, a mile?  What does the official pound weigh?  What is the correct time?  This stuff really matters, as it is the cornerstone of all society.

In their Computer Security Division, they also created a series of security standards.  But it’s not all about computers; security starts with people.  In this series of articles I’m going to attempt to explain the computer security standards as laid out by NIST, the compliance models associated with them, and why they are relevant.

So as  Bette Davis said, “Fasten your seatbelts, it’s going to be a bumpy night.”



The IT Guy

NIST. A nerd’s dream come true.


Welcome back.  The next part of the series will be about the organization of the NIST site and what to look for.  The fact to keep in mind is that cyber security is ever-evolving.  Threats change constantly, and to combat (or mitigate) those threats and risks, the responses have to change too.  This is VERY similar to biology and viruses; consider them the same.


The NIST site is organized along different publication types, and yes, I’m taking the following directly from their site.

  • Federal Information Processing Standards (FIPS) Publications are standards issued by NIST after approval by the Secretary of Commerce pursuant to the Federal Information Security Management Act (FISMA).
  • Special Publications (SP)
    • SP 800, Computer Security (December 1990-present):
      NIST’s primary mode of publishing computer/cyber/information security guidelines, recommendations and reference materials
      (SP 800s are also searchable in the NIST Library Catalog);
    • SP 1800, NIST Cybersecurity Practice Guides (2015-present):  A new subseries created to complement the SP 800s; targets specific cybersecurity challenges in the public and private sectors; practical, user-friendly guides to facilitate adoption of standards-based approaches to cybersecurity;
    • SP 500, Computer Systems Technology (January 1977-present): A general IT subseries used more broadly by NIST’s Information Technology Laboratory (ITL), this page lists selected SP 500s related to NIST’s computer security efforts. (Prior to the SP 800 subseries, NIST used the SP 500 subseries for computer security publications; see Archived NIST SPs for a list.)
  • NIST Internal or Interagency Reports (NISTIRs) describe research of a technical nature of interest to a specialized audience. The series includes interim or final reports on work performed by NIST for outside sponsors (both government and nongovernment). NISTIRs may also report results of NIST projects of transitory or limited interest, including those that will be published subsequently in more comprehensive form.

Sounds scary?  Like a mountain of documents in government-speak about security?

Navigating the documents

There is a path through this madness, but there is also a shortcut that will get you to the same place.  First of all, all the documents are in PDF format and you don’t have to pay for them.  The US taxpayers already did that.  Security guidelines are, and should be, free, as these are just guidelines.

Navigate to the NIST Special Publications (SP) page and download 3 PDF files:

  • SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations
  • SP 800-53A Rev. 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
  • SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

These 3 publications contain over 90% of what is needed to establish and maintain an effective cyber security program.  Hundreds of pages, months of work.


Using SP 800-171 as a starting point, everything is considered to be at the NIST Moderate level: 800-171’s requirements are derived from the Moderate baseline of 800-53, and the FIPS 199 “high water mark” principle means a system is categorized at the highest impact level of any security objective (confidentiality, integrity or availability) for any information it handles.  Design your own security controls around the NIST Moderate baseline.  800-53 will instruct you on what to do, and 800-53A (the A is for assessment, not audit) will give you the guidelines on how to measure your controls to determine whether they are effective in design and implementation.
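To show what the high water mark actually computes, here is an added example (mine, not NIST’s and not from the original post) that applies the FIPS 199 categorization to a constructed system and picks the matching 800-53 baseline.  The information types and their impact levels are made-up sample data; the only things taken from the standards are the three impact levels, the three security objectives and the “SC = {…}” notation.

```python
# Added example: FIPS 199 security categorization with the high water mark,
# rolled up to the SP 800-53 baseline.  The sample information types below
# are constructed data, not a real system.

from typing import Dict, Iterable, Tuple

LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {rank: name for name, rank in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def high_water_mark(levels: Iterable[str]) -> str:
    """The highest impact level among those given (the FIPS 199 / FIPS 200 rule)."""
    ranks = [LEVELS[level.lower()] for level in levels]
    if not ranks:
        raise ValueError("at least one impact level is required")
    return NAMES[max(ranks)]


def categorize_system(info_types: Dict[str, Dict[str, str]]) -> Tuple[Dict[str, str], str]:
    """Roll up per-information-type impact levels into the system category.

    Step 1: for each objective, take the high water mark across every
            information type the system handles.
    Step 2: the overall system impact is the high water mark across the
            three objectives; that is what selects the 800-53 baseline.
    """
    per_objective = {
        obj: high_water_mark(levels[obj] for levels in info_types.values())
        for obj in OBJECTIVES
    }
    return per_objective, high_water_mark(per_objective.values())


def sc_notation(per_objective: Dict[str, str]) -> str:
    """Render the FIPS 199 'SC = {(objective, IMPACT), ...}' form."""
    parts = ", ".join(f"({obj}, {per_objective[obj].upper()})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


def baseline_for(overall: str) -> str:
    """Map the overall impact level to an SP 800-53 control baseline."""
    return f"SP 800-53 {overall.capitalize()} baseline"


# Constructed sample: a system hosting public web content alongside a store
# of CUI.  The CUI is assumed to be moderate for confidentiality and integrity.
SAMPLE_SYSTEM = {
    "public web content": {"confidentiality": "low", "integrity": "low", "availability": "low"},
    "CUI records": {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
}


if __name__ == "__main__":
    per_obj, overall = categorize_system(SAMPLE_SYSTEM)
    print(sc_notation(per_obj))
    print("system impact:", overall, "->", baseline_for(overall))
```

The point the example makes is that the low-impact public content does not pull the system down: one moderate information type is enough to put the whole system, and every control in it, at the Moderate baseline.  (FIPS 199 also allows “NA” for the confidentiality of public information; that special case is left out here.)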

A security program

The traditional program of project management through to implementation won’t work in security.  NIST 800-53 is organized around “control families”, 18 in all (in Rev. 4).  On the NIST site there are specific SP documents that relate to a control family.  Don’t get too hung up on the specifics of a control family, as there is a lot of overlap in the SP documents, and one SP document may relate to all control families.

800-53 Rev. 4 refers you to the FIPS 199 document (security categorization) when implementing the RMF (Risk Management Framework) process, which is formally described in SP 800-37.  Put simply, the RMF process is like the PDCA (Plan, Do, Check, Act) cycle or any other SDLC process.  RMF just formalizes the steps and the documents to produce at each step.  Again, THIS IS A GUIDELINE!

The end goal of all of this is to ensure that NOTHING IS DONE IN SECRET: implementations, upgrades and patch management are ALWAYS done with management knowledge and approval.  This goes down to the code reviews, test plans and implementation schedules.

  • Is it cumbersome? Yes!
  • Is it a ridiculous amount of approvals? Yes!
  • And it needs to be.

Because if you have implemented the NIST Moderate baseline and have management approvals at each step, you can demonstrate that you have effective controls over your computer systems.  Make the bad guy work harder; don’t just hand them the keys.


An outlet


I’m writing this more for an outlet than anything else.  I’m an IT Guy with over 30 years in the field.  I earned a B.S. in Computer Science, an M.A. in Information Systems Management and certifications (ITIL, CISSP and CISA), so I have a general understanding of what I’m talking about.  Early on I had to make a choice between a creative or technical path.  I chose the technical, but always stayed in touch with the creative.  Today I don’t regret the choices I’ve made, just question them, as in “What the heck was I thinking?”

Today I work for a Fortune 100 company with specific responsibilities in IT security and regulatory compliance, specifically with NIST and other federal agencies.  My function is sort of a Rosetta stone of translation: translate Fed-speak into policies, procedures and action.

I hate the modern-day auditing function.  It is not helpful at all and effectively allows summary judgements to be levied without reproach.  The management functions are punitive and fearful; passing an audit is all they really care about.  Business management is scared and generally feels that having a box checked as ‘complete’ is some magic shield from which no harm will come.

My own opinion is that the Internal Audit function should be a partner to the business and act in a consultant capacity instead of judge, jury and executioner.  They should be the teacher and the strategic leader from which new and better cyber security initiatives rise.  That’s what I do.


Before 2002 every federal agency had its own IT staff, policies and procedures.  It was a huge waste of money, but it worked at the time.  In 2002, FISMA (the Federal Information Security Management Act) was signed into law.  It made the branch of the Department of Commerce known as the National Institute of Standards and Technology responsible for the security standards and guidelines for federal (non-national-security) information systems.  This wasn’t something created overnight; NIST had been developing computer security guidelines since the 1970s.  The law was the way the US went from a patchwork of independent practices to one way to do it.  This quietly did something that is rarely done.  It streamlined a government process.

Within NIST there are many departments and divisions.  The one I am going to write about is the Computer Security Division.  Keep in mind that you will not learn anything super secret here, just how to do things better.  Within the Computer Security Division there is the Computer Security Resource Center (CSRC), whose website I have linked to.  This is where we will continue next time.