Tags: Chris Mark, corporate espionage, cyberespionage, cybersecurity, Dupont, InfoSec, mark consulting group, San Francisco Chronicle, security
add a comment
Many mistakenly believe that only “high tech” secrets and intellectual property are targets for intellectual property theft. In a clear example of how any propriety secret can be considered a target, a scientist (Tse Chao) who worked for Dupont from 1966-2002 (36 years!) pleaded guilty in Federal court on Thursday to committing espionage for a company controlled by the Chinese government. Mr. Chao testified that he provided confidential information to Chines controlled Pangang Group. What did he steal? Among other things, the recipe for Dupont’s Titanium Dioxide. What is TD used in? Titanium Dioxide is the ingredient in many white products that makes the products white. Products such as paint, toothpaste, and Oreo cookie filling! Stealing the ingredients to Oreos shows just how low cyberthieves will go! According to court documents: “DuPont’s chlorine-based process was eagerly sought by China, which used a less efficient and more environmentally harmful production method”
I have worked with a number of large companies who, when asked why they did not protect trade secrets, replied that they did not believe their industry or type of product was of interest. Make no mistake. If your company has a unique process, technology, or product, it IS of interest to many companies. Unfortunately, the US Government has released reports that state that China is sponsoring much of the US and European cyber espionage.
photo from: http://www.titaniumexposed.com
Asymmetric Warfare 101 July 21, 2015Posted by Chris Mark in Risk & Risk Management, weapons and tactics.
Tags: asymmetric threats, asymmetric warfare, Chris Mark, guerrilla warfare, mark consulting group, risk management, security
1 comment so far
With the current state of affairs I thought it appropriate to ‘republish’ this blog post from 2012. You can also read the article from Secure Payments Magazine on the same topic applied to InfoSec.
Asymmetric Warfare can be described as the strategy of using weapons, tactics, and methods to render the asymmetry that exists between two adversaries as moot. Consider the US Military for a moment. Since the end of World War II, which is arguably the start of US hegemony, the United States has fielded what many believe is the most powerful conventional military in the history of the world (or at least modern world). In spite, of this fact the US, and her allies) have struggled in conflicts in Vietnam, Somalia, and most recently in Iraq, and Afghanistan. In each of these theaters it was groups of lesser-trained, relatively ill-equipped insurgents that created significant challenges to the US military. By applying guerilla tactics, and employing IEDs and other technologies, the adversaries were able to balance the perceived asymmetry between the might of the US and their own capabilities.
The US is not alone in this dubious distinction of struggling with conventionally weaker adversaries. The Soviet Union was defeated in Afghanistan in the 1980s, and a much weaker France, led by Napoleon, defeated the powerful Prussian Military. France, in turn, lost French Indochina with the coup-de-grace coming in the surrender at Dien Bein Phu in 1954. If each of these countries were militarily superior to their foes, how did they end up losing their respective wars? These examples outline the effectiveness of asymmetric warfare.
While there exist a number of different definitions of Asymmetric Warfare, in a basic sense it applies to the strategies and tactics employed by a militarily weaker opponent to take advantage of vulnerabilities in the stronger opponent. As an example, few military forces on the planet would face the US military and her allies in open combat either on land or the sea. Doing so would be certain suicide. A look at the Persian Gulf War in 1991 shows the result of taking on the military might of the Western World in open combat. The Battle of Medina Ridge is a prime example. In this battle between the US 2nd Brigade, 1st Armored Division against the Iraqi, 2nd Brigade of 2nd Medina Luminous Division the US recorded 1 killed, and 30 wounded while recording 4 tanks as being damaged. The Iraqis, meanwhile, reported “heavy manpower losses” while reporting 186 tanks destroyed and 127 Armored Fighting Vehicles destroyed.
If a militarily inferior opponent cannot face the US, or Western powers in open combat, how do they fight? It is fair to day the days of Mahanian sea battles are behind us. Quite simply, they employ strategies that render the superior military might irrelevant or at least less relevant. Guerilla warfare is an example of an asymmetric strategy against a militarily superior foe. As stated in the military classic “On Guerrilla Warfare” by Mao Tse-Tung:
“At one end of the spectrum, ranks of electronic boxes buried deep in the earth hungrily spew out endless tapes. Scientists and engineers confer in air conditioned offices; missiles are checked by intense men who move about them silently, almost reverently….in forty minutes the countdown begins.
At the other end of the spectrum, a tired man wearing a greasy felt hat, a tattered shirt, and soiled shorts is seated, his back against a tree. Barrel pressed between his knees, butt resting on the moist earth between his sandaled feet, is a browning automatic rifle. ..Draped around his neck, a sausage-like cloth tube with three day’s supply of rice…In forty minutes his group of fifteen men will occupy a previously prepared ambush.”
This is warfare today. Unfortunately, the US, and her allies have learned that technology alone cannot win a war against a determined, creative enemy.
As discussed earlier the concept of Asymmetric Warfare is a field of some debate. When applying the concept to the business, and specifically the Information Security arena, it is more appropriate to apply the concept of Asymmetric Threats posited by C.A. Primmerman. Without going through too much of the math, and modifying Primmerman’s original theory, we can state that a threat can be expressed using the following two statements:
- Adversary A could & would attack Adversary B by doing X
- Adversary B could & would respond to Adversary A by doing X.
Now we have the simple conclusion that statement (1) represents an asymmetric action if statement (2) is false, and it represents a symmetric action if statement (2) is true.
As an example of this concept working in practice, consider the following:
1a. Adversary A would attack Adversary B by using terror tactics against the civilian population.
2a. Adversary B would respond to Adversary A by terror tactics against the civilian population.
If statement 2a is false then the threat in 1a is asymmetric.
According to Pimmerman, an Asymmetric Threat must meet three criteria. These have been modified for our purposes and include:
- It must involve a weapon, tactic or strategy that the adversary both could and would use against another adversary.
- It must involve a weapon, tactic, or strategy that the would not or could not be be employed by one adversary.
- It must involve a weapon, tactic, or strategy that, if not countered, could have serious consequences. If a threat meets these three criteria, it would be considered asymmetric.
As any student of military strategy can attest, being in a purely defensive mode is a losing proposition. Unfortunately, in many instances asymmetric threats place one adversary in an almost purely defensive position. One of my favorite quotes that appears appropriately relevant now is by Julius Ceasar:
“There is no fate worse than being continuously under guard, for it means you are always afraid.”
While not intended to be a comprehensive discussion of Asymmetric Threats the basic concepts are relevant in today’s world.
Tags: compliance, Dr. Heather Mark, ESPN, Ethics, HIPAA, Jason Pierre Paul
add a comment
“HIPAA does not apply to news organizations” – ESPN Statement
Last night, a news story broke that combined two of my favorite things; compliance and American football. This is a rare occurrence, indeed. It seems that Jason Pierre Paul was celebrating the 4th of July, when he had a fireworks mishap, resulting in a major injury to his hands. As a football player that had recently been franchise-tagged, this is major news. Understandably, the sports reporters were anxious to get the story, as JPP, as he’s called, hadn’t yet signed his $14.8M dollar contract. One reporter, though, went so far as to tweet a copy of the player’s medical record, as proof of the procedure.As you can imagine, compliance professionals immediately hopped on this broadcast of Protected Health Information (PHI). This is an unscrupulous invasion of privacy, but does the tweet constitute a HIPAA breach? READ MORE.
Chris Mark in the National Review (Smearing Snipers) July 2, 2015Posted by Chris Mark in Uncategorized.
add a comment
Someone called me out for ‘not finishing SEAL training’ (I was injured and discharged on a disability)..I am still proud to be able to say I was an Active duty Marine Corps Scout/Sniper and Recon Marine…BUDS didn’t work out as I was hurt but at least I got a Combat Action Ribbon (CAR) as a Marine…;)
Originally posted on Global Security, Privacy, & Risk Management:
I was asked to write a review of the movie American Sniper. The National Review asked for a ‘sniper’s’ perspective on the movie. I asked if I could write a larger piece on how snipers are maligned as ‘hate filled killers’ and ‘murderers’. I am excited that I was given the opportunity to tell a story that is not often told. I am grateful to the National Review for providing the opportunity to give insight into the dangerous job of being a sniper. The name o the article is “Smearing Snipers; What Many Americans Don’t Get About Our Warrior Elite” If you are so inclined, please consider donating to the R&S Foundation. We are a group of volunteer former Reconnaissance Marines and Scout Snipers who work to support our brothers in need. You can donate here. Thank you for anything you can give!…
Tags: 2nd amendment, bloomberg, causality, control, correlation, everytown, firearms, giffords, gun, south carolina, violence
add a comment
It is now June 2015 and with yet another shooting in the news, the debate is again raging about gun control.
I personally believe these are healthy debates but I am often frustrated by the seemingly illogical positions taken on both sides of the debate. Last year I wrote a post titled “A Perspective on Killing from a Marine and His Rifle” in which I provide personal as well as third party information on what is required to create a ‘killer’. Adding to this I am including information that should help people better understand causality and point to the ‘actual’ cause of an event in which a firearm is used. This is taken from the research brief titled: “Failed State of Security II; Victim Blaming in CyberCrime”
With each shooting or killing the relevant question is certainly asked as to “what caused the action?” and “how could it have been prevented?” We all want to stop crime and violence but we must balance a number of issues. Irrespective of political leanings or other aspects, to get to the heart of the issue it is important to understand the “cause” of the event. Many gun control advocates posit that guns are the ’cause’ of the murder. With this in mind let’s take a look at the concept of causality.
The simple term “cause” can be deceptively complex to understand and apply. The application becomes much more difficult when applied to social issues and events where ambiguity, subjectivity, and moral and ethical aspects must be considered. While the concept of cause and causality has been studied and debated by philosophers for millennia a commonly accepted definition is still not found. It was Virgil who, in Georgics 2 in 490 said: “Felix qui potuit rerum cognoscere causas” or “blessed accomplishment theirs, who can track the causes of things”.[i] The difficulty of defining the concept of “cause” is familiar to those with an interest in philosophy or science. Without becoming a primer on the intricacies of the debate, suffice it to say that cause, like security, is necessarily contextual in nature. Within the context of Victimology, it is important to understand the distinction between identifying what a person emotionally or philosophically believes is a ‘cause’ of an event that impacts a victim and the philosophical and legal concepts of ‘cause’ as they applies to a crime.
People often ascribe blame or identify a cause of an event based upon their internal logical calculus or emotional belief as to what ’caused’ the event. Within the context of firearm violence, this is particularly true. Firearm control advocates often state that “firearms cause” violence. While not always explicit even the argument that “if they did not have a gun, this would not have happened” is an implicit nod to the idea that the firearm was the causal agent of the event. For this reason, it is important to understand the philosophical underpinnings of reasoning and how they apply to determining ‘cause’. As important is the understanding of errors in logics. Within logic, errors in either reasoning or structure are known as fallacies. With an understanding of the common fallacies that pertain to identification of cause, it is easier to understand and identify the true, or actual cause of an event. (more…)