jump to navigation

Chris Mark speaking at Secura Risk Management Fall Forum (Oct 28-29) October 24, 2015

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , , , , ,
add a comment

SecuraIf you are a bank, credit union, or work for one and want to listen to me (Chris) speak and are looking for a reason to go to beautiful Charleston, South Carolina..check out the Secura Fall Risk Management Forum!  Yours Truly will be speaking on CyberCrime and the DarkNet as well as EMV “Chip & PIN” (a misnomer but…I will not discuss here).  Should be a great event and will be in one of my favorite US cities…Charleston, South Carolina!..I have not had an opportunity to speak at a Secura event yet but they appear to be very well put together and the agenda looks very compelling.  Also, if you didn’t have a chance to attend the AT&T Cyber Security Conference in NYC, you can watch a replay of the event here!  You can see me on the ‘big stage’ talking with Jamie Wallace on Mobile Security.  It was a great event with top shelf speakers…(notice that I am rocking my Recon Jack to represent the USMC Recon Community!)

Dupont’s Titanium Oxide Color Recipe- Stolen for Chinese Advantage July 22, 2015

Posted by Chris Mark in Industry News, InfoSec & Privacy, Risk & Risk Management.
Tags: , , , , , , , ,
add a comment

Oddly (to me anyhow) this is the 2nd most  popular post on my blog!  It was written over 3 years ago but since it gets so much traffic I thought I should re-post.  Here it is in 2015!

Many mistakenly believe that only “high tech” secrets and intellectual property are targets for intellectual property theft.  In a clear example of how any propriety secret can be considered a target, a scientist (Tse Chao) who worked for Dupont from 1966-2002 (36 years!) pleaded guilty in Federal court on Thursday to committing espionage for a company controlled by the Chinese government.  Mr. Chao testified that he provided confidential information to Chines controlled Pangang Group. What did he steal? Among other things, the recipe for Dupont’s Titanium Dioxide.  What is TD used in?  Titanium Dioxide is the ingredient in many white products that makes the products white.  Products such as paint, toothpaste, and Oreo cookie filling!  Stealing the ingredients to Oreos shows just how low cyberthieves will go!   According to court documents: “DuPont’s chlorine-based process was eagerly sought by China, which used a less efficient and more environmentally harmful production method”

I have worked with a number of large companies who, when asked why they did not protect trade secrets, replied that they did not believe their industry or type of product was of interest.  Make no mistake.  If your company has a unique process, technology, or product, it IS of interest to many companies.  Unfortunately, the US Government has released reports that state that China is sponsoring much of the US and European cyber espionage.

photo from: http://www.titaniumexposed.com

Asymmetric Warfare 101 July 21, 2015

Posted by Chris Mark in Risk & Risk Management, weapons and tactics.
Tags: , , , , , ,
1 comment so far

With the current state of affairs I thought it appropriate to ‘republish’ this blog post from 2012. You can also read the article from Secure Payments Magazine on the same topic applied to InfoSec.

Asymmetric Warfare can be described as the strategy of using weapons, tactics, and methods to render the asymmetry that exists between two adversaries as moot.  Consider the US Military for a moment.  Since the end of World War II, which is arguably the start of US hegemony, the United States has fielded what many believe is the most powerful conventional military in the history of the world (or at least modern world).  In spite, of this fact the US, and her allies) have struggled in conflicts in Vietnam, Somalia, and most recently in Iraq, and Afghanistan.  In each of these theaters it was groups of lesser-trained, relatively ill-equipped insurgents that created significant challenges to the US military.  By applying guerilla tactics, and employing IEDs and other technologies, the adversaries were able to balance the perceived asymmetry between the might of the US and their own capabilities.

The US is not alone in this dubious distinction of struggling with conventionally weaker adversaries.  The Soviet Union was defeated in Afghanistan in the 1980s, and a much weaker France, led by Napoleon, defeated the powerful Prussian Military.  France, in turn, lost French Indochina with the coup-de-grace coming in the surrender at Dien Bein Phu in 1954.  If each of these countries were militarily superior to their foes, how did they end up losing their respective wars?  These examples outline the effectiveness of asymmetric warfare.

While there exist a number of different definitions of Asymmetric Warfare, in a basic sense it applies to the strategies and tactics employed by a militarily weaker opponent to take advantage of vulnerabilities in the stronger opponent.  As an example, few military forces on the planet would face the US military and her allies in open combat either on land or the sea.  Doing so would be certain suicide.  A look at the Persian Gulf War in 1991 shows the result of taking on the military might of the Western World in open combat.  The Battle of Medina Ridge is a prime example.  In this battle between the US 2nd Brigade, 1st Armored Division against the Iraqi, 2nd Brigade of 2nd Medina Luminous Division the US recorded 1 killed, and 30 wounded while recording 4 tanks as being damaged.  The Iraqis, meanwhile, reported “heavy manpower losses” while reporting 186 tanks destroyed and 127 Armored Fighting Vehicles destroyed.

If a militarily inferior opponent cannot face the US, or Western powers in open combat, how do they fight?  It is fair to day the days of Mahanian sea battles are behind us.  Quite simply, they employ strategies that render the superior military might irrelevant or at least less relevant.  Guerilla warfare is an example of an asymmetric strategy against a militarily superior foe.  As stated in the military classic “On Guerrilla Warfare” by Mao Tse-Tung:

“At one end of the spectrum, ranks of electronic boxes buried deep in the earth hungrily spew out endless tapes.  Scientists and engineers confer in air conditioned offices; missiles are checked by intense men who move about them silently, almost reverently….in forty minutes the countdown begins.

At the other end of the spectrum, a tired man wearing a greasy felt hat, a tattered shirt, and soiled shorts is seated, his back against a tree.  Barrel pressed between his knees, butt resting on the moist earth between his sandaled feet, is a browning automatic rifle. ..Draped around his neck, a sausage-like cloth tube with three day’s supply of rice…In forty minutes his group of fifteen men will occupy a previously prepared ambush.”

This is warfare today.  Unfortunately, the US, and her allies have learned that technology alone cannot win a war against a determined, creative enemy.

As discussed earlier the concept of Asymmetric Warfare is a field of some debate.  When applying the concept to the business, and specifically the Information Security arena, it is more appropriate to apply the concept of Asymmetric Threats posited by C.A. Primmerman.  Without going through too much of the math, and modifying Primmerman’s original theory, we can state that a threat can be expressed using the following two statements:

  1. Adversary A could & would attack Adversary B by doing X
  2. Adversary B could & would respond to Adversary A by doing X.

Now we have the simple conclusion that statement (1) represents an asymmetric action if statement (2) is false, and it represents a symmetric action if statement (2) is true.

As an example of this concept working in practice, consider the following:

1a. Adversary A would attack Adversary B by using terror tactics against the civilian population.

2a.  Adversary B would respond to Adversary A by terror tactics against the civilian population.

If statement 2a is false then the threat in 1a is asymmetric.

According to Pimmerman, an Asymmetric Threat must meet three criteria.  These have been modified for our purposes and include:

  1. It must involve a weapon, tactic or strategy that the adversary both could and would use against another adversary.
  2. It must involve a weapon, tactic, or strategy that the would not or could not be be employed by one adversary.
  3. It must involve a weapon, tactic, or strategy that, if not countered, could have serious consequences. If a threat meets these three criteria, it would be considered asymmetric.

As any student of military strategy can attest, being in a purely defensive mode is a losing proposition.  Unfortunately, in many instances asymmetric threats place one adversary in an almost purely defensive position.  One of my favorite quotes that appears appropriately relevant now is by Julius Ceasar:

“There is no fate worse than being continuously under guard, for it means you are always afraid.”

While not intended to be a comprehensive discussion of Asymmetric Threats the basic concepts are relevant in today’s world.

超限战 – “Warfare without Bounds”; China’s Hacking of the US June 11, 2015

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , , ,
add a comment


“Pleased to meet you…hope you guessed my name…But what’s puzzling you is the nature of my game.”
– The Rolling Stones; Sympathy for the Devil

With the recent US Government’s acknowledgement of China’s hacking of numerous government websites and networks, many are likely wondering why China would have an interest in stealing employee data?  To answer this question, we need to look back at the 1991 Gulf War. You can read my 2013 Article (WorldCyberwar) in the Counter Terrorist Magazine on this subject.

In 1991, a coalition led by the United States invaded Iraq in defense of Kuwait.  At the time Iraq had the 5th largest standing army in the world.  The US led coalition defeated the Iraqi army in resounding fashion in only 96 hours.  For those in the United States the victory was impressive but the average American civilian did not have an appreciation for how this victory was accomplished.

The Gulf War was the first real use of what is known as C4I.  In short, C4I is an acronym for Command, Control, Communications, Computers, and Intelligence. The Gulf War was the first use of a new technology known as Global Positioning Systems (GPS).  The Battle of Medina Ridge was a decisive tank battle in Iraq fought on February 26, 1991 and the first to use GPS.  In this 40 minute battle, the US 1st Armored Division fought the 2nd Brigade of the Iraqi Republican Guard and won decisively. While the US lost 4 tanks and had 2 people killed, the Iraqis suffered a loss of 186 tanks, 127 Infantry Fighting Vehicles and 839 soldiers captured.  The Chinese watched the Gulf War closely and came away with an understanding that a conventional ‘linear’ war against the United States was unwinnable.

After the Gulf War the Chinese People’s Liberation Army tasked two PLA colonels (Qiao Liang and Wang Xiangsui) with redefining the concept of warfare.  From this effort came a new model of Warfare that is published in the book “Unrestricted Warfare” or “Warfare without Bounds”.  Unrestricted Warfare is just what it sound like.  The idea that ‘pseudo-wars’ can be fought against an enemy.  Information warfare, PR efforts and other tactics are used to undermine and enemy without engaging in kinetic, linear battle.  Below is a quote from the book:

“If we acknowledge that the new principles of war are no longer “using armed force to compel the enemy to submit to one’s will,” but rather are “using all means including armed force and non-armed force, military and non-military, lethal and non-lethal means to compel the enemy to accept one’s interests.”

“As we see it, a single man-made stock-market crash, a single computer virus invasion, or a single rumor or scandal that results in a fluctuation in the enemy country’s exchange rates or exposes the leaders of an enemy country on the Internet, all can be included in the ranks of new-concept weapons.”

It further stated: “… a single rumor or scandal that results in fluctuation in the enemy country’s exchange rates…can be included in the ranks of new concept weapons.”

On April 15, 2011, the US Congressional Subcommittee on Oversight and Investigations conducted a hearing on Chinese cyber-espionage. The hearing revealed the US government’s awareness of Chinese cyberattacks. In describing the situation in his opening remarks, subcommittee chairperman Dana Rohrbacher* astutely stated:

“[The]United States is under attack.”

“The Communist Chinese Government has defined us as the enemy. It is buying, building and stealing whatever it takes to contain and destroy us. Again, the Chinese Government has defined us as the enemy.”

Given the Chinese perspective on Unlimited Warfare, it becomes much more clear that what we are seeing with the compromises are examples of ‘pseudo wars’ being fought by the Chinese.  It will be interesting to see how or if the US responds.

*thank you to the reader who corrected my referencing Mr. Rohrbacher as a female.  My apologies to Chairman Rohrbacher!

Getting into Information Assurance Careers June 2, 2015

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , ,
add a comment

March coverI have had a number of folks email me asking about becoming an InfoSec worker so I am writing this post to (hopefully) help those who are interested.  In 2001, I landed in InfoSec by pure luck and I have never looked back.  It is an amazing field and a great career path.  First..for some marketing.  According to the InfoSec Institute, the average CISSP Salary in 2014 is over $100,000 per year.  In 2013 there were 209,000 job postings for CyberSecurity Jobs and it is estimated that in 2015, there are 40,000 more jobs than people to take them.  In short, it is a very high demand field.

InfoSec?  CyberSecurity? Information Assurance?  WHAT?

It is even confusing to me sometimes.  At a high level I use the term Information Assurance as it encompasses all of the elements of protecting data.  This includes data security (protecting data), CyberSecurity (protecting the systems, and infrastructure), Privacy (appropriate use of information) and Compliance (ensuring your company complies with relevant regulations) and Risk Management (evaluating the security risk of your organization).  While this short post does not allow for a more comprehensive overview, these are the generic ‘pillars’ that we consider.

What types of Jobs are Out There? (more…)


Get every new post delivered to your Inbox.

Join 303 other followers

%d bloggers like this: