Getting into Information Assurance Careers June 2, 2015Posted by Chris Mark in Uncategorized.
Tags: Chris Mark, CIPP, CISSP, Consulting, cybersecurity, InfoSec, privacy, SANS
add a comment
I have had a number of folks email me asking about becoming an InfoSec worker so I am writing this post to (hopefully) help those who are interested. In 2001, I landed in InfoSec by pure luck and I have never looked back. It is an amazing field and a great career path. First..for some marketing. According to the InfoSec Institute, the average CISSP Salary in 2014 is over $100,000 per year. In 2013 there were 209,000 job postings for CyberSecurity Jobs and it is estimated that in 2015, there are 40,000 more jobs than people to take them. In short, it is a very high demand field.
InfoSec? CyberSecurity? Information Assurance? WHAT?
It is even confusing to me sometimes. At a high level I use the term Information Assurance as it encompasses all of the elements of protecting data. This includes data security (protecting data), CyberSecurity (protecting the systems, and infrastructure), Privacy (appropriate use of information) and Compliance (ensuring your company complies with relevant regulations) and Risk Management (evaluating the security risk of your organization). While this short post does not allow for a more comprehensive overview, these are the generic ‘pillars’ that we consider.
What types of Jobs are Out There? (more…)
Chris Mark in February 2014 SC Magazine “The Need & the Challenge” February 14, 2014Posted by Chris Mark in Uncategorized.
Tags: AT&T, Chris Mark, cybercrime, information security, InfoSec, SCMagazine, security
add a comment
Chris Mark’s (this author) article “The Need and the Challenge” has been published in the February, 2014 edition of Secure Computing Magazine. The article focuses upon the need to define the term ‘security’ and the challenge associated with denoting such a term. Here is an intro “While used every day, the term “security” can be deceptively difficult to define and may contain various meanings to different people in divergent contexts. The industry at large seems to have adopted a stance of “I know it when I see it,” as opposed to objectively defining the concept. Unfortunately, this creates numerous problems for those who have a need to ‘secure’ data, or any other asset.” Continue reading here!
“Do as I say, Not as I do”…General Services Administration (GSA) Exposes Personal Data March 16, 2013Posted by Chris Mark in Uncategorized.
Tags: cyber security directive 23, cybersecurity, data breach, data security, GSA, InfoSec, SAM
add a comment
The infamous GSA, who in 2012, was identified for gross fraud, waste, and abuse, sent an email today disclosing to me, and every other company that has participated in Government contracting that the System for Award Management (SAM) system had a vulnerability that exposed sensitive data. Here is a copy of the email I recieved today: (bold is my emphasis)..Before I go into more detail, I would personally like to thank the GSA for exposing my bank account data and SS# through their blind incompetence. At least they “apologized” in their email.
Dear SAM user
The General Services Administration (GSA) recently has identified a security vulnerability in the System for Award Management (SAM), which is part of the cross-government Integrated Award Environment (IAE) managed by GSA. Registered SAM users with entity administrator rights and delegated entity registration rights had the ability to view any entity’s registration information, including both public and non-public data at all sensitivity levels.
Immediately after the vulnerability was identified, GSA implemented a software patch to close this exposure. As a precaution, GSA is taking proactive steps to protect and inform SAM users.
The data contained identifying information including names, taxpayer identification numbers (TINs), marketing partner information numbers and bank account information. As a result, information identifiable with your entity registered in SAM was potentially viewable to others.
Registrants using their social security numbers instead of a TIN for purposes of doing business with the federal government may be at greater risk for potential identity theft. These registrants will receive a separate email communication regarding credit monitoring resources available to them at no charge.
In the meantime, we wanted you to be aware of certain steps that all SAM users may want to take to protect against identity theft and financial loss. Specific information is available at www.gsa.gov/samsecurity. If you would like additional background or have questions, you may call 1-800-FED-INFO (1-800-333-4636), from 8 a.m. to 8 p.m. (ET), Monday-Friday starting Monday, March 18. We recommend that you monitor your bank accounts and notify your financial institution immediately if you find any discrepancies.
We apologize for any inconvenience or concern this situation may cause. We believe it is important for you to be fully informed of any potential risk resulting from this situation. The security of your information is a critical priority to this agency and we are working to ensure the system remains secure. We will keep you apprised of any further developments.”
Interestingly, the FAQ posted on their website does not indicate how long the data was exposed. Since SAM went into effect over a year ago, I am guessing that the vulnerability had been in place for at least a year.
Maybe, just maybe, instead of sending GSA employees to ‘cooking class’, and funding parties in Hawaii, the Federal Government should focus on protecting the data to which it is entrusted. The Federal Government recently passed a CyberSecurity directive…again, maybe they should focus on cleaning their own house.
“SpyGames” – Global Cyber Espionage Ring Discovered January 15, 2013Posted by Chris Mark in Uncategorized.
Tags: Chris Mark, cyberespionage, information security, InfoSec, Kaspersky, mark consulting group, Stuxnet
add a comment
In an article published today in RT Magazine, it was disclosed that recently Russia’ Kaspersky labs uncovered. “A sophisticated cyber-espionage network targeting the world’s diplomatic, government and research agencies, as well as gas and oil industries…” “The majority of infections are actually from the embassies of ex-USSR country members located in various regions such as Western Europe and even in North America – in the US we have few infections as well. But most infections are concentrated around Russia,” Vitaly Kamluk, chief malware expert at Kasperky Lab, told RT, adding that in Europe, the hardest-hit countries are apparently Beligum and Switzerland. Kaspersky is also the company that identified Stuxnet, Flame, and Duqu malware.
According to the article: “The hackers’ primary objective is to gather information and documents that could compromise the security of governments, corporations or other organizations and agencies. In addition to focusing on diplomatic and governmental agencies around the world, the hackers also attacked energy and nuclear groups, and trade and aerospace targets.”
In August, 2012, I published an article in The Counter Terrorist Magazine titled: “The Rise of CyberEspionage” which outlines the International efforts to steal data from Western nations. Unfortunately, while many companies are busy trying to protect NPI, PII etc. advanced efforts are being undertaken to steal their intellectual property. Stay tuned for a February 2013 article in The Counter Terrorist, as well!
Chris Mark in Jan 2013 TransactionWorld: “Only Certainies are Death, Taxes, and PCI DSS.” January 2, 2013Posted by Chris Mark in Uncategorized.
Tags: Chris Mark, data breach, Heather Mark, InfoSec, mastercard, PCI DSS, security, transactionworld, TSYS, visa
add a comment
Chris Mark (this guy with two thumbs) is in the January 2013 edition of TransactionWorld Magazine. You can read my article titled: “In 2013 the only certainties are Death, Taxes, and the PCI DSS” in which I opine about the need for PCI DSS and other security standards as we enter 2013. The bio on the article is not accurate and still references an old position I had at ProPay. That being said, ProPay is a great company for which I was fortunate and proud to have worked, a company at which my illustrious wife, Dr. Heather Mark still works, and a company who deserve a big Congrats for being acquired by TSYS!..all in all…no harm, no foul.