Thank You for 1,000,000 Views! January 26, 2016Posted by Chris Mark in Uncategorized.
Tags: 1 million views, Chris Mark, InfoSec, PCI DSS, security
1 comment so far
I was just notified that the GlobalRiskInfo blog just had it’s 1 millionth view with over 850,000 visitors! I want to give a big “Thank You!” to everyone that has taken the time to read my inane drivel and for those who take the time to comment! This is simply a labor of love and I am grateful for the support. This started 4 years ago and I have published 404 blog posts. While some have been big hits others have not. Regardless..thank you!
Tags: Chris Mark, corporate espionage, cyberespionage, cybersecurity, Dupont, InfoSec, mark consulting group, San Francisco Chronicle, security
add a comment
Many mistakenly believe that only “high tech” secrets and intellectual property are targets for intellectual property theft. In a clear example of how any propriety secret can be considered a target, a scientist (Tse Chao) who worked for Dupont from 1966-2002 (36 years!) pleaded guilty in Federal court on Thursday to committing espionage for a company controlled by the Chinese government. Mr. Chao testified that he provided confidential information to Chines controlled Pangang Group. What did he steal? Among other things, the recipe for Dupont’s Titanium Dioxide. What is TD used in? Titanium Dioxide is the ingredient in many white products that makes the products white. Products such as paint, toothpaste, and Oreo cookie filling! Stealing the ingredients to Oreos shows just how low cyberthieves will go! According to court documents: “DuPont’s chlorine-based process was eagerly sought by China, which used a less efficient and more environmentally harmful production method”
I have worked with a number of large companies who, when asked why they did not protect trade secrets, replied that they did not believe their industry or type of product was of interest. Make no mistake. If your company has a unique process, technology, or product, it IS of interest to many companies. Unfortunately, the US Government has released reports that state that China is sponsoring much of the US and European cyber espionage.
photo from: http://www.titaniumexposed.com
Getting into Information Assurance Careers June 2, 2015Posted by Chris Mark in Uncategorized.
Tags: Chris Mark, CIPP, CISSP, Consulting, cybersecurity, InfoSec, privacy, SANS
add a comment
I have had a number of folks email me asking about becoming an InfoSec worker so I am writing this post to (hopefully) help those who are interested. In 2001, I landed in InfoSec by pure luck and I have never looked back. It is an amazing field and a great career path. First..for some marketing. According to the InfoSec Institute, the average CISSP Salary in 2014 is over $100,000 per year. In 2013 there were 209,000 job postings for CyberSecurity Jobs and it is estimated that in 2015, there are 40,000 more jobs than people to take them. In short, it is a very high demand field.
InfoSec? CyberSecurity? Information Assurance? WHAT?
It is even confusing to me sometimes. At a high level I use the term Information Assurance as it encompasses all of the elements of protecting data. This includes data security (protecting data), CyberSecurity (protecting the systems, and infrastructure), Privacy (appropriate use of information) and Compliance (ensuring your company complies with relevant regulations) and Risk Management (evaluating the security risk of your organization). While this short post does not allow for a more comprehensive overview, these are the generic ‘pillars’ that we consider.
What types of Jobs are Out There? (more…)
Chris Mark in February 2014 SC Magazine “The Need & the Challenge” February 14, 2014Posted by Chris Mark in Uncategorized.
Tags: AT&T, Chris Mark, cybercrime, information security, InfoSec, SCMagazine, security
add a comment
Chris Mark’s (this author) article “The Need and the Challenge” has been published in the February, 2014 edition of Secure Computing Magazine. The article focuses upon the need to define the term ‘security’ and the challenge associated with denoting such a term. Here is an intro “While used every day, the term “security” can be deceptively difficult to define and may contain various meanings to different people in divergent contexts. The industry at large seems to have adopted a stance of “I know it when I see it,” as opposed to objectively defining the concept. Unfortunately, this creates numerous problems for those who have a need to ‘secure’ data, or any other asset.” Continue reading here!
“Do as I say, Not as I do”…General Services Administration (GSA) Exposes Personal Data March 16, 2013Posted by Chris Mark in Uncategorized.
Tags: cyber security directive 23, cybersecurity, data breach, data security, GSA, InfoSec, SAM
add a comment
The infamous GSA, who in 2012, was identified for gross fraud, waste, and abuse, sent an email today disclosing to me, and every other company that has participated in Government contracting that the System for Award Management (SAM) system had a vulnerability that exposed sensitive data. Here is a copy of the email I recieved today: (bold is my emphasis)..Before I go into more detail, I would personally like to thank the GSA for exposing my bank account data and SS# through their blind incompetence. At least they “apologized” in their email.
Dear SAM user
The General Services Administration (GSA) recently has identified a security vulnerability in the System for Award Management (SAM), which is part of the cross-government Integrated Award Environment (IAE) managed by GSA. Registered SAM users with entity administrator rights and delegated entity registration rights had the ability to view any entity’s registration information, including both public and non-public data at all sensitivity levels.
Immediately after the vulnerability was identified, GSA implemented a software patch to close this exposure. As a precaution, GSA is taking proactive steps to protect and inform SAM users.
The data contained identifying information including names, taxpayer identification numbers (TINs), marketing partner information numbers and bank account information. As a result, information identifiable with your entity registered in SAM was potentially viewable to others.
Registrants using their social security numbers instead of a TIN for purposes of doing business with the federal government may be at greater risk for potential identity theft. These registrants will receive a separate email communication regarding credit monitoring resources available to them at no charge.
In the meantime, we wanted you to be aware of certain steps that all SAM users may want to take to protect against identity theft and financial loss. Specific information is available at www.gsa.gov/samsecurity. If you would like additional background or have questions, you may call 1-800-FED-INFO (1-800-333-4636), from 8 a.m. to 8 p.m. (ET), Monday-Friday starting Monday, March 18. We recommend that you monitor your bank accounts and notify your financial institution immediately if you find any discrepancies.
We apologize for any inconvenience or concern this situation may cause. We believe it is important for you to be fully informed of any potential risk resulting from this situation. The security of your information is a critical priority to this agency and we are working to ensure the system remains secure. We will keep you apprised of any further developments.”
Interestingly, the FAQ posted on their website does not indicate how long the data was exposed. Since SAM went into effect over a year ago, I am guessing that the vulnerability had been in place for at least a year.
Maybe, just maybe, instead of sending GSA employees to ‘cooking class’, and funding parties in Hawaii, the Federal Government should focus on protecting the data to which it is entrusted. The Federal Government recently passed a CyberSecurity directive…again, maybe they should focus on cleaning their own house.