Tags: active, active response, Chris Mark, cybercrime, cybersecurity, data breach, data security, deterrence, fight, InfoSec & Privacy, PCI DSS, response, security
“Everyone has a plan until they’ve been hit” – Joe Lewis
Spending numerous years providing armed and unarmed physical security in combat zones, hospital emergency rooms, psychiatric wards, and anti-piracy operations off the coast of Somalia has given me a deep respect for the force continuum and the dangers of unnecessarily provoking an escalation by a volatile and dangerous adversary.
As cyberattacks continue to plague American companies as well as the payment card industry, there is a growing voice within the cybersecurity industry to allow and empower companies to take offensive action against cyber attackers. This is frequently referred to as ‘hacking back’ or ‘offensive hacking’. Several prominent security experts, as well as some companies that have fallen victim to cyberattacks, have begun advocating that ‘a good offense is the best defense’. On May 28th, 2013, there was an online discussion in which an author of the upcoming book The Active Response Continuum: Ethical and Legal Issues of Aggressive Computer Network Defense posted the following excerpt:
“There are many challenges facing those who are victimized by computer crimes, who are frustrated with what they perceive to be a lack of effective law enforcement action to protect them, and who want to unilaterally take some aggressive action to directly counter the threats to their information and information systems.” (emphasis added)
Tags: causality, cause, Chris Mark, compromise, crime, cybercrime, data breach, deterrence, hack, PCI DSS, security, Target, theft, victim blaming, victimization
I am proud to release another research brief that is Part II of my “Failed State of Security” series, in which I discuss and analyze victim blaming in the context of data security. In 2012 I published a research brief titled “A Failed State of Security: A Rational Analysis of Deterrence Theory and The Effect on CyberCrime” in which I discussed the failure of law enforcement and cybersecurity to deter cyber events, and discussed the theory of deterrence and the need for deterrence within cybersecurity. You can download the article on IDGA’s website or on my own website here. This paper is Part II of the “Failed State of Security” series. Started after the Target data breach, this topic is one that has always been close to me. In April 2009 I wrote an article titled “Lessons from the Heartland Breach” which was published as the cover story by TransactionWorld magazine.
Victim blaming is common in sexual assault, as well as other types of crimes. A quick Internet search will demonstrate scores of instances in which the victim of a violent crime is blamed for being victimized. When we include a large, corporate entity it becomes easier to point the accusatory finger at the organization. Whether due to Schadenfreude or some other reason, people want to blame companies that are victimized by hackers. Did the company “cause” the breach? Were they somehow complicit in the attack? What do we mean when we say “cause”? What is a causal fallacy? These, and many more topics, are discussed in Part II of the “Failed State of Security” series. I invite you to download “Failed State of Security Part II: Victim Blaming in Cybercrime”. As always, I welcome any comments or debate on the topic…
CyberEspionage (Again)…The Counter Terrorist Magazine
February 19, 2014. Posted by Chris Mark in Uncategorized.
Tags: AT&T, Chris Mark, cybercrime, cyberespionage, cybersecurity, PCI DSS, risk management, security
In light of the continuing attacks against companies by Eastern European organized criminal groups, I thought it appropriate to remind everyone that state-sponsored attacks are still a major issue. Here is a link to an article I wrote in The Counter Terrorist Magazine on the topic of CyberEspionage. “The economics of cyber-theft is simple: Stealing technology is far easier and cheaper than doing original research and development. It is also far less risky to the spy than historic cloak and dagger economic espionage.”
Update on Blogging and New Articles in TransactionWorld
March 8, 2013. Posted by Chris Mark in cyberespionage, cybersecurity, Industry News.
Tags: AT&T, Chris Mark, cyber security, data breach, Heather Mark, Network Exchange Blog, PCI, PCI DSS, requirements
I want to apologize for not blogging as frequently. My new job has me hopping at the moment and I am writing extensively for AT&T’s Networking Exchange Blog. You can check out my blog posts at AT&T’s Networking Exchange Blog. In addition to my own articles, there are a number of other valuable posts from other contributors. Finally, Heather Mark and I both have articles in the March edition of TransactionWorld Magazine. You can read Heather’s article here and Chris’ article here.
New Role – AT&T Consulting PCI Practice Lead!
January 4, 2013. Posted by Chris Mark in Uncategorized.
Tags: AT&T, Chris Mark, Consulting, credit card, PCI DSS, QSA, security
I am proud to announce that as of January 3, 2013 I have accepted and started a new position with AT&T Consulting. I am the new PCI Practice Lead directing the PCI DSS auditing and consulting efforts within AT&T. I am excited to work with the most experienced, professional PCI DSS experts and QSAs in the industry. I have had frequent opportunity to interact with the AT&T PCI team over the years and have been consistently impressed with their technical expertise and professionalism. Their industry-leading services are a testament to the quality of the team and the leadership that preceded me in this role. Please feel free to contact me if you have any PCI DSS needs!