“We Can’t Live in Castles” – FBI Official Concedes; CyberSecurity Policy is a Failure March 28, 2012
Posted by Chris Mark in Industry News, InfoSec & Privacy, Laws and Leglslation.Tags: Chris Mark, cybersecurity, deterrence theory, fbi, InfoSec, risk management, US CyberSecurity Policy
add a comment
In my Google alerts today was an article from Foxnews titled: “Retiring FBI Official Says Current US CyberSecurity Strategy ‘Unsustainable'” Shawn Henry, the FBI’s Assistant Director for CyberSecurity refers to the increasing cyber attacks on government and corporate targets and says: “We are not winning”. All I can say at this point is…WOW..again we are beating a dead horse! In 2010, I said the same thing at an InfraGard event in Salt Lake City, and RSA has said the same thing. We sound like broken records at this point. This post will likely be a bit more pointed and blunt than most but my frustration is mounting on the subject. For a shameless plug on my own research brief, please read: “A Failed State of Security” now published by IDGA.
CyberAttacks against corporates, committed by individuals are crimes. Crimes are human acts undertaking by living, breathing, thinking human beings. CyberSecurity, at its core, is about more than building castles to keep the princess protected. It is also about changing human behavior to deter the criminal behavior.
“deterrence is ultimately about decisively influencing decision making. Achieving such decisive influence requires altering or reinforcing decision makers’ perceptions of key factors they must weigh in deciding whether to act counter to (our interests) or to exercise restraint.”[1] (more…)
Now Data Thieves Steal…Credit Reports? March 27, 2012
Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.Tags: Chris Mark, credit report, cybercrime, cybersecurity, identity theft, InfoSec, MSNBC, PCI DSS, privacy
2 comments
A great story on MSNBC outlines yet another method being used by data thieves to monetize private information. According to the story, data thieves are stealing credit reports and then reselling to identity thieves. The process works like this. A data thief steals credit reports from the credit reporting agencies. Depending upon the score (higher the better) the data thief then resells the report to an identity thief who uses the report to get credit in the user’s name. Because the credit report has so much information, it makes the process of assuming someone else identity very easy. Remember, full credit reports have social security number, banks, loans, mortgages and other information. Much of authentication being used today relies upon the additional personal questions such as: “which is a bank at which you have had an account?” Most of the sites hosting the stolen reports have an .su domain which was used for the Soviet Union. According to the report, the hackers brag about how easy it is to hack into certain sites such as: AnnualCreditReport.com or CreditReport.com. Depending upon the score on the report, each report can command as much as $80 (for higher scores) or have that amount for lower scores.
This adds yet another wrinkle for people to fear.
Risk 102: “Security Ain’t Safefy”; Putting Risk In Context March 26, 2012
Posted by Chris Mark in Industry News, InfoSec & Privacy, Risk & Risk Management, terrorism.Tags: airline safety, Chris Mark, cybersecurity, mark consulting group, risk, risk management, safety, security
add a comment
In reading through the volumes of blogs, and Linkedin comments on security and risk management a common theme appeared. When talking about risk management at it applies to security there appears to be a temptation to use the same models and methodologies as those used in safety risk management. Make no mistake, safety risk management is critical and both aspects may overlap from time to time. Whether analyzing auto accident risks, designing industrial equipment or other aspect, it is important to understand and analyze the risk of the activity. The difference lies in the catalyst for the events in question. (more…)
UPDATE “Just Say No!”- to Facebook Login Request for Employment March 23, 2012
Posted by Chris Mark in Industry News, InfoSec & Privacy.Tags: cybersecurity, facebook, InfoSec & Privacy, mark consulting group, privacy, security
add a comment
UPDATE: Kudos to Facebook for weighing in on this subject. Facebook says that not only is the practice wrong, but it is a violation of Facebook’s terms of service. Echoing what I (and others) have said, logging into someone’s FB page could expose the employer to a lawsuit. “(W)e don’t think it’s right the thing to do,” she said. “But it also may cause problems for the employers that they are not anticipating. For example, if an employer sees on Facebook that someone is a member of a protected group (e.g. over a certain age, etc.) that employer may open themselves up to claims of discrimination if they don’t hire that person.”
I find myself posting on this subject occasionally because a neighbor, friend or other person will inform me that during an interview or application they were asked to provide their Facebook or other ‘social media’ login. This topic seems to arise again, and again and was again highlighted on msnbc.com. So, for those who are asking or saying: “Chris, if you have nothing to worry about, then why do you care?” Valid question. Let me answer. First, if you are looking for a job, as a responsible professional person you should take care to not post inflammatory, racist, hateful or other items on your social media. If you are a proud member of a hate group, you may want to keep that info private. Pictures of you doing drugs, or being arrested in New Orleans is also probably a bad idea. (more…)
Risk 102- Lose “A” Match but Win “THE” Game March 23, 2012
Posted by Chris Mark in Risk & Risk Management, weapons and tactics.Tags: Chris Mark, decision, force recon, mark consulting group, recon marine, risk, risk management, security, USMC
add a comment
Risk management is about decisions. Given certain information, people then make decisions that they hope will minimize the risk of a particular outcome. This post is about risk and decisions.
Years ago I was a young Marine attending the USMC’s Amphibious Reconnaissance School (ARS). Upon successfully passing the school I would be conferred with the coveted Military Occupational Specialty (MOS) of 0321- Reconnaissance Marine. Recon Marines operate in very small teams conducting various reconnaissance missions to provide intelligence to the commander. The last phase of ARS training is known as “patrolling phase”. This is where all the students put their skills to use and run back to back patrols for a week while begin graded by the instructors.
During one of the final patrols we came upon a road known in military speak as a “linear danger area” and were considering a “two man bump” and other techniques to safely cross the danger area. After having not slept for the better part of a week my mind was a bit foggy. I asked the instructor: “SSGT, if we apply these techniques can we be confident that we will cross safely?” He looked at me and said: “Mark, you can do everything by the book and exactly right and still get your entire team killed. All you can do is make tactically sound decisions and hope for some luck.” Certainly without meaning to do so, this Marine Staff Sergeant articulated the idea of risk and risk management as well as any academic. (more…)
