jump to navigation

“August 2012 TransactionWorld Magazine” – Chris & Heather Mark’s Articles August 13, 2012

Posted by Chris Mark in cybersecurity, Data Breach, Industry News.
Tags: , , , , , , , ,
add a comment

Chris and Heather Mark both have articles in the August 2012 issue of TransactionWorld Magazine.  Chris’ is titled: “The Impact of the Fortress Mentality  & Today’s Compliance Strategies” while Heather’s is titled: “After the Compromise; Security Incident Response and Mitigating the Damage”

One note.  I apparently forgot to update my bio with the Editor in Chief so the article erroneously references me as the Executive Vice President of Data Security and Compliance for a payment processor.  You can visit Mark Consulting Group at the following: www.MarkConsultingGroup.com

“Tell me, Show me, Convince me”; Policies, Enforcement, and Auditing August 7, 2012

Posted by Chris Mark in cybersecurity, Risk & Risk Management.
Tags: , , , , , , , ,
add a comment

I was speaking with a client yesterday about policies and auditing.  He asked me a question and it reminded me of what I told my clients for years regarding policies.  First, it is important to remember that a policy is NOT a document. The document is a record of the policy that was passed and tool for disseminating the policy. It should be a reflection of the policy that has been approved by management.  Simply having a written document does not mean you have a policy.  The policy must be approved, documented, disseminated, and enforced.  Second, it is important to remember that writing and approving a policy is the easy part.  Ensuring adherence with the policy  and enforcing the policy is the difficult part.  Make no mistake.  A policy that is not enforced will not be followed for very long.  People are inherently lazy (this writer included).  We take the path of least resistance.  Policies require difficult, often inefficient methods.  Without enforcement, they will fall by the wayside.  Third;writting, approving and documenting a policy is often much easier than implementing the policy.  Consider the following example.  Company X passes a policy that requires all computer and IT users’ access be modeled on “need to know” and “model of least privilege” (standard model).  This alone requires an audit of every person’s existing privileges, as well as identification and documentation or their roles and responsibilities.  Then each role would need to have access levels documented and assigned.  As you can see, a simple one line policy statement may have deep implications.  Finally, it is important to ensure that your company adheres to the documented policies.  This is a three step process I describe as “tell me, show me, convince me”

1) Show the auditor that you have a documented policy that is updated, approved by management and disseminated to employees.

2) demonstrate to the auditor that you are currently in compliance with the policy.

3) convince the auditor that you have a history of following the policy by producing relevant documentation/evidence to show compliance over time. (last 3 months, last 6 months).

By using the tell me, show me, convince me model with policies and departments you can have confidence that your policies are being enforced, and followed.

“I know it’s true because I got it from the Internet!” – Reuters Hacked by Pro-Assad Group to publich Propaganda August 6, 2012

Posted by Chris Mark in competitive intelligence, cyberespionage, cybersecurity.
Tags: , , , , , , , ,
add a comment

Reuters acknowledged that on August 3rd, their blogging platform was hacked and a false, pro-Assad post was published.  “Reuters.com was a target of a hack on Friday,” the company said in a statement. “Our blogging platform was compromised and fabricated blog posts were falsely attributed to several Reuters journalists.”  Additionally, Reuters Twitter account was hacked and used to tweat several false, and pro-Assad messages.   While this type of propaganda has been going on for as long as news has been published, the ease of which a person or group can publish on the Internet coupled with the speed at which it can spread creates new challenges for companies.  Imagine a situation in which a company is hacked and fraudulent financial data is released before an IPO?  As the US Presidential elections ramp up, we are seeing increasing numbers of stories and claims that can only be categorized as propaganda.  In fact, unless you clicked on the links above and checked the underlying domains, you have no real confidence that this particular post is true, or accurate. 😉

It is important for companies to monitor the news that is being distributed about the organization.  I have worked at an organization where we found someone who had intentionally published misleading and malicious information in an attempt to promote a competitor.  While it did not require hacking a news system to publish the story, it is yet another area that exposes companies to unnecessary risk.

“The Rise of Cyber Espionage” – The Counter Terrorist Magazine August 5, 2012

Posted by Chris Mark in cyberespionage, cybersecurity, terrorism.
Tags: , , , , , , , , , , , ,
2 comments

UPDATE:  I want to thank The Counter Terrorist magazine staff for including attribution to the article.  They quickly corrected a mistake and the inaccuracy.  Kudos!

Chris Mark (that is me;) has an article in the June/July 2012 issue of The Counter Terrorist Magazine.  The article is titled: “The Rise of Cyber Espionage” and provides an overview of the current cyber espionage issues being faced by US businesses today.  The article covers the breach at RSA to the subsequent attacks at Lockheed Martin, General Dynamics and others as examples of the types of attacks being faced by state sponsored cyber espionage groups. While this magazine may be new for some readers of this particular blog, it in its 4th year and is filled with great information for military, law enforcement, first responders, and even businesses.  This particular issue is 76 pages of information covering Iran’s Nuclear Objectives, Cyber Espionage, First Responder Intelligence, Intelligence for Terror, and a number of great product reviews and other information.  The magazine is subscription based but if you are interested in a copy of this particular issue, leave a comment with your email and other contact information and I can forward a free ezine.

“The Fortress Mentality & Data Compromises” – Chris & Heather Mark in August 2012 TransactionWorld Magazine July 31, 2012

Posted by Chris Mark in cybersecurity, Data Breach.
Tags: , , , , , , , , ,
add a comment

This month’s TransactionWorld magazine includes an article by me (Chris Mark) titled: “The Impact Of the Fortress Mentality and Today’s Compliance Strategies”.  The article discusses, among other things, the Global Payments breach, PCI DSS compliance, and provides an overview and opinion on today’s focus on compliance with static standards as opposed to risk based information security.  One important note. I neglected to send an updated BIO to the editor so it still references my position at ProPay.  I have not worked at ProPay for over a year 😉  You can read more about my company Mark Consulting Group at www.MarkConsultingGroup.com.

Heather Mark is also in this month’s TransactionWorld with an article titled: “After the Compromise: Incident Response Plans and Mitigating the Damage”  Heather speaks about data compromises and provides good insight into strategies companies can employ to minimize the impact of such breaches.