“The Rise of Cyber Espionage” – The Counter Terrorist Magazine August 5, 2012

Posted by Chris Mark in cyberespionage, cybersecurity, terrorism.

UPDATE:  I want to thank The Counter Terrorist magazine staff for including attribution to the article.  They quickly corrected a mistake and the inaccuracy.  Kudos!

Chris Mark (that is me ;) has an article in the June/July 2012 issue of The Counter Terrorist Magazine. The article is titled “The Rise of Cyber Espionage” and provides an overview of the current cyber espionage issues being faced by US businesses today. The article covers the breach at RSA through the subsequent attacks at Lockheed Martin, General Dynamics and others as examples of the types of attacks being carried out by state-sponsored cyber espionage groups. While this magazine may be new for some readers of this particular blog, it is in its 4th year and is filled with great information for military, law enforcement, first responders, and even businesses. This particular issue is 76 pages of information covering Iran’s Nuclear Objectives, Cyber Espionage, First Responder Intelligence, Intelligence for Terror, and a number of great product reviews and other information. The magazine is subscription based, but if you are interested in a copy of this particular issue, leave a comment with your email and other contact information and I can forward a free ezine.

“The Fortress Mentality & Data Compromises” – Chris & Heather Mark in August 2012 TransactionWorld Magazine July 31, 2012

Posted by Chris Mark in cybersecurity, Data Breach.

This month’s TransactionWorld magazine includes an article by me (Chris Mark) titled “The Impact Of the Fortress Mentality and Today’s Compliance Strategies”. The article discusses, among other things, the Global Payments breach and PCI DSS compliance, and provides an overview and opinion on today’s focus on compliance with static standards as opposed to risk-based information security. One important note: I neglected to send an updated bio to the editor, so it still references my position at ProPay. I have not worked at ProPay for over a year 😉 You can read more about my company Mark Consulting Group at www.MarkConsultingGroup.com.

Heather Mark is also in this month’s TransactionWorld with an article titled “After the Compromise: Incident Response Plans and Mitigating the Damage”. Heather speaks about data compromises and provides good insight into strategies companies can employ to minimize the impact of such breaches.

“NSA Says – Largest Transfer of Wealth…EVER”; CyberAttacks rose 44% in 2011 July 10, 2012

Posted by Chris Mark in cybersecurity, Industry News.

Parroting what many in the payments industry have known for years, the NSA released a statement about the dire state of cybersecurity. According to the head of the National Security Agency, cyberattacks increased 44% in 2011 and now account for the largest “transfer of wealth in history”. According to FoxNews:

“NSA chief Keith Alexander was speaking Monday at an American Enterprise Institute event in Washington, D.C.  He said that for every company that knows it has been hacked, another 100 do not know their systems have been breached. (emphasis added) The warning came on the same day that thousands of computer users were at risk of losing Internet access, due to malware that spread more than a year ago. Citing public and unclassified statistics, Alexander said Monday there are now 75 million unique pieces of malware on the loose.”

Those of us who have been in the industry for years have said that we are ‘losing the war’. I have personally been chastised for making such doom and gloom statements. The facts are the facts, however. Hiding our heads in the sand will not change the fact that “The criminals are absolutely ripping us to shreds,” and that “We’re losing the battle... That’s the reality of it.” (Chris Mark quoted in the Salt Lake Tribune; pic at top). In yet another push at self-promotion, you can read one reason we are losing the battle in the IDGA research brief “A Failed State of Security”.

“Are You Eating a Rotten Apple?” – Personal Data May have Been Exposed in Global Payments Breach July 9, 2012

Posted by Chris Mark in cybersecurity, Data Breach, Industry News, InfoSec & Privacy, PCI DSS, Risk & Risk Management.

Let me preface this post by saying this is not intended to take shots at either Global Payments or the PCI DSS.  Rather, this post is intended to generate discussion and discourse on the topic of compliance and risk management.

According to reports, it seems that the Global Payments data breach may have exposed more than payment card data. In a June 12 update posted to its breach microsite, Global says hackers may have gained access to servers containing personal information collected from a subset of merchant customers.

“The company will notify potentially affected individuals in the coming days with helpful information and make available credit monitoring and identity protection insurance at no cost,” Global says. “The notifications are unrelated to cardholder data and pertain to individuals associated with a subset of the company’s U.S. merchant applicants.”

Based upon this statement it seems fair to assume that Personally Identifiable Information (PII) such as Social Security numbers and bank account information may have been exposed as well.

This situation exposes the danger of using a narrowly focused, static standard as the baseline of security management rather than adopting a risk-based approach to data security. I have personally conducted over 100 PCI DSS audits and have seen first hand the resources consumed by the standard. Companies often appear so laser focused upon protecting payment card data that other systems and data may take a back seat in the pursuit of “PCI DSS compliance.” As there are significant penalties associated with non-compliance, it is difficult to blame the merchant or service provider. The penalties are designed to compel compliance with the standard. As such, companies are going to give precedence to the PCI DSS over any other standard that does not have equivalent penalties associated with non-compliance.

As a reminder, the PCI DSS is ONLY focused on the protection of Cardholder Data. Surely some are going to say that the PCI DSS should be applied across all systems, etc., etc. This is great in theory but does not happen in practice. Companies take great pains to minimize their cardholder data environment specifically to lessen the compliance burden.

I am sure we will continue to see breaches of payment card companies having PII exposed as companies focus on PCI to the exclusion of risk based security management.

“Let’s Talk Data Security” – Heather Mark in July 2012 Greensheet & TransactionWorld July 9, 2012

Posted by Chris Mark in cybersecurity, Data Breach, Laws and Legislation, News, PCI DSS.

Heather Mark is interviewed in the July 2012 issue of Greensheet in the article titled “Expert Advice on Security Defense and Planning”. The article discusses strategies for preventing and dealing with data breaches within the payment card industry. Additionally, Heather has an article in TransactionWorld titled “New School vs. Old School: Security and Emerging Technologies”. You can catch Heather’s articles every month in Transaction World Magazine.