Rant Alert- Security Neophytes January 30, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.
Like others who read this blog, I have worked in several areas of security over the years including physical security and information assurance.  Irrespective of the domain of security in which you work, the underlying principles are similar. Risk management, defense in depth, and incident response are common principles in all areas of security though the implementation may differ.  Security is a discipline that, like any discipline, requires study and experience to become proficient.  Physical security is about more than holding a gun and information assurance is about more than having a firewall.

I recently came across the website of a company that states in no uncertain terms that they are experts in cybersecurity (and several other domains).  To demonstrate their “industry leading” expertise they state that they can manage ‘various firewalls’ and that they have experience with ‘intrusion detection systems’. Really? This is expertise?  While we shake our heads at their approach, some company will hire them because they can offer services at lower rates (due to the lack of actual expertise) and there will be the inevitable incident.  It is this amateur approach to security that results in companies being hacked in the information assurance business and people being arrested or killed in the maritime security arena.

For whatever reason, every Tom, Dick or Harry (or Sally) that has ever carried a rifle or worked for the government believes that he or she is now a “security professional”. Unfortunately, these companies make their way into the various industries and create issues for those professional organizations that have actual expertise borne of hard-earned experience and have paid their dues to understand the issues and understand their discipline.

Completing the puzzle; Part 2- Checking on people January 28, 2012

Posted by Chris Mark in Risk & Risk Management.
OK. In part one we talked about how to research companies a bit.  Now we move on to people.  Once you have taken a look at the company, you will find the principals.  You want to ensure the principals are on the up and up.  Here is a way to start your search.

1) Check civil records.  In the US all lawsuits etc. are public record.  Do a Google search and you will find a number of places that list civil lawsuits.  Many states will provide access for free while some states are more difficult to access and you are better served to use a third party.  Either way, it is worth the effort.  Start with the state in which the company is incorporated OR where it has its headquarters.  In the US many companies incorporate in Delaware (don’t ask…another blog post).  Also check the state in which the principal resides or where they list the HQ.

2) Check military records.  Some people are surprised to find that you can actually get military records on people that have been discharged.  It is completely legal and is your right under the US Freedom of Information Act (FOIA).  Any US citizen can request a DD214 for ANY former military member and it will be provided.  Here is a link.  Unfortunately there are always those Walter Mittys (thank you Will McManus for the phrase) that will embellish their military records or flat out lie about what they claim to have done.  In the US, it is relatively easy to check.  Under the FOIA you can get a redacted DD214 (discharge paperwork) that shows units served, dates, occupational specialties, schools attended, and awards.  If they claim to have a Navy Cross, you can check to see if they are lying.

3) Monster.com and LinkedIn.  I am always amazed at how many people will not cross-reference their own LinkedIn or Monster resume.  Find their profile on LinkedIn and Monster.com AND take a screenshot.  Why?  Experience shows that when people find someone is snooping, they will “update” their profiles to remove any references in which they were less than truthful.  By taking a screenshot, you have the evidence.

4) Check corporate records.  As I outlined in the first part of the post, check company records.  If someone claims to have owned a company since 1988 and you find that the dates overlap with their LinkedIn profile showing they were working at McDonalds, you have to question how they could both work at Mickie D’s and own a business.

5) Google, Google, and Google some more 😉  See the previous post.

It is amazing what you can find on individuals with a little work.  All of the information shown above is in the public domain.  It is very easy to find and can provide some very valuable information on the companies you are considering for security work.

Completing the Puzzle: Verifying Company Claims & Information January 27, 2012

Posted by Chris Mark in Risk & Risk Management.
I have received a few emails over the past several weeks on how companies can have assurance that the security provider they are evaluating is on the up and up.  Sometimes a little due diligence goes a long way.  Here is a quick and easy start to your verification.

1) Check business formation dates.  In the US (and I am sure many other countries) business data such as incorporation dates, etc. are public record.  Companies need to be registered in a particular state or states.  If you do a quick Google search on the particular state you can find where the records are kept.  For example, in Utah you simply go to the following website: https://secure.utah.gov/bes/action .  In Nevada you would visit: http://nvsos.gov/sosentitysearch/corpsearch.aspx .  In New York you would visit: http://www.dos.ny.gov/corps/bus_entity_search.html .  If a company claims to have been doing business since 2001 and there are only records from 2005, you know that they are likely not telling the truth.  Additionally, you can find out if the business license was ever revoked, dissolved, etc.

2) Check the WayBack Machine: http://www.archive.org .  The Internet Archive is very familiar to geeks but many others are not aware it exists.  Here you can see what a company’s website looked like at a particular point in time.  A word of caution: some sites are not archived and some are only periodically archived.  That being said, if there is a snapshot of a company’s website from a particular date you can learn quite a bit.  For example, if a company claims to have provided maritime security services since 2008 and their website snapshot from 2009 shows no indication of such a service, it should raise red flags.  Often, companies will ‘embellish’ or change information on their website without realizing that the snapshot exists.  Like #1 above, if a company claims to have been in business since 2001 but their snapshot from 2008 shows a founding date of 2004, you have to question the validity of the 2001 date.

3) Google, Google, Google some more.  Google is an extremely powerful search tool.  It can use Boolean logic to conduct searches, and Boolean operators make your searches more precise.  Here is a link to using Boolean operators in Google searches.  Boolean operators are things like the use of quotes to have Google search for a complete phrase such as “Chris Mark” instead of Chris Mark, which would result in a search for Chris, and Mark, and Chris Mark.  You can also use AND or a + sign to narrow the searches.  For example: “Chris Mark” + security will pull up all links to Chris Mark and security.  You can search within a specific website with the site: operator, such as “Chris Mark” site:NYTimes.com.  Within Google, don’t forget you can use the advanced search function on the left-hand side of the page to search by specific dates.  Again, if a company claims they have been around since 1990, you would expect to see some results returned for dates in 1990.  Unless told otherwise, Google will provide the most relevant links first.  If you tell it to search by date it will provide very specific information on dates.

4) Search blogs and forums.  Often people will publish their opinions in blogs and forums.  While the information should be taken with a grain of salt, it certainly can give you information on companies and the perception within a particular group.  Find forums relevant to the industry and search for the principals of the company or the company itself.

While this is not an exhaustive list of techniques to verify company information, with some practice these four steps will provide a laundry list of information that can be used to verify whether claims are accurate or not.  Companies that change their claims and contradict themselves should be looked at very carefully.

InfoSec 101: Technology doesn’t fail, People do… January 27, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.
As research indicates that pirates are beginning to engage the services of data thieves to steal data from shipping companies, it is important that the maritime industry begin looking at securing not only their vessels but their data assets as well. In my past life as a data security professional, I have had the opportunity to work with some very large, complex organizations.  As a consultant I was often involved in the remediation and after action of companies that had experienced a data theft or major compromise (hack).  After reviewing about 3,000 data compromise cases I can say with confidence that it is not the technology that fails in data compromises, it is the people.  I have yet to ever see a firewall decide to stay home from work or decide to change its own ruleset to open a port.  I have seen a number of instances where a firewall administrator forgot to close a port or bypassed the firewall for “just a minute” and forgot about the change.  I have never seen an intrusion detection system (IDS) decide to turn itself off because it was tired; I have seen many instances where the IDS was tuned incorrectly, or where it was turned off because it was sending too many alerts.  The scenario repeats over and over.  Technology doesn’t get tired, it rarely fails (statistically modern airliners are as reliable as toaster ovens) and it doesn’t complain or make mistakes.

Human beings aren’t so fortunate.  We are lazy by nature.  I say this because we all will take the path of least resistance in everything we do.  We are also fallible, which means we make mistakes.  It is simply human nature.  Unfortunately, in security this characteristic is why security breaches occur.  A guard falls asleep.  A firewall admin opens a port and forgets to close it.  A janitor doesn’t lock a door after leaving a building. An employee forgets one step in a calculation.  The list goes on and on.  So how do we minimize the mistakes and mitigate the risk associated with human nature?  The answer is simple but the implementation is difficult.  Established processes and procedures documented in policy and…here is the hard part…enforced.

I cannot tell you how many clients, when asked if they have a security policy, will say: “Well, we don’t have a documented policy…but we have an ‘informal policy’.”  Wrong answer!  If it is not formalized and approved by the appropriate authority (CIO, BOD, etc.) then it is NOT a policy…it is an informal practice.  When I hear this answer I always ask: “How confident are you that the informal policy you describe is being followed?”  The answer is inevitably: “Well…probably not as frequently as it should be.”  This describes the vast majority of companies I have worked with.  Why?  The answer is again simple.  First, policies are difficult and time consuming to develop and implement.  Second, we don’t like to step on other people’s toes.  We want to trust our co-workers and employees.  By establishing an onerous policy we are saying to them: “you are not trusted.”  Let’s call a spade a spade.  None of us like being told we can or can’t do something or being treated like we are not trusted.  Unfortunately in security it is absolutely imperative that we establish and enforce policies.  Defined policies which are effectively enforced give us the only confidence that tasks are being conducted “consistently and repeatedly.”  This is the key.

How do you develop policies and procedures?  That topic is much too deep for this blog post, but here is a high level process to follow.

1) Take an inventory of assets and prioritize those assets (intellectual property, human resources records, financial data).  You need to know what it is you are trying to protect before you can find a way to protect it.

2) Identify the who, what, where, why, when, and how of data access. Using the access control reports/system (Windows Active Directory, LDAP, etc.) and application information, identify the following: who has access to the data (include applications, services and people), what data they can access, where the data is stored, why they have access (and whether they actually need access), when they have the ability to access it (and whether it should be restricted) and how they access the data (direct SQL queries, applications, etc.).  Develop a matrix with all of this information included.

3) Develop a dataflow diagram.  Using the matrix above, and an existing logical network diagram, create a diagram that logically shows where all sensitive data (as identified in #1) is located and how it flows through the network (including all applications and devices).  This process will be enlightening.  Experience suggests there will be a number of ‘aha’ moments where you find that people with no business need have access to very sensitive data.

4) Develop a ‘data control policy’ using a model of least privilege and ‘need to know’.  This is the first policy.  Classify the types of data and decide who (people, applications, services) should be able to access which type of data, under what conditions (time, location, etc.), and provide a justification.  This should be based on a ‘need to know’. For example, a system administrator (system level access) should not have access to the financial accounting database nor be able to see financial accounting data unless his/her job requires it.

5) Update your access control mechanism to reflect the data control policy.  Update user privileges and rights in Active Directory or LDAP to reflect the data control policy.  The Access Control Policy is another step that will be covered in another blog post.
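As an added example (this is not code from the post), here is how steps 2 through 4 can be reconciled mechanically: each row of the who/what/where/why/when/how matrix is checked against a data control policy built on least privilege and need to know, so the ‘aha’ moments from step 3 surface as findings before anyone touches Active Directory in step 5. The asset names, roles, accounts and policy rules are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    """One row of the who/what/where/why/when/how access matrix (step 2)."""
    who: str    # account name (person, service or application)
    kind: str   # "person" or "service"
    role: str   # job function or service role
    what: str   # data set the account can reach
    where: str  # system that stores it
    why: str    # documented justification, "" if none was recorded
    when: str   # "business-hours" or "any"
    how: str    # access path: "application" or "direct-sql"


@dataclass(frozen=True)
class DataRule:
    """Data control policy entry for one data classification (step 4)."""
    need_to_know: frozenset    # roles with a need to know; "*" means anyone
    allowed_paths: frozenset   # how the data may be reached
    business_hours_only: bool  # restrict interactive (person) access by time


# Step 1: asset inventory mapping each data set to a classification (constructed).
DATA_CLASS = {
    "financial-accounting-db": "financial",
    "hr-records": "hr",
    "marketing-site-content": "public",
}

# Step 4: data control policy based on least privilege and need to know (constructed).
POLICY = {
    "financial": DataRule(frozenset({"accountant", "cfo", "erp-service"}),
                          frozenset({"application"}), True),
    "hr": DataRule(frozenset({"hr-manager"}), frozenset({"application"}), True),
    "public": DataRule(frozenset({"*"}),
                       frozenset({"application", "direct-sql"}), False),
}


def check_entitlement(e, policy=POLICY, data_class=DATA_CLASS):
    """Return the list of policy findings for one matrix row (empty = compliant)."""
    findings = []
    cls = data_class.get(e.what)
    if cls is None:
        # An entitlement to data that never made it into the inventory is itself a gap.
        return [f"{e.what} is not in the asset inventory; classify it first"]
    rule = policy[cls]
    if "*" not in rule.need_to_know and e.role not in rule.need_to_know:
        findings.append(f"{e.who} ({e.role}) has no need-to-know for {cls} data")
    if cls != "public" and not e.why:
        findings.append(f"{e.who} has no documented justification for {e.what}")
    if e.how not in rule.allowed_paths:
        findings.append(f"{e.who} reaches {e.what} via {e.how}, not an allowed path")
    if rule.business_hours_only and e.kind == "person" and e.when != "business-hours":
        findings.append(f"{e.who} can reach {cls} data outside business hours")
    return findings


def review(matrix, policy=POLICY, data_class=DATA_CLASS):
    """Check every row; return {(who, what): [findings]} for the non-compliant ones."""
    report = {}
    for e in matrix:
        findings = check_entitlement(e, policy, data_class)
        if findings:
            report[(e.who, e.what)] = findings
    return report


# Constructed sample matrix (step 2 output) for a small ERP/HR environment.
MATRIX = [
    Entitlement("jdoe", "person", "accountant", "financial-accounting-db",
                "erp-srv-01", "month-end close", "business-hours", "application"),
    Entitlement("sysadmin1", "person", "system-administrator",
                "financial-accounting-db", "erp-srv-01", "", "any", "direct-sql"),
    Entitlement("erp-svc", "service", "erp-service", "financial-accounting-db",
                "erp-srv-01", "nightly batch posting", "any", "application"),
    Entitlement("rsmith", "person", "hr-manager", "hr-records",
                "hr-app-01", "payroll review", "any", "application"),
    Entitlement("webcms", "service", "cms-service", "marketing-site-content",
                "web-01", "", "any", "application"),
    Entitlement("intern7", "person", "intern", "crm-export",
                "file-share-02", "", "any", "application"),
]

if __name__ == "__main__":
    for (who, what), findings in review(MATRIX).items():
        print(f"{who} -> {what}")
        for f in findings:
            print("   ", f)
```

The system administrator row reproduces the post’s own example: system-level access with no need to know, no justification, a direct SQL path and no time restriction, which is exactly the entitlement step 5 should remove.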

By using the 5 steps above, you will be well on your way to controlling and protecting your sensitive data assets.  Remember, policies are simply paper documents unless they are documented, approved by management, disseminated, and enforced.  Although enforcement is often difficult, employees need to understand that violating information security policies can be met with punishment up to, and including, termination OR prosecution.

The Geopolitical Context of Piracy by Dr. Heather Mark January 3, 2012

Posted by Chris Mark in Failed States, Laws and Legislation, Piracy & Maritime Security, Risk & Risk Management.
This is a guest post by Dr. Heather Mark.  It is a short excerpt from a larger whitepaper titled “Understanding Modern Piracy: Geopolitical and Regulatory Considerations” which is found here.

“Executive Summary

The scourge of modern piracy is often unrecognized by the general public.  However, those involved in the Maritime industries are all too familiar with the danger, both physical and economic, posed by pirates.  Modern pirates hearken less to the romantic imagery of the swashbuckling adventurer than they do to the violent, mercenary gangsters that they more closely resemble.  Such imagery, however, does little to explain the pirates’ motivations, their impact on shipping and the reaction of the governments whose economies are threatened by their actions.

The following paper will provide a brief analysis of the current impact of piracy on shipping, and the geopolitical context that allows these criminals to thrive.  Further, the paper will provide an overview and analysis of some of the international efforts to curtail piratical activity and their effectiveness.

“Absolute freedom of navigation upon the seas, outside territorial waters, alike in peace and in war…”

-Woodrow Wilson, The 14 Points

Introduction

Modern piracy can best be described as a hidden plague on the economies of the world.  While most are unaware of, or perhaps simply do not understand, the pervasiveness and impact of piracy on international shipping lanes, the phenomenon is very real and has a tangible impact, not only on the maritime industry, but also on the global economy.  As the global economy struggles with worldwide recession, failing and failed states are acting as a breeding ground for organized piratical activity – from “muggings” at anchor to armed hijackings while underway.

The lack of awareness of the piracy issue, however, does not mean that this is a victimless crime or even one that has little to no impact on the public.  There are very tangible costs to the crime wave for which everyone pays. For example, should a ship be the victim of a pirate attack, the owner can choose to report the incident to the appropriate authorities.  If the owner does so, it must absorb not only the cost directly associated with the attack (delays and interruptions to name just a few) but must also bear the legal costs that are associated with the attack investigation.[1]  This also invariably leads to higher insurance premiums, as well.

Given the costs associated with choosing to report acts of piracy, it should come as no surprise that as many as 50% of incidents are unreported.  Over the last five years, incidents of piracy have grown increasingly common.  In 2009 alone there were over 400 incidents of reported piracy.  According to statistics from the International Maritime Bureau, acts of piracy are growing more and more violent as pirates learn from their experience, re-invest their ill-gotten gains to strengthen their criminal enterprise and widen their area of operations.

It is important that these criminals and their intentions not be underestimated.  There is an apparent tendency to discount the sophistication of modern pirates.  The fact that they often attack in traditional fishing vessels, dhows and skiffs often belies the shrewd organization and violent intentions of those orchestrating the attacks.  In order to better understand the phenomenon of modern piracy, one must understand the origins of the crimes.  What may have begun as a desperate turn by individuals seeking to supplement their dwindling incomes has become a serious plague on the international Sea Lines of Communications (SLOC).

Despite the growing impact of piracy on the shipping industry, the general public has yet to demonstrate a sustained interest in combating piracy on an ongoing basis.  American public opinion has been singularly focused on issues of terrorism since the attacks of September 11, 2001.  Though many scholars have theorized about a connection between piracy and terrorism there has yet to arise a substantive, tangible relationship between the two criminal acts.  At their core, the two acts have very different aims – piracy is undertaken for purely economic reasons and requires secrecy and anonymity so that the criminals can continue their activities, while terrorism is undertaken for ideological reasons and requires an audience to be effective[2].

Looking at the activities of piracy only tells part of the story, however.  In order to understand the phenomenon of modern piracy, one must understand the underlying causes. These individuals and, in many cases, organizations, do not exist in a vacuum and are a product of the environment in which they exist.  There are certainly variables that give rise to conditions favorable to crime.  This paper will examine some of those conditions, including the geopolitical and economic contexts that may give rise to piracy.

Geopolitical Context

There are a number of factors that must be addressed when examining modern piracy from a geopolitical perspective.  Not only must one examine the constraints facing states in fighting piracy, but one must also examine the features that allow piracy to thrive.  There is a discussion of law enforcement that cites three critical elements in the prevention of crime.  Of the three elements deterrence is perhaps the most important.  In other words, the criminals must perceive greater danger to themselves in perpetrating the crime (i.e. getting caught, wounded or killed in the act) than they see reward in committing the crime and escaping.  In geopolitical terms, the deterrence of crimes becomes increasingly complex, particularly when dealing with issues of sovereignty and failed, or failing, states.  For the sake of brevity, this paper will not attempt to examine every possible cause of international piracy, but will simply highlight those issues that best demonstrate the roots of the issue and the complexity associated with combating piracy.

State Sovereignty

Efforts to address international issues often give rise to conflicts of state sovereignty.  The very existence of the United Nations still leads to heated debate in a variety of circles.  While it is certain that international cooperation is beneficial for a number of reasons, there are those that feel that belonging to the cooperative necessarily results in the dilution of sovereignty.  If countries cannot, or are at least discouraged from, taking unilateral action, one must question the degree to which they are maintaining their sovereignty in light of the communal pressures.

Contrast the need to maintain state sovereignty with the need for collective security agreements, however.  Collective security agreements remain a fact of international life, the driving notion being that there is safety in numbers, for states as well as individuals.  Alliances are necessary to mitigate the threat of hostility.  Security and sovereignty are two fundamental requirements for the longevity of the state. These two competing needs require states to master the delicate balance of maintaining their independence and sovereignty while cooperating with neighboring states to the extent necessary to achieve stability and security.

Inis Claude describes the challenge of collective security: “Collective security requires the relinquishment of the sovereign free hand in the most vital issues of foreign policy, the abandonment of national biases for and against other states, and a consequent willingness to follow the lead of organs of the community in taking action in opposition to any aggressor, on behalf of any victim[3].”  With this description in mind, one can begin to see the struggles that face the collective efforts to combat piracy, particularly in littoral regions bordered by states that are taking pains to project themselves as a strong, sovereign power.  One of the most piracy prone areas in the world, the Malacca Straits, provides ample illustration.

The Trilateral Coordinated Patrol, introduced in 2004, was a joint effort among Indonesia, Malaysia and Singapore to patrol the littoral waters along the coast in an effort to deter piracy.  However, in its initial implementation, the Patrol failed to produce a significant reduction in piratical acts in the area.  This was at least partially attributed to the fact that the Patrol failed to allow for cross-border pursuit[4].  Issues of state sovereignty discouraged the presence of foreign navies in state waters, even in the pursuit of dangerous criminals and for the purposes of collective security.

Recent reports, from the Indonesian embassy, estimate that the Trilateral Coordinated Patrol has succeeded in reducing piracy in the area by 70%[5].  That being said, the International Maritime Bureau still cites the Malacca Straits as one of the most piracy prone areas in the world and advises ships to use extreme caution when moving through the region.  Indonesia and Malaysia in particular are wary of international assistance for the Trilateral Coordinated Patrol, while Singapore has been more welcoming.

Issues of state sovereignty are further involved due to the fact that most acts of piracy occur within the “12 nm territorial seas or the 200nm exclusive economic zones (EEZ) claimed by most states,” according to Richard O’Meara.  O’Meara ascribes the complications in deterrence and prosecution of pirates to the fact that they must be dealt with according to the “vagaries of local criminal codes, administration processes, resource allocation, and corruption[6].”

Consider that piracy takes place in stages, many of which begin on land.  Planning, supplying and orchestrating the attack are often carried out on land.  In addition, the pirates may attack domestic ports or steal ships at port which they can then use to carry out their operations at sea.  These domestic issues fall under the jurisdiction of the local governments and law enforcement agencies.  For many states, allowing international law to determine the extent of deterrence and enforcement that takes place domestically is akin to sacrificing sovereignty.  For that reason, anti-piracy conventions and collaborative efforts are necessarily constrained to the activities at sea.  While international cooperation and regulations may be prescribed, and will be discussed later, there is no enforcement mechanism by which states can coerce others into abiding by those regulations.

Failing and Failed States

Failing states, those defined by the Failed States Index as “vulnerable to collapse,” are understandably more sensitive to issues of state sovereignty than others may be.  These states may act in a manner such that the international community continues to perceive them as being capable of projecting their power both domestically and abroad.  In fact, in the Failed States Index the definition of a failed state is one in which the state has lost physical control of its territory[7].

Using that definition in the context of piracy, one can easily see why states like Indonesia might be reluctant to accept assistance from foreign powers in dealing with the domestic components of piracy.  Using the Malacca Straits and the Trilateral Coordinated Patrol as an example, one could likely have predicted the reluctance to accept foreign assistance by simply looking at the Failed States Index.  Indonesia has a “failure” index score of 83.1 while Malaysia scored a 69.2.  Both of these states fall solidly into the “warning” category and both are resistant to taking on a great deal of direct foreign assistance in fighting piracy in their littoral waters.  Contrast that with Singapore, a state that has been more willing to accept such assistance.  Singapore scores a 160 on the Index, which places it almost in the “sustainable” category[8].

Adam Young also concludes that weak states often exacerbate conditions that may lead to piracy.  According to Young, “these problems are in part created, and exacerbated, by weak state control of political hegemony, i.e. the means of a state’s legitimacy: the monopolistic control over violence within defined territorial borders.  Numerous gaps in this control have allowed piracy the operational space to re-emerge…”[9]

The Gulf of Aden provides ample illustration of how failing and failed states have allowed piracy to take root and flourish.  Somalia is a failed state.  In fact, it ranks at number one on the Failed States Index.  Its governmental organs are non-existent.  There is no recognized law, nor is there any means to enforce that law if it did exist.  Somali pirates often claim to be members of the Somali Navy or Coast Guard enforcing fishing rights in the region.  Since no actual Somali Navy or Coast Guard exists, there is no one to prevent such acts from occurring.  One might suggest then that regional collective security arrangements might be beneficial in taking on the problem of piracy.  An examination of the surrounding states, however, demonstrates why collective security arrangements would fail.

Djibouti, Somalia’s neighbor to the north, is considered a “failing” state.  Yemen, the state directly across the Gulf of Aden, is a “failed state.”  Eritrea, the Sudan, Ethiopia – all of these states bordering either Somalia or the Gulf of Aden itself top the list of Failed States.  They have little or no means of enforcing laws within their own borders, let alone attempting to work together to stem the tide of Somali pirates.

The Fall of the Soviet Union

The fall of the Soviet Union provides another illustration of the ways in which the failure of a state can have impacts on a global scale. Despite the ever-present tension between the United States and the Soviet Union, the Cold War served to establish and maintain a balance of power throughout the world.  As the two countries divided the world and fought wars by proxy, the support of the two powers served to contain large-scale aggression.

Several authors cite the end of the Cold War as a factor in the rise of piracy.  “The proliferation of small arms among transnational criminal syndicates since the end of the Cold War who are now able to take advantage of a huge array of sophisticated weaponry left over from past wars in Afghanistan and Cambodia as well as from the former Red Army…[10]” is just one example of the widespread impact of Russia’s fall from power.

When the Cold War ended, it created a power vacuum – a uni-polar world that is too large for one power to police, but in which no other power has been able to fill the void.  The United States, understandably, projects its power into those places that hold the most strategic importance.  To date, piracy has not been a strategic concern of the United States, but has most affected those countries that were on the fringes of the power struggle between the two superpowers.”

[1] Chalk, Peter. (2008) The Maritime Dimension of International Security: Terrorism, Piracy and Challenges for the United States. Rand Corporation. P. 15
[2] Sakhuja, Vijay. (2007) “Sea Piracy in South Asia,” Violence at Sea: Piracy in the Age of Global Terrorism. ed. Peter Lehr. Routledge, Taylor & Francis Group; New York, NY. Pp. 33-34
[3] Claude, Inis L. Jr. (1962) Power and International Relations. Random House; New York, NY. Pp. 196-204
[4] Raymond, Catherine Zara and Morrien, Arthur. (2009) “Security in the Maritime Domain and Its Evolution Since 9/11,” Lloyd’s MIU Handbook of Maritime Security. CRC Press; London. Pp. 3-11
[5] ANTARA News. (July 14, 2010) “Seven Countries to Discuss Malacca Strait Security.” http://www.embassyofindonesia.org/news/2010/07/news040.htm
[6] O’Meara, Richard M. (2007) Maritime Piracy in the 21st Century:
[7] The Fund for Peace. (2010) “Failed States Index 2010.” http://www.fundforpeace.org/web/index.php?option=com_content&task=view&id=102&Itemid=891#4
[8] It should be noted that Singapore falls between France and the United Kingdom in the Failed States Index’ rankings within the “moderate” category. The United States and Japan are also in the same category.
[9] Young, Adam. (2007) Contemporary Maritime Piracy in Southeast Asia: History, Causes and Remedies. Institute of Southeast Asian Studies; Singapore. P. 99
[10] Ong-Webb, Graham Gerard. (2007) “Piracy in Maritime Asia,” Violence at Sea: Piracy in the Age of Global Terrorism. ed. Peter Lehr. Routledge, Taylor & Francis Group; New York, NY. P. 79