Security, Exploits & Vulnerabilities- Security is Never 100% February 16, 2012
Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.Tags: Chris Mark, cybersecurity, DES, Exploits, InfoSec, mark consulting group, markconsultinggroup.com, security, security theory, vulnerabilities
add a comment
In light of the recent disclosures of breaches of major security technologies and vendors, I felt compelled to write this post. One of my favorite subjects to debate (and argue over) is security theory in general, and specifically the topics of vulnerabilities & exploits. They are concepts that are critical in the fields of information security, risk management and other areas of security. In truth, the concepts extend beyond IS but they are very common in the IS World and easier, in my opinion, to discuss in the context of IS. So what are exploits & vulnerabilities and why are they important?
First, we need to understand that there is no “guaranteed security” and security can never be 100% as there are always vulnerabilities which can be exploited. We may not have identified them yet, but they do exist. Given enough time, effort, and the right tools, any security control can be circumvented. Security should be viewed as a function of time and effort. (this will be discussed below) Second it is important to understand that the concepts of exploits and vulnerabilities are inextricably entwined and are mutually dependent. This is where the debate begins so first lets get a working definition of the terms. (more…)
Part 2: Vetting Security Companies & Their Principals February 15, 2012
Posted by Chris Mark in Risk & Risk Management.Tags: Chris Mark, Maritime Security, mark consulting group, markconsultinggroup.com, Navy SEALs, POW, Purple Heart, USMC
2 comments
As I read Kevin Doherty’s questions for vetting security companies, I felt compelled to add some additional commentary. It is important to really do your due diligence on the principals of security companies. It is the leadership that will define the ethics, and attitude of the organization. If the owner is prone to dishonesty or misrepresentations then the staff is likely to follow their lead. Unfortunately, in the high risk world of maritime security (and other security) the fallout can cost more than money. In a very real sense, lives can be lost.
“Pick your poison” – Security or Convenience February 15, 2012
Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.Tags: access control, armed security, Chris Mark, mark consulting group, markconsultinggroup.com, risk management, security, security policy
3 comments
I have discussed the challenges of security & convenience for some time. The latest news regarding the 10 year breach of Nortel gave me new fodder for the discussion.
Whether we are discussing information security, physical security, operational security (to name a few) the concepts of security & convenience are diametrically opposed. When we talk of convenience we can include operational efficiency in the discussion. Consider a companies like Nortel with a large IT infrastructure. One one side of the discussion is the IT department. They are constantly hearing about how they need 99.999 uptime and faster systems. In the payment card industry where transaction times are critical additional latency can be problematic. They also hear over and over about how someone needs more access to more data. (more…)
Nortel Network Compromised for a Decade; Chinese Suspected February 14, 2012
Posted by Chris Mark in Industry News, InfoSec & Privacy, Risk & Risk Management.Tags: armed security, Chris Mark, cybersecurity, data breach, InfoSec, InfoSec & Privacy, mark consulting group, markconsultinggroup.com, nortel breach
1 comment so far
According to MSNBC, Nortel’s network was open to hackers since at least 2000. It is suspected that the hackers are Chinese. The data thieves appear to have had nearly “unfettered access” to the network and were able to download: ” “technical papers, research-and-development reports, business plans, employee emails and other documents.” How did they access the network? Simple. (more…)
Vetting Armed Security Providers February 13, 2012
Posted by Chris Mark in Risk & Risk Management.Tags: armed security, kevin doherty, maritime piracy, Maritime Security, nexus consulting, Piracy & Maritime Security, risk management, Somalia
1 comment so far
Nexus Consulting’s CEO, Kevin Doherty was kind enough to let me post a questionnaire his company developed specifically for companies considering the use of armed security on ships. Nexus has conducted hundreds of transits through the Gulf of Aden and is one of the original maritime security companies and currently one of only 3 companies in the US that work with US Flagged vessels. Please download the document here.
Global Security, Privacy, & Risk Management 