Quantifying CyberRisks- Solving the Riddle (per AT&T CyberSecurity Blog) March 11, 2021

Posted by Chris Mark in Uncategorized.

I recently published a new article on the AT&T CyberSecurity blog titled Quantifying CyberRisks- Solving the Riddle. Below is an excerpt. Click ‘read more’ to read the entire piece.

In the late 1990s and early 2000s, a concept was bandied about under the name “Return on Security Investment,” or ROSI. Borrowing from the common business term Return on Investment (ROI), where the return on a particular investment (capital investment, personnel, training, etc.) can be quantified, the cybersecurity industry attempted to quantify a return on security investment.

Fundamentally, the primary failing of this concept is that it is mathematically impossible (approaches mathematical impossibility) to quantify an event “not occurring”.  In short, if a company has “zero” security events that impact them deleteriously in a given year, was the $5 million security expenditure appropriate? Should it have been less since there was no security event that caused a loss?  If the company experienced an event, was the return on the investment then the difference between the expenditure and the overall losses from the incident?  It simply did not work, as it was mathematically flawed.

Fast forward to 2021, and companies are once again fixated on quantifying cyber risk and, more importantly, cybersecurity exposure. The question being asked is similar: “Can companies accurately quantify cybersecurity risks today?”

This is a complex question, but to attempt an answer it is first important to have a working definition of several terms.

Risk is an artificial construct that can be expressed as a function of the likelihood of an adverse event occurring (often given as a statistical probability) and the impact should the event be realized (in business, and for the purposes of this article, impact is expressed in monetary terms). In short, R = f(P, I). Click Here to Read More!

Holiday Shopping Safety! Debit or Credit? PIN or Pen? Check or Cash? November 18, 2020

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.

With the holidays around the corner, it is a hot time for criminals to steal from us all! CyberCriminals are specifically after your money and cards. There is ongoing confusion about whether cards are better than checks, and whether checks are better than cash. While we all have our own opinions, I think the argument is pretty clear that payment cards are the most secure option for consumers. Read below!

For some background, I am a payment card security professional. I have worked at MasterCard and with Visa, as well as the other card brands. I now work at a major telco overseeing the payment security program. 2020 marks the 15th consecutive year someone has stolen my card at least once (17 times in 15 years) BUT…I wasn’t worried…read below to find out why!

Covid19: “The War God’s Face Has Become Indistinct” – China’s Unlimited Warfare Strategy April 14, 2020

Posted by Chris Mark in cybersecurity, Risk & Risk Management, terrorism.

UPDATE: Today (April 15, 2020) Fox News published an article supporting what has been proposed in this post. Titled “Sources believe coronavirus originated in Wuhan lab as part of China’s efforts to compete with US,” the article lays out compelling evidence that China was attempting to demonstrate that China’s “…efforts to identify and combat viruses are equal to or greater than capabilities of the United States.” The article states that the evidence comes from classified and open-source sources and documents. It further states that:

“…(China) blaming the wet market was an effort by China to deflect blame from the laboratory, along with China’s propaganda efforts targeting the US and Italy.”

For those who have not read Unrestricted Warfare, referenced in this post, I would strongly suggest you consider reading it. The Fox News article is directly in line with China’s 1999 strategy of unlimited warfare against the US and European countries.

In 2013, I wrote an article for The Counter Terrorist Magazine that identified the Chinese strategy of CyberWarfare. You can read the article here.

This followed a separate article I wrote for the same magazine called “CyberEspionage” that identified China’s efforts to infiltrate the US. Both identify the Chinese focus on unlimited warfare discussed below.

Today, while reading the news, I came across an article stating that US State Department cables (read: CIA and Intelligence) indicate that the Covid19 virus may have originated in the Wuhan Viral Lab (WVL), which was testing coronaviruses in bats. According to the Washington Post:

“As many have pointed out, there is no evidence that the virus now plaguing the world was engineered; scientists largely agree it came from animals. But that is not the same as saying it didn’t come from the lab, which spent years testing bat coronaviruses in animals, said Xiao Qiang, a research scientist at the School of Information at the University of California at Berkeley.”

No “evidence” is distinctly different from “they did not do it”. Keep in mind that in February 2020, the US Government charged 4 Chinese military members with the 2017 Equifax breach.

The question should be: “why would the Chinese launch viruses (if they did) and why would they hack US companies?”  The answer is actually pretty straightforward.   If you read the article from 2012, you will get much more information than in this blog post.

In 1990 the US engaged the Iraqi military in the Gulf War. The Russians (then Soviets) and Chinese watched closely as the US went literally “toe to toe” with the world’s 5th largest standing army (Iraqi). 96 hours later, the Iraqi Army was soundly defeated. Of particular note was the Battle of Medina Ridge (also called the Battle of 73 Easting), fought on Feb 27, 1991. It was an absolute rout. This convinced the Chinese that a “linear/kinetic war” with the US was unwinnable.

For this reason they embarked upon a new policy called “Unlimited/Unrestricted warfare”.

This is documented in the book Unrestricted Warfare. On first reading the document, I was shocked at what it contained. In 1999, two Chinese People’s Liberation Army (PLA) Colonels were tasked to write a document titled Unrestricted Warfare that outlines China’s approach to war with the West. In short, the document articulates a new definition of warfare that includes using all economic, political, and PR means to fight ‘sub wars’ and ‘pseudo wars’.

While we sit in the US laboring under our definition of warfare, our adversaries are redefining the battlespace.  Here are some quotes from the document:

“If we acknowledge that the new principles of war are no longer “using armed force to compel the enemy to submit to one’s will,” but rather are “using all means including armed force and non-armed force, military and non-military, lethal and non-lethal means to compel the enemy to accept one’s interests.”[i]

“As we see it, a single man-made stock-market crash, a single computer virus invasion, or a single rumor or scandal that results in a fluctuation in the enemy country’s exchange rates or exposes the leaders of an enemy country on the Internet, all can be included in the ranks of new-concept weapons.”[i]

In short, the Chinese manipulating currency or the press, or even paying a Harvard professor to be an agent, can arguably be considered a ‘pseudo war’ consistent with their strategy of unlimited warfare. As more information becomes available, I would not be surprised to see that this is much more than an “accident” in a lab in Wuhan. Look at the financial toll it has taken on the world and how it positions the Chinese to be much larger players.

[i] House of Representatives. (Kindle Locations 325-327). Kindle Edition.

[i] Qiao Liang and Wang Xiangsui. Unrestricted Warfare. Beijing: PLA Literature and Arts Publishing House; 1999.

How to publish your first Article in a Magazine! April 5, 2020

Posted by Chris Mark in Uncategorized.

As we are all spending time at home, I thought I would publish a quick video on how to write and publish an article.  I have published scores of articles and frequently get asked how to identify a topic, research, write and then publish an article.  This is about a 40 minute discussion of what has been successful for me! I hope you enjoy!  Would love any feedback anyone has!!  Here is where you can download the actual preso with narration.  Easier to watch. https://maritimerisk.files.wordpress.com/2020/04/publishing-your-first-article.ppsx

New Article: Exploits, Vulnerabilities & Threat Adaptation March 17, 2020

Posted by Chris Mark in cybersecurity, InfoSec & Privacy.

AT&T CyberSecurity published my new blog post.  You can read it here!

“Security, whether focused on physical, cyber, operational, or other domains, is an interesting topic that lends itself to considerable debate among practitioners. There are, however, basic concepts and underpinnings that pervade general security theory. Among the most important, yet often misunderstood, are the inextricably entwined concepts of vulnerabilities and exploits. These basic underpinnings are critical in all security domains.

What are exploits and vulnerabilities and why are they important to the study of security?

First, security cannot be considered a binary concept such as “secure” or “not secure”. The appropriateness of any security strategy is relative to the controls implemented to address identified risks. One cannot say: “my house is secure”. The measure of security is predicated upon the identified risks and the associated controls implemented to address those risks. One can say: “My house has been secured in a manner that is commensurate with the identified risks”. Second, security should be viewed as a function of time and resources. Finally, security, in any domain, can never be ‘assured’, nor can there be a ‘guarantee’ of security. The reason is simple. Technologies change and human threats are adaptive. According to the Department of Homeland Security’s Security Lexicon, Adaptive Threats are defined as:

“…threats intentionally caused by humans.” It further states that Adaptive Threats are: “…caused by people that can change their behavior or characteristics in reaction to prevention, protection, response, and recovery measures taken.” The concept of threat adaptation is directly linked to the defense cycle.  In short, as defenses improve, threat actors change their tactics and techniques to adapt to the changing controls.  As the threat actor improves their capabilities the defensive actors necessarily have to change their own protections.  This cycle continues ad infinitum until there is a disruption.”  Read the whole article!
