Completing the puzzle; Part 2- Checking on people January 28, 2012
Posted by Chris Mark in Risk & Risk Management. Tags: Chris Mark, google, mark consulting group, security
OK, in part one we talked about how to research companies a bit. Now we move on to people. Once you have taken a look at the company, you will find the principals. You want to ensure the principals are on the up and up. Here is a way to start your search.
1) Check civil records. In the US, lawsuits and similar civil filings are public record. A Google search will turn up a number of places that list civil lawsuits. Many states provide access for free, while some states are more difficult to access and you are better served using a third party. Either way, it is worth the effort. Start with the state in which the company is incorporated OR where it has its headquarters. In the US many companies incorporate in Delaware (don’t ask…another blog post). Then check the state in which the principal resides and the state where the company lists its HQ.
2) Check military records. Some people are surprised to find that you can actually get military records on people who have been discharged. It is completely legal and is your right under the US Freedom of Information Act (FOIA). Any US citizen can request a DD214 for ANY former military member, and a redacted copy will be provided. Unfortunately there are always those Walter Mittys (thank you Will McManus for the phrase) who will embellish their military records or flat out lie about what they claim to have done. In the US, it is relatively easy to check. Under the FOIA you can get a redacted DD214 (discharge paperwork) that shows units served, dates, occupational specialties, schools attended, and awards. If they claim to have a Navy Cross, you can check to see if they are lying.
3) Monster.com and LinkedIn. I am always amazed at how many people will not cross-reference their own LinkedIn or Monster resume. Find their profile on LinkedIn and Monster.com AND take a screenshot. Why? Experience shows that when people find someone is snooping, they will “update” their profiles to remove any references in which they were less than truthful. By taking a screenshot (with the date visible), you have the evidence.
4) Check corporate records. As I outlined in the first part of this post, check company records. If someone claims to have owned a company since 1988 and you find that the dates overlap with a LinkedIn profile showing they were working at McDonald’s, you have to question how they could both work at Mickey D’s and own a business.
5) Google, Google, and Google some more 😉 See the previous post.
It is amazing what you can find on individuals with a little work. All of the information described above is publicly available, easy to find, and can provide some very valuable information on the companies you are considering for security work.
Completing the Puzzle: Verifying Company Claims & Information January 27, 2012
Posted by Chris Mark in Risk & Risk Management. Tags: Anti Piracy, Chris Mark, globalrisk info, InfoSec, mark consulting group, security
I have received a few emails over the past several weeks asking how companies can have assurance that the security provider they are evaluating is on the up and up. Sometimes a little due diligence goes a long way. Here is a quick and easy start to your verification.
1) Check business formation dates. In the US (and I am sure many other countries) business data such as incorporation dates, etc. are public record. Companies need to be registered in a particular state or states. If you do a quick Google search on the particular state you can find where the records are kept. For example, in Utah you simply go to the following website: https://secure.utah.gov/bes/action . In Nevada you would visit: http://nvsos.gov/sosentitysearch/corpsearch.aspx in New York you would visit: http://www.dos.ny.gov/corps/bus_entity_search.html If a company claims to have been doing business since 2001 and there are only records from 2005, you know that they are likely not telling the truth (allowing for the possibility that they were registered earlier in another state or under a different name, which is why you check every state they have a connection to). Additionally, you can find out whether the business license was ever revoked or the entity dissolved.
2) Check the WayBack Machine. http://www.archive.org The Internet Archive is very familiar to geeks but many others are not aware it exists. Here you can see what a company’s website looked like at a particular point in time. A word of caution: some sites are not archived and some are only periodically archived, so the absence of a snapshot proves nothing by itself. That being said, if there is a snapshot of a company’s website from a particular date you can learn quite a bit. For example, if a company claims to have provided maritime security services since 2008 and their website snapshot from 2009 shows no indication of such a service, it should raise red flags. Often, companies will ’embellish’ or change information on their website without realizing that the snapshot exists. Like #1 above, if a company claims to have been in business since 2001 but their snapshot from 2008 shows a founding date of 2004, you have to question the validity of the 2001 date.
3) Google, Google, Google some more. Google is an extremely powerful search tool, and you can use Boolean-style operators to make your searches more precise. Quotes make Google search for a complete phrase, such as “Chris Mark” instead of Chris Mark, which would match pages containing Chris, and Mark, as well as Chris Mark. Terms are ANDed by default, so adding a word narrows the search. For example: “Chris Mark” security will pull up links that mention both Chris Mark and security (the old + operator is no longer honored). You can search within a specific website with the site: operator, written with no space after the colon, such as “Chris Mark” site:nytimes.com, and you can exclude a term with a leading minus, such as “Chris Mark” -football. Within Google, don’t forget the advanced search function on the left hand side of the page, which lets you restrict results by date. Again, if a company claims they have been around since 1990, you would expect to see some results dated from the 1990s. Unless told otherwise, Google will provide the most relevant links first. If you tell it to sort by date it will provide very specific information on dates.
4) Search blogs and forums. Often people will publish their opinions in blogs and forums. While the information should be taken with a grain of salt, it certainly can give you information on companies and the perception within a particular group. Find forums relevant to the industry and search for the principals of the company or the company itself.
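The WayBack Machine check in #2 can be done programmatically, which matters when you are vetting more than one or two providers and want a record of what you saw. The script below is an added example, not code from the original post: it uses the Internet Archive’s CDX API (http://web.archive.org/cdx/search/cdx), finds the earliest successful capture of a domain, and compares it with the “in business since” year the company claims. The sample response is constructed so the script runs offline; the domain example-security.com is hypothetical. The digest function applies the same idea as the screenshot advice in the people-checking post above: hash what you retrieved so the evidence can later be shown to be unchanged.

```python
"""Compare a company's claimed founding year with Internet Archive captures.

Added example, not code from the original post.  Uses the Wayback
Machine's CDX API, which with output=json returns a list of rows whose
first row is the column header.  SAMPLE_CDX is CONSTRUCTED so the script
runs offline; fetch_cdx() is the live call.  example-security.com is a
hypothetical domain.
"""
import hashlib
import json
import urllib.parse
import urllib.request
from datetime import datetime
from typing import Dict, List, Optional

CDX_ENDPOINT = "http://web.archive.org/cdx/search/cdx"


def build_cdx_url(domain: str, limit: int = 200) -> str:
    """Query for HTTP 200 captures of any page under `domain`, collapsed
    to one row per month (the first 6 digits of the timestamp)."""
    params = {
        "url": f"{domain}/*",
        "output": "json",
        "fl": "timestamp,original,statuscode",
        "filter": "statuscode:200",
        "collapse": "timestamp:6",
        "limit": str(limit),
    }
    return f"{CDX_ENDPOINT}?{urllib.parse.urlencode(params)}"


def parse_cdx_json(body: str) -> List[Dict[str, str]]:
    """Turn the CDX JSON (header row followed by data rows) into dicts."""
    rows = json.loads(body)
    if not rows:
        return []
    header, data = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in data]


def fetch_cdx(domain: str, timeout: float = 30) -> List[Dict[str, str]]:
    """Live lookup (network required); not used by the offline sample."""
    with urllib.request.urlopen(build_cdx_url(domain), timeout=timeout) as resp:
        return parse_cdx_json(resp.read().decode("utf-8"))


def earliest_capture(rows: List[Dict[str, str]]) -> Optional[datetime]:
    stamps = [datetime.strptime(r["timestamp"], "%Y%m%d%H%M%S") for r in rows]
    return min(stamps) if stamps else None


def check_claim(rows: List[Dict[str, str]], claimed_year: int) -> Dict[str, object]:
    """Does the archive support 'in business since <claimed_year>'?

    A capture at or before the claimed year is consistent with the claim.
    A later first capture does not prove the claim false (the site may
    simply not have been crawled), but it leaves the claim unsupported
    and is worth asking the company about.
    """
    first = earliest_capture(rows)
    if first is None:
        return {"first_capture": None, "claimed_year": claimed_year,
                "gap_years": None, "verdict": "no archive evidence"}
    gap = first.year - claimed_year
    return {"first_capture": first.strftime("%Y-%m-%d"),
            "claimed_year": claimed_year,
            "gap_years": max(gap, 0),
            "verdict": "consistent" if gap <= 0 else "unsupported"}


def evidence_digest(body: str) -> str:
    """SHA-256 of the raw response, so the saved evidence can be shown to
    be unchanged later (the same idea as taking a dated screenshot)."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


# Constructed sample: what the CDX API would return for a site whose
# first successful capture was in March 2005.
SAMPLE_CDX = json.dumps([
    ["timestamp", "original", "statuscode"],
    ["20050312081512", "http://example-security.com:80/", "200"],
    ["20060701120000", "http://example-security.com:80/services.html", "200"],
    ["20090115093000", "http://example-security.com:80/about.html", "200"],
])

if __name__ == "__main__":
    rows = parse_cdx_json(SAMPLE_CDX)
    print(build_cdx_url("example-security.com"))
    print(check_claim(rows, claimed_year=2001))   # unsupported, 4-year gap
    print(check_claim(rows, claimed_year=2006))   # consistent
    print("evidence sha256:", evidence_digest(SAMPLE_CDX))
```

Save the raw CDX body together with its digest and the date you fetched it; a company that quietly changes its history later cannot argue with that record.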
While this is not an exhaustive list of techniques to verify company information, with some practice these four steps will provide a laundry list of information that can be used to verify whether claims are accurate or not. Companies that change their claims and contradict themselves should be looked at very carefully.
InfoSec 101: Technology doesn’t fail, People do… January 27, 2012
Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management. Tags: access control, Chris Mark, data security, InfoSec & Privacy, Maritime Security, mark consulting group, policies, risk management
As research indicates that pirates are beginning to engage the services of data thieves to steal data from shipping companies, it is important that the maritime industry begin looking at securing not only their vessels but their data assets as well. In my past life as a data security professional, I have had the opportunity to work with some very large, complex organizations. As a consultant I was often involved in the remediation and after action of companies that had experienced a data theft or major compromise (hack). After reviewing about 3,000 data compromise cases I can say with confidence that it is not the technology that fails in data compromises, it is the people. I have yet to ever see a firewall decide to stay home from work or decide to change its own ruleset to open a port. I have seen a number of instances where a firewall administrator forgot to close a port or bypassed the firewall for “just a minute” and forgot about the change. I have never seen an intrusion detection system (IDS) decide to turn itself off because it was tired; I have seen many instances where the IDS was tuned incorrectly, or where it was turned off because it was sending too many alerts. The scenario repeats over and over. Technology doesn’t get tired, it rarely fails (statistically modern airliners are as reliable as toaster ovens), and it doesn’t complain or make mistakes.
Human beings aren’t so fortunate. We are lazy by nature. I say this because we all will take the path of least resistance in everything we do. We are also fallible, which means we make mistakes. It is simply human nature. Unfortunately, in security this characteristic is why security breaches occur. A guard falls asleep. A firewall admin opens a port and forgets to close it. A janitor doesn’t lock a door after leaving a building. An employee forgets one step in a calculation. The list goes on and on. So how do we minimize the mistakes and mitigate the risk associated with human nature? The answer is simple but the implementation is difficult. Established processes and procedures documented in policy and…here is the hard part….. enforced.
I cannot tell you how many clients, when asked if they have a security policy, will say: “Well, we don’t have a documented policy…but we have an ‘informal policy’.” Wrong answer! If it is not formalized and approved by the appropriate authority (CIO, BOD, etc.) then it is NOT a policy…it is an informal practice. When I hear this answer I always ask: “How confident are you that the informal policy you describe is being followed?” The answer is inevitably: “well…probably not as frequently as it should be.” This describes the vast majority of companies I have worked with. Why? The answer is again simple. First, policies are difficult and time consuming to develop and implement. Second, we don’t like to step on other people’s toes. We want to trust our co-workers and employees. By establishing an onerous policy we are saying to them: “you are not trusted.” Let’s call a spade a spade. None of us like being told we can or can’t do something or being treated like we are not trusted. Unfortunately in security it is absolutely imperative that we establish and enforce policies. Defined policies which are effectively enforced give us the only confidence that tasks are being conducted “consistently and repeatedly.” This is the key.
How do you develop policies and procedures? That topic is much too deep for this blog post, but here is a high level process to follow.
1) Take an inventory of assets and prioritize those assets. (intellectual property, human resources records, financial data). You need to know what it is you are trying to protect before you can find a way to protect it.
2) Identify the who, what, where, why, when, and how of data access. Using the access control reports/system (Windows Active Directory, LDAP, etc.) and application information, identify the following: Who has access to the data (include applications, services and people), what data they can access, where the data is stored, why they have access (and whether they actually need access), when they have the ability to access (and whether it should be restricted) and how they access the data (direct SQL queries, applications, etc.) Develop a matrix with all info included.
3) Develop a dataflow diagram. Using the matrix above and an existing logical network diagram, create a diagram that logically shows where all sensitive data (as identified in #1) is located and how it flows through the network (including all applications and devices). This process will be enlightening. Experience suggests there will be a number of ‘aha’ moments where you find that people with no business need have access to very sensitive data.
4) Develop a ‘data control policy’ using the model of least privilege and ‘need to know’. This is the first policy. Classify the types of data and decide who (people, applications, services) should be able to access which type of data, under what conditions (time, location, etc.), and provide a justification. This should be based on a ‘need to know’. For example, a system administrator (system level access) should not have access to the financial accounting database nor be able to see financial accounting data unless his/her job requires it.
5) Update your access control mechanism to reflect the data control policy. Update user privileges and rights in Active Directory, or LDAP to reflect the data control policy. The Access Control Policy is another step that will be covered in another blog post.
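Steps 2 through 4 become much easier to enforce if the matrix is kept as data rather than as a spreadsheet nobody re-reads. The script below is an added example, not code from the original post: it holds a constructed data control policy (assets, classification, where they live, which roles have a documented need to know, and when access is expected), a constructed entitlement export of the kind an AD/LDAP group dump or database grant listing would give you, and builds the who/what/where/why/when/how matrix from the two. Rows with no documented need are exactly the ‘aha’ moments from step 3, and the list it produces is the work order for step 5. Every principal, group, host and asset name is made up.

```python
"""Steps 2 to 4 of the post as data: build the who/what/where/why/when/how
matrix from an entitlement export and check it against a least-privilege
data control policy.

Added example, not code from the original post.  Every asset, principal,
group and host name below is CONSTRUCTED.  In practice ENTITLEMENTS comes
from your directory (AD/LDAP group membership, database grants, share
ACLs) and POLICY is what step 4 of the post asks you to write down.
"""
from typing import Dict, List, Optional, Tuple

# Step 1 + step 4: the sensitive data, where it lives, which roles have a
# documented need to know, and when access is expected.  "*" means public.
POLICY: Dict[str, Dict[str, object]] = {
    "FIN-GL":  {"class": "financial", "where": "sql-fin01 (hypothetical host)",
                "roles": {"finance-analyst", "controller"}, "when": "business hours"},
    "HR-REC":  {"class": "hr",        "where": "hrfs01\\records (hypothetical share)",
                "roles": {"hr-generalist"},                  "when": "business hours"},
    "IP-SRC":  {"class": "ip",        "where": "git01 (hypothetical host)",
                "roles": {"developer", "release-eng"},       "when": "any"},
    "MKT-PUB": {"class": "public",    "where": "www01 (hypothetical host)",
                "roles": {"*"},                              "when": "any"},
}

# Documented exceptions to the role rule: (principal, asset) -> justification.
EXCEPTIONS: Dict[Tuple[str, str], str] = {
    ("svc-backup", "FIN-GL"): "nightly backup job, approved by the controller",
}

# Step 2: what the access-control system actually grants today, as
# (principal, role, asset, how).  Service accounts are included on purpose.
ENTITLEMENTS: List[Tuple[str, str, str, str]] = [
    ("alice",      "finance-analyst", "FIN-GL",  "erp-application"),
    ("bob",        "sysadmin",        "FIN-GL",  "direct-sql"),    # the post's example
    ("carol",      "hr-generalist",   "HR-REC",  "smb-share"),
    ("dave",       "developer",       "IP-SRC",  "git-ssh"),
    ("dave",       "developer",       "HR-REC",  "smb-share"),     # stale membership
    ("svc-backup", "backup-service",  "FIN-GL",  "backup-agent"),
    ("erin",       "marketing",       "MKT-PUB", "cms"),
]


def justification(principal: str, role: str, asset: str) -> Optional[str]:
    """Why does this principal have access?  None means no documented need."""
    allowed = POLICY[asset]["roles"]
    if "*" in allowed or role in allowed:
        return f"role '{role}' has need to know for class '{POLICY[asset]['class']}'"
    return EXCEPTIONS.get((principal, asset))


def build_matrix(entitlements=ENTITLEMENTS) -> List[Dict[str, object]]:
    """One row per (who, what): the matrix step 2 of the post asks for."""
    rows = []
    for principal, role, asset, how in entitlements:
        why = justification(principal, role, asset)
        rows.append({
            "who": principal, "role": role, "what": asset,
            "class": POLICY[asset]["class"], "where": POLICY[asset]["where"],
            "why": why or "NO DOCUMENTED NEED", "when": POLICY[asset]["when"],
            "how": how, "violation": why is None,
        })
    return rows


def find_violations(matrix: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """(who, what) pairs to revoke or justify before step 5 touches AD/LDAP."""
    return [(r["who"], r["what"]) for r in matrix if r["violation"]]


def direct_access_to_sensitive(matrix: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Separate finding from the 'how' column: non-public data reached by
    direct query rather than through an application, which bypasses the
    application's own controls and logging even when access is justified."""
    return [(r["who"], r["what"]) for r in matrix
            if r["class"] != "public" and str(r["how"]).startswith("direct-")]


if __name__ == "__main__":
    matrix = build_matrix()
    for row in matrix:
        flag = "!!" if row["violation"] else "  "
        print(f"{flag} {row['who']:<11} {row['what']:<8} {row['class']:<10} "
              f"{row['when']:<15} {row['how']:<16} {row['why']}")
    print("revoke or justify:", find_violations(matrix))
    print("direct access to sensitive data:", direct_access_to_sensitive(matrix))
```

Re-run it after every directory change, or on a schedule, and the policy stops being a paper document: any new grant that the policy cannot explain shows up as a violation the next morning instead of at the next audit.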
By using the 5 steps above, you will be well on your way to controlling and protecting your sensitive data assets. Remember, a policy is simply a paper document unless it is approved by management, disseminated, and enforced. Although enforcement is often difficult, employees need to understand that violating information security policies can be met with punishment up to, and including, termination, OR prosecution.
Realities of Precision Marksmanship from a Ship… January 26, 2012
Posted by Chris Mark in Piracy & Maritime Security, weapons and tactics. Tags: Chris Mark, mark consulting group, realpolitik, Scout Sniper, sniper
This is an excerpt from the post Realpolitik, Piracy and Armchair Quarterbacks. It is intended to supplement the previous post Snipers on Ships…
That article was referring to piracy within the Gulf of Aden and specifically off the coast of Somalia. In the article, the author writes:
“All we need to do (emphasis added) is declare that for ships on the high sea, a 300-yard radius around the vessels is a limited access zone. Anybody closing in farther without permission will be assumed to be hostile. First, warning shots will be fired across their bow; if this will not do, shoot to kill.
True, this means that merchant ships will need some armed marshals, as do many flights. However, given that the ships are tall and the pirates need to mount them from their small boats, a few armed guards can do the job.”
Here is where theory and practice diverge and armchair quarterbacking takes over. It is easy to be an armchair quarterback (or in this case ship’s crew) when it is not your own very expensive ship on the line or your own life on the line when the RPGs start flying. I can say from personal experience that it is less fun being shot at in real life than the movies may suggest. Additionally, the article ignores the much larger socio-political aspects of piracy.
To understand the feasibility of what the author suggested, let’s dissect what he is saying a little more closely. He states that a 300 yard radius should be imposed around the ships.
In Somalia pirates are attacking ships using small skiffs that often travel over 40 knots (~46 mph). Their skiffs are small, lightweight and agile. The pirates attack ships using multiple boats and primarily carrying RPG-7 rocket propelled grenades, PKM machine guns, and AK-47 assault rifles. They have little fear and are very aggressive. In short, these guys are armed to the teeth and very capable.
On a 30ft x 8ft target moving at 9 mph, the US Army gives the RPG-7 a hit probability of 22% at 300 meters, 51% at 200 meters, and 96% at 100 meters. If one considers that the bridge or rudder of a ship is the target, roughly double the size of the target in the Army figures, it is fair to assume the hit probability rises substantially as well. This means that at 300 meters the pirates have something like even odds of hitting the bridge or rudder and doing serious damage to the ship. If a pirate gets within 200 meters of the ship, a hit is close to a certainty. The answer, according to the author, is to “…fire warning shots across their bow; if this will not do, shoot to kill” if they get within 300 meters. The author then goes on to say that “a few armed guards can do the job.”
As a former Marine sniper with combat experience, I would consider myself competent with a number of different weapons systems. I also have experience guarding ships in Somalia. I can say with absolute confidence that firing: “…warning shots across their bow..” and then: “…shoot(ing) to kill…” at a moving target on the open ocean 300 meters away is a lot easier for action stars like Matt Damon or Sylvester Stallone in their movies than it is for real people in real situations. In fact, what the author is proposing is very difficult. To demonstrate some of the challenges, let us take a quick look at what is involved.
Consider that you are on a ship which is travelling 10 knots (creating a wind that affects the shot, which this article will not address). Consider that you now also have to keep your sights on a very small skiff travelling at 50 knots at 300 meters, all while the ship and the boat are bouncing on the ocean swells. Assuming the skiff is travelling parallel with your own ship, its relative speed is 40 knots. At 40 knots, the skiff is travelling at almost 67.5 feet per second, or the length of a football field every 4.4 seconds. This means that with a .300 Winchester Magnum round leaving the muzzle at 3050 feet per second, a shooter on a stable platform would need to lead the boat about 24.3 feet to account for the speed of the boat and the roughly .36 seconds it takes the bullet to traverse the 300 meters (accounting for the decrease in velocity in flight, for you math geniuses). This basic calculation does not account for the vertical movement of the ship or boat, the relative movement between the ship and the boat, or any wind that may be present. Assuming your target is a person 1.2 feet across, any given point on his path is inside the ‘hit zone’ for only about .018 of a second at 40 knots. This means that your lead ‘cushion’ is the width of the target itself: about 7 inches either side of the ideal lead. In short, if you lead more than about 24.9 feet or less than about 23.7 feet, you have missed your target completely. And if your lead is perfect but you have misjudged the distance to your target by only 10 meters, the extra (or missing) time of flight shifts the required lead by roughly 10 inches, more than the cushion, so you have also missed.
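The arithmetic above, parameterised so the reader can try other speeds, ranges and target sizes. This is an added example, not code from the original post. The ballistic model is deliberately minimal: time of flight is range divided by an assumed average bullet velocity. The post’s .36 seconds for a .300 Winchester Magnum over 300 meters corresponds to an average of roughly 2,730 feet per second (the round leaves the muzzle at 3,050 and slows in flight), which is the default here. Swell, vertical movement and wind are ignored, as they are in the post.

```python
"""Moving-target lead arithmetic from the paragraph above, parameterised.

Added example, not code from the original post.  Ballistic model:
time of flight = range / average bullet velocity, where the average
velocity is an ASSUMED input (2,730 ft/s reproduces the post's 0.36 s
at 300 m for a .300 Win Mag).  Swell, vertical movement and wind are
ignored, as in the post.
"""
FT_PER_NAUTICAL_MILE = 6076.12
FT_PER_METER = 3.28084


def knots_to_fps(knots: float) -> float:
    return knots * FT_PER_NAUTICAL_MILE / 3600.0


def time_of_flight_s(range_m: float, avg_velocity_fps: float) -> float:
    return range_m * FT_PER_METER / avg_velocity_fps


def required_lead_ft(relative_speed_knots: float, tof_s: float) -> float:
    """Distance the target covers while the bullet is in the air."""
    return knots_to_fps(relative_speed_knots) * tof_s


def lead_window_ft(lead_ft: float, target_width_ft: float):
    """Range of leads that still put the bullet somewhere on the target."""
    return (lead_ft - target_width_ft / 2, lead_ft + target_width_ft / 2)


def time_in_hit_zone_s(target_width_ft: float, relative_speed_knots: float) -> float:
    """How long one point on the target's path stays covered by the target."""
    return target_width_ft / knots_to_fps(relative_speed_knots)


def lead_error_from_range_error_ft(relative_speed_knots: float, range_error_m: float,
                                   avg_velocity_fps: float) -> float:
    """Extra (or missing) lead caused by misjudging the range by range_error_m."""
    return required_lead_ft(relative_speed_knots,
                            time_of_flight_s(range_error_m, avg_velocity_fps))


def solve(ship_knots: float = 10.0, skiff_knots: float = 50.0, range_m: float = 300.0,
          avg_velocity_fps: float = 2730.0, target_width_ft: float = 1.2,
          range_error_m: float = 10.0) -> dict:
    """Skiff running parallel to the ship, the scenario in the post."""
    relative = skiff_knots - ship_knots
    tof = time_of_flight_s(range_m, avg_velocity_fps)
    lead = required_lead_ft(relative, tof)
    low, high = lead_window_ft(lead, target_width_ft)
    range_err_lead = lead_error_from_range_error_ft(relative, range_error_m, avg_velocity_fps)
    return {
        "relative_speed_fps": knots_to_fps(relative),
        "time_of_flight_s": tof,
        "lead_ft": lead,
        "lead_window_ft": (low, high),
        "half_width_ft": target_width_ft / 2,
        "time_in_hit_zone_s": time_in_hit_zone_s(target_width_ft, relative),
        "range_error_lead_ft": range_err_lead,
        # True when the range error alone pushes the lead outside the window
        "miss_from_range_error": range_err_lead > target_width_ft / 2,
    }


if __name__ == "__main__":
    for key, value in solve().items():
        print(f"{key:<24} {value}")
```

Change the defaults to a head-on approach (relative speed becomes the sum of the two speeds, and the lead problem turns into a range-closure problem) or to a slower skiff and the window opens up, which is the point of the post: the difficulty is set by the geometry, not by the shooter’s skill.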
Suffice it to say that shooting at a small, high speed target while on a moving platform is more than difficult. It is extremely difficult. Couple this with the fact that the pirates are masquerading as fishermen and you have compounded the issue because nobody wants to make a mistake and hurt an innocent person.
Snipers on Ships….Good Idea…or Overkill? (Pun Intended) January 26, 2012
Posted by Chris Mark in Piracy & Maritime Security, weapons and tactics. Tags: Chris Mark, Maritime Security, mark consulting group, Piracy & Maritime Security, Scout Sniper, Royal Marine Sniper, weapons
I was reading a website today of what appears to be a new entrant into the maritime security world. It is clear that they are trying to differentiate their services by offering ‘Maritime Marksmanship’ services. According to the website, their former Royal Marine Snipers can add protection to 900 meters by adding precision, long range fire. As a former US Marine Sniper I am very familiar with, and have great respect for the Royal Marines’ sniper course and while we like to argue and debate with each other over whose course is superior, the truth is that the discussion is academic. Whether you believe it is the USMC or our UK brethren, the reality is that they are both arguably the most rigorous sniper courses in the world. We will continue to argue 😉 So back to my post.
While I don’t disagree that having trained snipers onboard provides a level of precision shooting, the question that must be asked is “how much is good enough?” The truth is that, to date, not a single armed vessel has been successfully hijacked. Many of the vessels are armed with M4s (or variants), AK-47s, G3s, FALs etc. Is there truly a need at this juncture for a trained sniper on board? A more fundamental question, I think, is whether you increase liability by placing a sniper onboard. If a pirate is approaching a vessel at high speed and shooting, then there is a threat. Using the force continuum, it is expected that first evasive maneuvers are taken, followed by warning shots etc. If they approach close enough then, possibly, you need to take more direct action and fire at the assailants. International law is still somewhat unclear as to when you can and cannot use deadly force on a suspected pirate. I question what would happen to the shooter if he shot a pirate out of a boat at 900m. It would be extremely difficult to justify such a shooting as ‘defensive’. (I suspect such a shot would be nearly impossible for any trained shooter; see the next post as to why.)
I believe at this point that having trained Commandos, US Marines (with appropriate background), or other well trained military members provides sufficient protection against pirate attacks. Any Commando, US Marine, Ranger etc. with an M4, or similar weapon system can engage a target to 300 meters with relative ease. Extending this range to a theoretical 900 meters does not, in my mind, reduce risk but may actually increase the risk should a suspected pirate be engaged at that distance.
For companies considering maritime security, it is suggested that the following be considered before weighing the more esoteric aspects of armed services.
1) Are the company’s leaders experienced in maritime security, and have they established and documented operating procedures consistent with the rules of force and international law? You do NOT want a bunch of gunslinging cowboys on your ships. Consider Blackwater as an example of what happens when undisciplined people with weapons are unleashed.
2) Are the armed guards appropriately vetted and trained? As much as I love my USMC, the fact remains that in the USMC we have a number of Marines who are cooks, mechanics, etc. In the UK, all Royal Marines are Commando trained. The point being that just because someone has a particular title does not mean they are right for the job. Ensure that the company is selective and vets their personnel. Additionally, ask about follow-on training. Are the guards taught the rules of force?
3) Are the guards provided with appropriate kit and weapons? I have heard horror stories of guards being deployed with Mosin-Nagant rifles and other ‘pre-WWII’ weaponry. While .50 caliber sniper rifles make good fodder for arguments, at a minimum the guards need to be armed with effective, modern weapons in working order. M4s, G3s, FALs, M14s, AK-74s and AK-47s are probably all sufficient to repel an attack by Somali pirates. I personally do NOT believe that a shotgun is sufficient. A shotgun is great for close quarters fighting but does not have the range or accuracy to defend against an attacker with an RPG or AK-47.
4) Do the company’s principals have experience with maritime traditions, rules, and communications? It is imperative that the guards understand how to work on ships and how to interact with the ship’s officers and crew. Ultimately, it is the ship’s captain who has responsibility for the vessel and her crew. The guards need to understand how to integrate into the ship’s plans to ensure effective protection of the vessel.