jump to navigation

New Article: Exploits, Vulnerabilities & Threat Adaptation March 17, 2020

Posted by Chris Mark in cybersecurity, InfoSec & Privacy.
Tags: , , , , , , ,
add a comment

AT&T CyberSecurity published my new blog post.  You can read it here!

“Security, whether focused on physical, cyber, operational, or other domains, is an interesting topic that lends itself to considerable debate among practitioners.  There are, however, basic concepts and underpinnings that pervade general security theory. One of the most important, yet often misunderstood concepts are those inextricably entwined concepts of vulnerabilities and exploits.  These basic underpinnings are critical in all security domains. 

What are exploits and vulnerabilities and why are they important to the study of security?

First, security cannot be considered a binary concept such as: “secure” or “not secure”.  The appropriateness of any security strategy is relative to the controls implemented to address to identified risks.  One cannot say: “my house is secure”.  The measure of security is predicated upon the identified risks and the associated controls implemented to address those risks.  One can say: “My house has been secured in a manner that is commensurate with the identified risks”.  Second, security should be viewed as a function of time and resources.  Finally, security, in any domain, can never be ‘assured’ nor can there be a ‘guarantee’ of security.  The reason is simple.  Technologies change and human threats are adaptive.  According to the Department of Homeland Security’s Security Lexicon, Adaptive Threats are defined as:

“…threats intentionally caused by humans.” It further states that Adaptive Threats are: “…caused by people that can change their behavior or characteristics in reaction to prevention, protection, response, and recovery measures taken.” The concept of threat adaptation is directly linked to the defense cycle.  In short, as defenses improve, threat actors change their tactics and techniques to adapt to the changing controls.  As the threat actor improves their capabilities the defensive actors necessarily have to change their own protections.  This cycle continues ad infinitum until there is a disruption.”  Read the whole article!

I am back ;) “The Markerian Heptad and Understanding Attacker Motivations” February 24, 2020

Posted by Chris Mark in cybersecurity.
Tags: , , , , , , , , ,
add a comment

It has been a bit of time since I have posted.  I am back with a blog post I wrote for AT&T CyberSecurity Blog. Titled, “Understanding CyberAttacker Motivations”  It discusses what I call the “Markerian Heptad” (Yes..I named it after myself 🙂 and describes the 7 basic motivations that underpin why an attacker would target a particular person, company, organization, etc.

“Implementing a risk based security program and appropriate controls against adaptive cyber threat actors can be a complex task for many organizations. With an understanding of the basic motivations that drive cyber-attacks organizations can better identify where their own assets may be at risk and thereby more efficiently and effectively address identified risks.  This article will discuss the Rational Actor Model (RAM) as well as the seven primary intrinsic and extrinsic motivations for cyber attackers.

Deterrence and security theory fundamentally rely upon the premise that people are rational actors. The RAM is based on the rational choice theory, which posits that humans are rational and will take actions that are in their own best interests.  Each decision a person makes is based upon an internal value calculus that weighs the cost versus the benefits of an action.  By altering the cost-to-benefit ratios of the decisions, decisions, and therefore behavior can be changed accordingly. 

It should be noted at this point that ‘rationality’ relies upon a personal calculus of costs and benefits.  When speaking about the rational actor model or deterrence, it is critical to understand that ‘rational’ behavior is that which advances the individual’s interests and, as such, behavior may vary among people, groups and situations.”..READ MORE HERE!

HR 4036, the “Hack Back Bill”; Understanding Active & Passive Deterrence and the Escalation of Force Continuum. October 22, 2017

Posted by Chris Mark in cybersecurity, Uncategorized.
Tags: , , , , , , , , , ,
2 comments

SMallPirI wrote this original post several years ago but it seems to be more relevant now.   As CNN reports HR4036…”…formerly called the Active Cyber Defense Certainty (ACDC) Act and informally called the hack-back bill – was introduced as an amendment to the Computer Fraud and Abuse Act (CFAA) last week. Its backers are US Representatives Tom Graves, a Georgia Republican, and Kyrsten Sinema, an Arizona Democrat.”

This is a bill that is sound in theory and terrible in practice.  According to the Bill, (named ACDC) it would enable a company to take “..active defensive measures..” to access an attacker’s computer.  This is only applicable in the US…Think about this for a minute.  What is the evidence that I was the attacker of company A?  Maybe (quite possibly…almost certainly) a hackers is using my system as a proxy.  So some company can now attack my personal computer?  What happened to “due process”?.  If company X simply believes I am a hacker, they can access my personal data without a court order or any due process.  More profoundly, the issues it raises pose very real and very direct risks to employees of the company who ‘hacks back’.  This, I think, is unacceptable.

Having performed physical security in very real and very dangerous environments, I can personally attest to the fact that physical threats are real and difficult to prevent.  By allowing a ‘hack back’ the company faces a very real risk of escalating the situation from the cyber domain into the physical domain.  There is NO corporate data that is worth risking a human life.

Too often cybersecurity professionals forget that they are SECURITY professionals first and the  same rules of deterrence, escalation of force and other aspects apply.  Given this new Bill,  I felt this was a good time to again discuss deterrence (active and passive) and once again talk about the Escalation of Force Cycle.  So, what is deterrence? (warning…long post)..pic of the author off the cost of Somalia doing anti-piracy operations)

The History of Deterrence Theory:

The concept of deterrence is relatively easy to understand and likely extends to the earliest human activities in which one early human dissuaded another from stealing food by employing the threat of violence against the interloper.  Written examples of deterrence can be attributed as far back as the Peloponnesian War, when Thucydides wrote that there were many conflicts in which one army maneuvered in a manner that convinced the opponent that beginning or escalating a war would not be worth the risk.[1]  In the 4th Century BC, Sun Tzu wrote: “When opponents are unwilling to fight with you, it is because they think it is contrary to their interests, or because you have misled them in to thinking so.”[2]  While most people seem to instinctively understand the concept at the individual level, contemporary deterrence theory was brought to the forefront of political and military affairs during the Second World War with the deployment of nuclear weapons against Nagasaki and Hiroshima.[3]

The application of deterrence during WWII was the beginning of understanding that an internal value calculus drives human behavior and that behavior could be formally modeled and predicted with some degree of accuracy.  (more…)

Chris Mark to speak at 2016 TASSCC Annual Conference June 3, 2016

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , , ,
add a comment

I wTASCCas excited to receive a call yesterday evening in which I was informed that my presentation abstract was accepted for the 2016 TASSCC Annual Conference being held in August in Galveston, TX!  If you are not familiar TASSCC is Texas Association of State Systems for Computing and Communications.  They host a great event every year and are pretty selective about choosing speakers.

My topic will be a variation of my dissertation study related to adversarial analysis.  As opining on Bayesian Inference, Proximate reality, and apophasis as they relate to security events would likely put the crowd to sleep I am going to cover some important topics at a high level and then provide a live demonstration of the dark web.  People are always shocked to see in real time where they can hire a hitman, or have a Kilo of Cocaine delivered to their door using only BitCoins.

Chris Mark Speaking at OpenEdge 2016 Partner Advisory Board May 27, 2016

Posted by Chris Mark in cyberespionage, cybersecurity, Uncategorized.
Tags: , , , , , ,
add a comment

OpenEdgeI am honored to have been asked to present as the keynote speaker at the OpenEdge 2016 Partner Advisory Board on June 6th, in Chicago, Il.  I will be speaking on the state of cybercrime today and provide a live demonstration of the Dark Web as well as a description of how cyber thieves steal and use payment card data.  It should be a fun event for everyone!  If you are an OpenEdge Partner please consider attending!

%d bloggers like this: