
UPDATE “Just Say No!”- to Facebook Login Request for Employment March 23, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy.

UPDATE: Kudos to Facebook for weighing in on this subject.  Facebook says that not only is the practice wrong, but it is a violation of Facebook’s terms of service.  Echoing what I (and others) have said, logging into someone’s FB page could expose the employer to a lawsuit.  “(W)e don’t think it’s right the thing to do,” she said. “But it also may cause problems for the employers that they are not anticipating. For example, if an employer sees on Facebook that someone is a member of a protected group (e.g. over a certain age, etc.) that employer may open themselves up to claims of discrimination if they don’t hire that person.”

I find myself posting on this subject occasionally because a neighbor, friend or other person will inform me that during an interview or application they were asked to provide their Facebook or other ‘social media’ login. This topic seems to arise again and again, and was again highlighted on msnbc.com. So, for those who are asking or saying: “Chris, if you have nothing to worry about, then why do you care?” Valid question. Let me answer. First, if you are looking for a job, as a responsible professional person you should take care not to post inflammatory, racist, hateful or other such items on your social media. If you are a proud member of a hate group, you may want to keep that info private. Pictures of you doing drugs or being arrested in New Orleans are also probably a bad idea. (more…)

“Failed State of Security”- Published by IDGA March 21, 2012

Posted by Chris Mark in InfoSec & Privacy, Laws and Legislation, Risk & Risk Management.

The Institute for Defense and Government Advancement (IDGA) has published the whitepaper “Failed State of Security”; A Rational Analysis of Deterrence Theory & Its Effect on Cybercrime. Check it out!

Abstract: “In reviewing the literature on criminology and information security it appears that, while they share many common themes, there is a disconnect between the criminological theory and its application in information security. Information security, as a field, is focused on the protection of information assets. Criminology is focused on the prevention of criminal behavior. As most information security practitioners will likely attest, there is little overlap between the two fields and there has been little research or focus on the use of crime theories on the prevention of cybercrimes. This paper attempts to bridge the gap between the fields and highlight the deficiencies in the current approach of compelling victims to prevent cybercrime as opposed to deterring the criminals from committing cybercrimes.”

The Carpenter, Not the Hammer, Builds the House March 8, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management, weapons and tactics.

I was in a discussion yesterday with a friend of mine who happens to be the Editor in Chief of The Counter Terrorist Magazine. Chris and I served together long ago and I always enjoy talking to him as he is one of the most insightful people I know. He mentioned what he felt was the over-reliance on technology in CT operations and how it was causing people to lose sight of the fact that it is the people that matter and not the tools.

I find this particularly relevant in all areas of security but especially in information security.  In a past life I operated as a Marine Scout/Sniper.  When my civilian friends learn of this, it is not uncommon for me to hear the question: “What is the best rifle to use?”  (more…)

Turncoat Rolls on Anonymous March 7, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy.

This is a post I struggled to write. I struggle because I do not personally agree with LulzSec’s or Anonymous’ objectives and tactics, but this post is not about their tactics or views. Rather, it is a discussion of ethics and honor between people and of lessons to be learned about human behavior. The links have some very interesting stories of how “Sabu” turned on his own group.

As a young Marine I remember an old salty Gysgt. telling us: “Courage is not a lack of fear.  That’s what we call crazy.  Courage is when you are afraid and still being able to act in the face of your fear.” (more…)

“A Failed State of Security”; Deterrence Theory & CyberCrime (Research Brief) March 5, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy, Risk & Risk Management.

Expanding on the concept of Rational Deterrence and its effect on crime, we have published a research brief on Deterrence Theory and Its Effect on CyberCrime. The brief outlines the failing strategy of compelling companies to prevent breaches without deterring those who commit the crimes. You can download the brief (all 25 pages) here. Below is a short excerpt:

“At RSA’s annual security convention on February 28th, 2012, the head of the Federal Bureau of Investigation, Mr. Robert Mueller, stated ominously: “There are only two types of companies. Those that have been hacked and those that will be.”[1] At the same event, the CEO of RSA told the audience: “Our networks will be penetrated. We should no longer be surprised by this.” He further stated: “The reality today is that we are in an arms race with our adversaries, and right now, more often than not, they are winning.”[2] The comments, while accurate, are late in coming. RSA, one of the world’s largest security vendors, was breached in 2011. The breach was more than a simple theft of customer data. The breach was a theft of intellectual property that compromised the infrastructure of RSA’s 2-factor authentication system known as SecurID. This potentially exposed thousands (if not more) of companies to a bypass of their own access control mechanism.

RSA’s CEO then continued: (more…)