jump to navigation

Chris Mark speaking on PCI at a Business Process Outsourcing (BPO) event 2013 June 29, 2014

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , , , ,
2 comments

I was privileged to be able to speak at an AT&T BPO event in 2013.  In Feb 2014 AT&T Marketing published the videos.  I found one but was unaware they had published all 3. I hope you enjoy. (remember…the camera adds 10 lbs! 😉

”Active Responses” to CyberAttacks are Losing Propositions May 22, 2014

Posted by Chris Mark in cybersecurity, Data Breach.
Tags: , , , , , , , , , , , ,
1 comment so far

“Everyone has a plan until the’ve been hit” – Joe Lewis

PiratePicGRIHaving spent numerous years providing armed and unarmed physical security in combat zones, hospital emergency rooms, psychiatric wards, and anti-piracy operations off the coast of Somalia has given me a deep respect for force continuum and the dangers of unnecessarily provoking an escalation by a volatile and dangerous adversary.

As cyberattacks continue to plague American companies as well as the payment card industry, there is a growing voice within the cybersecurity industry to allow and empower companies to take offensive action against cyber attackers.  This is frequently referred to as ‘hacking back’ or ‘offensive hacking’.  Several prominent security experts as well as some companies who have fallen victim to cyber-attacks have begun advocating that ‘a good offense is the best defense’.   On May 28th, 2013 there was an online discussion in which an author of the upcoming book:  The Active Response Continuum: Ethical and Legal Issues of Aggressive Computer Network Defense[1] posted the following excerpt:

“There are many challenges facing those who are victimized by computer crimes, who are frustrated with what they perceive to be a lack of effective law enforcement action to protect them, and who want to unilaterally take some aggressive action to directly counter the threats to their information and information systems.”[2] (emphasis added) (more…)

“Failed State of Security” Part II; Cybercrime Victim Blaming May 18, 2014

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , , , , , , , , ,
add a comment

PartIIfailedStaetI am proud to release another research brief that is Part II of my “Failed State of Security” series in which I discuss and analyze victim blaming in the context of data security.  In 2012 I published a research brief titled “A Failed State of Security: A Rational Analysis of Deterrence Theory and The Effect on CyberCrime.” in which I discussed the failing of law enforcement, and cybersecurity to deter cyber events and discussed the theory of deterrence and the need for deterrence within cybersecurity.  You can download the article on IDGA’s website or on my own website here.  This paper is part II of the “Failed State of Security” series.  Started after the Target data breach, this topic is one that has always been close to me.  In April 2009 I wrote an article titled “Lessons from the Heartland Breach” which was published as the cover story by TransactionWorld magazine.

Victim blaming is common in sexual assault, as well as other types of crimes.  A quick Internet search will demonstrate scores of instances in which the victim of a violent is blamed for being victimized.   When we include a large, corporate entity it becomes easier to point the accusatory finger at the organization.  Whether due to Schadenfreude or some other reason, people want to blame companies that are victimized by hackers.  Did the company “cause” the breach?  Were they somehow complicit in the attack?  What do we mean when we say “cause”?  What is a causal fallacy?  These, and many more topics, are discussed in Part II of the “Failed State of Security” series.  I invite you to download “Failed State of Security Part II”; Victim Blaming in Cybercrime.  As always, I welcome any comments or debate on the topic…

“Do as I say, Not as I do”…General Services Administration (GSA) Exposes Personal Data March 16, 2013

Posted by Chris Mark in Uncategorized.
Tags: , , , , , ,
add a comment

Brian Miller, Martha Johnson, Jeff Neely, Michael Robertson, David FoleyThe infamous GSA, who in 2012, was identified for gross fraud, waste, and abuse, sent an email today disclosing to me, and every other company that has participated in Government contracting that the System for Award Management (SAM) system had a vulnerability that exposed sensitive data.  Here is a copy of the email I recieved today: (bold is my emphasis)..Before I go into more detail, I would personally like to thank the GSA for exposing my bank account data and SS# through their blind incompetence.  At least they “apologized” in their email.

Dear SAM user

The General Services Administration (GSA) recently has identified a security vulnerability in the System for Award Management (SAM), which is part of the cross-government Integrated Award Environment (IAE) managed by GSA.  Registered SAM users with entity administrator rights and delegated entity registration rights had the ability to view any entity’s registration information, including both public and non-public data at all sensitivity levels.

Immediately after the vulnerability was identified, GSA implemented a software patch to close this exposure.  As a precaution, GSA is taking proactive steps to protect and inform SAM users.

The data contained identifying information including names, taxpayer identification numbers (TINs), marketing partner information numbers and bank account information. As a result, information identifiable with your entity registered in SAM was potentially viewable to others.

Registrants using their social security numbers instead of a TIN for purposes of doing business with the federal government may be at greater risk for potential identity theft. These registrants will receive a separate email communication regarding credit monitoring resources available to them at no charge.

In the meantime, we wanted you to be aware of certain steps that all SAM users may want to take to protect against identity theft and financial loss. Specific information is available at www.gsa.gov/samsecurity.  If you would like additional background or have questions, you may call 1-800-FED-INFO (1-800-333-4636), from 8 a.m. to 8 p.m. (ET), Monday-Friday starting Monday, March 18. We recommend that you monitor your bank accounts and notify your financial institution immediately if you find any discrepancies.

We apologize for any inconvenience or concern this situation may cause. We believe it is important for you to be fully informed of any potential risk resulting from this situation. The security of your information is a critical priority to this agency and we are working to ensure the system remains secure. We will keep you apprised of any further developments.”

Interestingly, the FAQ posted on their website does not indicate how long the data was exposed.  Since SAM went into effect over a year ago, I am guessing that the vulnerability  had been in place for at least a year. 

Maybe, just maybe, instead of sending GSA employees to ‘cooking class’, and funding parties in Hawaii, the Federal Government should focus on protecting the data to which it is entrusted.  The Federal Government recently passed a CyberSecurity directive…again, maybe they should focus on cleaning their own house.

Update on Blogging and New Articles in TransactionWorld March 8, 2013

Posted by Chris Mark in cyberespionage, cybersecurity, Industry News.
Tags: , , , , , , , ,
add a comment

March coverI want to apologize for not blogging as frequently.  My new job has me hopping at the moment and I am writing extensively for AT&T’s Networking Exchange Blog.  You can check out my blog posts at AT&T’s Networking Exchange Blog .  In addition to my own articles, there are a number of other valable posts from other contributors.  Finally, Heather Mark and I both have articles in the March edition of TransactionWorld Magazine.  You can read Heather’s article here and Chris’ article here.