“You Are the Weakest Link! Or Are You”- Guest Post by Dr. Heather Mark June 7, 2017
Posted by Chris Mark in Uncategorized.Tags: Breach, compliance, Data, Ethics, Heather, Mark, PCI DSS, security, technology
add a comment
The incomparable
Dr. Heather Mark (my wife…and compliance expert) has a new blog post…
“If you’ve been in security or compliance long enough (and by that I mean approximately a week), you’ve heard the old adage that our largest vulnerability are our people. Firewalls don’t just randomly open ports. Email clients don’t just decide to send proprietary and sensitive information to third parties. These are actions, sometimes deliberate and sometimes accidental, taken by the human assets within our companies, not the technological ones. Technology is not imbued with the ability to autonomously break laws or divulge sensitive information. Technology largely does what it’s programmed to do. People – these are the elements that cannot really be controlled or predicted. Of course, we can implement technology to mitigate the risk presented by human nature. But at the end of the day, a determined individual can still wreak a lot of havoc. This argument is often made just to make that point that we can’t be complacent. And to a very large extent, it’s correct. But I would posit that people can also be one of our biggest assets with respect to maintaining compliance and ethics programs.I watch a lot of what my husband refers to as “murder shows” – Forensic Files, 20/20, and the like. My favorite, though, is Dateline when the story is presented by Keith Morrison. He has a way of telling a story. Don’t believe me? I give you proof.”…Click here for more from Dr. Heather Mark’s Blog!
The Danger of Biometrics for Personal Use – Limited Legal Protection October 17, 2016
Posted by Chris Mark in Uncategorized.Tags: 4th amendment, 5th amendment, biometrics, Breach, Chris Mark, Data, fingerprint, hack, privacy, security
1 comment so far
I have never been a proponent of using Biometrics and have frequently made jokes about not wanting “the man” to have my finger prints. Well, it looks like my position may have been well founded.
Recently, it was reported in Forbes.com that on May 29th, 2016 the US Government had filed a motion for the court to require residence in a Lancaster, California home to provide their fingerprints to open an iPhone. More disturbingly, the motion called for: “authorization to depress the fingerprints and thumbprints of every person who is located at the SUBJECT PREMISES during the execution of the search and who is reasonably believed by law enforcement to be the user of a fingerprint sensor-enabled device that is located at the SUBJECT PREMISES and falls within the scope of the warrant.” In short, they didn’t just want the finger prints they wanted to force the residents to actually ‘use their finger’ to open the phone. The warrant was not available to the public, nor were other documents related to the case. Like many people, I asked “how can the courts do this?” It would seem to me like an invasion of privacy (among other things). Marina Medvin of Medvin law said: ““They want the ability to get a warrant on the assumption that they will learn more after they have a warrant. “Essentially, they are seeking to have the ability to convince people to comply by providing their fingerprints to law enforcement under the color of law – because of the fact that they already have a warrant. They want to leverage this warrant to induce compliance by people they decide are suspects later on. This would be an unbelievably audacious abuse of power if it were permitted.” Unfortunately, it was indeed permitted.
Is it legal? According to the article in Forbes:
“In past interpretations of the Fifth Amendment, suspects have not been compelled to hand over their passcode as it could amount to self-incrimination, but the same protections have not been afforded for people’s body data even if the eventual effect is the same. Citing a Supreme Court decision in Schmerber v. California, a 1966 case in which the police took a suspect’s blood without his consent, the government said self-incrimination protections would not apply to the use of a person’s “body as evidence when it may be material.”
It also cited Holt v. United States, a 1910 case, and United States v. Dionisio, a 1973 case, though it did point to more recent cases, including Virginia v. Baust, where the defendant was compelled to provide his fingerprint to unlock a device (though Baust did provide his biometric data, it failed to open the iPhone; after 48 hours of not using Touch ID or a reboot Apple asks for the code to be re-entered.).
As for the Fourth, the feds said protections against unreasonable searches did not stand up when “the taking of fingerprints is supported by reasonable suspicion,” citing 1985′s Hayes v. Florida. Other cases, dated well before the advent of smartphones, were used to justify any brief detention that would arise from forcing someone to open their device with a fingerprint.”
We do know that the warrant was served. It does appear that you cannot be forced to give up a passcode as it could amount to Self Incrimination under the 5th Amendment however you do not have the same protections for biometrics. This is another instance where the law has not kept pace with technology. For this reason, and others I will not use biometrics for personal security.
Dear OPM – Thanks for exposing my data!…”Clean up your own backyard!” (Elvis) October 20, 2015
Posted by Chris Mark in Uncategorized.Tags: Breach, Chinese, compromise, cyber, Data, Elvis, FISMA, hack, Menendez, OPM, SF86, Target
add a comment
Let me start with Elvis’ “Clean up your own Backyard”
“Back porch preacher preaching at me
Acting like he wrote the golden rules
Shaking his fist and speeching at me
Shouting from his soap box like a fool
Come Sunday morning he’s lying in bed
With his eye all red, with the wine in his head
Wishing he was dead when he oughta be
Heading for Sunday school
Clean up your own backyard
Oh don’t you hand me none of your lines
Clean up your own backyard
You tend to your business, I’ll tend to mine”
Today I received a letter from the United States Office of Personnel Management or OPM informing me that my personal data had been stolen in a data breach. As a quick reminder the OPM was the victim of a major data breach in which over 22.4 million current and former federal workers and military members’ personal information was stolen by the Chinese Government although the Obama administration did not formally accuse Beijing.
The breach was finally disclosed by the OPM in June 2015 but started in March 2014. So what was stolen? According to the report I received today…it included (ready for this)…1) Social Security Number 2) Full Name 3) Address 4) Education History 5) Employment History 6) Information on my dependents and close family and 7) my SF86 from when I applied for my security clearance…among other data. For those who are unaware..the SF86 is a 127 page document titled “Questionnaire for National Security Positions” that asks questions about every aspect of a person’s life to include 1) Friends’ names, 2) Emotional and Psychological health, 3) use of alcohol and drugs 4) financial issues 5) affiliations with groups and more! This information is much more personal and sensitive than just a social security administration.
I find it amusing that within 2 days of Target notifying that they had been victimized by criminals who stole millions of credit card numbers that the “Honorable” Senator Menendez (D NJ) a sitting US Senator (and “back porch preacher” who is now under criminal indictment) would deride Target and ask whether the: “…FTC has the teeth to hold retailers who failed to protect consumers’ information accountable,” He then continued: “if a company doesn’t invest in security to ensure customer data can’t be stolen, “then you have to question why a company would not do that.” The Target CFO would be forced to APOLOGIZE to the US Congress for security ‘failures’ yet when the OPM is breached the US Government distances itself from any liability. This is sine qua non for any action in which the Federal Government fails..they simply deny that they failed. According to OPM spokesperson Samuel Shumach: (more…)
Chris Mark speaking at COMTEC 2014 by TouchNet August 27, 2014
Posted by Chris Mark in Uncategorized.Tags: AT&T, Breach, cardholder, Chris Mark, compromise, COMTEC, Data, data security, education, higher, PCI, TouchNet
add a comment
Chris Mark will be presenting at the 2014 COMTEC TouchNet Client Conference on PCI DSS and data security within the payment card industry. The title of the presentation will be Hitting the PCI Bullseye. COMTEC is the premier conference for Higher Education organizations. I was invited to speak in 2012 but found myself delayed returning to teh US as I was in the Gulf of Aden providing maritime security. Below is a description from the TouchNet website.
“Join us for the COMTEC pre-conference PCI Workshop: Hit the Bullseye on November 10th. This power-packed day of PCI and security training is vital for business, security, compliance, audit, and IT professionals who want to stay on target with changes in payment security rules in the coming year. You’ll get real-world advice on compliance and best practices from industry experts and campus leaders who are dedicated to information security.”
Chris Mark in May 2014 TransactionWorld Magazine May 4, 2014
Posted by Chris Mark in Uncategorized.Tags: AT&T, Breach, Chris Mark, Data, data compromise, information, mastercard, PCI, Practice Director, QSA, security, visa
add a comment
You can Chris Mark’s (my) latest article in May, 2014’s edition of TransactionWorld Magazine. Titled “5 Common Security Practices that Put You At Risk” This particular article is about how common errors companies make in security and compliance and how to reduce the risk of compromise. By now we all recognize that 100% security can never be achieved. By following well established security practices you can can minimize the risk to which your organization is exposed.
Global Security, Privacy, & Risk Management 