jump to navigation

“A Rose by Any Other Name…” – Selecting the Right InfoSec Professional August 22, 2012

Posted by Chris Mark in cybersecurity.
Tags: , , , , , , , ,
add a comment

Last week I had an experience that left me chuckling and shaking my head at the same time. I had been approached by a company that had some infosec needs.  According to the person with whom I spoke, they had found me on LinkedIn and wanted to talk.   This company had recently settled with some regulators over some privacy and other regulatory practices and were looking to beef up their security and compliance.   I spoke to one person for about an hour and a half and was asked to send more info.  Later that week I received a call from the person with whom I had spoken an was informed that the company was looking for someone with INFORMATION SECURITY experience.  I (likely not so politely) asked what they thought I did for a living?  His response was that the company was looking for someone with a computer science degree.  It was curious that they did not say an information assurance degree, or cybersecurity degree…or…list an certifications or skills…simply computer science.  Well then…there you have it.  Apparently, this company feels the only real qualification for ‘infosec’ is a computer science degree.   Considering their previous issues, you would think they would have a better handle on info sec and their needs.

When looking for an infosec professional understand that there are technical skills which are certainly important (encryption, configuring firewalls, devices, systems, app layer security etc., etc., etc.)  There are other aspects which are important, as well.  Understanding the compliance mandates as well as the various regulatory requirements and regimes is critical in today’s world.  While not specifically defined as ‘infosec’, an understanding of privacy issues (how data is used) is also important.  While understanding technology is critical, being a skilled infosec professional is about more than simply understanding technology and about more than computer science.  While I may not have been right for that particular engagement for other reasons, the company’s laser focus on a ‘computer science’ degree at the exclusion of the other aspects suggests this company may be focused on the wrong areas.  Maybe they should question why they had issues to begin with.

“Gauss What!?” – Another CyberWeapon Discovered August 14, 2012

Posted by Chris Mark in cyberespionage, Risk & Risk Management, terrorism.
Tags: , , , , , , , ,
add a comment

According to Kaspersky labs, yet another cyberweapon was discovered last week.  On August 9, 2012 Kaspersky labs released a press release stating that they had identified another cyber-weapon dubbed Gauss.  According to the press release:

“…‘Gauss’, a new cyber-threat targeting users in the Middle East. Gauss is a complex, nation-state sponsored cyber-espionage toolkit designed to steal sensitive data, with a specific focus on browser passwords, online banking account credentials, cookies, and specific configurations of infected machines. The online banking Trojan functionality found in Gauss is a unique characteristic that was not found in any previously known cyber-weapons.” (more…)

“Tell me, Show me, Convince me”; Policies, Enforcement, and Auditing August 7, 2012

Posted by Chris Mark in cybersecurity, Risk & Risk Management.
Tags: , , , , , , , ,
add a comment

I was speaking with a client yesterday about policies and auditing.  He asked me a question and it reminded me of what I told my clients for years regarding policies.  First, it is important to remember that a policy is NOT a document. The document is a record of the policy that was passed and tool for disseminating the policy. It should be a reflection of the policy that has been approved by management.  Simply having a written document does not mean you have a policy.  The policy must be approved, documented, disseminated, and enforced.  Second, it is important to remember that writing and approving a policy is the easy part.  Ensuring adherence with the policy  and enforcing the policy is the difficult part.  Make no mistake.  A policy that is not enforced will not be followed for very long.  People are inherently lazy (this writer included).  We take the path of least resistance.  Policies require difficult, often inefficient methods.  Without enforcement, they will fall by the wayside.  Third;writting, approving and documenting a policy is often much easier than implementing the policy.  Consider the following example.  Company X passes a policy that requires all computer and IT users’ access be modeled on “need to know” and “model of least privilege” (standard model).  This alone requires an audit of every person’s existing privileges, as well as identification and documentation or their roles and responsibilities.  Then each role would need to have access levels documented and assigned.  As you can see, a simple one line policy statement may have deep implications.  Finally, it is important to ensure that your company adheres to the documented policies.  This is a three step process I describe as “tell me, show me, convince me”

1) Show the auditor that you have a documented policy that is updated, approved by management and disseminated to employees.

2) demonstrate to the auditor that you are currently in compliance with the policy.

3) convince the auditor that you have a history of following the policy by producing relevant documentation/evidence to show compliance over time. (last 3 months, last 6 months).

By using the tell me, show me, convince me model with policies and departments you can have confidence that your policies are being enforced, and followed.

“Experts Around Every Corner; Part Deux” -Safes, Security, Expertise and Ignorance July 16, 2012

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , ,
add a comment

“There is nothing so stupid as an educated man. If you get him off the thing he was educated in.” – Will Rogers

This weekend I was reading a major news source and I was struck by an article on Safes.  As I have a gun safe, and other safes, I thought it would be interesting to read. I have written posts before on expertise (Experts in every room).  Various ‘expert’s are interviewed in the article.  One in particular stood out.  He said: People need to wake up. They think they are protecting themselves, but they may actually be putting themselves at more risk,”  As this was a very pointed statement (People need to wake up!)…I immediately thought that my own strategy of securing my valuables was mis directed.  I continued reading to see who this expert was…He then said: “Sure you want to have some cash at home, but more than a little feels unsafe,” (I have added the bold)…the expert was a man named Michael Cresh…what is his job?  You are probably thinking police officer, security expert, safe expert, or something similar.  You would be mistaken.  He is a Certified Financial Planner.  If I were asking for financial planning, this is the person that I would turn to. If I am considering the purchase of a safe, I can safely say (pun intended) I could not care less what a CFP has to say unless he has some other level of expertise.  His statement belie his ‘expertise’ and demonstrate he has little understanding of physical security or risk analysis as it pertains to physical security. (…feels unsafe).

When considering a security professional that proclaims expertise, take a very close look.  Whether maritime security, information security, personal security, or any other area of security there are more than a few self proclaimed experts walking the halls.

Last year I wrote a paper for companies to use when evaluating expertise in the maritime security industry.  While focused on maritime security it is relevant to all areas of expertise.  You can read the article here.

“Pinky and the Brain” – Chris & Heather Mark’s Articles in Transaction World Magazine June 21, 2012

Posted by Chris Mark in cybersecurity, Industry News, InfoSec & Privacy.
Tags: , , , , , , ,
add a comment

I heard yesterday from the EIC of Transaction World Magazine that they will be publishing one of my articles in their August 2012 issue.  Stay tuned!  I have written for TW numerous times over the past 7 years or so and Heather has written for them consistently since about 2005.  You can read her current article here and see archives of Heather’s articles at this link.  If you are not in the payments industry and want to know about the exciting world of credit card issues, check out TransactionWorld.  It has great articles covering everything from compliance, to security, interchange, and more.  Here are two links to a couple of my previous TW articles..1) Why Regulation Cannot Prevent CyberCrime and 2) Lessons from the Heartland Breach…clearly in this relationship Heather is the Brain and I am Pinky 😉

%d bloggers like this: