
Chris Mark in The Maritime Executive August 30, 2011

Posted by Chris Mark in InfoSec & Privacy, Piracy & Maritime Security, Risk & Risk Management.

Yours Truly (Chris Mark) was interviewed in the current issue (July – August, 2011) of The Maritime Executive on the topic of Cyber Piracy. You can read a summary of the issue here. If you are not a current reader, Maritime Executive is a great periodical with volumes of information on the maritime industry. You can subscribe to the print edition here.

“Jack O’Connell has explored the Internet underworld with his piece, “Cyber Piracy: Clear and Present Danger?” It’s a dangerous cyber world in which we unknowingly tread, so users beware. Both of these articles are timely and essential reminders of an Internet moving faster than a speeding bullet.”

Pakistan training pirates? August 30, 2011

Posted by Chris Mark in weapons and tactics.

According to an article published on Zeenews, India claims to have “material evidence” that Somali pirates are receiving training in Pakistan. According to the article, the training is intended to support a proxy war against India. Whether this assertion stands up to scrutiny remains to be seen. If, however, Somali pirates are receiving formal training from foreign governments, it would suggest a much deeper problem for shipping companies. As the story develops we will provide more information.

Somali pirates release vessel after 10 months in captivity August 30, 2011

Posted by Chris Mark in Uncategorized.

A Greece-based shipping company has spoken of its distress during a piracy experience following the release of its hijacked tanker after 10 months in captivity. While Paradise Navigation, operators and managers of the 72,825 dwt product tanker MV Polar, said it was “delighted” with the freeing, they were frustrated that owners and operators have been left unaided against piracy.

While faced with many decisions on how to deal with piracy, ultimately shipping companies need to remain proactive in protecting their interests. The community can’t afford to wait for intervention by international governments. The message is loud and clear: this is an industry problem and needs to be dealt with by the industry.

Security 101: Defense in Depth August 26, 2011

Posted by Chris Mark in Risk & Risk Management, Uncategorized.

This post is a complement to the post Risk 101. In reading a number of articles and positions on maritime security strategies, it appears that some of the authors, while well intended, misunderstand or misstate the basics of security. While this particular post is not a dissertation on security, it will discuss one of the more important concepts: defense in depth.

While defense in depth has been widely promoted as an information assurance concept developed by the NSA, it originates from military strategy. To understand how defense in depth works, it is important to understand that security is not, and cannot be, absolute. It is not a binary concept of “secure” or “not secure”. The appropriateness of a security strategy is relative to the identified risk. One cannot say: “my house is secure”. You can say: “My house has been secured in a manner that is commensurate with the identified risks”. Security should be viewed as a function of time and effort. Given the skills and tools, a person with sufficient time and effort can theoretically circumvent any control. As skills and tools improve, security controls must also adapt. Safes are good examples of this concept. The Safe Source provides US safe ratings. Safes are rated from B1 (simple theft resistant) to B6, an underwriters’ certification which includes TRTL-30. This rating means that a particular safe has been shown to withstand 30 minutes of net working time with a torch and a range of tools, including high-speed drills with carbide bits, saws and prybars. While safe ratings are not the focus of this post, they are a good example of the security continuum. Notice that none of the ratings provides a ‘guarantee’ that the safe can never be breached. With tools and effort it is simply a matter of time. The goal of any security strategy is to shift the risk/reward calculation to the point where the attackers give up on the effort.

The basic concept behind defense in depth is to give up space to buy time. By implementing multiple layers of controls, each designed to delay the attacker, it is possible to shift the risk/reward calculation to the point where it is simply not a wise investment of time to continue the effort. Remember that security must be implemented commensurate with the identified risk. As the risk increases the controls must increase proportionally. Until this past year, many shipping companies were content with using less-than-lethal technologies to deter pirates. As ransoms have exceeded $3 million US, the pirates have greater incentive to assume risk and spend the time and effort on an attack, and therefore shipping companies need to increase their security controls.

Defense in depth strategies require that companies evaluate and implement a number of controls. In general, security controls can be categorized into detective, preventive, and responsive controls. There is often a temptation to spend money and effort on preventive controls alone. This is a dangerous strategy. A complete defense in depth strategy will employ a number of overlapping controls, including best practices in ship speed, maneuvering, and routes, as well as more dynamic controls such as the use of armed guards and citadels. The controls should be included in a force continuum. In short, the use of force should be the last control employed…not the first.
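The “give up space to buy time” idea, the security-as-a-function-of-time point from the safe ratings, and the three control categories above can be put into a small model. The Python below is an added illustration, not code from the original post or from any maritime security product. It models a layered plan in which each layer has an assumed delay in minutes and an assumed chance of raising the alarm, plus a response that takes `response_min` minutes to arrive once the alarm is raised; an attack is interrupted only when the delay still ahead of the attacker at the moment of detection is at least the response time. The layer names, delays, detection probabilities and response times are constructed for a hypothetical vessel, detections at different layers are assumed independent, and the $3 million figure is the ransom level the post mentions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# The post's three control categories.
CATEGORIES = ("detective", "preventive", "responsive")


@dataclass(frozen=True)
class Layer:
    """One control in a layered plan.  All numbers are constructed assumptions."""
    name: str
    category: str      # one of CATEGORIES
    delay_min: float   # minutes an attacker needs to get past this layer
    p_detect: float    # chance the attack is noticed while this layer is being worked


def total_delay(layers: List[Layer]) -> float:
    """Time an attacker needs to get through every layer: the space traded for time."""
    return sum(layer.delay_min for layer in layers)


def categories_covered(layers: List[Layer]) -> Set[str]:
    """Which of the three control types the plan actually contains."""
    return {layer.category for layer in layers}


def p_interrupted(layers: List[Layer], response_min: float) -> float:
    """Probability that the response arrives before the attacker gets through.

    The first layer that detects the attack starts the response clock.  The
    attack is interrupted only if the delay still ahead of the attacker, from
    that layer onward, is at least response_min.  Layers are assumed to detect
    independently of one another.
    """
    p_undetected = 1.0  # probability that no earlier layer raised the alarm
    p_stop = 0.0
    for i, layer in enumerate(layers):
        remaining = sum(l.delay_min for l in layers[i:])
        p_first_detect_here = p_undetected * layer.p_detect
        if remaining >= response_min:
            p_stop += p_first_detect_here
        p_undetected *= 1.0 - layer.p_detect
    return p_stop


def attacker_expected_payoff(layers: List[Layer], response_min: float, reward: float) -> float:
    """Attacker's side of the risk/reward calculation: reward times the chance of not being stopped."""
    return reward * (1.0 - p_interrupted(layers, response_min))


# Constructed plan for a hypothetical vessel, in the order an attacker meets the layers.
FULL_PLAN = [
    Layer("lookouts and radar watch", "detective", 0, 0.5),
    Layer("speed and evasive maneuvering", "preventive", 20, 0.3),
    Layer("razor wire and fire hoses", "preventive", 15, 0.4),
    Layer("citadel with communications", "preventive", 90, 0.95),
]

# The same barriers with nobody watching: prevention only, which the post calls a dangerous strategy.
PREVENTION_ONLY = [
    Layer("speed and evasive maneuvering", "preventive", 20, 0.0),
    Layer("razor wire and fire hoses", "preventive", 15, 0.0),
    Layer("citadel", "preventive", 90, 0.0),
]

RANSOM_USD = 3_000_000  # ransom level the post mentions


def compare_plans(response_min: float) -> Dict[str, float]:
    """Side-by-side view of the two plans for a given response time."""
    return {
        "full_delay_min": total_delay(FULL_PLAN),
        "full_p_interrupted": p_interrupted(FULL_PLAN, response_min),
        "full_attacker_payoff": attacker_expected_payoff(FULL_PLAN, response_min, RANSOM_USD),
        "prevention_only_p_interrupted": p_interrupted(PREVENTION_ONLY, response_min),
    }


if __name__ == "__main__":
    # A response that can arrive within 60 minutes versus one that needs 240.
    for response in (60, 100, 240):
        print(f"response {response:>3} min:", compare_plans(response))
    print("prevention-only plan covers:", categories_covered(PREVENTION_ONLY))
```

Two things fall out of the numbers. With the constructed full plan, a response that arrives within 60 minutes interrupts the attack with probability about 0.99 because the citadel alone buys 90 minutes, while a response that needs 240 minutes never arrives in time no matter how good detection is, so the layers only pay off when they are matched to a realistic response. The prevention-only plan has the same total delay but no detective control, so the response clock never starts and its interruption probability is zero for any response time, which is the post’s point about spending on preventive controls alone.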

By evaluating your security needs and controls in the context of the identified risks to which your vessels are exposed, you are better able to make decisions regarding the types of controls required. By implementing those controls using a defense in depth strategy that addresses detective, preventive, and responsive controls, you ensure that you have a comprehensive security strategy designed to provide the maximum defensive value at the lowest possible cost.

Managing online “Reputational Risk” August 24, 2011

Posted by Chris Mark in InfoSec & Privacy, Piracy & Maritime Security.

In today’s world of near-instant communication and social media, it is easier than ever to get information to the world. Companies would be well advised to consider employing such technologies, as they often provide a very good return on investment. Like many technologies, social media is a double-edged sword and must be managed. Companies can be exposed to many forms of risk, including “reputational risk”. What is “reputational risk”? Simply put, it is a risk to an organization (or person) which derives from a negative association with the brand. This can be brought on by an executive saying or doing something illegal, or by an employee voicing a seemingly innocuous statement in what they believe is a private setting that then gets forwarded and distributed. Many Gen X job seekers are learning the hard way that their Facebook pictures of keg stands and Mardi Gras flashing follow them to their interview. Companies are much more savvy in searching out indiscretions on social media. The same holds true for companies and their executives.

I am constantly surprised by how little corporate executives seem to understand about the Internet, social media and how easy it is to find information. In today’s age it is important that companies have social media policies in place to ensure that 1) OpSec is not being compromised by an employee inadvertently giving away secrets and 2) reputational risk is being managed by ensuring employees understand that everything they do online is publicly available.

All employees should understand that everything they post online is accessible in perpetuity. While it is certainly every person’s right to have their own views on politics, sexuality, religion, and other topics, posting these views may irreparably harm the very company for which they work. It should be noted that the level of reputational risk exposure is directly proportional to the person’s role within the company. A junior-level employee who rails on about their views on gay marriage may harm their own reputation in some areas but will likely have less impact than a CEO who rails on about his dislike of women in the workforce.

Recently, I was doing some research on some companies and I found the CEO of a company who listed as his favorite quotation: “F@#K All”. As a former Marine and Sailor I am not offended by colorful language, but I question the professionalism of a CEO publicly listing his favorite quotation as something so patently offensive to so many people. What is more disturbing is that this quote was referenced not once but many times in various places throughout the Internet (as were other things). I am sure that this particular person felt his railings had been archived and deleted over time but, as stated previously, it is relatively trivial to find information that is believed to have been long deleted.

To protect yourself and your company from reputational risk follow these simple guidelines:

1) Operate with the belief that anything you post online is there “forever”. While the average user may not be able to retrieve some information, there are some people who can access nearly everything…and can repost it.

2) Don’t post anything patently offensive. While we all have our own political, religious and other beliefs, they may not be in line with our employer’s. While most companies are tolerant of such beliefs (there are laws that protect expression), understand that patently offensive statements can harm the company and your employment.

3) Don’t say anything that is patently offensive. Remember that this is 2011 and not 1988. Calls are recorded ‘digitally’, which means they are easy to retain, repost, and republish. If you are angry at someone, don’t call and leave drunken, profane threats on a recording. They are preserved forever (see #1).

4) Be aware that as an officer of a company there are likely people tracking your public online actions in near real time. This means that if you tweet something and then immediately ‘delete’ it, it has still been captured. Look at all of the US athletes and actors who have ‘tweeted and deleted’ only to have the press hold the original tweet.

Certainly some are reading this post and saying: “this hits close to home”. It should. Follow the simple rules above and you can manage online reputational risk for you and your company.