Security 101: The Human Element – “Trust but Verify” August 24, 2011
Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management. Tags: Aegenis, Chris Mark, InfoSec, InfoSec & Privacy, Maritime Security, operational security
As maritime security becomes more lucrative and companies take steps to stop attacks, it is the natural evolution of crime that the pirates will begin looking for new vulnerabilities to support their efforts. Often the most vulnerable element of any security strategy is the human element. People often provide the proverbial ‘weak link’ in the strategy. Often it is not an intentional act by a person that creates an issue. It could be a simple mistake or the person could be deceived into taking action. While these are common aspects of security today, I want to talk about people that take direct action with intentions that are contrary to the organization. It is not something that any company likes to consider, but it is an unfortunate fact of life. People are rational actors, and as such a percentage of any population will be inclined to perform actions that are outside the bounds of what are considered by most to be ethical or moral behavior. This is where the idea of “trust but verify” comes in. We all like each other and we all want to believe that we are all honest people. It is irresponsible, however, to simply take people at their word. It is responsible and appropriate given my access to information.

It is obvious that with increased responsibility comes increased authority. Often this leads companies to believe that these senior “trusted” individuals do not require the same level of monitoring to which more junior-level employees may be subject. This is a serious mistake. Increased responsibility and authority come with increased access to information. It is often these very employees that can do the greatest damage. I will give an example from my own experience.
Recently, through some legal proceedings, it was discovered that a former Chief Technology Officer of a company I previously owned had taken steps to download every single employee and contractor’s email to his personal system. When confronted at the proceeding, he admitted he had indeed downloaded every email. He then took a number of steps to hide his actions. His actions were only discovered 2 years later through legal proceedings. He has not divulged why he took such action. It should be noted that in many states in the US this is not only a crime but is a felony. This was not a junior-level employee who could plead ignorance. This was a person with a graduate degree in information security who, by his own admission, “defines security and risk”. To say I was apoplectic when I discovered his actions would be an understatement. He not only violated the trust of the company and me personally, but potentially committed a serious crime. The point of this example is to demonstrate the need to “trust but verify” what ALL employees are doing.
Operational security, or OpSec, is increasingly important in a hyper-competitive world. Add to that the new threat of information theft by pirates and those supporting piratical acts, and the need to protect your information and assets becomes critical. It is not only the junior-level staff that should be monitored and ‘verified’; it is all employees. Anyone with a security clearance is used to the fact that every few years the Gov’t decides to crawl through your life and put you through a polygraph to ensure that you are still ‘trusted’. This is a good example of ‘trust but verify’. When developing a strategy to address information security and operational security, it is important that all areas of the business are considered and addressed. Often it is a single trusted person that causes irreparable harm to the organization.
Somali Pirates attack another tanker in port of Salalah August 22, 2011
Posted by Chris Mark in Uncategorized. Tags: Chris Mark, gulf of aden, InfoSec, Maritime Security, Piracy & Maritime Security
A day after pirates hijacked a ship while it was anchored in the port of Salalah, a group attacked another chemical tanker in the same location. This ship was able to avoid capture, however. As stated by the IMB:
“Pirates in a skiff chased and fired upon a chemical tanker,”…”The pirates made several attempts to board the tanker and finally aborted the attack due to the evasive maneuvers made by the tanker.”
Somali Pirates hijack vessel while at anchor! August 21, 2011
Posted by Chris Mark in Uncategorized. Tags: armed security, Chris Mark, gulf of aden, gulf of aden security, InfoSec, Maritime Security, somali pirates, Somalia
In what is being described as the first attack of its kind and the most brazen attack yet, Somali pirates hijacked the chemical tanker MV Fairchem Bogey with a crew of 20 Indians and flagged in the Marshall Islands.
She was taken at anchor off Port Salalah, Oman. Boarded at 0530 and forced to heave up and steam toward Somalia. An Omani warship fired across the bow but the Master was forced to call the managers and tell them that the pirates were prepared to kill the crew, all lined up on the bridge, if the pursuit was not called off. The warship shadowed the vessel until out of Omani territorial waters.
This brazen attack demonstrates that the tactics used by pirates will evolve and become more sophisticated over time. This year alone there have been many firsts: attacks in the Red Sea, vessels hijacked during Monsoon season, not releasing crews after ransoms were paid, and now hijacking vessels while anchored at port.
“Swarming Attacks” suggest new pirate tactics August 19, 2011
Posted by Chris Mark in Uncategorized. Tags: Chris Mark, gulf of aden, InfoSec, maritime piracy, Maritime Security, Piracy & Maritime Security, somali pirates, Somalia
On August 7th, 2011 IMB reported an attack on a ship in the Red Sea in which it appeared that pirates were banding together and ‘swarming’ to attack vessels. This wolfpack-type attack was brushed off by some in the security industry. On August 18th, 2011 the IMB live reporting system reported another such attack. In this attempted hijacking, 7 high-speed boats filled with 3-5 men, each armed with automatic weapons, swarmed a ship in an attempt to hijack the vessel. As this attack was only 27km from the previous attack, the implication is that pirate groups may be operating in distinct areas.
On a more fundamental level, this new type of attack should not come as a surprise. Security and risk theory holds that as long as the perceived payoff exceeds the perceived risk, criminals will continue to attempt to circumvent controls. As controls change, criminal tactics will change in response. Given that the average ransom paid exceeded $3 million in 2010, it is not expected that pirates will give up their attempts at hijackings for farming any time soon. Shipping companies would be well advised to consider that pirate attacks will continue to increase in violence and tactics will continue to evolve in response to security controls being employed.
Somali Pirates release Maltese Bulk Carrier August 15, 2011
Posted by Chris Mark in Piracy & Maritime Security. Tags: Chris Mark, Maritime Security, Piracy & Maritime Security, somali pirates, Somalia
Somali pirates released the 52,466-tonne vessel MV Sinin along with its crew of 22 (12 Iranians and 10 Indians) after ransom was paid for the ship. The ship had been hijacked in February, 2011. According to U.S. think-tank One Earth Foundation, the average ransom per ship in 2005 was $150,000. By 2010, it had jumped to an average of $5.4 million per ship, with large cargo vessels and oil tankers popular targets.