
Chris Mark Speaking at Combating Piracy Week in Hamburg February 2, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy, Piracy & Maritime Security, Risk & Risk Management.

I will be speaking at the Combating Piracy Week in Hamburg, Germany on the topic of CyberSecurity & CyberEspionage. The talk will focus on who is trying to steal your data and why. It will also cover the technologies and tactics used to steal corporate data and what that data is used for once stolen. You can get a preview of the topic by reading the Maritime Executive article in which I was interviewed.

If you have not attended one of the Hanson Wade Piracy events, it is worth attending. Hanson Wade's personnel do a great job of coordinating networking, and the speakers are all very professional and very adept. I have had the opportunity to speak at nearly 100 events in the past 12 years or so, and I would put the Hanson Wade events in the top 5 in terms of value for the money. I highly recommend this event for security companies that want to meet decision makers and speak with the people who influence the industry from a security perspective.

Rant Alert- Security Neophytes January 30, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.

Like others who read this blog, I have worked in several areas of security over the years including physical security and information assurance.  Irrespective of the domain of security in which you work, the underlying principles are similar. Risk management, defense in depth, and incident response are common principles in all areas of security though the implementation may differ.  Security is a discipline that, like any discipline, requires study and experience to become proficient.  Physical security is about more than holding a gun and information assurance is about more than having a firewall.

I recently came across the website of a company that states in no uncertain terms that they are experts in cybersecurity (and several other domains). To demonstrate their "industry leading" expertise they state that they can manage 'various firewalls' and that they have experience with 'intrusion detection systems'. Really? This is expertise? While we shake our heads at their approach, some company will hire them because they can offer services at lower rates (due to the lack of actual expertise), and there will be the inevitable incident. It is this amateur approach to security that results in companies being hacked in the information assurance business and people being arrested or killed in the maritime security arena.

For whatever reason, every Tom, Dick or Harry (or Sally) that has ever carried a rifle or worked for the government believes that he or she is now a "security professional". Unfortunately, these companies make their way into the various industries and create issues for those professional organizations that have actual expertise borne of hard-earned experience, and that have paid their dues to understand the issues and their discipline.

InfoSec 101: Technology doesn’t fail, People do… January 27, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.

As research indicates that pirates are beginning to engage the services of data thieves to steal data from shipping companies, it is important that the maritime industry begin looking at securing not only their vessels but their data assets as well. In my past life as a data security professional, I have had the opportunity to work with some very large, complex organizations. As a consultant I was often involved in the remediation and after action of companies that had experienced a data theft or major compromise (hack). After reviewing about 3,000 data compromise cases I can say with confidence that it is not the technology that fails in data compromises, it is the people. I have yet to see a firewall decide to stay home from work or decide to change its own ruleset to open a port. I have seen a number of instances where a firewall administrator forgot to close a port or bypassed the firewall for "just a minute" and forgot about the change. I have never seen an intrusion detection system (IDS) decide to turn itself off because it was tired; I have seen many instances where the IDS was tuned incorrectly, or where it was turned off because it was sending too many alerts. The scenario repeats over and over. Technology doesn't get tired, it rarely fails (statistically, modern airliners are as reliable as toaster ovens), and it doesn't complain or make mistakes.

Human beings aren’t so fortunate.  We are lazy by nature.  I say this because we all will take the path of least resistance in everything we do.  We are also fallible, which means we make mistakes.  It is simply human nature.  Unfortunately, in security this characteristic is why security breaches occur.  A guard falls asleep.  A firewall admin opens a port and forgets to close it.  A janitor doesn’t lock a door after leaving a building. An employee forgets one step in a calculation.  The list goes on and on.   So how do we minimize the mistakes and mitigate the risk associated with human nature?  The answer is simple but the implementation is difficult.  Established processes and procedures documented in policy and…here is the hard part….. enforced.

I cannot tell you how many clients, when asked if they have a security policy, will say: "Well, we don't have a documented policy…but we have an 'informal policy'." Wrong answer! If it is not formalized and approved by the appropriate authority (CIO, BOD, etc.) then it is NOT a policy…it is an informal practice. When I hear this answer I always ask: "How confident are you that the informal policy you describe is being followed?" The answer is inevitably: "well…probably not as frequently as it should be." This describes the vast majority of companies I have worked with. Why? The answer is again simple. First, policies are difficult and time consuming to develop and implement. Second, we don't like to step on other people's toes. We want to trust our co-workers and employees. By establishing an onerous policy we are saying to them: "you are not trusted." Let's call a spade a spade. None of us like being told we can or can't do something, or being treated like we are not trusted. Unfortunately, in security it is absolutely imperative that we establish and enforce policies. Defined policies which are effectively enforced give us the only confidence that tasks are being conducted "consistently and repeatedly." This is the key.

How do you develop policies and procedures? That topic is much too deep for this blog post, but here is a high level process to follow.

1) Take an inventory of assets and prioritize those assets. (intellectual property, human resources records, financial data).  You need to know what it is you are trying to protect before you can find a way to protect it.

2) Identify the who, what, where, why, when, and how of data access. Using the access control reports/system (Windows Active Directory, LDAP, etc.) and application information, identify the following: Who has access to the data (include applications, services and people), what data they can access, where the data is stored, why they have access (and whether they actually need access), when they have the ability to access (and whether it should be restricted) and how they access the data (direct SQL queries, applications, etc.)  Develop a matrix with all info included.

3) Develop a dataflow diagram. Using the matrix above and an existing logical network diagram, create a diagram that logically shows where all sensitive data (as identified in #1) is located and how it flows through the network (including all applications and devices). This process will be enlightening. Experience suggests there will be a number of 'aha' moments where you find that people with no business need have access to very sensitive data.

4) Develop a 'data control policy' using a model of least privilege and 'need to know'. This is the first policy. Classify the types of data and decide who (people, applications, services) should be able to access which type of data, under what conditions (time, location, etc.), and provide a justification. This should be based on a 'need to know'. For example, a system administrator (system level access) should not have access to the financial accounting database nor be able to see financial accounting data unless his/her job requires it.

5) Update your access control mechanism to reflect the data control policy.  Update user privileges and rights in Active Directory, or LDAP to reflect the data control policy.  The Access Control Policy is another step that will be covered in another blog post.
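The five steps above can be worked through in code as a simple access review: an asset inventory (step 1), a who/what/where/why/when/how matrix (step 2), a dataflow summary derived from them (step 3), and a data control policy expressed as which roles have a need-to-know for which data classification and under what conditions (step 4). The script below is an added example, not code from this blog; the assets, users, roles and grants are constructed for illustration, and the review flags grants that the policy does not justify (such as the system administrator with direct access to the financial database), which is exactly the list you would take into step 5.

```python
"""Least-privilege access review over a constructed inventory and access matrix.

Added example (not the blog author's code). All assets, people, roles and
grants below are made up for illustration.
"""
from dataclasses import dataclass
from datetime import time

# Step 1: asset inventory with classification, priority and storage location.
ASSETS = {
    "finance_db":      {"classification": "financial", "priority": 1, "location": "db-01"},
    "hr_records":      {"classification": "hr",        "priority": 1, "location": "fs-02"},
    "product_designs": {"classification": "ip",        "priority": 2, "location": "svn-01"},
    "wiki":            {"classification": "internal",  "priority": 4, "location": "web-01"},
}


@dataclass
class Grant:
    """One row of the who/what/why/when/how matrix (step 2)."""
    who: str            # person, service account or application
    role: str           # role as recorded in AD/LDAP group membership
    asset: str          # what they can reach (key into ASSETS)
    how: str            # access path: application, direct SQL, smb, ...
    justification: str  # documented business reason ("" if none recorded)
    window: tuple       # (start, end) times during which access is possible


# Constructed access matrix as it might be pulled from directory and app reports.
GRANTS = [
    Grant("alice", "finance_analyst", "finance_db", "application", "month-end close", (time(8), time(18))),
    Grant("bob", "sysadmin", "finance_db", "direct SQL", "", (time(0), time(23, 59))),
    Grant("carol", "hr_staff", "hr_records", "application", "benefits admin", (time(8), time(17))),
    Grant("dave", "engineer", "product_designs", "application", "design work", (time(0), time(23, 59))),
    Grant("payroll-svc", "payroll_app", "hr_records", "application", "payroll run", (time(1), time(3))),
    Grant("erin", "finance_analyst", "finance_db", "direct SQL", "ad hoc reports", (time(6), time(22))),
    Grant("frank", "engineer", "old_share", "smb", "", (time(0), time(23, 59))),
]

# Step 4: data control policy. role -> {classification: conditions}.
# A role absent for a classification has no need-to-know for it; conditions
# may restrict hours or explicitly permit direct database access.
POLICY = {
    "finance_analyst": {"financial": {"hours": (time(7), time(19))}, "internal": {}},
    "hr_staff":        {"hr": {}, "internal": {}},
    "engineer":        {"ip": {}, "internal": {}},
    "sysadmin":        {"internal": {}},  # system-level access does not imply data access
    "payroll_app":     {"hr": {}, "financial": {"direct_sql": True}},
}


def dataflow(grants, assets):
    """Step 3: for each classification, the (host, path, principal) tuples that reach it."""
    flows = {}
    for g in grants:
        a = assets.get(g.asset)
        if a is None:
            continue  # unknown assets are reported by review(), not here
        flows.setdefault(a["classification"], set()).add((a["location"], g.how, g.who))
    return flows


def review(grants, assets, policy):
    """Return (who, asset, reason) findings for grants the policy does not justify."""
    findings = []
    for g in grants:
        a = assets.get(g.asset)
        if a is None:
            findings.append((g.who, g.asset, "asset not in inventory; classify or decommission"))
            continue
        cls = a["classification"]
        allowed = policy.get(g.role, {})
        if cls not in allowed:
            findings.append((g.who, g.asset, f"role {g.role} has no need-to-know for {cls} data"))
            continue  # the grant should be removed; finer checks are moot
        conditions = allowed[cls]
        if not g.justification.strip():
            findings.append((g.who, g.asset, "no documented justification for access"))
        hours = conditions.get("hours")
        if hours and (g.window[0] < hours[0] or g.window[1] > hours[1]):
            findings.append((g.who, g.asset, f"access window {g.window[0]}-{g.window[1]} exceeds policy hours"))
        if g.how == "direct SQL" and not conditions.get("direct_sql"):
            findings.append((g.who, g.asset, "direct database access not permitted; use the application"))
    return findings


if __name__ == "__main__":
    for cls, paths in sorted(dataflow(GRANTS, ASSETS).items()):
        print(f"{cls}: {sorted(paths)}")
    for who, asset, reason in review(GRANTS, ASSETS, POLICY):
        print(f"FINDING {who} -> {asset}: {reason}")
```

Run as-is, the review produces four findings: bob's sysadmin role has no need-to-know for financial data, erin's direct SQL path and 06:00-22:00 window both exceed the policy for her role, and frank has access to a share that was never inventoried. Each of those maps to a concrete change in Active Directory or LDAP in step 5, and re-running the review after the change confirms the directory now matches the written policy.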

By using the 5 steps above, you will be well on your way to controlling and protecting your sensitive data assets.  Remember, policies are simply paper documents unless they are documented, approved by management, disseminated, and enforced.  Although enforcement is often difficult, employees need to understand that violating information security policies can be met with punishment up to, and including, termination, OR prosecution.

Snipers on Ships….Good Idea…or Overkill? (Pun Intended) January 26, 2012

Posted by Chris Mark in Piracy & Maritime Security, weapons and tactics.

I was reading a website today of what appears to be a new entrant into the maritime security world. It is clear that they are trying to differentiate their services by offering 'Maritime Marksmanship' services. According to the website, their former Royal Marine snipers can extend protection to 900 meters by adding precision, long-range fire. As a former US Marine Sniper I am very familiar with, and have great respect for, the Royal Marines' sniper course, and while we like to argue and debate with each other over whose course is superior, the truth is that the discussion is academic. Whether you believe it is the USMC or our UK brethren, the reality is that they are both arguably the most rigorous sniper courses in the world. We will continue to argue 😉 So back to my post.

While I don't disagree that having trained snipers onboard provides a level of precision shooting, the question that must be asked is "how much is good enough?" The truth is that not a single armed vessel has been successfully hijacked to date. Many of the vessels are armed with M4s (or variants), AK 47s, G3s, FALs etc. Is there truly a need at this juncture for a trained sniper on board? A more fundamental question, I think, is whether you increase liability by placing a sniper onboard. If a pirate is approaching a vessel at high speed and shooting, then there is a threat. Using the force continuum, it is expected that evasive maneuvers are taken first, followed by warning shots etc. If they approach close enough then, possibly, you need to take more direct action and fire at the assailants. International law is still somewhat unclear as to when you can and cannot use deadly force on a suspected pirate. I question what would happen to the shooter if he shot a pirate out of a boat at 900m. It would be extremely difficult to justify such a shooting as 'defensive'. (I suspect such a shot would be nearly impossible for any trained shooter…see next post as to why).

I believe at this point that having trained Commandos, US Marines (with appropriate background), or other well trained military members provides sufficient protection against pirate attacks.  Any Commando, US Marine, Ranger etc. with an M4, or similar weapon system can engage a target to 300 meters with relative ease.   Extending this range to a theoretical 900 meters does not, in my mind, reduce risk but may actually increase the risk should a suspected pirate be engaged at that distance.

For companies considering maritime security, it is suggested that the following be considered before looking at the more esoteric aspects of armed services.

1) Are the company’s leaders experienced in maritime security and have they established and documented operating procedures consistent with the rules of force and international law?  You do NOT want a bunch of gunslinging cowboys on your ships.  Consider BlackWater as an example of what happens when undisciplined people with weapons are unleashed.

2) Are the armed guards appropriately vetted and trained? As much as I love my USMC, the fact remains that in the USMC we have a number of Marines that are cooks, mechanics, etc. In the UK, all Marines are Commando trained. The point being that just because someone has a particular title does not mean they are right for the job. Ensure that the company is selective and vets their personnel. Additionally, ask about follow-on training. Are the guards taught the rules of force?

3) Are the guards provided with appropriate kit and weapons? I have heard horror stories of guards being deployed with Mosin Nagant rifles and other 'pre-WWII' weaponry. While the question of whether .50 sniper rifles belong on board provides good fodder for arguments, at a minimum the guards need to be armed with effective, modern weapons in working order. M4s, G3, FAL, M14s, AK 74, AK 47 are probably all sufficient to repel an attack by Somali pirates. I personally do NOT believe that a shotgun is sufficient. A shotgun is great for close quarters fighting but does not have the range or accuracy to defend against an attacker with an RPG or AK 47.

4) Do the company's principals have experience with maritime traditions, rules, and communications? It is imperative that the guards understand how to work on ships and how to interact with the ship's officers and crew. Ultimately, it is the ship's captain that has responsibility for the vessel and her crew. The guards need to understand how to integrate into the ship's plans to ensure effective protection of the vessel.

Experts in Every Room and One Dunce in a Corner January 25, 2012

Posted by Chris Mark in Piracy & Maritime Security.

The influx of new companies within the maritime security industry has increased competition.  In response, some companies have given in to the temptation to embellish the experience or expertise of individuals or companies in an attempt to differentiate themselves from the crowd.  It is an unfortunate reality of business.  In an effort to help shipping companies evaluate the vendors selling “today’s solution to tomorrow’s problem”, I have put together a quick paper on ‘expertise’.  Below is an excerpt of the paper you can read here:

“Introduction

The current market for maritime security and anti-piracy has resulted in the creation of a cottage industry of self-proclaimed experts speaking on the subject of anti-piracy and selling maritime security and anti-piracy services.  A review of some of these “experts’” comments and the services being promoted suggests that the expertise espoused is a rarer trait than one would be led to believe.  This paper is intended to provide information to allow prospective clients to separate the experts from those that claim expertise to capitalize on the current market for maritime security services.   For brevity’s sake, this paper will use the generic term Maritime Security to refer to both anti-piracy and maritime security services.

Author's Note

While knowledgeable on the subject, I do not consider myself an expert in maritime security.  I am a payment security expert and probably have expertise in a number of other areas but have not achieved a level of experience or education that would allow me to call myself an expert by any means.

Expertise Defined

To understand how to identify those with actual expertise from those who simply call themselves experts it is important to have a definition of the term ‘expert’. Webster’s dictionary provides the following definition for the noun ‘expert’:

Noun:

“…one with the special skill or knowledge representing mastery of a particular subject”

Within the context of maritime security, expert, as a noun, would be applied as follows:

“Joe is an Expert in maritime security.” 

Making this statement implies that Joe possesses a special skill or knowledge representing mastery of a particular subject.  In this case, the subject is maritime security.  The focus of this statement should be the word “mastery”.  This suggests that Joe possesses an intimate knowledge rather than a passing familiarity with the topic.

Webster’s dictionary provides the following definition for the adjective ‘expert’:

Adjective:

“…having, involving, or displaying special skill or knowledge derived from training or experience”

Within the context of maritime security the term expert, as an adjective, would be applied as follows:

“Joe’s expertise in maritime security is derived from his formal training and experience.”  

Making this statement indicates that Joe has a special skill or knowledge derived from training or experience.  Within this context, the key is “training or experience”.  Without relevant or appropriate training or experience (or both, in most cases), it is difficult to see how a person could be defined as an ‘expert’.

Consider the example of a Doctor that has passed her medical boards.  While the doctor may be a general practitioner and not considered an expert in neurosurgery, she would arguably be considered an expert in medicine relative to those who have not attended similar training or passed the medical boards.  The doctor’s expertise is qualified by training (medical school) and experience (residency), as well as quantified by passing medical school boards.  If a person were to sit at home and read anatomy and medical books they could certainly attain some level of medical knowledge but it is extremely difficult to see how a person such as the one described would be considered an ‘expert’ in medicine.

While it is not suggested that becoming an expert within the maritime security industry is similar to becoming a neurosurgeon, the complexity of the industry and the maritime security challenges should not be underestimated, since valuable resources and human lives are at stake. The maritime security industry is complex, and the ever-changing regulatory landscape coupled with the changes in the pirates' tactics increases the complexity. In his popular book, Outliers, Malcolm Gladwell references neurologist Daniel Levitin, who says:

"The emerging picture from such studies is that ten thousand hours of practice is required to achieve the level of mastery associated with being a world-class expert-in anything.""

You can read the full paper here.