
CyberSecurity & Piracy December 17, 2011

Posted by Chris Mark in InfoSec & Privacy, Piracy & Maritime Security, Uncategorized.

This past summer I was interviewed by Maritime Executive on the topic of CyberPiracy.  The article discussed the need for increased information assurance practices among shipping companies.  As shipping companies increasingly turn to armed guards and ships increasingly adopt BMP4, hijackings have decreased.  In response, the pirates, and those who fund and support the pirates, are looking for new ways to increase their likelihood of successfully hijacking a ship while minimizing the risk to the pirates.  Increasingly, pirates are turning to high tech, and not so high tech, solutions.  It is an established fact that pirates are using information found on the AIS system as well as GPS and satellite phones to locate and coordinate attacks.  Now information is coming forward that the pirate groups are using sources within ports and shipping companies to identify those vessels that they want to attack.  It has been reported that hackers are being employed to steal data related to cargo as well as the use of armed guards.  While this topic is too broad to discuss in a blog post, I will begin posting a series of articles on cyber security and steps shipping companies can take to minimize the risk of their data being compromised.

This past Fall, I had the opportunity to speak at the Hanson Wade anti-piracy event in London.  If you have not attended a Hanson Wade event, they are very worthwhile.  I have spoken at literally scores of events over the past 10 years and few, if any, were as well organized.  The next event is scheduled for April 2012 in Hamburg, Germany.  As luck would have it, they have a section on CyberSecurity.  Take a look and see if it is worth attending.

InfoSec 101: Social Engineering December 17, 2011

Posted by Chris Mark in Uncategorized.

I just received a call from a friend of mine who wanted to talk about a phone call they had received.  A person with an Indian accent called their house from 999-901-3307 and explained that he worked with Microsoft and that their computer: “was infected with a number of viruses.”  He asked them to visit a few screens and verify some ‘warnings’.  He then asked them to allow him to access their computer to fix the issues.  Luckily my friends were savvy enough to hang up the phone and not provide access.  This is a classic example of what we call Social Engineering.  Many people mistakenly believe that the easiest way to ‘hack’ or compromise a computer system is through technical means.  In reality, it is often quicker and easier to simply have someone ‘invite’ the hacker into the system.  If you ever receive a call, email, letter or any other communication from someone professing to be from Microsoft or some other vendor, you are well served to hang up.  They will not call you directly, and without your request, to ask for access to your computer system.

New Domain! www.GlobalRiskInfo.com December 17, 2011

Posted by Chris Mark in Uncategorized.

Starting tomorrow (Sun, Dec 18th, 2011), the blog will have a new domain.  You can find us at the current wordpress subdomain of https://maritimerisk.wordpress.com or you can simply type www.GlobalRiskInfo.com (not case sensitive).  The blog will be expanding into other areas of risk including information assurance, physical security, and financial risk.

Don’t be “pwned” - InfoSec 101 November 7, 2011

Posted by Chris Mark in Uncategorized.

Pwned is a term that originated in online gaming and has been adopted by hackers.  It is pronounced ‘owned’, and the origin of the misspelling is not important, but you can read about it here.  At a high level, to be pwned means to be controlled.  If your 15 inch MacBook Pro laptop is infected with a backdoor program, it is fair to say you have been pwned.  Back Orifice (a play on MS’s Back Office) is one of the original backdoor programs.  Why is this important?

Companies and people are often under the mistaken belief that cyber criminals are only interested in servers that contain sensitive data.  In truth, user systems often contain information which is valuable.  Users often store usernames and passwords on their desktops and laptops.  Additionally, users often use their email to freely discuss information that can provide significant value to an adversary.  Consider a situation where an executive is discussing new product plans for an upcoming iteration.  Competitors (unethical competitors) would value this information.  It is estimated that intellectual property theft costs the UK 27 billion Pounds annually.

On another note, law enforcement may also have an interest in what is on a personal computer.  While laws vary, under the right circumstances, law enforcement can also track activity on personal computers.  While EU laws are much more strict in this regard, some US companies also track user behavior.  Installing tracking software that can record screenshots, key strokes, and email is a relatively simple process.  While being lawfully monitored and pwned are not the same, the technologies used are similar.

How do you know if you have been pwned?  Well…most of the time you won’t, unless the other side wants you to know in order to send a message.  Often, anomalous activity on your system can be an indication that your system is infected with some form of malware.  BlueCoat estimated in 2010 that 48% of systems were infected with malware.  Recent estimates have put the figure as high as 80%.

So what to do?  Ensure that you use your work system for work and are careful about emailing sensitive info from an ‘untrusted’ system.  Ensure that you keep your system updated with malicious software protection.  Ensure you use a firewall with appropriate rules.  Use complex passwords.  It is important to remember that once your system is ‘owned’ it is very difficult to repair and have confidence in the system’s security.

Against The Gods. The Remarkable Story of Risk October 14, 2011

Posted by Chris Mark in Uncategorized.

As I am preparing for my presentation next week, I was reminded of a book that I recommend all risk managers and security professionals read.  It is a book by Peter Bernstein called Against the Gods: The Remarkable Story of Risk.  You can get it at Amazon.com here.  While the book sounds dry, it is really a very fascinating look at the history of risk in humanity.  One of the examples is that of the title.  Before people really understood the concept of probability, they had no real way of making calculated decisions such as when to sail across the seas.  In essence, you would pray to the gods that you would make it across the north Atlantic and…if the Gods were on your side you made it…if not…you didn’t.  Then one day someone said: “Hey…it seems like the gods are against us more often during certain times of the year than others…”  This was the origin of probability theory.  As you can imagine, probability theory really came into fashion when people were trying to win at ‘games of chance’ which, as we now know, are not really random but rather based upon probability.  Overall, it is a great read and I highly recommend it for your library.