jump to navigation

Chris Mark Speaking at 2014 AT&T CyberSecurity Conference August 25, 2014

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , , , ,
add a comment

ATTCyberSecurityConferenceAt 10 am on September 3rd, 2014 Chris (that is me) will be speaking at the 16th annual AT&T CyberSecurity Conference in New York City.  My particular discussion will be on the Human Element of Security.  From providing armed force protection in Mogadishu to unarmed security in a psychiatric ward through information security and anti-piracy work in the Gulf of Aden, I have learned that the underpinnings of security transcend all security domains.  My presentation will hit on the concepts of rationality, Knightian uncertainty, parallax, proximate reality, change blindness, deterrence, and threat adaptation to provide tools CSOs can use to make more informed decisions about security.

Chris Mark speaking on PCI at a Business Process Outsourcing (BPO) event 2013 June 29, 2014

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , , , ,

I was privileged to be able to speak at an AT&T BPO event in 2013.  In Feb 2014 AT&T Marketing published the videos.  I found one but was unaware they had published all 3. I hope you enjoy. (remember…the camera adds 10 lbs! 😉

New Security Reference Blog…The Security HOG June 13, 2014

Posted by Chris Mark in Uncategorized.
Tags: , , , , ,
add a comment

PiratePicGRISecurity HOG  is a complement to the GlobalRiskInfo site but is solely focused upon providing insight and education on the concepts of security, risk and compliance.  Having worked in numerous security domains for over 20 years has provided me with valuable insight into the concepts and underpinnings of the science and art of security.   Whether we are talking about physical security, operational security, information security or cybersecurity, the basic concepts remain the same.  This blog will focus on the more esoteric, yet important, concepts of proximate reality, deterrence & compellence, parallax and convergence, threats & vulnerabilities, risk, and more.

Some might wonder what, if any significance, HOG has to the discussion of security? Within the USMC a person who is not a Scout/Sniper is known as a Professionally Instructed Gunman or PIG while a trained Scout/Sniper is known as a Hunter of Gunman or HOG.  As a former Marine Corps Sniper I am a HOG and this is the reason the site is called Security HOG. Not too creative, I am afraid but it seemed to have a ring to it…

“…our own policies were not followed…”; Apple and Amazon Hacks August 8, 2012

Posted by Chris Mark in Data Breach, InfoSec & Privacy.
Tags: , , , , , , , , , ,

This past week, tech writer Matt Honan (of Wired) had his Amazon and Apple accounts hacked and his “…digital life destroyed”.  You can read his first hand account here.  The hacker did not use any special technology rather was able to hack the accounts using a basic social engineering and knowledge of who the systems worked.  Here is a description of the hack from CNN.com:

“At the heart of his story is a dangerous blind spot between the identity verification systems used by Amazon and Apple, two of the tech industry’s most popular vendors.

Like many people, Honan has a variety of email addresses. Several of them can be easily tracked down by anyone hunting around online. The hacker who went after Honan found his @me.com address — a tip-off that Honan had an AppleID account. (more…)

“Tell me, Show me, Convince me”; Policies, Enforcement, and Auditing August 7, 2012

Posted by Chris Mark in cybersecurity, Risk & Risk Management.
Tags: , , , , , , , ,
add a comment

I was speaking with a client yesterday about policies and auditing.  He asked me a question and it reminded me of what I told my clients for years regarding policies.  First, it is important to remember that a policy is NOT a document. The document is a record of the policy that was passed and tool for disseminating the policy. It should be a reflection of the policy that has been approved by management.  Simply having a written document does not mean you have a policy.  The policy must be approved, documented, disseminated, and enforced.  Second, it is important to remember that writing and approving a policy is the easy part.  Ensuring adherence with the policy  and enforcing the policy is the difficult part.  Make no mistake.  A policy that is not enforced will not be followed for very long.  People are inherently lazy (this writer included).  We take the path of least resistance.  Policies require difficult, often inefficient methods.  Without enforcement, they will fall by the wayside.  Third;writting, approving and documenting a policy is often much easier than implementing the policy.  Consider the following example.  Company X passes a policy that requires all computer and IT users’ access be modeled on “need to know” and “model of least privilege” (standard model).  This alone requires an audit of every person’s existing privileges, as well as identification and documentation or their roles and responsibilities.  Then each role would need to have access levels documented and assigned.  As you can see, a simple one line policy statement may have deep implications.  Finally, it is important to ensure that your company adheres to the documented policies.  This is a three step process I describe as “tell me, show me, convince me”

1) Show the auditor that you have a documented policy that is updated, approved by management and disseminated to employees.

2) demonstrate to the auditor that you are currently in compliance with the policy.

3) convince the auditor that you have a history of following the policy by producing relevant documentation/evidence to show compliance over time. (last 3 months, last 6 months).

By using the tell me, show me, convince me model with policies and departments you can have confidence that your policies are being enforced, and followed.

%d bloggers like this: