“You Are the Weakest Link! Or Are You”- Guest Post by Dr. Heather Mark June 7, 2017

Posted by Chris Mark in Uncategorized.

The incomparable Dr. Heather Mark (my wife…and compliance expert) has a new blog post…

“If you’ve been in security or compliance long enough (and by that I mean approximately a week), you’ve heard the old adage that our largest vulnerability is our people. Firewalls don’t just randomly open ports. Email clients don’t just decide to send proprietary and sensitive information to third parties. These are actions, sometimes deliberate and sometimes accidental, taken by the human assets within our companies, not the technological ones. Technology is not imbued with the ability to autonomously break laws or divulge sensitive information. Technology largely does what it’s programmed to do. People – these are the elements that cannot really be controlled or predicted. Of course, we can implement technology to mitigate the risk presented by human nature. But at the end of the day, a determined individual can still wreak a lot of havoc. This argument is often made just to make the point that we can’t be complacent. And to a very large extent, it’s correct. But I would posit that people can also be one of our biggest assets with respect to maintaining compliance and ethics programs.

I watch a lot of what my husband refers to as “murder shows” – Forensic Files, 20/20, and the like. My favorite, though, is Dateline when the story is presented by Keith Morrison. He has a way of telling a story. Don’t believe me? I give you proof.” …Click here for more from Dr. Heather Mark’s Blog!

Security, Risk, and Bayes…oh my! January 6, 2017

Posted by Chris Mark in Uncategorized.

(This is an excerpt of some research I conducted for a paper.)

According to Dr. Giovanni Manunta, the term security does not yet have a commonly accepted definition and evokes numerous connotations among practitioners. Although often not well defined, the relationship between security and risk is well accepted among business, government, and security professionals (Department of Homeland Security, 2008). While providing fodder for debate to those tasked with the security of information assets, the ambiguous definition of security and the differences in risk analysis techniques create significant challenges to effectively protecting assets.

The practical relationship between security, risk, and decision making is articulated well by the US Department of Homeland Security, which describes it as an approach for making security decisions (DHS, 2008). This is further established in the NIST 800-37 Risk Management Framework:

“…For operational plans development, the combination of threats, vulnerabilities, and impacts must be evaluated in order to identify important trends and decide where effort should be applied to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess, coordinate, and deconflict all cyberspace operations…” (NIST, 2010, p. 3). (emphasis added)

3,000,000 visitors to GlobalRiskInfo.com!! October 27, 2016

Posted by Chris Mark in Uncategorized.

I want to personally say “THANK YOU!” to everyone who has taken the time to visit and read this blog. Today we officially passed 3,000,000 unique visitors! Considering that in January I had just passed 1 million, this is a big milestone! I have published nearly 500 posts, and some odd posts get real traction. RPR Review is over 100,000 (a review of a rifle!)…Chinese stealing of Titanium Dioxide is over 100,000. Sometimes you just don’t know what will resonate! Again, Thank You!!

The Danger of Biometrics for Personal Use – Limited Legal Protection October 17, 2016

Posted by Chris Mark in Uncategorized.

I have never been a proponent of using biometrics and have frequently made jokes about not wanting “the man” to have my fingerprints. Well, it looks like my position may have been well founded.

Recently, it was reported in Forbes.com that on May 29th, 2016 the US Government had filed a motion for the court to require residents of a Lancaster, California home to provide their fingerprints to open an iPhone. More disturbingly, the motion called for: “authorization to depress the fingerprints and thumbprints of every person who is located at the SUBJECT PREMISES during the execution of the search and who is reasonably believed by law enforcement to be the user of a fingerprint sensor-enabled device that is located at the SUBJECT PREMISES and falls within the scope of the warrant.” In short, they didn’t just want the fingerprints; they wanted to force the residents to actually ‘use their finger’ to open the phone. The warrant was not available to the public, nor were other documents related to the case. Like many people, I asked “how can the courts do this?” It would seem to me like an invasion of privacy (among other things). Marina Medvin of Medvin Law said: “They want the ability to get a warrant on the assumption that they will learn more after they have a warrant. Essentially, they are seeking to have the ability to convince people to comply by providing their fingerprints to law enforcement under the color of law – because of the fact that they already have a warrant. They want to leverage this warrant to induce compliance by people they decide are suspects later on. This would be an unbelievably audacious abuse of power if it were permitted.” Unfortunately, it was indeed permitted.

Is it legal?  According to the article in Forbes:

“In past interpretations of the Fifth Amendment, suspects have not been compelled to hand over their passcode as it could amount to self-incrimination, but the same protections have not been afforded for people’s body data even if the eventual effect is the same. Citing a Supreme Court decision in Schmerber v. California, a 1966 case in which the police took a suspect’s blood without his consent, the government said self-incrimination protections would not apply to the use of a person’s “body as evidence when it may be material.”

It also cited Holt v. United States, a 1910 case, and United States v. Dionisio, a 1973 case, though it did point to more recent cases, including Virginia v. Baust, where the defendant was compelled to provide his fingerprint to unlock a device (though Baust did provide his biometric data, it failed to open the iPhone; after 48 hours of not using Touch ID or a reboot Apple asks for the code to be re-entered.).

As for the Fourth, the feds said protections against unreasonable searches did not stand up when “the taking of fingerprints is supported by reasonable suspicion,” citing 1985’s Hayes v. Florida. Other cases, dated well before the advent of smartphones, were used to justify any brief detention that would arise from forcing someone to open their device with a fingerprint.”

We do know that the warrant was served. It does appear that you cannot be forced to give up a passcode, as it could amount to self-incrimination under the 5th Amendment; however, you do not have the same protections for biometrics. This is another instance where the law has not kept pace with technology. For this reason, and others, I will not use biometrics for personal security.

Threat Adaptation and Guns – Security 101 June 14, 2016

Posted by Chris Mark in Uncategorized.

Let me start by saying that I, like everyone, am horrified by the events in Orlando. That being said, it is important to understand some concepts inherent to security and why the argument of gun control to prevent attacks like those in Orlando is flawed.

Before I delve into my post I want to give some of my own background. I started my professional career in the US Marine Security Forces providing armed physical security for a critical national asset. I have provided Force Protection in a combat zone, was a Marine Scout/Sniper, and I have provided unarmed security in a level 3 psychiatric ward. I have conducted anti-piracy operations in and around the Gulf of Aden and, finally, I have been an information security professional for nearly 20 years. I am also working on a Doctorate in CyberSecurity. I have written scores of articles and spoken at many dozens of security events. I may not know much in life, but I understand security.

I read a letter from a mother of a Sandy Hook victim.  In the letter she said:

“I am sorry that our tragedy here in Sandy Hook wasn’t enough to save your loved ones,”

While I feel for the mother and understand her very normal and appropriate response to losing her child, the argument simplifies the issue. Unfortunately, what we are dealing with is not a gun issue…it is a people issue.
