jump to navigation

“The Weakest Link”- Insider Foils Underwear Bomb Plot May 8, 2012

Posted by Chris Mark in Risk & Risk Management, terrorism, Uncategorized.
Tags: , , , , , ,
add a comment

I have written extensively about the weakest link in any security program being the actual people responsible.  While we understand this point from a “good guys” perspective, it is just as true for our adversaries.   MSNBC reported today that the underwear bomber who was supposed to blow up a jet liner this month had been working for US and our Allies since day one and was a paid informant.  As stated on MSNBC: “An insider who worked with the United States and an allied security service to thwart an al-Qaida bomb plot hatched in Yemen was the man picked to carry out the suicide attack on a U.S.-bound airliner, U.S. and Yemeni officials tell NBC News. An unidentified Yemeni  government official, speaking on condition of anonymity, said the supposed suicide bomber was working for Western intelligence “from day one.”

The interesting point of this story is that it does not matter whether we are talking about nuclear facilities, cybersecurity, or counter terrorism, the human element always plays a role and is always the most unpredictable.  While the group that sent the man on his suicide mission clearly believed he was a ‘true believer’ willing to give his life for their cause, it appears that he had another agenda.  This is the challenge with security.  Trust but verify is a mantra that rings true in all aspects of security.  Thank goodness the group that tried to blow up the airliner acted on faith and not solid security principles.

“CyberSecurity Cold War” – Spending ourselves into Oblivion May 8, 2012

Posted by Chris Mark in competitive intelligence, cybersecurity, Industry News.
Tags: , , , , , , , , ,
1 comment so far

A recent report published by Bloomberg outlines the challenges of securing critical infrastructure against cyber attacks in the 21st century.  According to a survey of 172 companies in six industries, current security measures are only stopping 69% of cyber attacks against banks, utility companies and other ‘critical assets’.   To stop 95% of attacks, companies would need to spend 7 times more than they are today.  This would increase spending from $5.3 billion$30.8 million average) to $46.6 ($270.9 million average).  This, it is estimated, would still only prevent 95% of attacks.  While not a consistent increase, it could be calculated that for every 1% increase in protection, another $1.588 billion would need to be spent by the group.  This amounts to roughly $9.23 million per company…for each 1% increase in protection.  If this is indeed accurate, it is clear that the current perspectives and strategy of cybersecurity is fatally flawed.

During the 1980’s the US and Soviet Union were fully engaged in a Cold War.   With the election of President Ronald Reagan, the US’s strategy changed.  A major component of Reagan’s strategy was to exploit the inherent inefficiencies in the Soviet Union’s command economy. By increasing spending, and forcing the Soviets to match spending on an arms race, the theory held that the SU could be bankrupted.  This has become known as the “Reagan Victory School” and while not completely responsible for the collapse of the Soviet Union, can be credited as hastening their demise. As outlined in a Stanford piece: “A central instrument for putting pressure on the Soviet Union was Reagan’s massive defense build-up, which raised defense spending from $134 billion in 1980 to $253 billion in 1989. This raised American defense spending to 7 percent of GDP, dramatically increasing the federal deficit. Yet in its efforts to keep up with the American defense build-up, the Soviet Union was compelled in the first half of the 1980s to raise the share of its defense spending from 22 percent to 27 percent of GDP, while it froze the production of civilian goods at 1980 levels.” (more…)

“Poisoned Apple?” – OSX Lion Encryption Passwords Insecure May 7, 2012

Posted by Chris Mark in cybersecurity, Industry News, InfoSec & Privacy, PCI DSS.
Tags: , , , , , , , , ,
add a comment

For years many Apple purists (I used to be one) have been touting the inherent security of the Apple operating system.  According to Techcrunch in February, 2012 it was discovered that OSX Lion (the newest OS from Apple) had a major security weakness and released widely within the last few days.  It was disclosed that the FileVault encryption passwords are now visible in plain text outside of a computer’s encrypted area.  This effectively renders the encryption useless as the keys (the passwords) are not secure.  While it was originally believed that the vulnerability as specific to the encrypted File Vault solution, it appears now that the vulnerability is larger…potentially much larger.  Sophos Naked Security blog states: “Anyone with access to the disk can read the file containing the password and use it to log into the encrypted area of the disk, rendering the encryption pointless and permitting access to potentially sensitive documents. This could occur through theft, physical access, or a piece of malware that knows where to look.”    Key management and password security continue to be the weakest link in most encryption implementations.

ALERT: CyberAttack Underway Against US Gas Piplines May 6, 2012

Posted by Chris Mark in cybersecurity, Industry News, InfoSec & Privacy, Risk & Risk Management, terrorism.
Tags: , , , , , , ,
1 comment so far

According to stories on MSNBC, CNN, and other major outlets, “A major cyber attack is currently under way aimed squarely at computer networks belonging to US natural gas pipeline companies, according to alerts issued to the industry by the US Department of Homeland Security.”   On March 29th, 2012 the US Department of Homeland Security issued 3 confidential Amber Alerts warning that the US was facing a: “gas pipeline sector cyber intrusion campaign” against multiple pipeline companies.  The attacks, which began 4 months ago, are ongoing today.  The Industrial Control Systems Cyber Emergency Response Team (ICS CERT), which is responsible for helping secure the nation’s industrial control systems said: (more…)

Random Thoughts On Piracy Summit (I have to talk about guns a little ;) May 1, 2012

Posted by Chris Mark in Industry News, Piracy & Maritime Security, Risk & Risk Management.
Tags: , , , , , , , ,
add a comment

In reflecting upon the Piracy Europe even in Hamburg that I attended last week, I was struck by a few things that were said and proposed.   The speakers were generally very good although the material is getting a bit old at this point.  With piracy at near 2007 levels, security vendors are scrambling to convince shipping companies that they are still needed.  Selling on Fear, Uncertainty, and Doubt (FUD) seems to be the new way of business development.

With regard to the security vendors, there appeared to be two distinct perspectives on how to stop pirates.  Neither seemed appropriate.  One company had a rep get up and show a picture of himself with a Barrett .50 cal SASR (special application scoped rifle) (shown in the pic above with the very skilled, handsome and smart USMC Sniper..yeah its me).  The intimation was that if you have larger guns, you have more ‘firepower’ and thus better security.  This is a very simplistic way of thinking about security and demonstrates one of the challenges of maritime security.  Security is not about technology…it is about people, strategies, and tactics.  Tools (such as weapons) are useful but only if employed correctly.  You can read the whitepaper “weapons and tactics in the prevention of piracy” here. This “goons with guns” approach was not well received and quite frankly, I felt it perpetuated what the attendees think of American security…knuckle-dragging, goons with guns. Blackwater is alive and well in the minds of most of those who attended the event. (more…)