Foreign Security Team to Face Trial in Somalia February 6, 2012
Posted by Chris Mark in Industry News, Piracy & Maritime Security, Risk & Risk Management. Tags: Chris Mark, maritime piracy, Maritime Security, Ransom, security
SomaliaReport published a story today reporting that six men arrested in May 2011 for bringing $3.6 million into Somalia as a ransom payment for a hijacked vessel will appear in Banadir Court on Thursday to face charges. The six (one American, three Britons, and two Kenyans) have been held at the airport since their arrest nine months ago. According to the story, the money was to be used to secure the release of two vessels, the MV Suez and the MV Yuan Xiang.
Chris Mark Speaking at Combating Piracy Week in Hamburg February 2, 2012
Posted by Chris Mark in Industry News, InfoSec & Privacy, Piracy & Maritime Security, Risk & Risk Management. Tags: Chris Mark, combating piracy week, cyberpiracy, hanson wade, InfoSec, Maritime Security, Piracy & Maritime Security, risk management, security
I will be speaking at Combating Piracy Week in Hamburg, Germany on CyberSecurity & CyberEspionage. The talk will focus on who is trying to steal your data and why, the technologies and tactics used to steal corporate data, and what that data is then used for. You can get a preview of the topic by reading the Maritime Executive article in which I was interviewed.
If you have not attended one of the Hanson Wade piracy events, it is worth attending. Hanson Wade’s personnel do a great job of coordinating networking, and the speakers are all very professional and very adept. I have had the opportunity to speak at nearly 100 events in the past 12 years or so, and I would put the Hanson Wade events in the top 5 in terms of value for the money. I highly recommend this event for security companies that want to meet decision makers and speak with the people who influence the industry from a security perspective.
“These are not the droids you are looking for” – Using “geek speak” to confuse and confound January 31, 2012
Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management. Tags: Chris Mark, InfoSec, mark consulting group, privacy, risk management, security
In reading through various companies’ websites, I often take a look at their security statements to see what, if anything, is being said about security. More often than not these statements are little more than “geek speak” written to give consumers and others peace of mind, yet they provide no real information on the company’s security posture. In the vast majority of cases the statements are marketing fluff of little value. Here are some of the more common and interesting statements I have come across:
-”We use industry leading encryption, including SSL, to protect your data as it is transmitted to us.” Encrypting credit card data in transit is not only required by the card brands and the PCI DSS, it is also required by a number of laws and is simply good practice. That a company feels compelled to state it is using SSL to protect transmitted data only raises more questions. The statement says nothing about how your data is used (a privacy discussion), whether stored data is adequately protected by encryption or other technologies, or even which protocol versions and cipher suites the server actually accepts. SSL is a very small piece of the puzzle.
-”We use multi-tiered firewall controls to protect sensitive data.” Again, multi-tiered network architectures are required by the Payment Card Industry Data Security Standard (PCI DSS), and given that we are now in the year 2012, operating without a multi-tiered network would be irresponsible at best. This statement only says that the company has placed firewalls between various segments of its network, which suggests it is not operating a ‘flat’ network in which every system can touch every other system (very 2003). It says nothing about whether the devices are configured correctly, what the rule sets actually permit, or whether the firewalls are application layer or network layer (more geek speak to confuse and confound).
-”All customer data is housed in our secure data centers.” For those unfamiliar with the term, a “data center” is nothing more than a building used to house computer servers, typically for a number of different clients. Data centers are designed with safety, physical security, and redundancy in mind. The fact that data is housed in a 4th generation data center provides no information on the technical security controls implemented to protect customer data. It simply means that someone who wanted to physically steal the computer would be challenged.
-”We use robust encryption and change the encryption key at least annually.” Using encryption is a good step, but encryption is only as good as the algorithms used and the key management employed. Once again, this statement simply says that the company is following industry accepted controls. While changing encryption keys periodically is good practice, the statement says nothing about how the keys are managed in the intervening periods, whether data encrypted under the old key is re-encrypted, what data is encrypted, or what access controls are in place.
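The key-rotation point above, as an added example that is not code from the original post: a small Python key ring with versioned keys. It uses HMAC-SHA256 in counter mode as a stand-in cipher (an assumption made so the example needs only the standard library; a real system would use AES-GCM or a KMS), and the record contents are constructed. It shows what “we change the key annually” leaves unsaid: rotation only changes what new records are written with, the old key must stay available until existing records are re-encrypted, and retiring it without that step makes those records unreadable.

```python
"""Versioned encryption keys: rotation vs. re-encryption (added example, stdlib only)."""
import hashlib
import hmac
import secrets
import struct

HEADER = struct.Struct(">I")  # 4-byte key version prefixed to every record
NONCE_LEN = 16
TAG_LEN = 32


def _derive(key, label):
    """Purpose-specific subkey (enc/mac) from one versioned master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream. Assumption: a stand-in for a
    real cipher (AES-GCM) so the example runs without third-party libraries."""
    blocks = [hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def key_version(blob):
    """Which key version a stored record was written under."""
    return HEADER.unpack_from(blob, 0)[0]


class KeyRing:
    """Holds every key version still needed; 'current' is used for new writes."""

    def __init__(self):
        self._keys = {}
        self.current = 0

    def rotate(self):
        """Mint a new key version and make it current. Old versions are kept."""
        self.current += 1
        self._keys[self.current] = secrets.token_bytes(32)
        return self.current

    def retire(self, version):
        """Destroy an old version. Any record still under it becomes unreadable."""
        if version == self.current:
            raise ValueError("cannot retire the current key")
        del self._keys[version]

    def encrypt(self, plaintext):
        key = self._keys[self.current]
        nonce = secrets.token_bytes(NONCE_LEN)
        header = HEADER.pack(self.current) + nonce
        stream = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
        body = bytes(p ^ k for p, k in zip(plaintext, stream))
        tag = hmac.new(_derive(key, b"mac"), header + body, hashlib.sha256).digest()
        return header + body + tag  # encrypt-then-MAC; the version travels with the record

    def decrypt(self, blob):
        version = key_version(blob)
        if version not in self._keys:
            raise KeyError("key version %d has been retired" % version)
        key = self._keys[version]
        split = HEADER.size + NONCE_LEN
        header, body, tag = blob[:split], blob[split:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(_derive(key, b"mac"), header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")
        stream = _keystream(_derive(key, b"enc"), header[HEADER.size:], len(body))
        return bytes(c ^ k for c, k in zip(body, stream))

    def reencrypt(self, blob):
        """The step 'we rotate keys annually' leaves out: move a record to the current key."""
        return self.encrypt(self.decrypt(blob))

    def versions_in_use(self, blobs):
        return {key_version(b) for b in blobs}


def rotation_walkthrough():
    """Constructed scenario: three records under v1, an 'annual' rotation, one new record."""
    ring = KeyRing()
    ring.rotate()  # v1 enters service
    stored = [ring.encrypt(b"constructed record %d" % i) for i in range(3)]
    ring.rotate()  # v2 is now current; nothing already stored has changed
    stored.append(ring.encrypt(b"constructed record 3"))
    before = ring.versions_in_use(stored)  # {1, 2}: v1 must still be held
    stored = [ring.reencrypt(b) for b in stored]
    after = ring.versions_in_use(stored)  # {2}: now v1 can safely be retired
    ring.retire(1)
    readable = all(ring.decrypt(b).startswith(b"constructed record") for b in stored)
    return {"before": before, "after": after, "readable": readable}


if __name__ == "__main__":
    print(rotation_walkthrough())
```

The questions worth asking a vendor follow from the walkthrough: which key versions can still decrypt stored data, who and what can reach those keys, and whether existing records are re-encrypted on rotation. “We rotate annually” answers none of them.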
When evaluating a company with which to do business, take the time to ask the difficult questions about security. Simply reading website information will not give you assurance that the company is protecting your data. In some cases the information provided is not merely irrelevant but creates a false sense of security for the buyer. By using ‘geek speak’ it is easy to convince a non-techie that the right things are being done. If you are not confident in your own technical skills to evaluate a vendor, it is worth taking the time to find a consultant or some other trusted party to support you in your evaluation.
Rant Alert: Security Neophytes January 30, 2012
Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management. Tags: Chris Mark, cybersecurity, information assurance, Maritime Security, Piracy & Maritime Security, security
Like others who read this blog, I have worked in several areas of security over the years, including physical security and information assurance. Irrespective of the security domain in which you work, the underlying principles are similar. Risk management, defense in depth, and incident response are common to all areas of security, though the implementation differs. Security is a discipline that, like any discipline, requires study and experience to become proficient. Physical security is about more than holding a gun, and information assurance is about more than having a firewall.
I recently came across the website of a company that states in no uncertain terms that they are experts in cybersecurity (and several other domains). To demonstrate their “industry leading” expertise, they state that they can manage ‘various firewalls’ and that they have experience with ‘intrusion detection systems’. Really? This is expertise? While we shake our heads at their approach, some company will hire them because they can offer services at lower rates (due to the lack of actual expertise), and there will be the inevitable incident. It is this amateur approach to security that results in companies being hacked in the information assurance business and people being arrested or killed in the maritime security arena.
For whatever reason, every Tom, Dick, or Harry (or Sally) who has ever carried a rifle or worked for the government believes that he or she is now a “security professional”. Unfortunately, these companies make their way into the various industries and create issues for the professional organizations that have actual expertise borne of hard-earned experience and have paid their dues to understand the issues and their discipline.
Completing the Puzzle, Part 2: Checking on People January 28, 2012
Posted by Chris Mark in Risk & Risk Management. Tags: Chris Mark, google, mark consulting group, security
OK, in part one we talked a bit about how to research companies. Now we move on to people. Once you have taken a look at the company, you will find the principals, and you want to ensure the principals are on the up and up. Here is a way to start your search.
1) Check civil records. In the US, lawsuits and similar filings are public record. A Google search will turn up a number of places that list civil lawsuits. Many states provide access for free, while some are more difficult to access and you are better served using a third party. Either way, it is worth the effort. Start with the state in which the company is incorporated OR where it has its headquarters. In the US many companies incorporate in Delaware (don’t ask; that is another blog post). Then check the state in which the principal resides or where the company lists its HQ.
2) Check military records. Some people are surprised to find that you can actually get military records on people who have been discharged. It is completely legal and is your right under the US Freedom of Information Act (FOIA). Anyone can request a redacted DD214 (discharge paperwork) for ANY former military member and it will be provided. Here is a link. Unfortunately there are always those Walter Mittys (thank you Will McManus for the phrase) who embellish their military records or flat out lie about what they claim to have done. In the US, it is relatively easy to check. Under the FOIA you can get a redacted DD214 that shows units served, dates, occupational specialties, schools attended, and awards. If they claim to have a Navy Cross, you can check whether they are lying.
3) Monster.com and LinkedIn. I am always amazed at how many people do not cross-reference their own LinkedIn or Monster resume. Find their profile on LinkedIn and Monster.com AND take a screenshot. Why? Experience shows that when people find someone is snooping, they will “update” their profiles to remove any references in which they were less than truthful. By taking a screenshot, you have the evidence.
4) Check corporate records. As I outlined in the first part of the post, check company records. If someone claims to have owned a company since 1988 and you find that the dates overlap with a LinkedIn profile showing they were working at McDonald’s, you have to ask how they could both work at Mickey D’s and own a business.
5) Google, Google, and Google some more 😉 See the previous post.
It is amazing what you can find on individuals with a little work. All of the information above is in the public domain, is very easy to find, and can provide valuable information on the companies you are considering for security work.
