
“Slicing the Pie”; Risk Management 101 February 11, 2012

Posted by Chris Mark in Risk & Risk Management.

This is a followup to “Risk 101: an Introduction to Risk”.  Security and risk are interesting topics that lend themselves to endless debate (and the occasional argument).  They are concepts that are bandied about quite frequently but, in my experience, are often not well understood by those using the terms.  I have been asked by clients to describe risk management and security in business terms.  At the risk of oversimplifying the concepts, I will explain them in this post.  Security can be described rather simply as the implementation of controls to address a vulnerability or counter a threat.  Consider your house as an example.  If you install a lock on the front door, you are implementing a control (the lock) to address a vulnerability (an unlocked door) and a threat (that an unauthorized person will enter).

Risk can be described as a function of the likelihood of an event occurring and the impact should it occur.  Risk can be quantified using a simple formula (R = P% x I$: the probability of the event multiplied by the loss in dollars if it happens, which gives an expected loss) or expressed qualitatively.  In the scenario used above, there is a risk that your house will be burglarized.  Depending upon where you live, and other factors, the likelihood (expressed in terms of probability) will vary from unlikely to more likely to very likely.  The impact of the burglary will be determined by, among other things, the value of the assets that can be stolen.  So how does this relate to security?  The concepts are (or should be) inextricably entwined.

Controls should be implemented commensurate with the identified risk.

This is a very important concept.  Consider the following scenario.  If I were to offer you $1,000 to either 1) install a burglar alarm in your house or 2) install a fence to keep lions out of your yard, which option would you choose?  Likely most readers would respond with the statement “it depends upon where I live”.  This illustrates how security and risk management fit together.  There are two risks we are considering in this scenario: first, the risk of burglary, and second, the risk of lion attacks.  If you live in the Kenyan bush, you may be more concerned about lions, as the probability of a lion entering the yard is likely higher than that of a burglar.  If you live in New York City you are likely more concerned about burglaries than lions, as lions are not found in NYC (at least not legally).  The controls you are considering are either an alarm (to address the burglary risk described previously) or a fence to address the threat of a lion entering the yard.  Additionally, when we talk about ‘commensurate with the risk’ it means that the controls should be enough to address the risk but not cost more than the risk is worth.  You would not put a $1,000 alarm system on a $500 car.  It simply does not make sense and is an inefficient use of your limited resources.

With those topics covered very briefly, how do we discuss risk management in business terms?  Easy.  Consider that the risks to which you or your business are exposed are infinite.  You may not believe there is a risk of being hit by a meteorite, but I can assure you that, as infinitesimally small as the chance may be, there is a chance (probability), and the impact is likely not very good (injury or death).   If you question the example, read about the Sylacauga Meteorite here.

Now consider that the resources at your disposal (man hours, money, expertise, technology, information) are finite.  You may have a huge budget and world class expertise, but the fact remains that you have finite resources to address infinite risks.  The goal of risk management is to slice the pie of resources in a manner that allows you to address the greatest risks in the most efficient and effective manner possible.  There are four primary ways of treating a risk: Avoidance, Reduction, Sharing, and Retention (Acceptance).  Using the burglary example:

Avoidance– You can ensure you don’t own anything that could be stolen, or you could live in an isolated area where nobody else lives.

Reduction– You can reduce the risk (by reducing its probability, its impact, or both) by installing locks to make entry harder or using a safe to limit what can be taken.

Sharing– You can get insurance for your assets to reimburse you if they are stolen.

Acceptance– You can simply accept the fact that burglary is a possibility, but one you are willing to live with if the likelihood is remote or you have no assets to steal.

The idea is to allocate the pieces of the pie (which represent your finite resources) in a manner that addresses as much of the risk as possible.  It should be noted that there will always be residual risk, and that Black Swan events (high-impact events nobody assigned a meaningful probability to) remain possible.
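As an added worked example (not code from the original post), here is the R = P x I rule and the “slice the pie” allocation above written out in Python.  The risk register, the controls, their costs and their reduction factors are constructed numbers for illustration; the greedy rule that funds the control with the best reduction in expected loss per dollar, and the “commensurate” check that skips any control costing more than the exposure it removes, are this example’s own assumptions, not a method the post prescribes.

```python
"""Added example (not from the original post): a small quantitative risk
register using R = P x I, and a greedy 'slice the pie' budget allocation.
All names and numbers below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # annual likelihood of the event, 0.0 .. 1.0
    impact: float       # loss in dollars if the event occurs

    def exposure(self) -> float:
        """R = P x I: the expected annual loss from this risk."""
        return self.probability * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    risk: str                   # name of the risk the control addresses
    cost: float                 # annual cost of the control in dollars
    prob_factor: float = 1.0    # multiplies probability (0.4 = 60% fewer events)
    impact_factor: float = 1.0  # multiplies impact (0.5 = half the loss per event)


def residual(risk: Risk, controls: List[Control]) -> Risk:
    """Apply every funded control that targets `risk`; return the reduced risk."""
    p, i = risk.probability, risk.impact
    for c in controls:
        if c.risk == risk.name:
            p *= c.prob_factor
            i *= c.impact_factor
    return Risk(risk.name, p, i)


def allocate(risks: List[Risk], controls: List[Control],
             budget: float) -> Tuple[List[Control], float]:
    """Greedy allocation of a finite budget across controls.

    Each round funds the affordable control with the largest reduction in
    expected loss per dollar.  A control is skipped when its cost exceeds the
    exposure it would remove (the $1,000 alarm on the $500 car): that is the
    'commensurate with the risk' rule.  Reductions are recomputed against the
    controls already funded, so a second control on the same risk only gets
    credit for what is still left to protect (diminishing returns).
    """
    by_name: Dict[str, Risk] = {r.name: r for r in risks}
    funded: List[Control] = []
    candidates = list(controls)
    remaining = budget
    while True:
        best, best_ratio = None, 0.0
        for c in candidates:
            if c.cost > remaining:
                continue
            before = residual(by_name[c.risk], funded).exposure()
            after = residual(by_name[c.risk], funded + [c]).exposure()
            reduction = before - after
            if reduction <= c.cost:  # not commensurate: costs more than it saves
                continue
            if reduction / c.cost > best_ratio:
                best, best_ratio = c, reduction / c.cost
        if best is None:
            break
        funded.append(best)
        candidates.remove(best)
        remaining -= best.cost
    return funded, remaining


def residual_exposures(risks: List[Risk], funded: List[Control]) -> Dict[str, float]:
    """Expected annual loss per risk after the funded controls.  What is left
    is the residual risk to be retained (accepted) or shared (insured)."""
    return {r.name: residual(r, funded).exposure() for r in risks}


# Constructed scenario: the same three controls offered to two households.
CONTROLS = [
    Control("burglar alarm", "burglary", cost=250.0, prob_factor=0.4),
    Control("safe", "burglary", cost=200.0, impact_factor=0.5),
    Control("lion fence", "lion attack", cost=1000.0, prob_factor=0.1),
]
NYC_RISKS = [
    Risk("burglary", probability=0.05, impact=20_000.0),          # R = $1,000/yr
    Risk("lion attack", probability=0.000001, impact=500_000.0),  # R = $0.50/yr
]
BUSH_RISKS = [
    Risk("burglary", probability=0.005, impact=20_000.0),         # R = $100/yr
    Risk("lion attack", probability=0.02, impact=500_000.0),      # R = $10,000/yr
]


def plan(risks: List[Risk], budget: float = 1000.0) -> Tuple[List[str], float, Dict[str, float]]:
    """Return (funded control names, unspent budget, residual exposures)."""
    funded, left = allocate(risks, CONTROLS, budget)
    return [c.name for c in funded], left, residual_exposures(risks, funded)


if __name__ == "__main__":
    for label, risks in (("New York City", NYC_RISKS), ("Kenyan bush", BUSH_RISKS)):
        names, left, resid = plan(risks)
        print(f"{label}: fund {names}, ${left:.0f} unspent, residual {resid}")
```

With the constructed numbers the New York household funds the safe and then the alarm (the lion fence never clears the commensurate check), while the bush household funds only the fence, because at $100 a year of burglary exposure neither burglary control saves more than it costs.  Whatever exposure is left after the allocation is exactly the residual risk the post describes, to be insured or accepted.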

Why Regulation Cannot Prevent CyberCrime (TransactionWorld) February 6, 2012

Posted by Chris Mark in InfoSec & Privacy, Laws and Legislation, Risk & Risk Management.

As the maritime industry is increasingly focused on protection of data assets, I thought it would be beneficial to include an article on the topic.  This article is one I wrote for TransactionWorld in July, 2011.  It is titled “Why Regulation Cannot Prevent CyberCrime” and is a continuation of the discussion of the impact of deterrence on behavior.

“Data security and privacy regulation have increased significantly over the past 10 years. The U.S. now has 46 state breach notification laws and there have been numerous bills introduced in Congress that propose to regulate personally identifiable information and to dictate security of such data. In spite of this increasing regulation, data breaches continue to plague the industry. Some have proposed that more regulation is the answer. Unfortunately, regulation alone is inadequate to prevent data theft and protect data.

At its core, data theft and network intrusions are crimes. At the risk of oversimplifying the work of criminologists, crime prevention can be summarized as using deterrents to affect protection of assets and prevention of theft. Protection applies to the ‘hardening’ of targets by implementing controls that increase the level of difficulty of perpetrating a crime. A vault is a good example of a protective measure. While no vault is completely impenetrable, vaults do provide significant protective value. Data security controls are protective measures. They are designed solely to limit attempts to obtain the target of value. Without a deterrence effect, criminals are free to attack companies at will without fear of retribution. This article will explore the value of deterrence in the prevention of crime.” (read full article here)

Foreign Security Team to Face Trial in Somalia February 6, 2012

Posted by Chris Mark in Industry News, Piracy & Maritime Security, Risk & Risk Management.

SomaliaReport published a story today which said that six men arrested in May 2011 for bringing $3.6 million into Somalia as a ransom payment for a hijacked vessel will appear in Banadir Court on Thursday to face charges.  The six, one American, three Britons, and two Kenyans, have been held at the airport since their arrest nine months ago.  According to the story, the money was to be used for the release of two vessels, the MV Suez and MV Yuan Xiang.

Chris Mark Speaking at Combating Piracy Week in Hamburg February 2, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy, Piracy & Maritime Security, Risk & Risk Management.

I will be speaking at the Combating Piracy Week in Hamburg, Germany on the topic of CyberSecurity & CyberEspionage.  The talk will cover who is trying to steal your data and why, the technologies and tactics they use to steal corporate data, and what such data is used for.  You can get a preview of the topic by reading the Maritime Executive article in which I was interviewed.

If you have not attended one of the Hanson Wade Piracy events, it is worth attending.  Hanson Wade’s personnel do a great job of coordinating networking, and the speakers are all very professional and very adept.  I have had the opportunity to speak at nearly 100 events in the past 12 years or so, and I would put the Hanson Wade events in the top 5 in terms of value for the money.  I highly recommend this event for security companies that want to meet decision makers and speak with the people who influence the industry from a security perspective.

“These are not the droids you are looking for” – Using “geek speak” to confuse and confound January 31, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.

In reading through various companies’ websites, I often take a look at their security statements to see what, if anything, is being said about security.  More often than not these statements are little more than “geek speak” written to give consumers and others peace of mind, yet they don’t really provide any information on the security posture of the company.  In the vast majority of cases the statements are ‘marketing fluff’ and provide little value.  Here are some of the more common and interesting statements I have come across:

-”We use industry leading encryption, including SSL, to protect your data as it is transmitted to us.”  Encrypting credit card data in transit over open, public networks is not only required by the card brands and the PCI DSS, it is also required by a number of laws and is simply good practice!  The fact that a company feels compelled to state that it is using SSL to protect transmitted data leads to more questions.  It says nothing about which protocol versions and cipher suites the company accepts, about how your data is used (the privacy discussion), or about whether the stored data is adequately protected by encryption or other technologies.  SSL is a very small piece of the puzzle.

-”We use multi-tiered firewall controls to protect sensitive data.” Again, the Payment Card Industry Data Security Standard (PCI DSS) requires firewalls between the cardholder data environment and untrusted networks, including a DMZ, and being that we are now in the year 2012, operating without a multi-tiered network would be irresponsible at best.  This statement only says that the company has placed firewalls between various segments of its network and suggests that it is not operating a ‘flat’ network in which every system can touch every other system (very 2003).  It does not say anything about whether the devices are configured correctly (a firewall with an ‘any to any’ rule is just an expensive router), nor does it differentiate between application layer and network layer firewalls. (more geek speak to confuse and confound)

-”All customer data is housed in our secure data centers.” For those unfamiliar with the term, a “data center” is nothing more than a building used to house computer servers, typically for a number of different clients.  Data centers are designed with safety, physical security, and redundancy in mind.  The fact that data is housed in a 4th generation data center does not provide any information on the technical security controls implemented to protect customer data.  It simply means that if someone wanted to physically steal the computer they would be challenged; an attacker who comes in over the network never has to visit the building.

-”We use robust encryption and change the encryption key at least annually.”  The use of encryption technology is a good step, but encryption is only as good as the algorithms and key lengths used and the key management employed.  This statement simply says that, once again, the company is following industry accepted controls.  While changing encryption keys periodically is good practice, it doesn’t say anything about how the keys are generated, stored and protected in the intervening periods (a key kept alongside the data it encrypts protects nothing), nor does it say anything about what data is encrypted or what access controls are in place.

When evaluating a company with which to do business, it is suggested that you take the time to really ask the difficult questions about security.  Simply reading website information will not provide you with the assurance that the company is protecting your data.  In some cases the information provided is not simply irrelevant but may provide a false sense of security to the buyer.  By using ‘geek speak’ it is easy to convince a non-techie that they are doing the right things.  If you are not confident in your own technical skills to evaluate a vendor, it is worth taking the time to find a consultant or some other trusted party to support you in your evaluation.