
Completing the puzzle; Part 2- Checking on people January 28, 2012

Posted by Chris Mark in Risk & Risk Management.

OK, in part one we talked about how to research companies a bit.  Now we move on to people.  Once you have taken a look at the company, you will find the principals.  You want to ensure the principals are on the up and up.  Here is a way to start your search.

1) Check civil records.  In the US all lawsuits etc. are public record.  Do a Google search and you will find a number of places that list civil lawsuits.  Many states will provide access for free, while some states are more difficult to access and you are better served to use a third party.  Either way, it is worth the effort.  Start with the state in which the company is incorporated OR where it has its headquarters.  In the US many companies incorporate in Delaware (don’t ask…another blog post).  Check the state in which the principal either resides or where they list the HQ.

2) Check military records.  Some people are surprised to find that you can actually get military records on people who have been discharged.  It is completely legal and is your right under the US Freedom of Information Act (FOIA).  Any US citizen can request a DD214 for ANY former military member and it will be provided.  Here is a link.  Unfortunately there are always those Walter Mittys (thank you Will McManus for the phrase) who will embellish their military records or flat out lie about what they claim to have done.  In the US, it is relatively easy to check.  Under the FOIA you can get a redacted DD214 (discharge paperwork) that shows units served, dates, occupational specialties, schools attended, and awards.  If they claim to have a Navy Cross, you can check to see if they are lying.

3) Monster.com and LinkedIn.  I am always amazed at how many people will not cross-reference their own LinkedIn or Monster resume.  Find their profile on LinkedIn and Monster.com AND take a screenshot.  Why?  Experience shows that when people find someone is snooping, they will “update” their profiles to remove any references in which they were less than truthful.  By taking a screenshot, you have the evidence.

4) Check corporate records.  Like I outlined in the first part of the post, check company records.  If someone claims to have owned a company since 1988 and you find that the dates overlap with their LinkedIn profile showing they were working at McDonald’s, you have to question how they could both work at Mickey D’s and own a business.

5) Google, Google, and Google some more 😉  See the previous post.

It is amazing what you can find on individuals with a little work.  All of the information shown above is in the public domain.  It is very easy to find and it can provide some very valuable information on the companies you are considering for security work.

Completing the Puzzle: Verifying Company Claims & Information January 27, 2012

Posted by Chris Mark in Risk & Risk Management.

I have received a few emails over the past several weeks on how companies can have assurance that the security provider they are evaluating is on the up and up.  Sometimes a little due diligence goes a long way.  Here is a quick and easy start to your verification.

1) Check business formation dates.  In the US (and I am sure many other countries) business data such as incorporation dates, etc. are public record.  Companies need to be registered in a particular state or states.  If you do a quick Google search on the particular state you can find where the records are kept.  For example, in Utah you simply go to the following website: https://secure.utah.gov/bes/action .  In Nevada you would visit: http://nvsos.gov/sosentitysearch/corpsearch.aspx .  In New York you would visit: http://www.dos.ny.gov/corps/bus_entity_search.html .  If a company claims to have been doing business since 2001 and there are only records from 2005, you know that they are likely not telling the truth.  Additionally, you can find out if the business license was ever revoked, dissolved, etc.

2) Check the WayBack Machine.  http://www.archive.org   The Internet Archive is very familiar to geeks, but many others are not aware it exists.  Here you can see what a company’s website looked like at a very particular point in time.  A word of caution: some sites are not archived and some are only periodically archived.  That being said, if there is a snapshot of a company’s website from a particular date you can learn quite a bit.  For example, if a company claims to have provided maritime security services since 2008 and their website snapshot from 2009 shows no indication of such a service, it should raise red flags.  Often, companies will ‘embellish’ or change information on their website without realizing that the snapshot exists.  Like #1 above, if a company claims to have been in business since 2001 but their snapshot from 2008 shows a founding date of 2004, you have to question the validity of the 2001 date.

3) Google, Google, Google some more.  Google is an extremely powerful search tool.  It can use Boolean logic to conduct searches.  Use Boolean operators to make your searches more precise.  Here is a link to using Boolean operators in Google searches.  Boolean operators are things like the use of quotes to have Google search for a complete phrase such as “Chris Mark” instead of Chris Mark, which would result in a search for Chris, and Mark, and Chris Mark.  You can also use AND or a + sign to narrow the searches.  For example: “Chris Mark” + security will pull up all links to Chris Mark and security.  You can search within a specific website with the Site: operator, such as “Chris Mark” Site: NYTimes.com.  Within Google, don’t forget you can use the advanced search function on the left hand side of the page to search by specific dates.  Again, if a company claims they have been around since 1990, you would expect to see some results returned for dates in 1990.  Unless told otherwise, Google will provide the most relevant links first.  If you tell it to search by date it will provide very specific information on dates.

4) Search blogs and forums.  Often people will publish their opinions in blogs and forums.  While the information should be taken with a grain of salt, it certainly can give you information on companies and the perception within a particular group.  Find forums relevant to the industry and search for the principals of the company or the company itself.

While this is not an exhaustive list of techniques to verify company information, with some practice these four steps will provide a laundry list of information that can be used to verify whether claims are accurate or not.  Companies that change their claims and contradict themselves should be looked at very carefully.

Rogue Wave; Secure Payments Article January 11, 2012

Posted by Chris Mark in InfoSec & Privacy, Laws and Legislation.

This is an excerpt from an article I wrote a couple of years ago called “The Rogue Wave”.  It gives a high level overview of doctrine, tactics and strategy, and of applying PCI DSS as doctrine.  You can read the full article here.

“Recent data compromises have continued to illustrate the challenges of securing data in an increasingly hostile environment.  Companies are faced with securing and protecting their valuable information from a growing number of increasingly sophisticated and organized groups determined to steal valuable data.  Historically, the response to data compromises has been to pass and enforce increasingly strict standards, regulations, and laws detailing the specific steps companies must take to protect data and the required disclosure should data be compromised.  Those companies that are the unfortunate victims of data thieves are criticized and vilified for “losing data”.  In spite of the efforts being focused upon compliance with the various laws and standards, data compromises continue in their steep upward trend seemingly unabated…”

Security 101; Authentication December 27, 2011

Posted by Chris Mark in InfoSec & Privacy.

Recently I found myself in a discussion with a person about a particular feature of payment cards.  When I started discussing the concept of authentication, the look on the other person’s face told me that I was discussing a completely foreign subject.

While this is not a dissertation on security, authentication is a vital component of information security and fraud prevention within the payment card industry and of security in general.  For this reason, it is important to have an understanding of the concept and how it applies to our daily lives.

Authentication is described on Wikipedia as: “the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true”.

There are three generally accepted factors of authentication: 1) something you know (like a password), 2) something you are (biometrics like fingerprints or iris scans), and 3) something you have (like a token).  Each of these factors alone has some value and may be sufficient to demonstrate, with an appropriate degree of confidence, that you are the person who is authorized to access the resource.  The degree of assurance necessary, and thus the degree of required authentication, is predicated upon the sensitivity of the object to which you require access.  More sensitive resources require greater assurance and therefore more rigorous authentication.

Access control is defined as the combination of authorization and authentication.  Authorization is simply the approval to access a particular resource.  Consider a work environment where you are required to use a badge reader to enter the building.  As an employee you are authorized to enter the building.  To ensure that it is truly you (the authorized party) entering the building, you need to provide some evidence that you are who you say you are.  In many cases, the authentication mechanism is a proximity card that is waved and the door opens.  The proximity card is a token and would be considered a single factor of authentication: “something you have.”

When you get to your desk you need to access your work computer.  As an employee, you are authorized to access your email, and certain applications.  To log into the system you enter a user name (the system knows the person who owns this username is authorized to access certain resources) and then you enter your password.  This password (something you know) is a single factor of authentication that tells the system with some degree of confidence that you are the person that matches the username.

In both of these examples the astute reader has likely identified the vulnerability of single factor authentication.  In the first example a thief may have stolen the badge and may be masquerading as the legitimate user.  In the second example a person may have shared their password with another, or the password may have been stolen, in which case an ‘unauthorized’ person could also masquerade as a legitimate, authorized user.  When it is necessary to have an increased level of assurance that the authorized person is indeed the one accessing the resource, two factors of authentication can be used.  For the solution to truly be considered two-factor authentication it requires two of the three types of factors to be used simultaneously.  In high security areas it is common to see two factor authentication used.

Consider an example where you bank online.  Due to the sensitive nature of your account (and FFIEC regulations) the bank wants to have assurance that only the authorized account holder is accessing the account.  Since the bank website is accessed over the internet, the bank is limited in its ability to confirm the identity of the user.  A password alone is not sufficient, as a password can be stolen or shared.  In this scenario a bank would use a second factor of authentication.  While it does not guarantee that the person using the authentication mechanism is the authorized user, it provides a much greater level of assurance than a password alone.
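The rule in the paragraphs above, that two-factor authentication needs two of the three factor types rather than just two credentials, is easy to get wrong in code: a login that asks for a password and then a "secret question" has collected two pieces of "something you know" and is still single factor.  The following is an added example, not code from the original post, that models the online-banking case: a password (something you know) checked against a stored salted hash, plus a time-based one-time code from a token (something you have) generated the way RFC 6238 TOTP does it.  The user record, the salt and the token secret are constructed for the demonstration; the `totp` function is checked against the published RFC 6238 test vector, and `is_multi_factor` only counts distinct factor categories, so two passwords never add up to two factors.

```python
import hashlib
import hmac
import struct
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"   # password, PIN, secret question
    HAVE = "something you have"   # token, card, phone
    ARE = "something you are"     # fingerprint, iris


# Constructed demo user (not a real account). The password is stored only as a
# salted PBKDF2 hash; the token secret is the 20-byte secret from RFC 6238 Appendix B.
SALT = b"constructed-demo-salt"
PBKDF2_ROUNDS = 100_000
DEMO_USER = {
    "username": "alice",
    "password_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple",
                                         SALT, PBKDF2_ROUNDS),
    "totp_secret": b"12345678901234567890",
}


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def verify_password(user: dict, password: str) -> bool:
    """Something you know: recompute the salted hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user["password_hash"])


def verify_token(user: dict, code: str, at: int) -> bool:
    """Something you have: accept the current window and one window either side
    to tolerate clock drift between the token and the server."""
    return any(hmac.compare_digest(totp(user["totp_secret"], at + drift * 30), code)
               for drift in (-1, 0, 1))


def is_multi_factor(presented: list[tuple[Factor, bool]]) -> bool:
    """True only when at least two *distinct* factor categories were verified."""
    satisfied = {factor for factor, ok in presented if ok}
    return len(satisfied) >= 2


def authenticate(user: dict, password: str, code: str, at: int) -> bool:
    """Bank-style login: every presented credential must verify, and together they
    must span two factor categories."""
    presented = [
        (Factor.KNOW, verify_password(user, password)),
        (Factor.HAVE, verify_token(user, code, at)),
    ]
    return all(ok for _, ok in presented) and is_multi_factor(presented)


if __name__ == "__main__":
    now = 1_700_000_000  # fixed "current time" so the run is reproducible
    good_code = totp(DEMO_USER["totp_secret"], now)
    print("password + valid token:", authenticate(DEMO_USER, "correct horse battery staple", good_code, now))
    print("password + wrong token:", authenticate(DEMO_USER, "correct horse battery staple", "000000", now))
    print("two passwords counted as 2FA?", is_multi_factor([(Factor.KNOW, True), (Factor.KNOW, True)]))
```

Two details matter for the point the post makes.  A stolen password alone fails here because the token code is bound to a secret the attacker does not hold, and a stolen code alone fails because it expires within a minute and the password is still required.  The `is_multi_factor` check is what keeps a "password plus security question" design from being mislabeled as two-factor.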

Payment cards possess a number of authentication mechanisms.  The objective is to authenticate the transaction or user and reduce the incidence of fraud.  In card-not-present transactions such as ecommerce purchases, the CVV2 number is often used to authenticate the card.  Since the number is only printed on the card and it is against card brand rules (PCI DSS) to store the CVV2, the assumption is that if someone can input the CVV2 they are in possession of a valid card.  Unfortunately, it is this fact that makes CVV2 such a valuable target for data thieves.  More robust authentication mechanisms include 3-D Secure (Verified by Visa, MasterCard SecureCode), EMV (Europay, MasterCard, Visa) and the PIN used in debit transactions.  While each of these technologies increases the level of assurance that the authorized user is making a legitimate transaction, none of them guarantees it.

Authorization is a critical component of any information security or fraud prevention system.  Understanding the basics of authentication can help users better manage the security of their payment cards.

Two Leaders Lost; Reflecting on Vaclav Havel and Kim Jong Il December 19, 2011

Posted by Chris Mark in Uncategorized.

In the past few days the world has lost two leaders who could not have been more profoundly different.  As leaders of countries have a profound impact on global risk, it seemed appropriate to discuss these two leaders and their differences.

Vaclav Havel (1936-2011) was a Czech writer, dramatist and politician.  He is largely responsible for the Czech revolution which peacefully defeated communism and implemented democracy in Czechoslovakia, in what is now known as the Velvet Revolution or Velvet Divorce.  He was the last president of Czechoslovakia and the first president of the Czech Republic.  Vaclav was a prolific writer who changed peoples’ perspectives on politics, life, and economics.  One of his quotes is: “We had all become used to the totalitarian system and accepted it as an unchangeable fact and thus helped to perpetuate it”.  You can read more about Vaclav here.

Kim Jong Il, or the “Dear Leader” (1941-2011), was the dictator of the Democratic People’s Republic of Korea (DPRK).  This is more commonly known as North Korea.  While many believe, and it is put forth, that North Korea is Communist, in truth only their economic system is Communist.  They are a dictatorship.  Preceding Kim Jong Il was his father Kim Il Sung (the Great Leader), and succeeding him is his son, Kim Jong Un (the Great Successor).  Compare the words of Vaclav Havel above with those of Kim Jong-Il in the song “There is no motherland without you”.  You can read more about Kim Jong Il here.

“You pushed away the severe storm.
You made us believe, Comrade Kim Jong-il.
We cannot live without you.
Our country cannot exist without you!”

Vaclav Havel fought his entire life for the values of democracy, freedom, and prosperity for his people.  He led the only violence-free revolution which resulted in two countries being formed: the Czech Republic and Slovakia.  He was revered throughout the world and will certainly be missed.  Kim Jong Il fought his entire life to maintain an ironclad grip on power by oppressing and imprisoning those who dared speak against him.  North Korea is one of the poorest countries on Earth, yet they pursue nuclear weapons with a passion.  He was universally reviled and will only be missed because it is unclear what his successor brings.  Sometimes “The Devil You Know is Better Than The Devil You Don’t.”

Vaclav you will be missed.  Kim Jong Il, God help us if you are missed.