
InfoSec 101: Social Engineering December 17, 2011

Posted by Chris Mark in Uncategorized.

I just received a call from a friend of mine who wanted to talk about a phone call they had received. A person with an Indian accent called their house from 999-901-3307 and explained that he worked with Microsoft and that their computer “was infected with a number of viruses.” He asked them to visit a few screens and verify some ‘warnings’. He then asked them to allow him to access their computer to fix the issues. Luckily my friends were savvy enough to hang up the phone and not provide access. This is a classic example of what we call Social Engineering. Many people mistakenly believe that the easiest way to ‘hack’ or compromise a computer system is through technical means. In reality, it is often quicker and easier to simply have someone ‘invite’ the hacker into the system. If you ever receive a call, email, letter or any other communication from someone professing to be from Microsoft or some other vendor, you are well served to hang up. They will not call you directly, and without your request, to ask for access to your computer system.

New Domain! www.GlobalRiskInfo.com December 17, 2011

Posted by Chris Mark in Uncategorized.

Starting tomorrow (Sun, Dec 18th, 2011), the blog will have a new domain. You can find us at the current WordPress subdomain of https://maritimerisk.wordpress.com or you can simply type www.GlobalRiskInfo.com (not case sensitive). The blog will be expanding into other areas of risk including information assurance, physical security, and financial risk.

Tanker pirated while conducting STS operations off West Africa! September 14, 2011

Posted by Chris Mark in Uncategorized.

The IMB has reported that a tanker was pirated off the West coast of Africa and 23 of her crew taken hostage. The attack occurred Wednesday about 62 nautical miles from Benin’s capital of Cotonou. The bureau said the pirates took over the vessel, kidnapped its crew and sailed to an unknown location.

Updated reports indicate that the master sent an SSAS alert, and the crew locked themselves in the engine room and contacted their company's CSO. Sometime later the pirates left the vessel. The crew came out of the engine room, conducted a search for the pirates, and found the vessel to be safe. The crew regained control of the vessel.

Attacks off West Africa are becoming more and more common and brazen.  Companies are urged to take proactive measures to ensure that events such as this have less of a chance of occurring.  While the outcome was positive and the pirates ended up leaving the ship, the situation could have been far worse.

3rd Wave of Pirates? Law Enforcement Needed? (really?) September 7, 2011

Posted by Chris Mark in Uncategorized.

According to Jay Bahadur, author of The Pirates of Somalia, a new wave of younger, more violent pirates may be on the rise. You can read the interview here. While I agree with Mr. Bahadur on many of his points, he states that the immediate solution to piracy is ‘law enforcement on land’. I feel this is a ludicrous statement. ‘Law enforcement’ in a failed state serves no purpose. To have effective law enforcement you must first have governance. Right now Somalia is largely a lawless land. The per capita income is estimated at around $0.89 US per day. The incentive for piracy is simply too great to dissuade piracy. While I applaud Mr. Bahadur for his efforts at writing the book, his suggestion that law enforcement on the land will stop piracy is another example of an armchair quarterback taking a very linear, simplistic view of a complex situation. Law enforcement is needed but is simply not possible until a number of other pieces are put into place.

Security 101; Defense in Depth August 26, 2011

Posted by Chris Mark in Risk & Risk Management, Uncategorized.

This post is a complement to the post Risk101. In reading a number of articles and positions on maritime security strategies, it appears that some of the authors, while well-intentioned, misunderstand or misstate the basics of security. While this particular post is not a dissertation on security, it will discuss one of the more important concepts: Defense in Depth.

While defense in depth (DID) has been widely promoted as an information assurance concept developed by the NSA, it originates from military strategy. To understand how DID works, it is important to understand that security is not, and cannot be, absolute. It is not a binary concept of “secure” or “not secure”. The appropriateness of a security strategy is relative to the identified risk. One cannot say: “My house is secure”. You can say: “My house has been secured in a manner that is commensurate with the identified risks”. Security should be viewed as a function of time and effort. Given the skills and tools, a person with sufficient time and effort can theoretically circumvent any control. As skills and tools improve, security controls must also adapt. Safes are good examples of this concept. The Safe Source provides US safe ratings. Safes are rated from B1, simple theft resistant, to B6, which is an underwriters certification that includes TRTL-30. This rating means that a particular safe has been shown to resist 30 minutes of net working time with a torch and a range of tools including high-speed drills with carbide bits, saws and prybars. While safe ratings are not the focus of this post, they are a good example of the security continuum. Notice that none of the safes comes with a ‘guarantee’ that it can never be breached. With tools and effort, it is simply a matter of time. The goal of any security strategy is to increase the risk/reward calculation to the point where the attackers give up on the effort.

The basic concept behind defense in depth is to give up space to buy time. By implementing multiple layers of controls, with each layer designed to delay the attacker, it is possible to modify the risk/reward calculation to the point where it is simply not a wise investment of time to continue the effort. Remember that security must be implemented commensurate with the identified risk. As the risk increases, the controls must increase proportionally. Until this past year, many shipping companies were content with using less than lethal technologies to deter pirates. As ransoms have exceeded $3 million US, the pirates have greater incentive to assume risk and spend the time and effort on an attack, and therefore shipping companies need to increase their security controls.

Defense in Depth strategies require that companies evaluate and implement a number of controls. In general, security controls can be categorized into detective, preventive, and responsive controls. There is often a temptation to spend money and effort on preventive controls alone. This is a dangerous strategy. A complete defense in depth strategy will employ a number of overlapping controls, including best practices in ship speed, maneuvering, and routes, as well as more dynamic controls such as the use of armed guards and citadels. The controls should be included in a force continuum. In short, the use of force should be the last control employed, not the first.

By ensuring that you evaluate your security needs and controls in the context of the identified risks to which your vessels are exposed, you are better able to make decisions regarding the types of controls required. By implementing the controls using a defense in depth strategy that addresses detective, preventive, and responsive controls, you will ensure that you have a comprehensive security strategy designed to provide the maximum defensive value at the lowest possible cost.