Chris Mark in July 2014 of TransactionWorld (Proximate Reality) (July 1, 2014)

Posted by Chris Mark in cybersecurity.

July's issue of TransactionWorld Magazine was just released. It carries my latest article, "Understanding Proximate Reality to Improve Security". Here is a preview:

"Various reports are published annually that analyze data breaches, opine on the root causes of the data theft and frequently ascribe blame to one party or another. It always invites scrutiny when a well-known security firm or analyst makes a definitive statement such as 'X% of breaches could have been prevented through the implementation of basic controls, such as patching.'

This position is not only inconsistent with accepted risk management practices, but also confuses the basic concepts of correlation and causation while ignoring the very human element of adaptation. Unfortunately, companies that subscribe to these simplistic views of the industry and its threats are exposing themselves to very real dangers. As the increasing number of breaches identified each year shows, information security is no longer a domain for amateurs; making effective decisions requires applying lessons learned from domains such as intelligence, anti-terrorism, and decision science.

Two important concepts borrowed from the intelligence and anti-terrorism domains can help CSOs and others make relevant decisions about their risk posture and other aspects of data security. These concepts are known as Proximate Reality and Adaptive Threats."

Chris Mark speaking on PCI at a Business Process Outsourcing (BPO) event in 2013 (June 29, 2014)

Posted by Chris Mark in Uncategorized.

I was privileged to be able to speak at an AT&T BPO event in 2013. In Feb 2014 AT&T Marketing published the videos. I found one but was unaware they had published all 3. I hope you enjoy. (Remember, the camera adds 10 lbs! 😉)

New Security Reference Blog: The Security HOG (June 13, 2014)

Posted by Chris Mark in Uncategorized.

Security HOG is a complement to the GlobalRiskInfo site but is solely focused upon providing insight and education on the concepts of security, risk and compliance. Having worked in numerous security domains for over 20 years has provided me with valuable insight into the concepts and underpinnings of the science and art of security. Whether we are talking about physical security, operational security, information security or cybersecurity, the basic concepts remain the same. This blog will focus on the more esoteric, yet important, concepts of proximate reality, deterrence & compellence, parallax and convergence, threats & vulnerabilities, risk, and more.

Some might wonder what significance, if any, HOG has to the discussion of security. Within the USMC a person who is not a Scout/Sniper is known as a Professionally Instructed Gunman, or PIG, while a trained Scout/Sniper is known as a Hunter of Gunman, or HOG. As a former Marine Corps Sniper I am a HOG, and this is the reason the site is called Security HOG. Not too creative, I am afraid, but it seemed to have a ring to it...

"Active Responses" to CyberAttacks are Losing Propositions (May 22, 2014)

Posted by Chris Mark in cybersecurity, Data Breach.

"Everyone has a plan until they've been hit" – Joe Louis

Having spent numerous years providing armed and unarmed physical security in combat zones, hospital emergency rooms, psychiatric wards, and anti-piracy operations off the coast of Somalia, I have a deep respect for the force continuum and for the dangers of unnecessarily provoking an escalation by a volatile and dangerous adversary.

As cyberattacks continue to plague American companies as well as the payment card industry, there is a growing voice within the cybersecurity industry calling to allow and empower companies to take offensive action against cyber attackers. This is frequently referred to as 'hacking back' or 'offensive hacking'. Several prominent security experts, as well as some companies who have fallen victim to cyber-attacks, have begun advocating that 'a good offense is the best defense'. On May 28th, 2013 there was an online discussion in which an author of the upcoming book The Active Response Continuum: Ethical and Legal Issues of Aggressive Computer Network Defense[1] posted the following excerpt:

"There are many challenges facing those who are victimized by computer crimes, who are frustrated with what they perceive to be a lack of effective law enforcement action to protect them, and who want to unilaterally take some aggressive action to directly counter the threats to their information and information systems."[2] (emphasis added)

"Failed State of Security" Part II: Cybercrime Victim Blaming (May 18, 2014)

Posted by Chris Mark in Uncategorized.

I am proud to release another research brief, Part II of my "Failed State of Security" series, in which I discuss and analyze victim blaming in the context of data security. In 2012 I published a research brief titled "A Failed State of Security: A Rational Analysis of Deterrence Theory and The Effect on CyberCrime," in which I discussed the failure of law enforcement and cybersecurity to deter cyber events, and discussed the theory of deterrence and the need for deterrence within cybersecurity. You can download the article on IDGA's website or on my own website here. This paper is Part II of the "Failed State of Security" series. Started after the Target data breach, this topic is one that has always been close to me. In April 2009 I wrote an article titled "Lessons from the Heartland Breach" which was published as the cover story by TransactionWorld magazine.

Victim blaming is common in sexual assault, as well as other types of crimes. A quick Internet search will turn up scores of instances in which the victim of a violent crime is blamed for being victimized. When the victim is a large corporate entity it becomes easier to point the accusatory finger at the organization. Whether due to Schadenfreude or some other reason, people want to blame companies that are victimized by hackers. Did the company "cause" the breach? Were they somehow complicit in the attack? What do we mean when we say "cause"? What is a causal fallacy? These, and many more topics, are discussed in Part II of the "Failed State of Security" series. I invite you to download "Failed State of Security Part II: Victim Blaming in Cybercrime." As always, I welcome any comments or debate on the topic...