Chris Mark published in Computing Security Magazine May 21, 2020

Posted by Chris Mark in Uncategorized.

Computing Security magazine recently published an article I wrote on COVID19 and Threats, Vulnerabilities and Exploits.

“The suitability of security strategies is relative to the controls implemented to address risks; therefore, security should be viewed as a function of time and resources. Naturally, there can be no guarantee of security when threats are constantly adapting. Adaptive Threats are caused by something that can change its behaviour in reaction to prevention. As defences improve, threat actors adapt and so this cycle continues.

Adaptive Threats react to take advantage of vulnerabilities which are characteristics of design, location, security posture, operation and they render an asset, system, network, or entity susceptible to disruption, existing even if yet unidentified. An exploit is something that takes advantage of a bug or vulnerability and can be used to gain advantage of a susceptibility in a control. However, not all vulnerabilities are of equal risk or severity.

Furthermore, exploits and vulnerabilities are not mutually independent, and one can only exist without knowledge of the other…”. READ MORE!

New Article: Exploits, Vulnerabilities & Threat Adaptation March 17, 2020

Posted by Chris Mark in cybersecurity, InfoSec & Privacy.

AT&T CyberSecurity published my new blog post.  You can read it here!

“Security, whether focused on physical, cyber, operational, or other domains, is an interesting topic that lends itself to considerable debate among practitioners.  There are, however, basic concepts and underpinnings that pervade general security theory. One of the most important, yet often misunderstood concepts are those inextricably entwined concepts of vulnerabilities and exploits.  These basic underpinnings are critical in all security domains. 

What are exploits and vulnerabilities and why are they important to the study of security?

First, security cannot be considered a binary concept such as: “secure” or “not secure”.  The appropriateness of any security strategy is relative to the controls implemented to address identified risks.  One cannot say: “my house is secure”.  The measure of security is predicated upon the identified risks and the associated controls implemented to address those risks.  One can say: “My house has been secured in a manner that is commensurate with the identified risks”.  Second, security should be viewed as a function of time and resources.  Finally, security, in any domain, can never be ‘assured’ nor can there be a ‘guarantee’ of security.  The reason is simple.  Technologies change and human threats are adaptive.  According to the Department of Homeland Security’s Security Lexicon, Adaptive Threats are defined as:

“…threats intentionally caused by humans.” It further states that Adaptive Threats are: “…caused by people that can change their behavior or characteristics in reaction to prevention, protection, response, and recovery measures taken.” The concept of threat adaptation is directly linked to the defense cycle.  In short, as defenses improve, threat actors change their tactics and techniques to adapt to the changing controls.  As the threat actor improves their capabilities the defensive actors necessarily have to change their own protections.  This cycle continues ad infinitum until there is a disruption.”  Read the whole article!

Chris Mark in July 2014 of TransactionWorld (Proximate Reality) July 1, 2014

Posted by Chris Mark in cybersecurity.

July’s issue of TransactionWorld Magazine was just released.  Click here to read my latest article, “Understanding Proximate Reality to Improve Security”.  Here is a preview:

“Various reports are published annually that analyze data breaches, opine on the root causes of the data theft and frequently ascribe blame to one party or another. It always invites scrutiny when a well-known security firm or analyst makes a definitive statement such as “X% of breaches could have been prevented through the implementation of basic controls, such as patching.” 

This position is not only inconsistent with accepted risk management practices, but also confuses the basic concepts of correlation and causation while ignoring the very human element of adaptation. Unfortunately, companies that subscribe to these simplistic views of the industry and threats are exposing themselves to very real dangers. As supported by the increasing number of breaches identified each year, information security is no longer a domain for amateurs and requires the application of lessons learned from domains such as intelligence, anti-terrorism, and decision science to make effective decisions.

Two important concepts borrowed from the intelligence and anti-terrorism domains can be used to help CSOs and others make relevant decisions related to their risk posture and other aspects of data security. These concepts are known as Proximate Reality and Adaptive Threats.”  Read More!
