Cyber-attacks against companies, organizations and governments have hit an unprecedented high. The ease with which hackers can launch multiple attacks has also increased.  Hacking has become big business with nation-states, terrorist groups, organized crime and others capitalizing on the theft of information (trade secrets, technology, intellectual property, others) and disrupting businesses they are in competition with. Are the current defenses working?  Unless you live in a shoe box you realize, especially based on daily news reports that the cyber war appears to be one the good guys are currently losing. 

     A change is needed because the problem has gotten out of hand.  Current laws hinder organizations from defending themselves while at the same time facilitating the efforts of hackers.  So, rather than jumping to the conclusion that a

     Over the last year I have been writing and speaking on hacking back in self-defense, and every time I poll an audience as to whether hacking back is legal I get a resounding NO! 

     Then I walk the group through a theory of self-defense in cyberspace and re-ask the question with a slightly different spin. At that moment most agree that based on the manner in which the scenario and theory were presented it does not sound illegal; a ray of hope suddenly appears in their eyes. 

     Is this a play on words? Am I mincing words and definitions with questions like “what is the definition of is?”  No, it is a real and workable theory; a new way of looking at the problem.

     Let’s face it, if the government was going to and could help you they would. But like most companies they too are overwhelmed defending against a daily barrage of cyber-attacks. So, what‘s

Are you a business owner? Do you have any concerns about cyber security, having data lost or stolen?  If yes, we are getting closer.  Is your concern real or just a curiosity?  It should be real, and if it is have you done anything about it?  If you are not concerned then good, keep that attitude and don’t worry about it, until you have to, which may be sooner than you think.  If you are concerned and have not done anything about it are you going to?  If yes, when?  Now, or will you wait until something happens?  Statistically the odds are against you.  Do something now, before an incident and you invest the cost of good security, good policies, peace of mind that you did everything you could, and in most cases, a quick recovery from an incident.  Wait until you suffer a breach and join the thousands of companies who ended up paying much more, about three times as much in investigatio

I recently wrote a post entitled, “Is the US Already Engaged in Cyber War?”  This was published on Fox News early in the week before the NY Times article appeared stated the US and Israel collaborated on Stuxnet under a different code name and disrupted the Iranian nuclear program.  My speculation was that if one nation had attacked the critical infrastructure of another nation using cyber weapons, this would certainly constitute and “act of war,” or properly termed an “act of aggression” allowing the attacked nation to respond in self-defense under Article 51 of the UN Charter.  I still believe this is the case, but, not so much in this particular case.  Why, because of Iran’s apparent lack of any response, except in the media.  So, why is this?  Many articles and reports have already claimed we have seen the first cyber war with attacks like the one’s on Estonia and Georgia, and some even claim that th

  Is the U.S. engaged in a “cyber war?”  Until recently the identity of the perpetrators of cyber-attacks against U.S. networks, infrastructure and the military were clouded in suspicion and not spoken of out loud.  There has been much speculation about cyber war or a cyber-Pearl Harbor, but no official declaration of what constitutes cyber war or naming of names, until now.  In March, General Keith Alexander, speaking before Congress, and in May, Secretary of Defense Leon Panetta, during an interview with ABC News, outwardly named China as the main perpetrator and identified criteria for defining cyber war.  General Alexander, the Director of NSA and CYBERCOM commander, stated, “China is stealing a ‘great deal’ of military-related intellectual property from the United States and was responsible for last year's attacks against cyber security company RSA . .

            It seems lately no one is safe online.  Open any newspaper or just search the Internet for the word “cyber” and you will be inundated with stories of identity theft, online scams, data breach, etc.  Is this where we are now?  Should we just accept it and assume our personal information is going to be stolen and used by hackers and spammers?  I say NO!  Here are six easy to use tips that will help keep your valuable information secure. 

1. When banking online close all windows except for the bank window; and I don’t mean the windows in your house ; - ). Hackers can use a virus to access your secure bank window via an unsecure window like Google, Facebook, etc

     If you are an attorney you need to heed the warnings: lock down and protect client data.  This is not a scare tactic, but good advice in light of recent events.  In 2010 at least seven law firms in Canada were hacked, allegedly by Chinese hackers seeking to derail a $40 billion deal with an Australian mining company and to steal valuable client data resident at the law firms; and just this year the Puckett law firm was hacked by the Anonymous hacker group because the firm represents one of the Marine sergeants accused in the Hidatha, Iraq killings.  Some members of Anonymous were upset that the sergeant was getting a pretty good deal and Bradley Manning, the private who leaked      secrets to WikiLeaks was facing life in prison.  Imagine realizing that your law firm has bee

     I recently spoke at the FISSEA (Federal Information Systems Security Educators' Association) conference in Gaithersburg, Md.  This was a great conference focused on cyber security training for federal and private industry.  One comment that stuck with me made by Lance Spitzer of Sans, was that what a lot of organizations do with regard to their training programs is focus on compliance rather than effectiveness.  If your employees are merely getting through mandatory training by quickly clicking through; flipping the charts; or jumping right to the test to “get it over with,” then they are not being trained.  If you goal is simply compliance then you have probably met the standard.  If your goal is actually training the workforce, getting them engaged in protecting information, reducing the risk of loss or theft of  ]]> Sun, 12 Feb 2012 12:00:00 GMT

     This week the House Energy & Commerce Subcommittee on Communications & Technology held hearings on how to address the cyber security threat and better implement private/public cooperation to mitigate the threat.  A question was raised about current laws and whether they hamper the private sectors’ ability to defend itself.  The Committee recognized the White House commission report on cyber security and its discussion on current law gaps, located at: (White House Cyber Security Policy Review).  At least in my opinion, the laws clearly hamper private sectors’ ability to defend themselves.  Every time I lecture on my article, “Hacking Back In Self-Defense: . . .,” there is at least one or two people in the audience who argue that my theory is illegal.  Is hacking back illegal?  Yes,

Many interesting issues are raised in the scenario contemplated in a recent Fox News Exclusive titled, "WikiLeaks to move servers offshore, sources say."  I am interested since I am quoted numerous times about international law issues; but regardless, this topic could raise some interesting discussion. 

The issue is similar to the concept of Sealand, the man-made platform off the coast of England whose owners claim it belongs to no nation and they are their own sovereign territory.  At one time Havenco placed a server farm on Sealand and offered server space.  The only restriction in the terms of service was no child porn.  Anyone could rent server space and keep anything, other than child porn, on the servers regardless of the data’s legality, e.g. copyrighted material, terrorist info, data related to various criminal activity such as stolen info, money laundering, etc.  ]]> Sun, 29 Jan 2012 22:00:00 GMT

Like many people, I make a lot of assumptions.  Lately, I have made a lot of assumptions about people’s level of knowledge when it comes to cyber security and technology.  This is likely due to my background and training.  If you work in the IT or cyber security or related areas chances are you also make a lot of these assumptions as well. 

Recently I learned that the level of knowledge regarding cyber security and technology amongst the legal profession is not as high as I had assumed.  This is not a knock on my colleagues in the law profession, but my failure to avoid making assumptions.  For instance, when emails are offered into evidence their authenticity must be established, but does this include whether the email address is genuine and was not spoofed, the content is original and was not altered, the date and time was not altered, the location of where the mail

In January I attended and spoke at the FBI & Fordham Univ. ICCS 2012 conference at Fordham Univ.  It was a great conference with more than 30 countries represented.  Most of the speakers were excellent.  This was truly a great collaboration between private industry and law enforcement from all over the world.  I was somewhat apprehensive, though, as to how my lecture, “Hacking Back In Self-Defense: Is It Legal; Should It Be?,” would be received, especially by law enforcement.  To my surprise the response was excellent.  First impression from many when they read the title is that all hack back is illegal, vigilantism, unethical; but, after the lecture numerous people to include many law enforcement personnel approached me to express their interest in the topic and law enforcement in particular was happy to see an attorney trying to push the envelope and move the discussion

The latest buzz word or acronym around the water cooler is BYOD or bring your own device.  Use of mobile devices has sky rocketed over the last year with the iPhone, iPad, tablets, Android, etc.  Everyone wants the latest and the greatest.  But, who wants to carry around two devices, the company’s and your own?  Even if you don’t mind carrying the extra device, how many man-hours do employers lose when employees are exploring and surfing their new mobile devices at work?

It may be better, depending on the business, to just allow employees to use their personal devices for work.  This issue is similar to the controversy over whether to allow employees to use social media.  On that one, cats out of the bag, they are, so put a policy in place to set parameters to benefit and protect the company.  But BYOD, whoa, how many privacy, security and legal issue

In my last blog on “Hacking Back” I asked is it legal, ethical, and do I have a right to defend my network against yours?  Well, I believe it is legal and ethical, and absolutely, I have the right under “self-defense” to defend my network from being attacked by yours, even if you do not know that your network is attaching mine!  Obviously if I know who you are and can contact you I would be obligated to do so.  This scenario assumes I have no idea where the attack is coming from.  When considering hacking, hack back, self-defense in cyber space, etc., you must consider the fact that everything happens literally at the speed of light.  So, saying I must contact law enforcement, collect evidence, and go to court is the same as saying “just accept it, and hope to recover all of your losses from a court, even if your company has since been put out of business.”  So, here is my nex

     As a business owner, do you have a social media policy; a mobile device use policy?  The days of telling employees they cannot use social media at work or bring their mobile devices are over.  During Black Friday of 2011 and the holiday season thus far, employees continued to do the majority of their online shopping at work, but this year rather than using company computers they used personal mobile devices like iPhones, iPads, smart phones, tablets, etc.  The best an employer can do is put well drafted policies in place to capitalize on the new technology and encourage employees to promote the business with their friends and contacts.

     So, what are the issues you need to consider when drafting these policies? 

     ]]> Fri, 25 Nov 2011 12:00:00 GMT

As a business owner, are you managing risk or throwing caution to the wind?  In today’s economy business is tough.  Belts are being tightened, departments and entire organizations are being downsized, people are being laid off, sales and marketing projects are being put on hold.  These actions are being taken to protect the company and stretch revenue.  In many cases a significant negative event to the company could have catastrophic consequences.  An event like getting hacked and then sued for loss of customer information, proprietary information, or even employee personal information, that could have easily been minimized through risk management.  Follow these simple steps to minimize your risk and put your company in a better position to survive the unforeseen! 

1. Do a risk

Hacking? Bots? The bottom-line is we are losing the war. Businesses must be able to defend themselves to prevent the loss of money, technology, and secrets. As new laws are explored, old ones amended, and solutions sought, let's think outside the box and give the good guys the advantage, or at least a fighting chance. This paper explores some of the ways clear, forward, out-of-the-box thinking, and analysis can put us back in the game.

A recent FBI report, titled, “DNS Changer Malware,” outlines the arrest of numerous hackers who compromised DNS servers and infected about a million machines.   Explanation:  When you surf the Internet you type in search terms, like for this blog, Titan Info Security Group.  Your search engine, whether Bing, Google, etc., then displays results for your search in the form of a domain name.  When you click on one of the results it brings up the window and at the top the domain name appears as a word or group of words, like "www.titaninfosecuritygroup.com."  The Internet does not use the domain name but needs a number to function and carry out your request.  For instance, the number or IP address for Titan Info Security Group is 87.246.2.176.  The DNS servers, or Domain Name System servers, which are a part of the Internet structure, convert the domain name or word(s) to an IP address number.  Here is what happened:

   Normally I don't blog about something I am offering, but based on recent conversations I thought this was important.  Don't be the low hanging fruit with your head in the sand.  Take action now against hackers.  Hope this is helpful and gets you thinking:

  Cyber security lately has become a household term or at least a very well-known term in the business and corporate environment.  It seems like almost every week there’s a news story or article about another large company being hacked.  You may ask yourself why; why is hacking becoming so prevalent or at least so widely talked about today.  Simple, the more we rely on technology for our daily lives the more opportunity is presented for hackers (the bad guys) to steal things.  20 years ago if a hacker w

Recently the Wall Street Journal published a spread entitled, "What's a Company's Biggest Security Risk?"

http://online.wsj.com/article/SB10001424053111904836104576556421692299218.html?KEYWORDS=What%27s+a+Company%27s+Biggest+Security+Risk

Here are some things you should take from this set of articles:

1. Security is very overwhelming and unless it is your full-time job, chances are as a business owner or CEO you will not be able to keep up with it. So, you hire a company to do it for you. Great.

2. Can you articulate what security has been implemented, what policies you have in place, etc.?

3. As an owner or CEO you better be able to. After a security incident whether you are liable and to what degree depends on your knowledge of your secu