For enemies today, conquering your territory isn't enough; their new goal is total domination.
—R. Bunker, Networks, Terrorism and Global Insurgency, 2014
Headquartered in Los Angeles, Countercastle helps organizations large and small defend against hacking, fraud, data theft, insider attacks, and espionage.
In medieval warfare, a countercastle was a stronghold built to guard a forward territory from being overrun by the enemy.
Times have certainly changed. In cyberspace, an enemy can now materialize in many places simultaneously — and even the territory itself can be used as a weapon. In order to be effective, today's stronghold must transcend the organization it protects. A countercastle must be everywhere: a multiplicity of defenses propagated throughout data, systems, and human behavior.
This means that security must be tailored to the people, processes, and systems being protected. Generic security isn't effective,1 as proven by the billions of dollars lost each year to cybercrime.2 When the federal government suffered the worst data breach in American history,3 it was due to the dangerous misconception that generic security tools were working. In truth, management had no idea where its gaps actually were.
Defending all fronts requires being able to visualize your organization inside and out:
- Discovering Your Terrain. Where does your most prized data live, and where does it travel? It's hard to protect what you can't see. Amazingly, 43% of companies don't know where their own sensitive data is stored.4 How do business processes, systems, and people interact? Where are the forgotten ingress and egress points — the gaps in castle walls? What defenses exist — and do people actually use them?
- Understanding Your Unique Threats. What are all the ways that outside criminals or rogue insiders could steal, profit, or disrupt — and how can these be prevented without overspending for security features you don't need?
- Right-Sizing. Does security engineering fit perfectly, yet scale in the face of attacks? Can it stand up to rigorous hacker testing? Can security be simplified so it's easier to manage? Are there opportunities to cut costs with Cloud or Open Source tools?
- Enabling People. The best firewall in the world won't stop insecure behavior by insiders. Studies show that awareness is key: people who understand how attacks work become better defenders — and this requires ongoing training.5
Using a think tank approach, Countercastle specializes in transforming businesses
into strongholds where security extends to every corner. Generic defenses simply can't do that.
Learn more about our services, contact us to get started, or follow us on Twitter.
Senior Cybersecurity Consultant & Researcher|
M.S., CISM, CISSP, CEH
Active in security since 1985, Scotch is a cybersecurity consultant, researcher, writer, and speaker.
He has served as a senior security consultant and principal at both startups and Fortune 500 companies alike, with clients such as Cisco/Linksys, Intuit, Sempra, Mitsubishi, Viacom, and more. Strengths include building robust security programs, risk & gap analysis, compliance, manual penetration testing, security architecture, secure coding, fraud & insider attack prevention, counterintelligence, cryptography, business contracts, and training.
Career highlights include 9 years as a security architect, platform engineer, and security coder/developer at Wells Fargo. While helping design the company's fraud detection, 2-factor authentication, E-vault, crypto acceleration, DMZ, cloud, and load balancing schemes, he innovated the use of honeypots to aid FBI fraud investigations.
He also spent 5 years as a Security Principal at Sempra, where he managed the security architecture and penetration testing of over 90 projects, including the massive $1B Advanced Meter (AMI) and $2B Pipeline Safety Enhancement Plan (PSEP) efforts, while following Homeland Security, Department of Energy, and NIST best practices.
A Southern California native, Scotch studied English literature and computer science at the University of California, cryptography at Stanford, and Risk Management at Texas A&M. He is a member of the Upsilon Pi Epsilon (UPE) Honor Society for Computing Disciplines, and received his M.S. in Cybersecurity from the University of Maryland, a NSA Center of Excellence.
Scotch remains an avid security researcher and critical theorist, with a strong focus on security's intersections with virtual spaces, artificial intelligence, espionage, psychology, popular culture, creativity, and the arts. A longtime performance artist himself, his recent paper, "Kidnapping As Art" (MIT Press), explored the economics of "art kidnappings." He also authored the absurdist comedy novel, Two Performance Artists Kidnap Their Boss And Do Things With Him (Freakshow Books), which won the Silver Award for Best New Voice from the Independent Book Publisher's Association in 2015 — and of course, it features plenty of hacking.
- Siponen, M. (2003, July). Information Security Management Standards: Problems and Solutions. In 7th Pacific Asia Conference on Information Systems (pp. 1550-1561). Proc. in PACIS, Adelaide, South Australia. Retrieved from: https://pdfs.semanticscholar.org/f5df/7683b6 51f9a90cb27fc30041a98311504a15.pdf
- Nakashima, E. (2015, July 9). Hacks of OPM databases compromised 22.1 million people, federal authorities say. The Washington Post. Retrieved from: https://www.washingtonpost.com/news/federal-eye/wp/2015/07/09/hack-of-security-clearance-system-affected-21-5-million-people-federal-authorities-say/
- Nakashima, E., & Peterson, A. (2014, June 9). Report: Cybercrime and espionage costs $445 billion annually. The Washington Post. Retrieved from: https://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html
- Worth, D. (2016, March 4). Almost 50 percent of companies do not know where their data is stored. The Inquirer. Retrieved from: http://www.theinquirer.net/inquirer/news/2449713/almost-half-of-firms-do-not-know-where-their-data-is-stored
- Chen, C. C., Shaw, R. S., & Yang, S. C. (2006). Mitigating information security risks by increasing user security awareness: A case study of an information security awareness system. Information Technology, Learning, and Performance Journal, 24(1), 1. Retrieved from: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.102.5945&rep=rep1&type=pdf