Countercastle Cybersecurity
 ARTICLES  //  CONSULTING & TRAINING  //  RESEARCH  //  ABOUT  //  CONTACT 
 
About Countercastle

Headquartered in Los Angeles, Countercastle helps organizations defend against cyber and insider attacks, fraud, and espionage.
 
Countercastle photo by Modris Putns In medieval warfare, a countercastle was a stronghold built to guard a forward territory from being overrun by the enemy.
 
Today in cyberspace, an enemy can now materialize in many places simultaneously — and even the territory itself can be used as a weapon.  In order to be effective, today's stronghold must transcend the organization it protects.  Today's countercastle must be everywhere: a multiplicity of defenses propagated throughout data, systems, and human behavior.
 
This means that security must be tailored to the people, processes, and systems being protected. Generic security isn't effective,1 as proven by the billions of dollars lost each year to cybercrime.2 When the federal government suffered the worst data breach in American history,3 it was due to the dangerous misconception that generic security tools were working. In truth, management had no idea where its gaps actually were.
 
Defending all fronts requires being able to visualize your organization inside and out:

  • Discovering Your Terrain. Where does your most prized data live, and where does it travel?  It's hard to protect what you can't see. Amazingly, 43% of companies don't know where their own sensitive data is stored.4  How do business processes, systems, and people interact? Where are the forgotten ingress and egress points — the gaps in castle walls? What defenses exist — and do people actually use them?
  • Understanding Your Unique Threats. What are all the ways that outside criminals or rogue insiders could steal, profit, or disrupt — and how can these be prevented without overspending for security features you don't need?
  • Right-Sizing. Does security engineering fit perfectly, yet scale in the face of attacks? Can it stand up to rigorous hacker testing? Can security be simplified so it's easier to manage? Are there opportunities to cut costs with Cloud or Open Source tools?
  • Empowering People. The best firewall in the world won't stop insecure behavior by insiders. Studies show that awareness is key: people who understand how attacks work become better defenders — and this requires ongoing training.5

Countercastle specializes in transforming businesses into strongholds where security extends to every corner. Generic defenses can't do that.
 
Learn more about our services, contact us to get started, or follow us on Twitter.

 
 

About Scotch Wichmann

Active in security since 1985, Scotch is a cybersecurity consultant, researcher, hacker, writer, and speaker.
 
Scotch Wichmann, Cybersecurity Researcher A sought-after expert in building security programs, risk and gap analysis, compliance and legal issues, penetration testing, security architecture, secure coding, fraud prevention, counterintelligence, cryptography, and security training, his past clients have included companies like Cisco, Intuit, Sempra, Mitsubishi, and Viacom.
 
Career highlights include 9 years as a security architect and engineer at Wells Fargo, where he helped design the company's fraud detection, 2-factor authentication, E-vault, crypto acceleration, DMZ, cloud, and load balancing schemes, while innovating the use of honeypots to aid F.B.I. fraud investigations.
 
He also spent 5 years as a Security Principal at Sempra, where he managed the security architecture and penetration testing of over 90 projects, some with billion-dollar budgets, while following Homeland Security, Department of Energy, and NIST best practices.
 
A FBI Infrastructure Liason, Scotch currently serves as an on-demand Chief Information Security Officer (CISO) for a variety of Los Angeles area clients.
 
Scotch studied English literature and computer science at the University of California, cryptography at Stanford, and Risk Management at Texas A&M. He is a member of the Upsilon Pi Epsilon (UPE) Honor Society for Computing Disciplines, and received his M.S. in Cybersecurity from the University of Maryland, a NSA Center of Excellence. He holds CISSP, CISM, and Certified Ethical Hacker (CEH) certifications.
 
Scotch remains an avid security researcher and critical theorist, with a strong focus on security's intersections with virtual spaces, artificial intelligence, espionage, psychology, popular culture, creativity, and the arts. A longtime performance artist himself, his paper "Kidnapping As Art" (MIT Press) explored the economics of "art kidnappings." He also authored the absurdist comedy novel, Two Performance Artists Kidnap Their Boss And Do Things With Him (Freakshow Books), which won the Silver Award for Best New Voice from the Independent Book Publisher's Association in 2015 — and of course, it features plenty of hacking.


References
 
  1. Siponen, M. (2003, July). Information Security Management Standards: Problems and Solutions. In 7th Pacific Asia Conference on Information Systems (pp. 1550-1561). Proc. in PACIS, Adelaide, South Australia. Retrieved from: https://pdfs.semanticscholar.org/f5df/7683b6 51f9a90cb27fc30041a98311504a15.pdf
  2. Nakashima, E. (2015, July 9). Hacks of OPM databases compromised 22.1 million people, federal authorities say. The Washington Post. Retrieved from: https://www.washingtonpost.com/news/federal-eye/wp/2015/07/09/hack-of-security-clearance-system-affected-21-5-million-people-federal-authorities-say/
  3. Nakashima, E., & Peterson, A. (2014, June 9). Report: Cybercrime and espionage costs $445 billion annually. The Washington Post. Retrieved from: https://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html
  4. Worth, D. (2016, March 4). Almost 50 percent of companies do not know where their data is stored. The Inquirer. Retrieved from: http://www.theinquirer.net/inquirer/news/2449713/almost-half-of-firms-do-not-know-where-their-data-is-stored
  5. Chen, C. C., Shaw, R. S., & Yang, S. C. (2006). Mitigating information security risks by increasing user security awareness: A case study of an information security awareness system. Information Technology, Learning, and Performance Journal, 24(1), 1. Retrieved from: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.102.5945&rep=rep1&type=pdf