Access Control #2

Access control is intended to allow only authorized subjects to reach protected resources. A comprehensive assessment, including penetration testing (network and physical) or Red Team testing, is necessary to evaluate the effectiveness of the control and to identify weaknesses like:
- Misconfiguration
- System defaults
- Normal operations run with high system privileges
- Unpatched systems or components
- Inherent back doors
- Staff lack of awareness
- Phishing victims
- Unattended equipment
- Unattended login sessions
- Insecure entry points (both network and physical) reachable via brute force
...
Read More

The Past

Earlier, I talked about network anomaly detection. It is the kind of technology that uses past activity to judge whether your network is healthy and normal. Key considerations to evaluate before deployment:
- The "past" activity must be correctly understood by the technology in the first place, as the baseline reference
- Using a typical life-cycle management concept, the algorithm must be intelligent enough to handle the entire suite of new, change and delete use cases of network traffic without excessive false negatives or false positives
- Flag "new" traffic that deviates from the baseline, with a severity level that reflects its likely intent
- Whether the algorithm is equipped with deep packet inspection (or, even better, machine learning capability) to inspect expected connections whose payload differs from the baseline
- Report traffic that is missing compared with the baseline, which could be a sign of malfunctioning field device(s) talking to the host or controller
Challenges are:
- Competency and capability of the deployment team to understand your environment
- Criteria to sign off as project completion from...
Read More
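As an added example, not code from the original post, the following Python script shows the shape of a flow-baseline detector covering three of the bullets above: learning the baseline from past traffic, grading new flows by severity, and reporting periodic flows that have gone missing (the "malfunctioning field device" case). Every host address, port and flow is constructed for the example; the three-step severity ladder and the 90% threshold for calling a flow "periodic" are my assumptions, not the author's.

```python
"""Flow-baseline anomaly detection.

Added example (not from the original post): learn the expected
(src, dst, dport, proto) flows from a baseline period, then classify an
observation window into known flows, new flows with a severity level, and
periodic flows that went missing.  Every address and flow is constructed.
"""
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src dst dport proto")


def constructed_baseline():
    """Twelve 5-minute intervals of constructed flows.  The PLC heartbeats
    and the controller-to-historian feed appear every interval; the
    engineering workstation's RDP session to the controller is occasional."""
    intervals = []
    for i in range(12):
        seen = {
            Flow("10.20.1.11", "10.20.1.2", 502, "tcp"),   # PLC-1 -> controller (Modbus/TCP)
            Flow("10.20.1.12", "10.20.1.2", 502, "tcp"),   # PLC-2 -> controller
            Flow("10.20.1.2", "10.30.0.5", 4840, "tcp"),   # controller -> historian (OPC UA)
        }
        if i % 4 == 0:
            seen.add(Flow("10.30.0.50", "10.20.1.2", 3389, "tcp"))  # workstation RDP
        intervals.append(seen)
    return intervals


class FlowBaseline:
    """Baseline of flows plus the derived facts used to grade deviations."""

    def __init__(self, intervals, periodic_ratio=0.9):
        self.n_intervals = len(intervals)
        self.count = Counter(f for seen in intervals for f in seen)
        self.hosts = {h for f in self.count for h in (f.src, f.dst)}
        self.ports_from = {}                       # src -> dports it has ever used
        for f in self.count:
            self.ports_from.setdefault(f.src, set()).add(f.dport)
        # Flows present in (almost) every interval are treated as heartbeats;
        # their absence is itself a finding.
        self.periodic = {f for f, c in self.count.items()
                         if c / self.n_intervals >= periodic_ratio}

    def severity(self, f):
        """Grade a flow that is absent from the baseline (assumed ladder)."""
        if f.src not in self.hosts or f.dst not in self.hosts:
            return "critical"   # a host the baseline has never seen at all
        if f.dport not in self.ports_from.get(f.src, set()):
            return "high"       # known host using a service it never used
        return "medium"         # known host, known service, new peer

    def evaluate(self, observed):
        """Return (severity, kind, flow) findings for one observation window."""
        findings = []
        for f in sorted(observed):
            if f not in self.count:
                findings.append((self.severity(f), "new flow", f))
        for f in sorted(self.periodic - set(observed)):
            findings.append(("high", "missing periodic flow", f))
        return findings


# Constructed observation window: PLC-2's heartbeat is absent, the
# workstation speaks Modbus directly to PLC-2, and the controller reaches
# an Internet address it has never talked to.
OBSERVED = {
    Flow("10.20.1.11", "10.20.1.2", 502, "tcp"),
    Flow("10.20.1.2", "10.30.0.5", 4840, "tcp"),
    Flow("10.30.0.50", "10.20.1.2", 3389, "tcp"),
    Flow("10.30.0.50", "10.20.1.12", 502, "tcp"),
    Flow("10.20.1.2", "203.0.113.9", 443, "tcp"),
}


def run():
    """Evaluate the constructed window against the constructed baseline."""
    return FlowBaseline(constructed_baseline()).evaluate(OBSERVED)


if __name__ == "__main__":
    for severity, kind, flow in run():
        print(f"{severity:8} {kind:22} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

The sign-off question the teaser raises shows up here as two tunables: how long the baseline period must be before the "periodic" set is trustworthy, and how the severity ladder maps to who gets paged. Both have to be agreed with the people who know the plant, not left to the vendor defaults.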

Automation

Every day, we rely heavily on automation, whether visible or behind the scenes: rice cooker, temperature control of the air conditioner, TV program recorder, garage entry, escalator, fire alarm system, traffic lights, public lighting, vehicle, train, vessel, cargo terminal, electric grid, etc. Are we ready to bear the failure of any of these automations? Or how long can we tolerate degraded service? These questions are the basis for deriving the alternate processing model to resume service, even if it is not up to the expected service quality. Shortening the unplanned outage time or raising service quality during an outage translates into substantial monetary terms. Cybersecurity practitioners can only facilitate the thought process; the ultimate decision rests with the business: risk-taking between optimal or optional investment to meet the business target....
Read More

Neighborhood

As in the physical world, mutual support and care are important to maintain safety in the cyber world. Unlike the physical world, we might not "see" our neighbors or their houses. But the merit is that even if we are far apart physically, we can still take care of our cyber neighbors. Things we can do:
- Notify our cyber neighbor when their cyber identity is likely compromised and being used to launch phishing attacks
- Share near-miss cyber incidents to alert others so they do not fall for the same scam
- Not forward threat information received from untrusted sources, which only creates unnecessary network traffic or panic
...
Read More

Governance

In the last article, I talked about PPTP. With organization policies formally established, the next step is the governance to make them work. Otherwise, policies are just slogans in the air. The governance must be driven by the governing body (usually senior management in the organization), whose duties include but are not limited to:
- Mandating cybersecurity directives (policies) for enforceable, repeatable and achievable business processes
- Approving risk acceptance for deviations from these established policies
- Stipulating strategic decisions to ensure business outcomes align with organization business objectives like digital transformation, Recovery Time Objective (RTO), recovery priority and funding
The hard part is that the governing body needs to determine the right path for the organization rather than being distracted by sales pitches or FUD exaggerated by the media....
Read More

PPT, PPTP

People, Process and Technology (PPT) are always referred to as the foundation in the cybersecurity community. Yes, they are. But without formal organization policies to drive them, many pitfalls can be foreseen:
- Misalignment among business units
- Misinterpreted context of the policies
- Lack of management support for continuous improvement
- Insufficient skill set in the workforce
Therefore, a more precise model, PPTP (People, Process, Technology, Policies), seems more suitable. Without the last P, it's like a chair with a broken leg that will fall (fail)....
Read More

Preparedness

No doubt, we have deployed and sustained protection as counter-measures against cyber threats. However, the cyber threat landscape is always evolving: new tricks, zero-day exploits and Advanced Persistent Threats (APT) are out there, and we don't know what we don't know. In this regard, we must assume our system or infrastructure will be compromised. It is just a matter of when. To deal with the worst scenario, we have to be well prepared beforehand. Things like:
- Establish a directive on the trade-off between service resumption and digital evidence preservation
- Determine the dependencies of resuming service in an alternate facility, even at a degraded level
- Streamline the philosophy of containment to minimize damage from a cyber attack
- Maintain contact information as well as a reliable and trusted communication channel among key personnel during an emergency
- Prepare Line-To-Take templates to simplify the job for PR
- Most importantly, human safety and environmental protection should be the first priority
- Regular drills to validate readiness and find ways to improve
...
Read More

Tunnel

A "digital" tunnel is common in the cyber world. TLS (Transport Layer Security) is widely deployed: the TLS negotiation between mail servers (STARTTLS) before message transfer begins, HTTPS (HTTP over TLS, the successor to SSL, Secure Sockets Layer) between web browser and web server, and VPNs (Virtual Private Network) for point-to-point or site-to-site connections (TLS-based VPNs; IPsec is the other common tunnel). All of these serve one purpose: protect sensitive information submitted through an untrusted network. Two key learnings:
- Don't assume HTTPS is end-to-end secure. Some Internet gateways have a web proxy in between that terminates the TLS connection, inspects the content and re-encrypts it towards the client with a certificate issued by the gateway's own CA. This happens in certain organizations, on public free access points, and in regions with Internet control. The check a user can make is to look at the issuer of the certificate the browser shows: if it is the organization's or an unknown CA rather than the site's real CA, the connection is being intercepted.
- Like firearms in the physical world, the use of encryption (TLS) can serve good or evil, defensive or offensive, purposes. It is the organization's policies, laws and regulations that govern proper usage.
...
Read More

Clock

A clock displays the time of day. Time is invisible and exists only virtually. Each of us has the same amount of time, rich or not. You can't save up time for later use, borrow time from others, or go back in time. Everything in this universe is influenced by time: living individuals age, machines wear and tear, cut-off points apply in trading like stock, FX or bidding, project deadlines, return on investment, interest, etc. Time is also regarded as the 4th dimension. In the cyber world, time has its own unique characteristics. In centralized computing like the mainframe, the clock signal coordinates tasks across components: data is fetched from storage over the data bus to the processor for manipulation, then sent on to the next destination. In decentralized computing with networked computers, timestamps record the sequence of system events for troubleshooting and digital forensics; if the hosts' clocks disagree, events from different machines cannot be placed in their true order. It is therefore important to maintain clock synchronization across the network. There are various considerations:
- Clock source: National lab, or...
Read More

Tracking

In the cyber world, logging is fundamental to tracking electronic activities for troubleshooting or digital forensics. With device proliferation, especially in the IoT domain, substantial logging volume is generated, making log review a hard task. SIEM (Security Information and Event Management) technology has surfaced to relieve this tedious task. It consolidates and correlates event logs and picks out "interesting" scenarios for automated action or human alert. The challenges are:
- What types (or levels, e.g. brief, detail, info, warning, critical) of logging are available and required: platform, infrastructure, application ...
- Context of log data: time of day, time zone, IP address, user identities, machine names, machine address ...
- How to ship the logs from different network zones to the central SIEM without breaking network zoning
- Clock source to sync across all these network zones, so that events from different zones can be ordered and correlated
- Algorithm of event correlation (human-defined rules or machine learning)
- Criteria to automate alerts with confidence (false negatives or false positives will ruin the trust)
- Most importantly, logging must comply with...
Read More
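The time-zone context, clock-source and correlation challenges listed above, together with the clock-synchronization point from the Clock post, can be seen in one worked example. This is added code, not from the original posts: it takes constructed log lines from three hosts in different zones, normalizes their time zones to UTC, corrects one host's clock by an offset computed with the standard NTP four-timestamp formula, and runs a simple "repeated failures then success" correlation rule. Run with the skew left uncorrected, the success sorts before the failures and the rule produces a false negative. Host names, addresses, the five-failure/60-second thresholds and the NTP exchange values are all assumptions made for the example.

```python
"""Cross-zone log correlation for a SIEM-style rule.

Added example (not from the original posts): normalise per-source time
zones, correct a measured clock offset, then run a 'repeated failures
followed by success' rule.  Every host name, IP address, log line and NTP
timestamp here is constructed for the example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def ntp_offset_delay(t1, t2, t3, t4):
    """RFC 5905 clock offset and round-trip delay from one NTP exchange.

    t1 = client send, t2 = server receive, t3 = server send, t4 = client
    receive (all in seconds).  The offset is what must be ADDED to the
    client clock to match the server; delay is the network round trip.
    """
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


# Constructed NTP exchange for web-dmz: its clock reads 90 s behind the
# reference, with about 50 ms one-way network delay.
WEB_DMZ_OFFSET, _ = ntp_offset_delay(1000.00, 1090.05, 1090.06, 1000.11)

# How each (constructed) source stamps its lines: the zone it writes in and
# the NTP-measured offset to add.  Only web-dmz is out of sync.
SOURCE_CLOCK = {
    "fw-dmz":    (timezone.utc, 0.0),                    # writes ...Z
    "auth-core": (timezone(timedelta(hours=8)), 0.0),    # local time, UTC+08, no offset in line
    "web-dmz":   (timezone.utc, WEB_DMZ_OFFSET),         # UTC, but 90 s slow
}

# Constructed sample logs from three network zones.
RAW_LOGS = [
    ("fw-dmz",    "2024-03-01T02:10:05Z ACCEPT src=203.0.113.7 dst=10.1.1.20 dport=443"),
    ("auth-core", "2024-03-01 10:10:07 user=alice src=203.0.113.7 result=FAIL"),
    ("auth-core", "2024-03-01 10:10:09 user=alice src=203.0.113.7 result=FAIL"),
    ("auth-core", "2024-03-01 10:10:12 user=alice src=203.0.113.7 result=FAIL"),
    ("auth-core", "2024-03-01 10:10:14 user=alice src=203.0.113.7 result=FAIL"),
    ("auth-core", "2024-03-01 10:10:16 user=alice src=203.0.113.7 result=FAIL"),
    # true time 02:10:20 UTC, but the slow clock stamped it 02:08:50
    ("web-dmz",   "2024-03-01 02:08:50 user=alice src=203.0.113.7 result=OK"),
    ("auth-core", "2024-03-01 10:15:00 user=bob src=198.51.100.9 result=FAIL"),
]

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2})(Z?)\s+(.*)$")


@dataclass
class Event:
    time: datetime          # UTC, skew-corrected when requested
    source: str
    fields: dict


def parse(source, line, correct_skew=True):
    """Turn one raw line into an Event with a UTC, optionally skew-corrected, time."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError(f"unparsable line from {source}: {line!r}")
    stamp, zulu, rest = m.groups()
    tz, offset = SOURCE_CLOCK[source]
    local = datetime.strptime(stamp.replace("T", " "), "%Y-%m-%d %H:%M:%S")
    local = local.replace(tzinfo=timezone.utc if zulu else tz)
    t = local.astimezone(timezone.utc)
    if correct_skew:
        t += timedelta(seconds=offset)
    return Event(t, source, dict(re.findall(r"(\w+)=(\S+)", rest)))


def correlate(events, threshold=5, window=timedelta(seconds=60)):
    """Alert when >= threshold FAILs for one (src, user) fall within `window`
    and an OK for the same pair follows within `window` of the last FAIL."""
    alerts, fails = [], {}
    for ev in sorted(events, key=lambda e: e.time):
        result = ev.fields.get("result")
        if result is None:            # firewall lines carry no auth outcome
            continue
        key = (ev.fields["src"], ev.fields["user"])
        recent = [t for t in fails.get(key, []) if ev.time - t <= window]
        if result == "FAIL":
            fails[key] = recent + [ev.time]
        elif result == "OK":
            if len(recent) >= threshold:
                alerts.append({"src": key[0], "user": key[1],
                               "failures": len(recent), "success_at": ev.time})
            fails[key] = []           # a success closes the sequence
    return alerts


def run(correct_skew=True):
    """Parse the constructed logs and run the rule; returns the alert list."""
    return correlate(parse(src, line, correct_skew) for src, line in RAW_LOGS)


if __name__ == "__main__":
    print("with skew correction   :", run(True))
    print("without skew correction:", run(False))
```

The same 90-second error that silences this rule would also put the web server's record of the successful login before the authentication server's failures in a forensic timeline, which is why a common, trusted clock source across zones belongs on the SIEM checklist rather than being left to each zone's defaults.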