Concealment

Two lanes but three traffic signs. Is the middle lane hidden? Information concealment is one of the techniques used to hide important content, and many tools come with steganographic processing. Usually, media files are chosen as the host file to store the secret data, yet their native usage (viewing the photo, watching the video with the associated apps) is unaffected even with the secret data injected. Media files are the popular hosts because photos, audio and video are generally large. The objective is to let the secret message be stored there and stay low profile without being caught. Yet this technique is aimed at hiding a small amount of data (such as a passcode or a geolocation), because too much data would increase the host size out of proportion to its original form. ...

Choke Point

In the physical world, a choke point is a geographically critical and strategic passage: an armed force is able to control what is allowed and what is not allowed to pass through. In the cyber world, a similar concept is deployed at the network perimeter, controlling which data traffic is allowed and which is not in reaching the destination node(s). Source ports don't matter. The camera aperture is a good metaphor. Light sources don't matter; what matters is to control the incoming light, from whatever direction, reaching the camera sensor so as to compose an ideal photo. I came across a cybersecurity practitioner who was so innovative as to request controls of the network source ports in the firewall as well. This involves application logic and configuration changes, yet the effectiveness in enhancing cybersecurity is really in doubt. ...

Governance, Risk & Compliance

GRC is the typical jargon when we talk about the cybersecurity posture of an organization. Risks, whether in the cyber, technology, operational, financial or political domains, always exist, and they are all correlated. There is no zero-risk business operation; the question is how to reduce the likelihood effectively and optimally. Then the compliance part comes into play: this refers to following the organization's written policy so as to run the business reasonably, in a risk-reducing manner. Finally, governance is the capability of the organization to administer and enforce that all business activities follow the written policy, or else the policy is just a document on the bookshelf. The entire GRC framework is dynamic. Written policies will need refreshing to adopt new ways of doing business (e.g. use of social media for point of presence or customer relations in cyberspace), to facilitate a changing business environment (say, working from home due to a pandemic situation, or providing guest Wi-Fi for visitors) and, most importantly, to address the emerging cyber threat landscape. ...