June 2022 – The SECOND Advisories Limited

Dynamic Policy

27th June 202227th June 2022 By cliangNo Comments

Written directives for cybersecurity are getting more challenges to formulate into policies due to dynamic business nature. If too rigid, compliance will be an issue. If too loose, then forget it because the policies won't stipulate specific protection. Eventually, policy statement will be conditional. Instead of laying down business logic, precise specific protection is stated for generic situation. An example is information protection regarding credit card transaction. If transaction value exceeds defined threshold, further check is needed for authorization. This will be implemented in the system and the defined threshold will be per cardholder's spending profile, usual spending location, repayment history etc. The zero-trust access model is taking similar approach to grant access in further strengthening critical information asset assess. Last but not the least, technical enforcement can always be defeated or circumvented by human factor and usage behavior. That's why raising situation awareness and workforce competency development are important to invest rather than solely narrow focused on...

Unnecessary Control #2

15th June 2022 By cliangNo Comments

Control must be enforceable. If control can be circumvented or bypassed, then there is no point to deploy such control. That's why we need to keep updating the system, infrastructure to sustain their effectiveness over time due to emerging threats are out. There are many examples out there in the cyber world. Attack and defense are competing each other. Once in the digital journey, allocate resources to address multiple aspects to stay secure: Collect threat intelligence and their impacts to own environmentAssess operation risks to prioritize protectionMaintain workforce competency and situation awarenessRefresh technology obsolescenceEstablish achievable and enforceable cybersecurity directives ...

Full Coverage

4th June 2022 By cliangNo Comments

Traffic camera is only deployed at risky locations to detect unsafe driving behavior but not everywhere This time, I talk about auditor instead of cybersecurity practitioner that I have come across. In an ICS audit, auditor has questioned why the deployed anomalies detection does not have full coverage of all devices. This will impose cyber risks due to malicious traffic cannot be detect early. Despite thorough elaboration with the following rationales, auditor is still not satisfied: The ICS is isolated from the Internet and not even any other peer ICSWithin the ICS, the plant units are further zoned in the network such that cyber threats are contained prohibiting lateral movement to compromise the entire ICSThe ICS is hardened with removable media lock downOutgoing process information data to other the repository in the ICS network is thru unidirectional gateway enforcing push out to avoid reverse TCP attack in the case of stateful network firewallFull coverage will have only very a small gain in detection capability...