Administrative Control #2

By cliangNo Comments
SSSS (or 4S) is Smart Site Safety System. It consists of server, workstation, mobile network, end point devices (CCTV, smart watch, RFiD helmet, other sensors) to monitor construction site and workforce situation for safety hazards alert. For client project involving civil works, equipment installation etc, contractor will bring their own 4S to ensure and compliance with safety rules and regulations. 4S is not a project deliverable but a tool during construction. I see some cybersecurity practitioners have incorrect understanding. They demand contractor 4S compliance with own organization cybersecurity policies. No doubt 4S might capture client site specific condition, coincidental inclusion of personnel other than contractor workforce causing privacy concerns. We must not forget there are administrative controls in the contractual obligation to comply with laws & regulation plus non-disclosure agreement. We shall not bother the how's in technical aspects. Otherwise, this is overkilled. This something like you walk into a mall, using the ATM - there are CCTV everywhere but you won't question...
Read More

Bunkers

By cliangNo Comments
Bunker at Diamond Head State Monument Bunkers are fortified physical infrastructure to withstand attack. However, there are side channels required for supplies, reconnaissance, defense or attack the attackers. Similarly the firewall in cyber world takes the same analogy. It is a network perimeter device to control network traffic but it requires ruleset management, health check thru the network rather than doing this locally. This will open up side channels that could be vulnerable to cyber attack if configured improperly. Best practices are to review firewall configuration (rulesets), event logs (permitted or dropped traffic) regularly. Automated tool is required as human check is nearly impossible. Log parser via SOC (Security Operation Centre) will associate network traffic from different zones providing a holistic view for better visibility, identify early sign of compromise as threat vectors are conducting reconnaissance to understand the system landscape, vulnerable component before choosing the appropriate attack kit. ...
Read More

Risk Taking #2

By cliangNo Comments
Each one is fully responsible for the consequence by own act no matter in physical or cyber worlds. In physical world, the worst consequence is fatality if waring sign is ignored. In cyber world, it could be files are locked by ransomware, identity theft leading to financial loss or criminal offence if abused by threat actor. The hard part is there won't be obvious warning sign because attacks are stealthy or via deepfake. Education, situation awareness are the essential elements to secure the human aspect. ...
Read More

Tora! Tora! Tora!

By cliangNo Comments
Lightning Attack This historical event is unexpected attack. But in cyber world, unexpected attack is always expected. It ranges from threat actors trying to penetrating into the organization network thru various means like BEC (Business Email Compromise phishing), insecure Internet-facing resources, zero-day exploits to deepfake. We can only protect threats that we know. So, we can't secure every cyber resources? That said, cyber resilience and prompt incident respond are vital to sustain business operations. All these should be the joint development among business and cybersecurity units within the organization in periodic review and drills for improvement. ...
Read More

The Forgotten Place #5

By cliangNo Comments
It is self-explanatory. There are similar faults posted previously. Risk of consequence must be understood before deploying information automation tool. If the display is for information of the mall, failure does not matter much and at most the reputation of the management office. But if the display shows real time high value trading, failure will cause substantial direct and indirect financial impacts. Direct is the loss of opportunity to conduct transaction by the users of the display. Indirect could be claims thru litigation by users of the display causing their direct loss due to this failure. Technically, multi-displays are deployed for resilience. From policy perspective, users must sign usage agreement to undertake consequence due to machine failure and disclaim the service provide for any direct or indirect losses. ...
Read More

Address

By cliangNo Comments
There is a key difference between physical and cyber worlds. In physical world, addresses for non-military areas are public. You have to label your apartment properly so that mail from postage service or goods from courier will not miss the destination. Major map service providers have the information online for public accessibility. In cyber world, IP address is sensitive information and securely protected in document, electronic information transfer. This is because if threat actor has landed in the internal network, the first thing is to conduct reconnaissance in understanding what are network nodes present, then trying to reveal its OS footprint in deciding what could be exploited. If IP address (and even worst with the host information, like in network diagram) are disclosed, it will save threat actor substantial amount of work in the discovery phase. However, whatever protections are imposed, it is just a matter of making the penetrating more difficult. There are always new threats, vulnerable OS, vulnerable software...
Read More

Security By Trust

By cliangNo Comments
In physical world, we trust this glass roof is safe and secure to walk on because there are underlying processes to sustain its safety: Regular inspection and maintenance Regulatory requirement for license issue and renewal 3rd party insurance etc. In addition in building this infrastructure, the design will cater for the intended loading with safety margin, wind speed, anchor points stability plus build it per engineering standard to ascertain the quality. We will therefore have no doubt and trust these arrangements are in place and safely step on it. In cyber world, things are different. There might be cybersecurity standards as foundation but the design and build will require competent practitioners. Even there is comprehensive verification tests before commissioning, there are always new cyber threats requiring recurring effort to sustain the protection effectiveness. Deception to lurk victim into malicious web site to compromise the device or application will further complicate the situation. Then, how do we stay secure in the cyber world? It's a very...
Read More

Welcome

By cliangNo Comments
When we establish usage terms, we must consider the consequence and adopt the most appropriate wordings. Similar to other system settings, do not take default even for logon banner. In the past, there was incident threat actor penetrated into FTP server but caught. There is no legal ground to indicate this is unauthorized activity because the FTP server gives "Welcome to xxx FTP server, …" upon logon. There is no explicit wording of unauthorized usage will be prosecuted. So, there is the need to have holistic review what are default settings come with the software or application, review and revise accordingly. ...
Read More

Time

By cliangNo Comments
Time is an interesting phenomenon. It dominates everything both in physical and cyber worlds. All living individual or objects are under influence of time: getting aged. All data traffic are regulated with time as base reference for synchronization and handshaking. Everyone has equal amount of time. Time cannot be borrowed nor saved for later use. Time is abstract that cannot be touched nor felt its existence. That said, how do we deal with time? This is really use case based. In time-sensitive action, time is kept down to micro or nano second. Examples are stock trading transaction and racing. In certain case, "coarse" time reference may be used like the illustration that hour indication is sufficient - morning, afternoon, evening or night time. It all depends how time reference is deployed in the use case, and how time measurement is secure to maintain integrity. Inevitably, a comprehensive risk assessment (not just cyber but the business as a whole) is required to understanding risk...
Read More