Security By Trust

By cliangNo Comments
In physical world, we trust this glass roof is safe and secure to walk on because there are underlying processes to sustain its safety: Regular inspection and maintenance Regulatory requirement for license issue and renewal 3rd party insurance etc. In addition in building this infrastructure, the design will cater for the intended loading with safety margin, wind speed, anchor points stability plus build it per engineering standard to ascertain the quality. We will therefore have no doubt and trust these arrangements are in place and safely step on it. In cyber world, things are different. There might be cybersecurity standards as foundation but the design and build will require competent practitioners. Even there is comprehensive verification tests before commissioning, there are always new cyber threats requiring recurring effort to sustain the protection effectiveness. Deception to lurk victim into malicious web site to compromise the device or application will further complicate the situation. Then, how do we stay secure in the cyber world? It's a very...
Read More

Welcome

By cliangNo Comments
When we establish usage terms, we must consider the consequence and adopt the most appropriate wordings. Similar to other system settings, do not take default even for logon banner. In the past, there was incident threat actor penetrated into FTP server but caught. There is no legal ground to indicate this is unauthorized activity because the FTP server gives "Welcome to xxx FTP server, …" upon logon. There is no explicit wording of unauthorized usage will be prosecuted. So, there is the need to have holistic review what are default settings come with the software or application, review and revise accordingly. ...
Read More

Time

By cliangNo Comments
Time is an interesting phenomenon. It dominates everything both in physical and cyber worlds. All living individual or objects are under influence of time: getting aged. All data traffic are regulated with time as base reference for synchronization and handshaking. Everyone has equal amount of time. Time cannot be borrowed nor saved for later use. Time is abstract that cannot be touched nor felt its existence. That said, how do we deal with time? This is really use case based. In time-sensitive action, time is kept down to micro or nano second. Examples are stock trading transaction and racing. In certain case, "coarse" time reference may be used like the illustration that hour indication is sufficient - morning, afternoon, evening or night time. It all depends how time reference is deployed in the use case, and how time measurement is secure to maintain integrity. Inevitably, a comprehensive risk assessment (not just cyber but the business as a whole) is required to understanding risk...
Read More

Label

By cliangNo Comments
Label is commonly seen and required to identify things especially in cables. Without proper identification, it will be tedious in trouble-shooting. There is always debates on label. On one hand, it eases operation and maintenance tasks but on the dark side, it exposes the usage of the marked item. A mitigation is to assign label ID and mark this is the drawing. This requires resources to sustain the documentation when changes occur and regular inventory check to validate the marking is still correct. For the illustration, it has certain pitfall for insights. It exposes the location is for military purpose, a target for threat actor to penetrate or attack. "No trespassing" is unlikely enforceable especially during political conflict time. Ultimately, this requires the holistic assessment to balance the signage, back-end enforcement mechanism and cater for unexpected scenarios. All these are the attributes of writing a good policy that can be practically achieved. That said, don't just copy textbook knowledge and apply to your organization cybersecurity...
Read More

Responsibility

By cliangNo Comments
I saw certain cyber security awareness poster has stated that keeping cyber secure is a shared responsibility. In certain way, this is true. Each of us plays a different part to protect the assets in the digital world. But "shared responsibility" appears as no one will take accountability and any one will think someone will take the lead to secure. In the illustration, you are responsible to well equip yourself to enter into the wild. You are well informed "You must be properly prepared to meet these hazards on their own terms. This is your responsibility." That should apply to the digital world and "shared" responsibility isn't the proper term and tone. ...
Read More

Search & Destroy

By cliangNo Comments
This is typical blacklisting approach. Anti-malware protection is installed in the computer. It stays resident in the kernel and actively looking for file changes, I/O behaviors against known signature then destroy (or neutralize) the malicious actions. The practice also include periodic search all files in the computers to detect if any malware prior to detection signature release has already resides in the computer. Now, technology has evolved into auto-signature generation from OEM (i.e. upon receipt of malicious sample, new signature will be added), heuristic detection. This sounds comprehensive protection. But we must not forget the signature update must be frequency and its legitimacy. Other than using a fradulent signauture, legitimate signature sometimes will cause system fault. As an organization, anti-malware protection must be centrally managed, i.e. collect event logs, deploy signature update to relax burden of end users. A sandbox will be needed to test new signature before deploy to all computers in order to minimize the risk of service interruption. ...
Read More

Fault Detection

By cliangNo Comments
When using technology, usually there is inherent trust that the outcome is correct because it has been tested before going to market. With competition, time-to-market is squeezed. We have seen examples of vehicle recall for fixing certain faults. Even worst, other factors like insufficient training, lack of comprehensive operation instruction could cause tragedy or fatality. In the illustration, GPS infrastructure is proven but the map data might not be updated or the software to map the GPS signal to the location could have fault. A dual GPSs could mitigate an incorrect navigation if the impact due to incorrect route is significant. That said, the entire principle gets back to risk management - what measures can be controlled to reduce likelihood and what does not. ...
Read More

Trust #5

By cliangNo Comments
For free Internet kiosk like this, will you use? In old days when device is rare for Internet ready and Internet access isn't anywhere, yes, facility like this is welcome. Even at that era, use it with caution and for general web browsing (e.g. searching for information rather than login to web portal like bank account) because your sensitive information might be captured and stored elsewhere behind the scene. With cell phone and data plan generally affordable, such facility will be phased out like public paid phone. That's the expected consequence of technology innovation and advancement. It's just a matter of time when these facilities will be decommissioned. ...
Read More

Orchestration

By cliangNo Comments
One of the pain points in cybersecurity is the protections are always choosing the "best of breed" technology. This is fine except each technology has its own protection management tool, GUI, dashboard. As as result, SOC or IR personnel will need to dive into each cyber protection solution and analyze time of sequence event. Orchestration technology is available to consolidate logs from various log sources to make life easier. However, cautions must be exercised: Are extra investment or recurring operating costs properly funded and ready? The ROI might result into workforce reduction to justify the deployment. That means some one might lose the job. How are the integration done? Will this breach network zoning? Last but not the least, how to validate the solution is successfully deployed as a means of acceptance criteria. ...
Read More

No Direction

By cliangNo Comments
The principle of governance is to enforce processes are conducted consistently per established and approved policies or directions in an organization. That way, the business outcomes are also consistent. Some incompetent cyber security practitioners I have seen are just play by ear to spell out requirements for what they think is more secure. without considering practicality and the underlying overheads. An example is to keep an register to record which OT system uses USB thumb drive. All OT systems use USB because of isolated network environment for file exchange. The key point is how to manage the use of USB securely rather than keeping such a register. We must ask how much protection is increased by adding protection (no matter technical control or administrative control) and will more risks be introduced if not doing so. We must stick to the established policies. If there are "bugs" in the policies, admit it. Schedule revisions with stakeholders involved to align with...
Read More