ROAM

By cliangNo Comments
Remote Office Access Method (inspired by ISAM, VSAM in old days) has undergone significant changes over the past decades due to technology advancement. The need arises to provide better efficiency for system support especially if expertise is required from overseas. In early days, when remote access is required via dumb terminal with dial up connection, call back is required to authenticate the pre-registered phone number. With routable network, 2-factor authentication via secure token is required to permit the remote session from Virtual Private Network (VPN) connection. This requires complex pre-registration of the user identity associated with the token in generating the one-time password (OTP). The evolution continues into 2-step authentication with OTP in different form factors: SMS, apps in consumer mobile device or designated email. Enrollment becomes easier with guided self-service making admin-less. Access technology is also evolving from full tunnel VPN to split tunnel VPN through Transport Layer Security (TLS) via web browser or apps in workstation with rich desktop experience as if...
Read More

WiFi

By cliang1 Comment
Getting connected to the Internet for various activities (getting updates from email, news, social media, weather, checking maps, traffic condition etc.) becomes an expected living habit due to mature technology and well established infrastructure. This need is even more when travelling around. Free or paid Internet access is available anywhere in library, hotel, airport, café, shopping malls and even inflight. Therefore WiFi cybersecurity is a concern. I have heard criticism from a cybersecurity practitioner on a single workstation (specific business function) in getting system updates via corporate guest WiFi is insecure and the connection should be switched to a 4G/5G data plan but there is no reason behind. This appears as an irrational advice. By default, Internet isn't secure whether it's WiFi or data plan. The recommendation should provide reason why it is insecure and mostly importantly practical measure to secure. If we look at this further, the insecurity from WiFi is likely due to: The infrastructure does not impose...
Read More

Risk Evaluation

By cliangNo Comments
Risk assessment is the approach to identify hazard and implement proper controls to reduce likelihood. When doing so, we should look at the portion that must be function well to support the intended outcome. In the illustration, the vehicle is to transport people or goods from one location to another. The engine and tires must be in good condition with sufficient fuel plus cooling fans to achieve this purpose. Any one of these components fails will affect the intended outcome. Therefore, vehicle (especially commercial) needs to undergo regular inspection and maintenance to keep in good condition. Check the tires and fuel capacity before any trip to reduce the likelihood of break down. Having spare tires or road-side assist contact numbers are the mitigation under assumption that the cellular phone signal coverage is within the trip. Otherwise, a different support model (say, satellite phone) is required.. ...
Read More

Do The Right Thing

By cliangNo Comments
No matter in physical or cyber world, there are facilities built for people using them to achieve certain purposes - whether paid or free. All these facilities are designed per proper usage. That said, if the assumed usage behavior is not exercised, some adverse consequence might be resulted to the facility provider or the facility user. Take Internet banking as an example. Banks always remind people to safeguard their access credential (i.e. password) to avoid account being misused: never disclose the password to 3rd party not even the Bank, mandate 2-step authentication, enforce regular changing of password, never click links from email or from social network shared by others. Further, the Bank will alert account holder via text message or email for any credit card transaction executed with physically wiping the card, impose transaction limit to 3rd parties, etc. So as an user, do the right thing as advised to keep cyber secure. That means in the Internet banking example,...
Read More

Proper Usage #2

By cliangNo Comments
Security Boundary Every system has its own weakness and limitation. We can't build a total secure system practically unless it is on the shelve without any usage value. There is always the need to assess the risks to opt for optimal security controls. The key part is the "users" that they are expected to behave within the security boundary. Don't try to address ALL vulnerabilities because it is unwise and a never-ending story. Even if this is achievable, it is just a snapshot at a particular point in time. The proper approach is that Understand what are the inherent vulnerabilitiesWhat are the compensating controls surrounding the core system to reduce the likelihoodIf there are any alternate facilities to maintain the minimal business operations should bad things happen ...
Read More

Vulnerability Management #2

By cliangNo Comments
Vulnerability Management or Scare Your Management Some cybersecurity practitioners conduct vulnerability management (VM) by just using automated vulnerability scanning tool (scanner) to uncover system vulnerabilities and then job is done. Even the worst, the scanner is placed next to the component using the target's administrative credential to probe. Raw results from the scanner is presented to the Management of vulnerabilities detected highlighting how many critical, high, moderate, low risks. This is a totally incorrect approach. The vulnerability scan is only the 1st step of the VM. The raw result gives you the worst scenario. It illustrates the system weakness assuming the adversaries have already gained the network access to that component by evading all the cybersecurity perimeter controls plus system privileges escalated. We must not forget the 2nd step is to evaluate if there are other controls (e.g. network segmentation, anomalies detection, system lock down etc.) implemented in reducing the likelihood of exploitation. This is...
Read More

Information Integrity #2

By cliangNo Comments
The missing Chinese character is "zero", this gives entirely different meaning. Disseminating of informative message appears does not have much of cybersecurity concerns. However, it depends on the usage purpose. If the incorrect information does not impose adverse consequence, then it only cause inconvenience to the target audience. But if it does (like sending out incorrect result of lottery draws, stock price, exchange rates), then the service provider has liability. Usually, a disclaimer is added to relieve the liability and using the service will constitute the acceptance of the usage term implicitly. Bottom-line is to have a comprehensive risk assessment of the digital solution or service offered to other parties. ...
Read More

Insider #2

By cliangNo Comments
Physical access requires substantial resources while visual accessibility is anywhere Industrial Control Systems (ICS) in a plant are now modernized using commodity hardware and software with networking capability to enhance overall efficiency, business analytics and to standardize skillset in plant operation plus support. With network, remote diagnostic and support are also possible to cut down the turn around time without waiting for engineer on site. Some cybersecurity practitioners put focus only on the cyber portion of the plant. This is not wrong provided that the physical aspects are equally considered at the compatible level. This is because the ICS is just a portion of the entire plant. The physical and mechanical plant conditions must also be secured. If background check is deemed necessary for O&M teams to reduce insider threat, this should also extend to the service crews (e.g. delivery, janitor), physical security guard service, contractors, vendors or even management. Most often, management level is by default granted with...
Read More

Onion Approach

By cliangNo Comments
Information protection is usually via layered defence, sometimes refers as the "onion approach". In physical world, protected contents are placed inside secure facility thru multiple control points with access granularity like site level, particular zone(s) in the site, building, equipment room and cabinet before reaching the target. When things are changed accessible from network, reliance on physical access is still required but there are added controls to the cyber portion. Layered protection counterparts are: network firewall, application firewall, middleware gateway, RBAC, multi-factor authentication. Latest concept is zero-trust (ZT): user identity (and the authorized roles), request originated from which device (and platform), via trusted or untrusted network, type of application raising the request, types of contents for access, industry compliance and latest threat intelligence are all the variables in determining the permission for access. The same onion approach applies except more complexity in setting up and maintenance of these dynamic parameters. ...
Read More

Rule or Ruler

By cliangNo Comments
As a security practitioner, providing advice in securing the organization cyber assets is the expected responsibilities and everyone in the organization has such expectation. In commercial world, resources are limited and there are always risks in business operations. Therefore, risk management is needed in an organization to prioritize resources in consistently dealing with the risks. A risk-based approach to deploy appropriate controls must be in place, i.e. objectively per organization risk matrix rather than subjectively per individual perception. After all, there won't be zero-risk business in this world. I come across a situation that a security practitioner demands uplifting the criticality of a target system just by personal feeling while the consequence does not exceed the threshold guideline per the official organization risk matrix. The escalated criticality of consequence could be legitimate because business environment or threat landscape have changed. Then the correct attitude is to revise the organization risk matrix which serves the foundation for consistent assessment. We must...
Read More