Rule or Ruler

By cliangNo Comments
As a security practitioner, providing advice in securing the organization cyber assets is the expected responsibilities and everyone in the organization has such expectation. In commercial world, resources are limited and there are always risks in business operations. Therefore, risk management is needed in an organization to prioritize resources in consistently dealing with the risks. A risk-based approach to deploy appropriate controls must be in place, i.e. objectively per organization risk matrix rather than subjectively per individual perception. After all, there won't be zero-risk business in this world. I come across a situation that a security practitioner demands uplifting the criticality of a target system just by personal feeling while the consequence does not exceed the threshold guideline per the official organization risk matrix. The escalated criticality of consequence could be legitimate because business environment or threat landscape have changed. Then the correct attitude is to revise the organization risk matrix which serves the foundation for consistent assessment. We must...
Read More

Transformation

By cliangNo Comments
Due to rapid technology advancement, business operations are always undergone transformation. A phone kiosk becomes legacy as the use case is approaching to zero. While transformation creates new jobs, it also makes other jobs extinct. Imagine when there is no need to deploy phone kiosk, job functions regarding the manufacturing line, its supply chain, sales, installation, regular maintenance are no longer needed. Therefore, the transformation shall not only viewed at the business model but also the workforce development and the mentality to accept changes are part of life. Transformation also integrates cybersecurity as part of the job function except the demand of scale and skill might be different. Never complain cybersecurity is none of your business. The positive attitude is to look into the appropriate training to adapt and manage such new challenge. ...
Read More

Deep Packet Inspection (DPI) Firewall

By cliangNo Comments
No doubt, the technology is secure. But without assessing the situation holistically, this is inconclusive. Rulesets might be wrongly set or firewall is wrongly configured, then the DPI firewall is insecure. If the connecting components are in a restricted and lock down environment, a DPI firewall is overkill and won't contribute to enhance more security. By the same token, media always exaggerate cyber threats. We must judge if such threat scenarios are likely in our environment rather than blindly doing unnecessary lock down on existing systems. An example is the ransomware attack via inactive user account thru VPN without 2-factor authentication, or authenticated users via PrintNightmare exploit. Something must be done but not to complete today. Security enhancement must be assessed, managed rather than in a piecemeal manner. The latter might even create more problems after blindly applying the counter-measures. Remember - action without plan is nightmare; plan without action is day dream. ...
Read More

Policy #9

By cliangNo Comments
When writing policies, positive logic shall be adopted. It eases readers understand what is allowed rather than spending time to evaluate the allowed exception. In the illustration, the first impression: no entry is applied to the named vehicle types and need a second thought to locate the word "except". A wrongly communicated message might then cause different outcome. This should be avoided in written directives. ...
Read More

Privacy

By cliangNo Comments
We have a lot of personal data exposed in the cyber world in our daily life. To name a few, the "intrusive components" are: Electronic pass for toll road: where you are heading to, or even your entire journey if throughout the itinerary, there are traffic cameras and auto toll collection pointsCCTV: inside building, public areas, dashcam in vehicles nearbyCredit card: traces back to your identify, location, amount consumed, commodity purchasedHealth monitoring device: you wear in your body to capture your health data continuously, share in the technology provider's community if you wishOperating System: sharing the diagnostic data with the technology vendor when problem occurs or during online trouble shootingWeb site cookies: IP address to geo-location of your web surfing location, your web preferenceDigital photo: modern cameras are equipped with geo-tagging The most intrusive device is your cell phone. You carry it almost all the time. It exposes your geo-location from which cell towers your phone is connecting to. What should...
Read More

Declassification

By cliangNo Comments
Confidential information is costly to maintain. Imagine all the 3 data states (data-in-motion, data-at-rest, data-in-use) will require technology and the underlying process to manage the authorized access and usage while denying otherwise. Most often except a few, sensitive information will diminish its value or impact overtime. An example of the "few" is the formula of a soft drink that remains as trade secret to standout the products from its competitors. Other than technical controls like encryption or multi-factors authentication access for digital information, there are simply regulations to protect artist work copyrights, alogrithm patent etc. that are published in public domain. Secret government documents also have expiry date to release for public interests. The declassification together with destruction process are therefore an important stage in the information lifecycle management process. Without these, the burden to maintain secrecy will increase over time and become unmanageable. ...
Read More

Discovery

By cliangNo Comments
This is widely adopted in various process like: Asset discovery: to scan the network and take inventory of the components connected in the networkElectronic document discovery: to scan the network resources for automatic information classification and privacy complianceForensic eDiscovery: to collect cyber activities from the designated equipment uncovering the sequence of events No matter which application, the essential aspect is the correct use of the tool. Otherwise, incorrect or inaccurate information is captured that could incur undesirable consequence where decision will base upon. Training or certification for the competent person running the process will be the key. ...
Read More

100% Cyber Secure #2

By cliangNo Comments
Worry about breaching GDPR or PCIDSS? The most effective means is to avoid capturing these info that need protection. Accepting cash addresses the problem statement. However, the restaurant must not forget if they accept reservation with name and contact number, then it is also a channel of GDPR breach. Accepting cash will introduce risk of being robbed. The is typical pitfall that most security practitioners overlook. Implementing new cybersecurity protection also incurs other new risks. Therefore, holistic assessment is always required in any business risk identification and mitigation. Further, a fresh-eye review is necessary to eliminate any "blind spots". ...
Read More

Enforcement #3

By cliangNo Comments
At certain situations, enforcement of policy relies on administrative control when technical controls are not feasible. But how do we ensure no offender? No, we can't. The only thing we can do is to establish consequence-based deterrent enforced by laws & regulations. The most severe deterrent is death sentence. A traffic sign prohibits vehicle longer than 10m or over 10 tones on left turn as illustrated. There is no stopping you to do so but if your truck exceeds this limit and still turning left, your truck might be trapped in the road curve blocking other road users, crashing vehicle in the opposite lane, or damaging any other third party properties. Then you are fully accountable for civil offence if negligence or criminal offence if deliberately doing so. Similarly, management always talks about how to stop insider threats in dealing with cybersecurity. The same philosophy applies - discrepancy action for employees or contractual obligation for business partners with...
Read More

Enforcement #2

By cliangNo Comments
Durnig pandemic situation, InfraRed body temperature detection technology is great - contactless, accurate, multi-persons processing, seamlessly and transparent to customers. But the illustrated scenario lacks of enforcement - persons with detected abnormal body temperature are still able to go in. A policy statement (notice at entrance) must be established to deny visit of persons with abnormal body temperature. Further, a security guard or so needs to watch the outcome of measured body temperature to enforce such policy. Without enforcement, deploying great technology doesn't make sense. This applies to cybersecurity domain as well. ...
Read More