Blind Spot

Can the bird be detected? When designing controls, we must understand what we are protecting. There may be blind spots where the intended controls are ineffective or even void. For an inherent design weakness, a retrofit is costly and sometimes impossible without rebuilding from scratch. As good practice, a design review that assesses control effectiveness before the build avoids this pitfall. Either a peer review or an independent subject matter expert helps spot weaknesses with fresh eyes. ...

Policy #7

The illustrated directive is unclear. A drone, also known as an unmanned aerial vehicle, comes in different form factors. If the sign had no icon, its meaning would be clear. With the icon, it reads as if only this type of drone is prohibited. Exactly the same happens in typical policy statements for network connection, where cybersecurity practitioners carry implicit assumptions. The issue was elaborated in an earlier post on network connection. In a nutshell, the precise directive is to secure the network with appropriate controls over the layer 3 to layer 7 data flow. ...

Cyber …

In the early days of the industry we talked about information security: protecting information so as to minimize the impact of unnecessary disclosure, unauthorized modification or unplanned downtime. It covers every information taxonomy under the sun. Then cybersecurity arrived, and adding cyber as a prefix became a fashion. Vendors try to convince customers that their products or services address market needs with high tech. To me, cybersecurity is a subset of information security: at least the hardcopy information container is excluded from the cyber perspective, even though hardcopy is in diminishing use. There are many cyber things: cyber workforce, cyber maintenance, cyber hygiene, cyber insurance, cyber warfare, cyber defense, cyber range, etc. Take cyber insurance as an illustration. It has become a focus area in the industry, and relevant standards are being developed so that work practices are consistent. However, cyber insurance isn't bulletproof. If your infrastructure has weaknesses, repeated cyber attacks are possible. The sole value of...

Information Integrity

Why buy 2? Sometimes a small mistake invites the question whether the information processing facilities are producing accurate results without malicious tampering. The illustrated sales price might have been input manually, or generated by the system as per a scheduled price promotion. In either scenario, either a broken business process exists (lack of review and approval before publishing) or an automated consistency check is missing. Once such a small mistake goes public, it takes a lot of PR effort to reassure everyone that this is an isolated case that does not affect other back office applications such as customer data, staff personal data, financial records, etc. ...
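The automated consistency check the paragraph says is missing can be a small pre-publication gate: a price is allowed out only when it is traceable to an approved source (the list price, or an approved promotion active on the publish date) and is not below a cost floor. The example below is added here and is not code from the original post; the SKUs, prices, promotion schedule and approver names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed catalogue data (hypothetical SKUs and prices). In a real
# system these come from the pricing master and the approval workflow.
LIST_PRICE = {"MILK-1L": 3.20, "EGGS-12": 4.50}
COST_FLOOR = {"MILK-1L": 2.00, "EGGS-12": 3.00}


@dataclass(frozen=True)
class Promotion:
    sku: str
    price: float
    start: date
    end: date
    approved_by: Optional[str]  # None means the promotion is still pending approval


# Constructed promotion schedule: one approved, one awaiting approval.
PROMOTIONS = [
    Promotion("MILK-1L", 2.80, date(2024, 6, 1), date(2024, 6, 7), "pricing-mgr"),
    Promotion("EGGS-12", 3.90, date(2024, 6, 1), date(2024, 6, 7), None),
]


def _same(a: float, b: float) -> bool:
    """Compare currency amounts to the cent, avoiding float surprises."""
    return round(a, 2) == round(b, 2)


def check_price(sku: str, price: float, publish_on: date):
    """Return (ok, reason). ok is True only when the price is traceable to an
    approved source: the list price, or an approved promotion active on publish_on."""
    if sku not in LIST_PRICE:
        return False, "unknown sku"
    # A typo such as 2.20 entered as 0.22, or a tampered value, trips this first.
    if price < COST_FLOOR[sku]:
        return False, "below cost floor"
    if _same(price, LIST_PRICE[sku]):
        return True, "list price"
    for p in PROMOTIONS:
        if p.sku == sku and _same(p.price, price) and p.start <= publish_on <= p.end:
            if p.approved_by is None:
                return False, "promotion not approved"
            return True, "promotion approved by " + p.approved_by
    # A promotion price outside its window, or a price nobody scheduled.
    return False, "no approved source for price"


def gate_publication(batch, publish_on: date):
    """Run check_price over a batch of (sku, price); returns sku -> (ok, reason)."""
    return {sku: check_price(sku, price, publish_on) for sku, price in batch}


def batch_ok(batch, publish_on: date) -> bool:
    """The whole batch publishes only if every item has an approved source."""
    return all(ok for ok, _ in gate_publication(batch, publish_on).values())


if __name__ == "__main__":
    today = date(2024, 6, 3)
    for sku, (ok, why) in gate_publication(
        [("MILK-1L", 2.80), ("EGGS-12", 3.90), ("MILK-1L", 0.32)], today
    ).items():
        print(sku, "PUBLISH" if ok else "HOLD", "-", why)
```

The gate refuses to publish rather than guess: a blocked item goes back to the person who owns the promotion, which is the review-and-approve step the post says was missing. Logging the reason string alongside the approver name also gives the audit trail needed to show that a published price was not tampered with.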

Distance #2

Keeping distance on the road avoids accidents causing injury or fatality when the situation changes suddenly. Keeping social distance avoids a pandemic spreading among a group of people. Similarly, keeping network distance is cyber safer because it makes a cyber attack harder. Network distance is established through defence layers between the untrusted network and the target resources, each dropping or neutralizing unintended traffic. The more layers, the more network distance that traffic has to traverse to reach the destination. Examples of layers are:
- Network perimeter (firewall, proxy, IPS, IDS)
- Application gateway (reverse proxy, DPI)
- Platform hardening (folder permissions, white list/black list, no unused modules or system services)
- System application hardening (change default settings, deny unauthenticated requests)
- Business application hardening (observe good coding practices)
While adding layers, don't forget to assess whether the added network latency will affect specific applications. Last but not least, all these layers should run the latest version and apply least privilege to resist threat actors as much as possible. ...

Policy #6

What and when are allowed? Common pitfalls in writing policies (written directives) are:
- Embedded assumptions by the author that are unknown to other readers
- Failing to provide clarity
- Most importantly, failing to listen to feedback and adjust
We are hired to make professional judgments. We must not be afraid to challenge whether a written directive is clear enough, just because it has been approved by senior management. We also need to admit that a policy statement is never 100% perfect, as the business environment keeps changing. An interesting example is the power energy sector. No doubt the power plant and grid are Critical Infrastructure (CI) assets to be secured from cyber-attack in order to maintain reliable supply to customers and comply with regulatory requirements. But we must not forget there are other sources, like renewable energy, where the "plant" is just a customer-owned installation outside the CI. Making the policy statement precise enough to differentiate the cyber protection requirements will be a tough job....

Identify

Most often, vendors propose security solutions as a basket of features. They claim a security suite with unified console and dashboard. It is necessary to assess and identify, in the business requirements, the baseline security that constitutes the necessary protection. Otherwise it costs more, and there is more to manage in terms of support, maintenance, skill sets and user experience. Some guiding questions facilitate the decision; the answers are situation and organization specific. Take remote access as an illustration.
Who are the users accessing the infrastructure or system?
- From your own organization?
- From business partners (vendor or contractor)?
- The general public?
When is this service needed? This decides:
- Resilience arrangement
- Maintenance window
- Business continuity
- Disaster recovery
- Recovery Time Objective
- Service level pledge
What service is needed after the connection is established?
- Infrastructure (e.g. storage, email, intranet)?
- Business applications?
Where do users access from?
- Within the organization network (due to network segmentation)
- From the business partner's network
- The Internet
- Organization device or any device?
Why is this remote access needed? This is the business justification, for example:
- Speedy vendor support without traveling to site
- Enhancing productivity, especially during COVID-19 to keep physical distance
How...

Visibility #3

Below the iceberg there is a large portion that is out of sight. That's why it is dangerous for vessels approaching an iceberg: you need to keep a safe distance to avoid hitting it. The iceberg is often used to illustrate the dark web. The visible part is the WWW (World Wide Web); below it is the deep web, and further down the dark web. The general perception of the dark web is that it is bad, or associated with cyber criminals. However, it is like penetration test tools: the tools can be misused to attack other computers, but they also serve to uncover infrastructure weaknesses for cybersecurity enhancement. The difference lies between unauthorized and authorized intent. In the case of the dark web, the usefulness might be:
- Understanding how the underground market business model operates and what is on sale, so that you revisit how these cyber assets are secured in your own environment
- Uncovering whether your own or corporate information is there for sale ...

Visibility #2

Placing a warning sign avoids facilities being damaged by mistake. But what if the information is misused by a threat actor to launch an attack? Sometimes deceptions or decoys are used to understand the behaviour of threat actors so that appropriate counter-measures are developed and applied effectively. Ultimately, it is all about judgment, from both the attacker's and the defender's perspective:
- Whether the accessed resources are traps, or
- Whether the unusual activities are camouflage covering other malicious intent.
Life becomes harder and harder. ...
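One concrete form of the decoy the paragraph describes is a honey account: a credential that exists only to be stolen, so that nothing legitimate ever authenticates as it and any attempt is a high-confidence signal. The detection below is added here as an illustration and is not code from the original post; the decoy account names, host name, IP addresses and sshd-style log lines are all constructed. It also reports how much other activity the same source generated, which is the defender's starting point for the second judgment call above: whether the visible noise is camouflage for something else.

```python
import re
from collections import defaultdict

# Constructed decoy accounts planted in the environment. No legitimate user
# or job ever authenticates as these, so every attempt is worth an alert.
DECOY_ACCOUNTS = {"svc_backup_old", "admin_legacy"}

# Constructed sshd/journal-style log lines (not taken from any real system).
SAMPLE_LOG = """\
Jun 03 10:14:02 host1 sshd[2211]: Accepted publickey for alice from 10.0.5.12 port 51422 ssh2
Jun 03 10:15:40 host1 sshd[2250]: Failed password for admin_legacy from 203.0.113.7 port 40110 ssh2
Jun 03 10:15:43 host1 sshd[2250]: Failed password for admin_legacy from 203.0.113.7 port 40110 ssh2
Jun 03 10:16:01 host1 sshd[2263]: Failed password for invalid user oracle from 203.0.113.7 port 40122 ssh2
Jun 03 10:21:17 host1 sshd[2301]: Accepted password for svc_backup_old from 198.51.100.9 port 3322 ssh2
Jun 03 10:22:05 host1 sshd[2310]: Failed password for bob from 10.0.5.20 port 50001 ssh2
"""

# Matches the Accepted/Failed authentication lines sshd writes; "invalid user"
# is the wording sshd uses for accounts that do not exist on the host.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(log_text):
    """Turn raw log text into a list of authentication events (dicts)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def decoy_alerts(events):
    """Group events by source address and raise one alert per source that
    touched a decoy account. A successful login on a decoy is 'critical'
    (the credential has actually been used), a failed attempt is 'high'."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        hits = [e for e in evs if e["user"] in DECOY_ACCOUNTS]
        if not hits:
            continue
        success = any(e["result"] == "Accepted" for e in hits)
        alerts.append({
            "src": src,
            "accounts": sorted({e["user"] for e in hits}),
            "attempts": len(hits),
            "success": success,
            "severity": "critical" if success else "high",
            # Everything else this source did: review it, it may be the real goal.
            "other_events_from_src": len(evs) - len(hits),
            "first_seen": hits[0]["ts"],
        })
    return sorted(alerts, key=lambda a: a["src"])


if __name__ == "__main__":
    for a in decoy_alerts(parse(SAMPLE_LOG)):
        print(a["severity"].upper(), a["src"], a["accounts"],
              "attempts=%d success=%s other=%d" % (a["attempts"], a["success"], a["other_events_from_src"]))
```

Ordinary failed logins (bob typing his password wrong) produce nothing, because the rule keys on the account rather than on failure counts; that is what keeps a decoy alert close to zero false positives. The flip side, and the attacker's judgment call from the post, is that a careful intruder who recognises a stale-looking service account as bait simply leaves it alone.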

Governance #2

A successful cybersecurity posture in an organization requires effective cyber protection of its cyber assets. Cyber protection is interpreted broadly. In certain extreme cases, people focus on technical controls and how these controls are implemented, sometimes down to a specific technology brand name or even model, per personal preference. This doesn't hurt as long as the organization is:
- Providing transparency on the rationale for the chosen technology vendor
- Publishing the standard for reference rather than keeping it inside one person's mind
- Facilitating end users to procure those specific brands
- Communicating with the teams involved to raise awareness of the requirement
That said, this falls under one of the organization's governance roles: cybersecurity standardization. The merits are a reduced learning curve to manage the control, partnership with the vendor for better support and purchase discounts, and technology roadmap and life cycle management. Like any other tool, it is subject to misuse, resulting in internal politics. ...