Landscape

By cliangNo Comments
Some cybersecurity practitioners only drill down to the level of details of network diagram or even wiring diagram to identify adequacy of cyber protection. The system landscape or architecture is no doubt an element to look at but just part of it. The holistic approach shall look like these: What is the purpose of the systemHow is information used - control machine, information for decision making of critical operation or solely display as-isWhat is the consequence if compromisedWhat is the tolerable down timeWhat are options to bring up service within this unplanned down time windowHow to strike the balance for freezing the compromised system for digital forensic vs system recovery in meeting service pledge With these in mind, these diagrams are only useful to assess the attack path and the optimal countermeasures. And don't criticize insufficient information in the diagrams without setting a reference standard - this should be objective rather than subjective. ...
Read More

Taxonomy

By cliangNo Comments
In policy development, it is essential the coverage of the rule is sufficient and precise to avoid ambiguity. A living creature could be animals, birds, fishes, reptiles and human beings for full coverage. A targeted group might be stipulated as non-human living creatures, or even specific as reptiles when certain situations need more precision. Policy maker needs to understand clearly the scenario when formulating the directive just right in meeting practical implementation. ...
Read More

Suspicious

By cliangNo Comments
It is common to see such directive in subway, airport, key facilities, incident respond playbook etc. The problem is different people have different interpretation of "suspicious". Take phishing attack as an example. Email is apparently sent from the one you know. Should it be suspicious? If so, there won't be so many successful cyber attacks originated from phishing to launch ransomware, data exfiltration or remote access trojan (RAT). Therefore, more needs to be done to elaborate what is "suspicious" to raise situational awareness. Of course, it is a challenge to include so many information in a sign board. If the facility is so critical, each personnel (staff, visitor, contractor) should be briefed the threat scenario (like the safety rules before the aircraft departure) while the signage is just a reminder of what has been briefed. ...
Read More

Blind Spot

By cliangNo Comments
Can the bird be detected? When designing controls, we must understand what to protect. There might be blind spot that the intended controls are ineffective or even void. For inherent design weakness, retrofit would be costly and sometimes not possible without rebuilt from scratch. As a good practice, a design review to assess the control effectiveness before build will avoid such pitfall. Either a peer review or engaging independent subject matter expert will help to spot weakness with fresh eyes. ...
Read More

Policy #7

By cliangNo Comments
The illustrated directive is unclear. Drone, also known as unmanned aerial vehicle, has different form factors. If the sign comes without the icon, then it's pretty clear. With the icon there, it becomes only this type of drone is not allowed. This happens exactly in typical policy statement for network connection where cybersecurity practitioners have implicit assumptions. The issue has been elaborated in earlier blog for network connection. In nutshell, the precise directive is to secure the network with the appropriate controls of layer 3 to layer 7 data flow. ...
Read More

Cyber …

By cliangNo Comments
Early days in the industry, we are talking about information security to protect the information so as to minimize the impact due to unnecessary disclosure, unauthorized modification or unplanned downtime. It covers every information taxonomy under the sun. Suddenly, cybersecurity comes into the place. And adding cyber as prefix becomes a fashion. Vendors are trying to convince customers their products or services are addressing the market needs with hi-tech. To me, cybersecurity is a subset of information security. At least the hardcopy information container is excluded from the cyber perspective though hardcopy becomes less and in diminished usage. There are many cyber stuffs: cyber workforce, cyber maintenance, cyber hygiene, cyber insurance, cyber warfare, cyber defense, cyber range etc. Pick cyber insurance as an illustration. This becomes a focus area in the industry and relevant standards are being developed such that work practices are consistent. However, cyber insurance isn't bullet proof. If your infrastructure has weakness, repeated cyber attacks are possible. The sole value of...
Read More

Information Integrity

By cliangNo Comments
Why buying 2? Sometimes, a small mistake will invite question if the information processing facilities are producing accurate result without malicious tempering. The illustrated sales price might be just input manually, or generated from system as per scheduled price promotion. No matter which scenario, either a broken business process (lack of review, approval to publish) exists, or automated consistency check is missing. With such small mistake goes into publicity, it will require a lot of PR effort to reassure this is an isolated case and not affecting the other back office application like customer data, staff personal data, financial records etc. ...
Read More

Distance #2

By cliangNo Comments
Keeping distance on the road avoids accidents causing injuiry or fatality due to sudden situation changes. Keeping social distance avoids pandemic spreading among group of people. Similarly, keeping network distance will be cyber safer as it makes cyber attack harder. Network distance is established via defence layers between untrusted network and the target resources so as to drop or neutralize unintended traffic. The more layers, the more network distance that network traffic has to go thru to reach the destination. Layers, for example, are: Network perimeter (firewall, proxy, IPS, IDS)Application gateway (reverse proxy, DPI)Platform hardening (folder permissiom, white list/black list, no unused modules nor system sevices)System application hardening (change default setting, deny unauthenticated request)Business application hardening (observe good coding practices) While adding layers, don't forget to assess if network latency will be introduced affecting specific applications. Last but not least, all these layers shall have latest version and apply least privilege to combat threat actors as much as possible. ...
Read More

Policy #6

By cliangNo Comments
What and when are allowed? Common pitfalls in writing policies (written directives) are: Embedded assumption by the author that is unknown to other readersFailed to provide clarityMost importantly, failed to listen feedback for adjustment We are hired to make professional judgment. We must not be fraid to challenge if the written directive is clear enough, not just because it has been approved by senior management. We also need to admit policy statement is never 100% perfect as the business environment is changing. An interesting example is the power energy sector. No doubt the power plant and grid are the Critical Infrastructure (CI) assets to secure from cyber-attack in order to maintain reliable supply to customers or comply with regulatory requirements. But we must not forget there are other sources like renewable energy that the "plant" is just a customer own installation outside the CI. How should the policy statement be precise enough to differentiate the cyber protection requirement will be a tough job....
Read More

Identify

By cliangNo Comments
Most often, vendors are proposing security solution in a basket of features. They claim for security suite with unified console and dashboard. It is necessary to assess and identify the baseline security in business requirements what are the necessary protection. Otherwise, it will cost more, and more to manage in terms of support, maintenance, skillset, user experience. Some guiding questions are to facilitate the decision. The answers are situation and organization specific. Taking remote access as an illustration here. Who are the users accessing the infrastructure or system: From own organization?From business partners (vendor or contractor)?General public? When is this service needed? This will decide: Resilence arrangementMaintenance windowBusiness continuityDisaster recoveryRecovey Time ObjectiveService level pledge What service needed after connection established Infrastructure (e.g. storage, email, intranet)?Business applications? Where do users access Within organization network (due to network segmentation)From business partners networkInternetOrganization device or any device? Why this remote access is needed This is the business justification, for exampleSpeedy vendor support without traveling to siteEnhancing productivity especially in COVID-19 to keep physical distance How...
Read More