ROI

Return On Investment (ROI) is the typical approach to justify the spending to acquire an asset. For the solar renewable energy sample illustrated, this is simple:
- One-off costs like equipment purchase and installation
- Recurring costs like maintenance, insurance and administration (if trading to the grid is involved)
In a 5 or 10 year total cost model, how much energy charge could be saved, or how much revenue generated if energy is sold back to the grid, versus how much expense is paid. However, there are risks that might affect the net gain:
- Sufficiency of sunlight intensity
- Weather conditions at the location
- Physical security of the equipment against theft or sabotage
In cyber protection technology, stakeholders normally expect cyber-security to be the baseline, integrated with the asset. Adding extra cost won't be seen as ROI. A slightly adjusted model is to calculate the avoidance cost of a single cyber-security incident versus the investment. Therefore, the justification becomes: if we invest $X, then we could avoid spending...

Network

Networks exist in both the physical and cyber worlds. Both have a physical portion and a content portion. Even from a cyber perspective, both the physical media and the information exchanged need protection, but most focus is on the content part. If the adversary is able to access network equipment physically, then all those secured configurations become insecure. Therefore, in any security assessment, the physical aspect must not be forgotten....

Born or Made

Cybersecurity vulnerabilities are broadly categorized into 2 types:
[a] Inherent weakness in a component or protocol (e.g. PLC, ftp) that is insecure by design
[b] Improper deployment that turns a secure component (e.g. a FIPS 140-2 Level 4 certified crypto module) insecure because the required surrounding elements are lacking (likely a broken business process or human negligence)
Type [a] can be overcome at procurement time by specifying the requirement. Type [b] can be identified via vulnerability assessment of the deployed solution from the people, process and technology perspectives...

Direction

Establishing cyber directives (policies) is challenging. On one hand, the language must not be too specific, to leave flexibility; on the other hand, language that is too loose will be difficult to enforce in practice. The bottom line is to establish an organization-specific directive for its line of business, based on commonly recognized best practices and industry regulations (e.g. CIP, PCI DSS, HIPAA, SOX, GDPR). Over time, regular review among stakeholders is required to fine-tune the language based on the experience of adoption and to address any limitations. This regular review process shall also be specified in the directive itself as part of compliance....

End of Road

In a physical journey, there is always an end, such as:
- End of vacation, back to work
- Road blocked by an obstacle: detour or go back
In the cyber journey, especially digital transformation, it is never-ending. The target keeps moving, compliance with new regulations is demanding, and stakeholder expectations rise over time. You need to keep up security protection against emerging threats even if your business or the technologies deployed remain unchanged. New solutions, or even new protections, will bring new risks. Essentially, regular assessment of the business environment, the technologies deployed and the threat landscape is required, along with a review of how much risk is acceptable to run the business. After all, there is never a 100% secure system. ...

Dormant

Malware nowadays is getting sophisticated: it has a small footprint, evades sandboxes and detection, determines the platform to inject the applicable payload, and some even change account passwords and disable all network interfaces to lock you out completely. Backup is one of the mitigation means for recovering the pre-victim state, at the cost of losing certain application data. The challenge is that the malware might have already existed in dormant form in the previous state, and the backup carries it. What should best be done? In the extreme case: no Internet, or even a standalone system with no communication at all, no removable media and all I/O ports sealed, zero trust of any user with all system privileges locked down, applications white-listed, kiosk mode used. Imagine you are working in an organization like this. You won't be working long, as the business will soon cease in such an environment. And after all, who should be appointed to maintain the system, which inevitably requires root privileges? This is a risk-taking consideration....

Deep Packet Inspection (DPI)

As cyber attacks have already moved from the network layer to the application tier, DPI is a must to examine content and detect malicious intent. Some technologies (like web proxies) even break TLS for content inspection, creating a cyber threat from the user's perspective: https is no longer trusted to be secure.
In a corporate environment, privacy is not guaranteed: a blanket statement that you consent to being monitored is given when you start using the IT facilities, e.g. displayed in the logon banner. As a user, check whether the site certificate is issued by the site owner or by another party to understand if traffic is being intercepted.
For networks in public, connectivity is usually via WLAN. You have no idea what is behind the infrastructure, or whether it has been manipulated for malicious intent. So, follow the OS platform's recommended public network profile upon connection:
-- Don't allow your device to be discovered
-- Disable folder sharing
-- Set up another web browser without saved login credentials for general web surfing
-- Never use insecure...

Expectation & Limitation

Every technology has its own limitations. Don't just listen to Sales or look at the product brochure. Their tactic is to highlight the strengths or success stories of the desirable protection scenarios and hide the limitations. There are many examples of limitations quoted in previous blogs:
- Is network anomaly detection able to spot "missing" traffic, rather than only extra traffic, among the "unusual" deviations from the baseline profile?
- Is a company "authorized" USB drive effective for DLP or for limiting malware?
- Is Touch ID really secure?
etc. Understand what the technology does and does not do. Set stakeholder expectations for the limitations and the required compensating controls. Voice these out before recommending the protection technology, if it really fits for adoption. ...

Point of Attraction

Everything has multiple perspectives. A point of attraction could become the point of attack. An example is setting up a web site for presence in the cyber world. The business people wish to have high hit rates on the web site to enhance brand visibility and collect surfer behaviour for analytics, thus pushing the right level of promotion and adjusting market strategy. All these are to prove the ROI for the web site TCO. The technical people wish to lock down the web site to avoid it being defaced or being planted with malicious code for persistent threats. All these will inevitably affect certain functionalities or incur extra cost. Such investment is to prove avoidance cost rather than ROI, because people generally expect cyber security as a given, rather than gaining $Y by investing $X. Bridging the gap will require cyber governance at the top level to set out cyber directives within the organization, resolve issues and have the final say on conflicts arising,...