Expectation & Limitation

By cliangNo Comments
Every technology has its own limitation. Don't just listen to Sales or look at Product Brochure. Their tactics are to highlight what are the strengths or success stories of the desirable protection scenarios and hide limitations. There are many examples of limitations quoted in previous blogs: Is network anomalies detection able to spot "missing" but not extra among "unusual" traffic from baseline profile?Is company "authorized" USB drive effective for DLP or limiting malware?Is Touch ID really secure,,, etc. Understand the technology what works and what doesn't. Set stake holders expectation for limitations and the required compensating controls. Voice these out before recommending the protection technology if really fit for adoption. ...
Read More

Point of Attraction

By cliangNo Comments
Everything has multiple perspectives. A point of attraction could become the point of attack. Example is setting up web site for presence in the cyber world. The business people wish to have high hit rates of the web site to enhance brand visibility, collect surfer behaviors for analytics, thus pushing the right level of promotion and adjust market strategy. All these are to prove the ROI for web site TCO. The technical people wish to lock down the web site to avoid being defaced or being planted with malicious codes for persistent threats. All these will inevitably affect certain functionalities or incurred extra cost. Such investment is to prove avoidance cost rather than ROI because people generally expect cyber secure - rather than by investing $X, $Y will be gained. Bridging the gap will require cyber governance at the top level to set out cyber directives within an organization, resolve issues and have a final say for conflicts arising,...
Read More

Trust #2

By cliangNo Comments
When Internet is just launched to the consumer market, it's costly. Need to subscribe the service from your local Internet Service Provider (ISP) and connect from home via telephone line with dial-up modem. Both bandwidth and data volume are limited. Technology advancement makes the Internet become a default facility for the community. Free wi-fi hotspots and free Internet kiosks are available. The important thing to note - do you trust these platforms? Even though the providers do not have malicious intend, are these devices secured from planting malicious tools to capture sensitive information? If you need to use Internet like this, limit to just web surfing without login to search information. Always bring your own device as an integral part of your wallet when travelling. Use a VPN gateway service if possible to defeat MITM (Man-In-The-Middle) attack because certain web proxies are able to intercept TLS (Transport Layer Security, or https) traffic for content inspection. You...
Read More

Trust

By cliangNo Comments
When you come across a free USB socket to charge your mobile device, will you trust and use it? You never know what is behind that your mobile device will connect to. Mobile device now contains lots of "useful" information for hacker. The information ranges from personal contact, photo, notes, corporate email to saved credentials. The best is to use own charging device. ...
Read More

Real Image

By cliangNo Comments
Virtualization is great technology deployed in ICT (or even ICS). There are many merits for live system or application development but we must not forget: It is still the same platform subject to regular cyber maintenanceSame cyber protection like removing unused applications, disabling unused system services, using least privilge session to run application etc.Regular backup for recovery provision to minimize unplanned service interruption: whether conventional backup approach or real image of the virtualized environment ...
Read More

Technology

By cliangNo Comments
Technology helps avoiding mistake, operating continuously and enforcing certain outcome. However, technology is designed and deployed by human. There must be faults during the above process (that's why we have patch Tuesday or so). In the illustrated vault, it has thick door and wall. That should be strong to withstand theft, physical attack or natural disaster to secure contents stored there. If the access to vault is not well managed, then the intended protection will be void. ...
Read More

Manual Control – Rare to Find

By cliangNo Comments
Yes, it is and mostly replaced by automation which is everywhere nowadays: Be seen like car park entry/exit control, house hold appliance, lift or escalator in building Behind the scene like cruise control in vehicle, electricity transmission and distribution Automation means controls are managed and executed by components with prebuilt intelligence. Unlike ICT dealing with solely information processing, automation influences physical process or object movement. If such intelligence has fault or being manipulated maliciously, adverse consequence will be resulted. Secure by design, regular cyber maintenance and periodic assurance are necessary to sustain healthiness of the automation system for intended operations. ...
Read More

Policies #4

By cliangNo Comments
In stipulating policies (written management directives), the hard part is in the language for having specific objective with flexibility and without ambiguity - balance between specific and generic descriptions. The applicability of policies is another challenge. For the illustration "No trespassing", where is applied: thru the path or go over the fence? ...
Read More