Governance

In the last article I talked about PPTP. With organization policies formally established, the next step is the governance to make them work. Otherwise, policies are just slogans in the air. The governance must be driven by the governing body (usually the senior management in the organization), whose duties include but are not limited to:
- Mandate cybersecurity directives (policies) for enforceable, repeatable and achievable business processes
- Approve risk acceptance for deviations from these established policies
- Stipulate strategic decisions to ensure business outcomes align with organization business objectives such as digital transformation, Recovery Time Objective (RTO), recovery priority and funding
The hard part is that the governing body needs to determine the right path for the organization rather than being distracted by sales pitches or FUD exaggerated by the media....

PPT, PPTP

People, Process and Technology (PPT) are always referred to as the foundation in the cybersecurity community. Yes, they are. But without formal organization policies to drive them, many pitfalls can be envisaged:
- Misalignment among business units
- Misinterpreted context of the policies
- Lack of management support for continuous improvement
- Insufficient skill set in the workforce
Therefore, a more precise model, PPTP (People, Process, Technology, Policies), is deemed suitable. Without the last P, it's like a chair with a broken leg that will fall (fail)....

Preparedness

No doubt we have deployed and sustained protection as a counter-measure against cyber threats. However, the cyber threat landscape is always evolving: new tricks, zero-day exploits and Advanced Persistent Threats (APT) are out there, and we don't know what we don't know. In this regard, we must assume our system or infrastructure will be compromised; it is just a matter of when. To deal with the worst-case scenario, we have to be well prepared beforehand. Things like:
- Establish a directive to trade off between service resumption and digital evidence preservation
- Determine the dependencies for resuming service in an alternate facility, even at a degraded level
- Streamline the philosophy of containment to minimize damage from a cyber attack
- Maintain contact information as well as a reliable and trusted communication channel among key personnel during an emergency
- Prepare Line-To-Take templates to simplify the job for PR
- Most importantly, human safety and environmental protection should be the first priority
- Regular drills to validate readiness and find ways to improve
...

Tunnel

A "digital" tunnel is common in the cyber world. TLS (Transport Layer Security) technology is widely deployed: the initial handshake between email servers before communication starts, SSL (Secure Sockets Layer, or https) between web browser and web server, VPN (Virtual Private Network) for point-to-point (or site-to-site) connections. All of these serve one purpose: protect sensitive information submitted through an untrusted network. Two key learnings:
- Don't expect SSL to be secure. Some Internet gateways have a web proxy in between that breaks the SSL connection to intercept it for content inspection. This happens in certain organizations, public free access points and regions with Internet control.
- Like firearms in the physical world, the use of encryption (TLS) can be for good or evil: defensive or offensive. It is the organization's policies, laws and regulations that govern its proper use.
...

Clock

A clock displays the time of day. Time is invisible and exists virtually. Every one of us has the same amount of time, rich or not. You can't save up time for later use, borrow time from others, nor go back in time. Everything in this universe is influenced by time: living individuals age, machines wear and tear, cutoff points in trading like stock, FX or bidding, project deadlines, return on investment, interest, etc. Time is also regarded as the 4th dimension. In the cyber world, time has its own unique characteristics. In centralized computing like the mainframe, the clock signal orchestrates task coordination across components: data is fetched from storage via the data bus to the processor for manipulation, then sent to the next destination. In decentralized computing with networked computers, time stamps the sequence of system events for troubleshooting and digital forensics. It is therefore important to maintain clock synchronization in the network. There are various considerations:
- Clock source: National lab, or...

Tracking

In the cyber world, logging is fundamental to tracking electronic activities for troubleshooting or digital forensics. With device proliferation, especially in the IoT domain, substantial logging volume is generated, making log review a hard task. SIEM (Security Information and Event Management) technology has surfaced to relieve this tedious task. It consolidates and correlates event logs and picks out "interesting" scenarios for automated action or human alert. The challenges are:
- What types (or levels, e.g. brief, detail, info, warning, critical) of logging are available and required: platform, infrastructure, application ...
- Context of log data: time of day, time zone, IP address, user identities, machine names, machine address ...
- How to ship the logs from different network zones to the central SIEM without breaking network zoning
- Clock source to sync across all these network zones
- Algorithm of event correlation (human-defined or machine learning)
- Criteria to automate alerts with confidence (false negatives or false positives will ruin the trust)
Most importantly, logging must comply with...

Aurora

In the physical world, it is beautiful scenery. In the cyber world, the Aurora vulnerability refers to a cyber attack resulting in damage to physical components (the generator) in the electric grid. When a threat actor is able to reach the control network, repeatedly sending commands to rapidly open and close a generator's circuit breakers out of phase will cause it to explode. For such a critical asset with severe consequences when it fails, necessary cybersecurity controls shall include but not be limited to these measures:
- Incorporate security at the design stage
- Isolate automation components from external connections
- Zone components within the control system network
- Apply the least privilege principle
- Control physical access to critical assets
- Conduct regular cyber maintenance (protection updates)
- Validate incident detection and response readiness
- Equip support personnel with the right skill set
- Execute periodic assessments for assurance
- Refresh end-of-life components
- Manage insider threat
...

Crowdsourcing

Landlord: "Tell me your monthly sales amount." Tenant: "No way, this is confidential business information." With a little trick, such confidential information can be collected. Given a certain incentive, customers will queue up and surrender their sales receipts to the concierge of the mall. Free parking is one incentive model. For in-mall spending over a certain amount, the concierge validates the parking ticket and captures the receipt details. But this is less granular because not every customer comes to the mall with their own vehicle. A more advanced model is to establish a loyalty membership that earns points per the amount spent in the mall. This is still not accurate because not every customer will join the loyalty scheme, but it is more granular than the free parking model. Then, confidential sales information can be captured from the crowd for analytics....

Grade of Protection #2

Certain hotels provide a safe for customers to store valuables during their stay. It is somewhat physically robust against brute-force opening of the door. The door is locked with customer-chosen numeric digits each time it is closed, and this code is then used to open the safe. There are lots of articles shared on the Internet on how to bypass the code to open the safe door. In summary, the lessons learned from these articles are:
- Improper configuration (default master access code unchanged)
- Lack of physical protection (because it is accessible semi-publicly to explore tampering opportunities; a drop from a moderate height will open the door after flipping the lock handle several times)
- Likely comes with a factory console port as a backdoor, but the intention is for a good purpose: to help customers unlock the safe after forgetting the code
The safe there is better than none, but customers should be advised to use it at their own risk. The latter clause shall be posted in conjunction with the safe usage instructions to disclaim...

Resilience

How much resilience is sufficient: single, dual, triple, quadruple or more? You need to understand the consequence of a system component failure for the committed service level per agreement. It is a matter of balancing risk for optimal investment. Even if there is a penalty clause for breaching the committed service level, the amount paid out might be much less than the TCO (Total Cost of Ownership) of investing in a robust infrastructure plus the recurring running cost. Nevertheless, intangible losses like brand name or reputation damage need to be considered....