Bandwidth

By cliangNo Comments
Cloud computing is popular and every organization is migrating into this platform because of almost zero lead time to provision the infrastructure without waiting for delivery, installation, configuration and commissioning. Further, manpower resource to manage the infrastructure is shifted into service provider.  Of course, this refers to using Cloud outside the organization rather than an on-premise private Cloud. While Cloud computing (no matter Iaas, PaaS, SaaS) has many merits, the overlooked layer is the bandwidth from your organization to the hosting site.  This is the most critical infrastructure to maintain survivability in terms of resilience and business continuity plan....
Read More

The Human Factor

By cliangNo Comments
Email becomes part of our life in both cyber and physical worlds.  We execute actions in physical world based on email context in cyber world. Email is an example of mixed information classification because the sensitivity is content driven.  Therefore, applying protection per the highest sensitivity requirement will be the one-size-fits-all solution.  Typical email technical controls are S/MIME, TLS, RMS, 2FA etc. No matter how secure the protections are applied, a negligent but legitimate business user will defeat them all. Educate the consequence of improper usage will uplift the human awareness, and becoming the first line of defense....
Read More

Backup & Recovery

By cliangNo Comments
Service availability expectation is high nowadays.  Customers expect everything is always up and running any time for usability. Backup for recovery becomes challenging: platform & applications, system configuration and application data are changing at different frequencies.  It is necessary to formulate the backup strategy at design stage or be part of the major change to meet the recovery time objective by deploying viable technologies. GFS (Grandfather, Father, Son), or 3 generations, is still considered as the minimum set for full backup to recover the entire system at certain point in time.  It's how frequent this is done and what are other business continuity activities to complement the "outdated" information....
Read More

Masquerade #2 – Mouse Over

By cliang1 Comment
Mouse over on the hyperlink will show you the intended web address to reach. Traditionally, this is used to understand what web site will be visited. However, this “defense” mindset has to be changed. The displayed link should not be trusted because it can be masqueraded. All the demo URL should be non-reachable as there are no such Domain Names registered.  To limit malicious people registering my demo URL to launch real attack, the .gov gTLD is chosen. It is no harm to click below but not in other unknown sources. Click me. Are you reaching the expected "www.trusted-site.gov" as seen via mouse over?...
Read More

Sunrise, Sunset

By cliangNo Comments
You cannot tell because it lacks of reference - time of day taken or more precisely which planet but generally assumed on Earth. Similarly, is the infrastructure/system cyber secure? It needs reference points. The corporate cybersecurity policies, the corporate risk matrix are the reference points to prioritize protection measures for reducing likelihood. Furthermore, a scoping statement is required especially if we are talking about cybersecurity assessment or accreditation.  An ISO standard compliance is meaningless without statement of applicability.  Whether it's just (a) the in/out tray of document handling or (b) the information processing system/infrastructure handling electronic document will make a great difference in terms of operational controls as well as ongoing effort to sustain the accreditation....
Read More

100% Cyber Secure

By cliangNo Comments
Are you kidding?  Yes, there is.  These computers are 100% secure from cyber-attack, but ... What about physical threat? Are they still serving the intended purposes? Once these computers are power up (whether connect to network or not), there will be different degrees of cyber risk imposed. So, never expect a 100% cyber risk free solution....
Read More

Control #3

By cliangNo Comments
Controls are necessary to reduce likelihood of risks.  But excessive controls shall have adverse effects: Degrade productivity Push back from user Circumvent control Risk assessment is required to design optimal and effective controls.  Change (behavior) management and user awareness need to be well established too.  Essentially, Why is the control required What is this meant in daily works (WIIFM for the user) What is the consequence of violation (both organization and the offender) ...
Read More

Privacy

By cliangNo Comments
We all know the importance of privacy and the need to protect it. While protecting privacy, we need to look at regulation requirements in 360 degrees, i.e. we cannot hide something that is supposed mandatory for display. A question for reader: in postal mail, is the window envelop displaying both name and address violating privacy?...
Read More

Shadow IT

By cliangNo Comments
Gartner defines Shadow IT as IT devices, software and services outside the ownership or control of (IT) organizations. Given that information processing facilities or information containers are no longer centralized, the shadow IT is a common phenomenon.  Each one of us has a cellular phone that is indeed a powerful information processing facility and large storage device in the pocket. The extensive connectivity and cloud computing via access anywhere and any platform model further accelerate this situation.  Cyber risks are incurred to different degrees.  Various protection technologies are surfaced in the market: Mobile Device Management, end point lock down, cloud-based proxy, Data Leakage Protection, disk encryption and so forth; but they are never bullet proof. Organization needs to think about enablement (as well as empowerment) rather than prohibitive thru streamlined approach.  Policy formulation, usage guidance, risk management, user awareness and enforcement via disciplinary process are required to minimize the impacts....
Read More

The Good, The Great

By cliangNo Comments
As cybersecurity practitioner, you might need to assist asset owner or end user to deal with auditor (or security assessor). The Good auditors are able to pick discrepancy of your operation against the "policies" (written directives, procedures or instructions document) down to minute details.  They regard these are the yardstick ("so it shall be written, so it shall be done") for a yes or no compliance tolerance without looking at other compensating controls. Every change or review execution needs documented evidence (name, date, signed approval, next review date etc.).  How these documents are effectively managed isn't the focus even though it will create many unnecessary overheads or even the trustworthiness of the documents. The Great auditors make a step further.  They will give further thoughts if the written "policies" have gaps with best practices or practically achievable; recommend both written (documents) and execution improvement.  E.g. make reference to revised password setting per NIST SP-800-63-3. The cybersecurity practitioners need to keep abreast of latest...
Read More