Incident Respond #2

By cliangNo Comments
Respond is 1 of the 5 domains under the NIST CyberSecurity Framework along with Identify, Protect, Detect and Recover. It is also generally understood the importance of IR in the industry because "it is not a matter of if but when your system is compromised".  Promptly respond to incident could trigger the required recovery actions to minimize business interruption. The hard part is that you'll never know if the response will work in real life even though there are regular drills to opt for continuous improvement.  This is like the air-bag in your car - you only know if it serves the purpose when triggered....
Read More

Residual Risk

By cliangNo Comments
When deploying protection or counter-measure, it is necessary to understand If new risks are introduced? Will these new risks even exceed the consequence of do nothing? An example is DLP (Data Leakage Protection, not Prevention).  It requires "super" privileges to access every resource being monitored to alert sensitive information being shared improperly.  Even though this might be a system account, mis-configuration or process weakness could exploit the DLP to leak more sensitive information to unintended recipient....
Read More

Incident Respond

By cliangNo Comments
Organizations usually invest substantially to manage and mitigate cyber attack with the detection technologies like log correlation and SOC (Security Operation Center) establishment plus comprehensive process of detailed respond to cyber threat scenarios with surprised drills etc. Not doubt, this will uplift the organization capacity and demonstrate due diligence has been exercised to deal with cyber attacks to stakeholders. On the other hand, cyber is just one of the failure or attack scenarios.  Like fire incident, it might be due to human negligence (left burning cigarette unattended), natural disaster (strike by lightning) or cyber attack (S01E04 Fire Code - vulnerable printer firmware).  No matter how, isolation to contain threat and promptly recovery to resume are required whether cyber or not. Resource (both skill set and manpower) in real life is always limited and should be put on recovery then drive from this end what is required for service resumption meeting recovery time objective.  And don't forget the TCO (Total Cost Ownership) involved to sustain...
Read More

Split Knowledge

By cliangNo Comments
This is usually a means of control normally deployed in key management such that accessing privileged and critical resource requires multiple designated persons to minimize misuse of such privilege by a single person.  The simplest form is splitting a password into tokens and held by different persons. While security control is enforced, there are needs to consider: - Contingency, e.g. key person(s) is(are) not available in the case of split password.  With technology, there is m of n crypto key recovery so that availability of the selected m persons (where m <= n) can regain access - Further, this assumes all these m persons do not collaborate for malicious act...
Read More

Cryptography

By cliangNo Comments
Example in real world for cyber world. There are 2 salient points in cryptography: Algorithm (or how it works) is publicly known, source codes are even published (mechanism of the combination lock is known) Key is secret, this is the only way to access the cipher text (the combination code you have chosen to unlock) Therefore, never invent your own crypto algorithm no matter how much obfuscation you have made in the codes.  It is just security through obscurity. Of course, even a recognized (or certified) crypto will be subject to attack (online or offline) due to technology advancement over time.  Essentially, counter-measures are to increase the time attacker needs to get thru: regular password change, complex password, 2FA, adding salt and pepper in the stored hash etc....
Read More

Misplaced Control

By cliangNo Comments
Security technologies are secure but if deployed incorrectly, the intended protection will be in vain. It is necessary to have a design review and configuration check to minimize this type of issue.  Preferably, this should be done by 3rd party for independence as well as from fresh eyes. Of course, a reasonable scope of coverage has to be defined.  That's why security accreditation is at component level (e.g. encryption module) to set the boundary because how it is deployed has many variables....
Read More

Data-at-rest

By cliangNo Comments
This is one of the commonly referred information states among data-in-use and data-in-motion. Within data-at-rest, there should be further taxonomy: offline (backup provision for recovery), archival (kept as historical record and retrieved when needed) and disposal (no longer needed for business operation). Therefore, protection for all these data-at-rest taxonomy is equally important to secure the content....
Read More

Control #2

By cliangNo Comments
Most consider cybersecurity controls require hi-tech solution such as deep packet inspection, non-revisible encryption, biometric authentication with time of day usage permission, sandbox to validate behavior of unknown executables, event correlation from various log sources to trace the network traffic, data leakage detection, etc. Yes, to some degrees these are true and required.  But controls must be deployed correctly to minimize attack surface or avoid affecting other existing controls.  Further, resources are always limited in real world.  We have to deploy optimal controls.  Examples are: Preventive control - building the separation between opposite lanes is costly Detective control - the traffic camera is less costly but requires process to review events Administrative control - the double solid white lines are the most cost-effective control Notwithstanding all these control types, behind the scene they must be enforceable by regulations for consequence of violation....
Read More