cliang – Page 25 – The SECOND Advisories Limited

Data-at-rest

15th September 2018 By cliangNo Comments

This is one of the commonly referred information states among data-in-use and data-in-motion. Within data-at-rest, there should be further taxonomy: offline (backup provision for recovery), archival (kept as historical record and retrieved when needed) and disposal (no longer needed for business operation). Therefore, protection for all these data-at-rest taxonomy is equally important to secure the content....

Control #2

14th September 201821st December 2018 By cliangNo Comments

Most consider cybersecurity controls require hi-tech solution such as deep packet inspection, non-revisible encryption, biometric authentication with time of day usage permission, sandbox to validate behavior of unknown executables, event correlation from various log sources to trace the network traffic, data leakage detection, etc. Yes, to some degrees these are true and required. But controls must be deployed correctly to minimize attack surface or avoid affecting other existing controls. Further, resources are always limited in real world. We have to deploy optimal controls. Examples are: Preventive control - building the separation between opposite lanes is costly Detective control - the traffic camera is less costly but requires process to review events Administrative control - the double solid white lines are the most cost-effective control Notwithstanding all these control types, behind the scene they must be enforceable by regulations for consequence of violation....

Assumption

13th September 2018 By cliangNo Comments

Risk assessment is part of the risk management process to identify exposure, likelihood and business risks so that the necessary protection measures could minimize the impact. The tricky thing is most often controls are implicitly assumed, e.g. the access control to the target application relies on the robustness of the Identity Provider enforcing the defined roles & privileges, the effectiveness of anti-malware protection relies on the backend process to refresh for up-to-date definition, the platform and system applications are regularly hardened from known vulnerabilities, network perimeter controls are defined correctly and so on. Therefore, it is important to align and set the scene what key assumptions are referred in the very first step before assessing risks. If any of these is incorrect, then the exposure will be under-estimated and so for the residual risks....

USB Port Misconception

12th September 2018 By cliangNo Comments

Most often, people said blocking USB port is a control in the company but somehow there is exception process to "authorize" company USB storage device to connect due to business reason. Two mistakes: 1. USB ports are standard I/O interface now. There are different needs like keyboard, mouse, IP phone device using USB connection. They cannot be blocked as a blanket directive. The proper way to say is to manage removable media. 2. The protection objective is not clear. What is this technical control for: Limit importing malware Limit data leakage Something else With an "authorized" company USB storage device, it will be in vain for any of these cases as long as that company device is shared with other non-company computers. This is totally outside technical control. The reality is that file exchange is always legitimate business needs. Providing a means to facilitate secure file exchange will eliminate the use of removable media as well as getting user buy-in. The ultimate control relies on management...

Cyber Risk Likelihood #2

10th September 201821st December 2018 By cliangNo Comments

In physical world, public touch points are not hygiene. The more people touch it, the more "dirty" it will be. In cyber world, if a network node has exposured as a public touch point, e.g. accessible elsewhere in the internet, it will become more vulnerable and cyber attack is highly increased. The "distance" to access the network node will influence the cyber risk likelihood rather than prediction based on historical occurrence. The different layers of protection in between will reduce this cyber risk likelihood. Last but not least, don't forget to secure the physical access path....

Limitation

10th September 2018 By cliangNo Comments

Every technology or system must have inherent limitations: no matter itself or its environment. Say, surveillance via CCTV for physical security, there is still the need to deploy guards patrolling the strategic locations to validate what you see if legitimate and augment the "blind spot" of CCTV coverage. Therefore: Unmanaged limitations will develop into vulnerabilities Exploitable vulnerabilities will become risks Neglected risks will impact the business Regular process review or system vulnerability assessment are then required for continuous cybersecurity strengthening....

Blockchain

9th September 20189th September 2018 By cliangNo Comments

Everyone is talking about this great technology and every industry is trying to adopt in the business model. Without going deep into technicality and in nutshell, the digital proof of the transaction is established and guaranteed in this distributed ledger. However, an important element need to think about: how can the digital transaction in the cyber world be enforced for fulfillment in the physical world without any regulation? Think twice: if you have paid ransom via such digital transaction intended to unlock files encrypted by ransomware, how do you ensure that "service" is delivered? Therefore, internal use or limited adoption within closed community enforced with contractual terms are likely the use case in near term....

Myths of DLP

9th September 2018 By cliang1 Comment

The cybersecurity industry commonly names DLP as Data Leakage Prevention. It lacks of qualifier because the technology just tries to detect/prevent human mistake nor broken business process. In that sense, DLP is likely capable. There are always many means to exfiltrate data as there are many "holes" in the infrastructure. The fencing is good to block trespasser but not getting materials thru the fence. Use of DLP or other technology just makes data exfiltration harder, or takes longer time to do so. Imagine, all of us have cell phone that is an effective tool to beat DLP. How many organizations will demand surrendering cell phone before: Coming to attend confidential discussion (e.g. the movie "Salt") Accessing sensitive information at workplace Disabling remote access The term shall therefore be rephrased as Data Leakage Protection and set the proper expectation what can be done and what are limitations....

Least Privilege

8th September 2018 By cliangNo Comments

Another practice in physical world is adopted in cyber world - least privilge principle. However, we must bear in mind that privileges could be elevated or circumvented due to system weakness or unmanaged vulnerabilities. Therefore, regular assessment for assurance is required to validate if controls are still effective....

Zoning

8th September 2018 By cliangNo Comments

Many cyber practices are actually adopted from physical world. Zoning is an example. Main purpose is to isolate object path (incoming / outgoing) to secure the port control. Authentication (immigration) and inspection (security screening) are added measures....