Blockchain

Everyone is talking about this great technology and every industry is trying to adopt it in its business model. Without going deep into the technicalities, and in a nutshell, the digital proof of a transaction is established and guaranteed in this distributed ledger. However, there is an important element to think about: how can a digital transaction in the cyber world be enforced for fulfillment in the physical world without any regulation? Think twice: if you have paid a ransom via such a digital transaction, intended to unlock files encrypted by ransomware, how do you ensure that the "service" is delivered? Therefore, internal use or limited adoption within a closed community, enforced with contractual terms, is likely the use case in the near term....

Myths of DLP

The cybersecurity industry commonly names DLP as Data Leakage Prevention. The name lacks a qualifier: the technology only tries to detect or prevent human mistakes or broken business processes. In that sense, DLP is likely capable. There are always many means to exfiltrate data, as there are many "holes" in the infrastructure. A fence is good at blocking trespassers, but not at stopping materials from getting through the fence. Use of DLP or other technology just makes data exfiltration harder, or makes it take longer. Imagine: all of us have a cell phone, which is an effective tool to beat DLP. How many organizations will demand surrendering the cell phone before:
- coming to attend a confidential discussion (e.g. the movie "Salt")
- accessing sensitive information at the workplace
- disabling remote access
The term shall therefore be rephrased as Data Leakage Protection, which sets the proper expectation of what can be done and what the limitations are....

Least Privilege

Another practice from the physical world adopted in the cyber world is the least privilege principle. However, we must bear in mind that privileges can be elevated or circumvented due to system weaknesses or unmanaged vulnerabilities. Therefore, regular assessment for assurance is required to validate whether controls are still effective....

Zoning

Many cyber practices are actually adopted from the physical world. Zoning is an example. Its main purpose is to isolate the object paths (incoming / outgoing) so that port control can be secured. Authentication (immigration) and inspection (security screening) are added measures....

Business Value

One of the fundamental principles in cybersecurity is to apply the necessary controls to reduce business impact. Business value is the catalyst in risk management. A cyber poker machine is chosen as the illustration here. If this cyber application is deployed in a casino, the bet outcome means money. The result of each bet must be protected against manipulation such as session replay, or unauthenticated or fraudulent submissions that control the coin release valve. But if it is deployed as part of the entertainment system in an aircraft, then it doesn't matter. The bet outcome is just for fun....

The 4C of cybersecurity

- Cautious - understands that cybersecurity is important but still needs to explore how to execute or manage it
- Conformance - doing things that adhere to the cybersecurity requirements
- Compliance - having a 3rd party review and certify cybersecurity assurance for a selected scope
- Commitment - every aspect takes care of cybersecurity
For the illustration, it is solely BS1363 compliance for the scope of the AC plug itself. Though there is a metal earth pin, it is just a dummy and cannot achieve the intended protection (end-to-end security)...

Cyber Risk Likelihood

In the physical world, likelihood is based on historical frequencies, scientific calculation (like the path of a hurricane), or engineering specifications such as MTBF (Mean Time Between Failures). Likelihood is the foundation for predicting when an event will occur. It is the key catalyst in the insurance industry. In the cyber world, this is not going to be the same. A newly uncovered vulnerability can turn a security protection insecure overnight. An example is TLS (Transport Layer Security). People take TLS for granted as a secure means to protect the submission of sensitive information over the network. Heartbleed suddenly shocked everyone, and this couldn't be predicted in the traditional manner. A different approach has to be adopted to address cyber risk likelihood....

Give and Take

Cybersecurity and convenience are always contradictory. Touch ID is a convenient means to unlock the device and is deemed secure because fingerprints are supposed to be unique. But if we give it further thought, there are several pitfalls.
- Touch ID only protects the data-at-rest scenario. It can't secure your data if your phone is unlocked (data-in-use), nor when you are submitting sensitive data across the network (data-in-motion).
- Frequent use of Touch ID will make you tend to forget the text-based password, affecting availability in situations where you need to provide the password.
- A text-based password is more secure than biometrics in one special case: if you are under duress, an attacker can force you to unlock your device with your biometric attributes ... even if you are dead; but a text-based password cannot be extracted from a dead person's memory.
An example is the locked iPhone from the Boston bomber that evolved into a court case debating national security vs data privacy. This is a matter of expectation...

Router or DPI?

One of the roles of a cybersecurity practitioner is to share threat intelligence with internal stakeholders to enhance situational awareness. If you are doing this, don't just share the links to the news. You need to analyze the published threat:
- Assess the credibility of the threat source
- Explore what protections are currently deployed in your organization
- How to avoid similar issues in your organization
- Prioritize protection investment if not yet deployed, with an applicable workaround to reduce likelihood
Essentially, it's WIIFM (What's In It For Me?). If you don't, you don't add value by sharing the threat intelligence. Sadly, that is just a router rather than a smart Deep Packet Inspection....