People – The SECOND Advisories Limited

Address

2nd November 20242nd November 2024 By cliangNo Comments

There is a key difference between physical and cyber worlds. In physical world, addresses for non-military areas are public. You have to label your apartment properly so that mail from postage service or goods from courier will not miss the destination. Major map service providers have the information online for public accessibility. In cyber world, IP address is sensitive information and securely protected in document, electronic information transfer. This is because if threat actor has landed in the internal network, the first thing is to conduct reconnaissance in understanding what are network nodes present, then trying to reveal its OS footprint in deciding what could be exploited. If IP address (and even worst with the host information, like in network diagram) are disclosed, it will save threat actor substantial amount of work in the discovery phase. However, whatever protections are imposed, it is just a matter of making the penetrating more difficult. There are always new threats, vulnerable OS, vulnerable software...

Responsibility

16th August 2024 By cliangNo Comments

I saw certain cyber security awareness poster has stated that keeping cyber secure is a shared responsibility. In certain way, this is true. Each of us plays a different part to protect the assets in the digital world. But "shared responsibility" appears as no one will take accountability and any one will think someone will take the lead to secure. In the illustration, you are responsible to well equip yourself to enter into the wild. You are well informed "You must be properly prepared to meet these hazards on their own terms. This is your responsibility." That should apply to the digital world and "shared" responsibility isn't the proper term and tone. ...

No Direction

22nd May 202423rd May 2024 By cliangNo Comments

The principle of governance is to enforce processes are conducted consistently per established and approved policies or directions in an organization. That way, the business outcomes are also consistent. Some incompetent cyber security practitioners I have seen are just play by ear to spell out requirements for what they think is more secure. without considering practicality and the underlying overheads. An example is to keep an register to record which OT system uses USB thumb drive. All OT systems use USB because of isolated network environment for file exchange. The key point is how to manage the use of USB securely rather than keeping such a register. We must ask how much protection is increased by adding protection (no matter technical control or administrative control) and will more risks be introduced if not doing so. We must stick to the established policies. If there are "bugs" in the policies, admit it. Schedule revisions with stakeholders involved to align with...

Trust #4

8th May 20248th May 2024 By cliangNo Comments

A machine in the corner of the mall for digital currency exchange. Whether you use it or not is a kind of risk taking because you don't know what is behind the machine, who operates it, any proper business license to protect your money if things go wrong. In digital world, we must not solely put focus just on cyber protection. Every aspect counts towards a secure business model. From the digital currency operator's perspective, secure cyber protection is not enough. Physical security, anti-tampering to manipulate network connection, I/O port interfaces and so on are all attack vectors. From he customer perspective, trustworthy of the machine is the prime concern. ...

Protocol

24th March 202424th March 2024 By cliangNo Comments

Protocol requires proper data format and valid ranges in different preset fields per design to work properly. Threat actors are trying to manipulate the different fields and data ranges in order to exploit weakness of underlying process to handle the protocol. Just like the illustrated locks. It allow dual admins to unlock it where each admin has own access key. If a "malicious" admin who does not follow the protocol to make the locks in series but putting them in parallel, then access is denied to other admin because unlock will require both keys at the same time. Therefore, when we talk about security, there are lots of considerations: robustness of the process enforceable by strong technology with people acting honestly and all driven by laws & regulations (or organization policies). Protection is beyond encryption, firewall, system hardening. These are evadable.Most said human is the weakess link. Yes, this is still true but we must include factors like Incompetent cybersecurity practitioners providing recommendations without...

Freedom

9th March 20249th March 2024 By cliangNo Comments

This is relatively speaking. Freedom is granted to certain extend. In physical world, what stops us doing bad things? It's the laws & regulations that stipulate us behave properly. For religious, there are further moral obligations to follow, say, The Ten Commandments. Then how about in the space of digital world? We are all interacting with others in the metaverse. Cyber crimes are more complex to settle because it is cross jurisdiction. We are free to use many cyber resources but that does mean we can abuse. Network activities are mostly traceable. We have to exercise the proper behaviors, be suspicious of unknown requests, learn from others' incident in keeping us as well as our connected peers safe (secure). ...

Warning Message #2

26th February 2024 By cliangNo Comments

In physical world, warning sign is to alert you in keeping you safe. In cyber world, warning message might be abused as phishing attack or scam because it makes use of general public not able to differentiate if real or fake. What can we do to stay cyber secure? Some tips: Be vigilant to alerts, validate as much as possible or refer to persons with sufficient knowledge what's about Maintain your devices with latest version and necessary security patches Do not install unnecessary tools, or tools from source with doubt (social network, discussion forum, advertisement) Do not bypass system built-in feature, e.g. root or jailbreak the device to run codes from other sources ...

Architect

18th January 202418th January 2024 By cliangNo Comments

In physical world, an architect is "a person whose job is to design new buildings and make certain that they are built correctly", Cambridge. If this definition applies to digital world, the system architect is to ensure the system is built correctly per business requirement. Extending to cybersecurity, the cybersecurity architect is to ensure proper protection is incorporated in the digital landscape. Most often, cyber protections are overkilled. I come across an example that USB thumb drive carrying publicly downloaded security patches requires encryption because company policy only allows encrypted drive. On the IT side, there is no issue because patches are downloaded from IT machine with Internet access. But when transferring files to the OT side, it will create issue because decryption will need running special program in the USB "public" drive where OT environment is lock down. Further, the objective of encryption is to protect sensitive information in the USB because contents could be disclosed when lost. If dedicated USB...

Architecture #2

24th November 202324th November 2023 By cliangNo Comments

Parthenon, 447 BC Some cybersecurity practitioners always mention network diagram to have cybersecurity architecture for review and so-called approval. They know just the term and never grasp the real meaning. Cybersecurity architecture is actually the digital landscape having these core elements: network zoning, electronic perimeter control, cyber protection measures. The last one is an organization-wide issue because protection measures are not solely via technical controls which are the last to consider. Not everything can be technically enforced and if it does, it kills business. Enhancing workforce competency especially cybersecurity practitioners who act as internal subject matter expert to provide reputable and credible opinions rather than just slipping words out of their mouth. Situation awareness is another key player in protection measure. The illustrated architecture is an aged structure with and yet it is still standing there. By the same token we should not solely demand refreshing technology obsolescence because it has entered end of support. It needs a holistic...

Off Grid

10th November 2023 By cliangNo Comments

Our physical world is fully integrated with the cyber world. Some derivatives like privacy, digital asset, cyber protection are of a concern. The extreme approach to get rid of these cyber issues is to stay off grid, i.e. in the wild: no cell phone, no electricity, no tap water supply, no gas, no vehicle, or a complete isolate zone with the outter world. It is easy to just talk about staying off grid but when putting into practice, it's a great challenge to adapt. You need to hunt for food, collect drinkable water, build shelter, source heat to cook or keep warmth and most importantly don't get sick. Even a recycle bin will lead you connected with others in the logistic chain. We can't escape from the cyber world but to manage this to understand and accept the consequence. ...