People – The SECOND Advisories Limited

Integrity

19th August 202319th August 2023 By cliangNo Comments

Here, I am not talking about the fundamental of information security, the CIA aspects. Most often, we trust the policy enforcement is honestly executed. Imagine the parking ticket is issued to vehicle with time expired. How do we ensure this is done unbiased, i.e. the actual time is expired in the meter rather than issuing the parking ticket at wish? We are not yet coming to the point of technology failure (incorrect display, incorrect calculation etc.). Personal integrity is important and that's why human is the success factor in cyber security. I have seen incompetent cybersecurity practitioner raising subjective opinions or manipulate the situation based on a buggy policy without looking in the real situation nor listen to feedback. This is the most biggest risk to an organization. The risk is no longer due to hackers, human error, insecure configuration, lack of cyber maintenance and those typical FUD issues. Therefore, evaluating the competency of the...

ZTNA

8th August 2023 By cliangNo Comments

Zero Trust Network Access (ZTNA) is suddenly becoming eye-catching in ICT. No doubt, this will enhance cybersecurity as untrusted by default. The theory is simple: going thru multiple policies (technical configuration settings) and authentication before gaining access to the designated network resources. The controls are applied on who (access roles), when (time of day), what (network resources), where (network location) & why (what type of transaction or business reason). In a nutshell, who to access what resources from where and when with legitimate reason (why). The pitfall is the "how" … how does the existing environment fit with this access model and not-to-mention the changes in user experience. A M2M (Machine to Machine) ZTNA might be applicable use case but this will definitely take a while to transform for access involving human. Even worst, some cybersecurity practitioners introduce this ZTNA model in the ICS environment to combat against cyber threats which are even just conceptual because the ICS environment has...

Trust #3

21st July 202321st July 2023 By cliangNo Comments

Driving on the road is risky in the physical world. The worst consequence is fatality. There are life-saving measures like air bag, seat belt in the vehicle. As a driver, how do you ensure these measures will work when needed? No, we can't but to trust these safety measures will work per design. At most these are checked during vehicle maintenance but no guarantee they work without actually activating the trigger. Similarly a data exchange link is purposely built to convert TCP with DPI (Deep Packet Inspection) to serial communication in getting around the so-called vulnerable routable protocol in a lock down (both physical & cyber aspect) environment. Assessment of this communication link appears reasonable to verify properly configured but extending the scope to its surrounding systems how well they are secure will be excessive, overkill and waste of resources. There are many things we must trust based on our instinct and exercise professional judgment. Otherwise, there is no...

Policy and Usability #2

11th July 2023 By cliangNo Comments

For regions driving on the left, driver seat in the vehicle is on the right. If this policy is blindly followed in private venue without reimagine for practicality, it will end up the driver is unable to activate the toll gate, or make this a very complicated task. This can be resolved either at design stage to move the toll gate at the centre position serving both lanes, or simply change the direction of driving in this private venue for cost-effective retrofit. Therefore, competent cybersecurity practitioners must fully understand the business nature of the organization they work for, remove unnecessary controls in the systems to fit practicality or even revise the policy with flexibility making cybersecurity as business enabler. ...

Policy and Usability

29th June 202330th June 2023 By cliangNo Comments

I came across certain cybersecurity practitioners who are obsessive with technical controls and insist a strict binary decision in determining policy compliance. Otherwise, so-called non-compliance process needs to be initiated with necessary executive signature as acceptance. Even worst, the policy is badly written and lack of precise generic as well as precise specific at the appropriate scenarios. Such mentality is not securing the business but an major obstacle in digital transformation and competitiveness with peers. As competent cybersecurity practitioners, our roles is to explain what are protection in place to neutralize the published cyber threats rather than creating FUD to management. Sometimes, a management directive with disciplinary action for non-compliance is far much cost-effective than technical controls. Example is password complexity and MFA, this only make password sharing harden but not impossible. Education is another domain why we should not doing so. More technical controls means complexity. Complexity doesn't make it more secure but user will try to evade or circumvent the...

Dual Home

19th May 202319th May 2023 By cliangNo Comments

Certain cybersecurity practitioners have no knowledge of the implication when writing policy statement even with help from external subject matter experts. A typical example is that host with "dual home" connection must not be allowed. There are some rationales that this network setup will incur cybersecurity risks but only on particular scenarios. It is risky if one network interface card (NIC) lands on trusted zone while the other NIC lands on a "dirty" zone. The host is then acting as a network firewall that might not be robust as a dedicated network firewall device capabilities. But if the host (especially in control systems) needs this setup to be managed by computer management system (e.g. domain controller) in one network while the other network manages the controllers, sensors and the design is certified by the manufacturer, blindly changing this to non-dual home setup will affect the intended operational capabilities. Lesson learned: don't write something that causes your business immediately falling into...

Consequence

6th April 20236th April 2023 By cliangNo Comments

Certain cybersecurity practitioners are obsessive on technical controls. They overlook the consequence due to cyber or other non-cyber causes will be the same. Let's look at the illustration. Supposed if the truck has insecure network connection. It might be controlled remotely by threat actors. The adverse consequence might cause the truck hit any target or spill off the load. The same adverse consequence could be due to faults in the brake, fatigue of the chain, improper driving attitude … So, there should be a balance of cyber protection rather than creating many unnecessary technical controls to overkill the usage. More controls means more complex and more human errors will be resulted. ...

Policy #10

10th March 202310th March 2023 By cliangNo Comments

In an organization, policy affects the culture and work practices. A good policy is practically achievable, acceptable and having buy-in with all levels why they have to follow these directives. In contrast, badly written policies will create conflict, politics and non-compliance because auditors will point out you are not doing the work according to the policies. Even worst in cybersecurity, certain cybersecurity practitioners micro-manage the protection technology down to brand name but no published standard is available. Everything is just in their mind with word slipping out from their mouth as recommendation. We must always bear in mind that cybersecurity is to help running business securely and don't overkill with unnecessary controls. There are lots of threats outside the cyber domains affecting business. The bottom line is to adopt resilience approach for prompt recovery rather than adding protection because you never know the threats outside your knowledge domain. Protections will require overheads to sustain their effectiveness too. ...

Infected

26th February 20234th March 2023 By cliangNo Comments

A leaft in a plant is infected. Saving the plant should contain and neutralize the infected from spreading to other peers. Similarly if a computer in a Plant system is compromised, the recovery is to contain, neutralize and rectify it to avoid affecting the neighouring nodes. On a strategic approach, if the ingress/egress points with external systems including removable media are tightly controlled and the O&M activities are strictly following the administrative controls, the likelihood of being compromised if rare to none; even security patching is not in regular fashion. This is the common practice in industrial automation control systems. However, certain cybersecurity practitioners always believe the same maintenance practice including technical controls as if in IT should be adopted. This will definitely consume unnecessary resource and likely break things causing severe damage to the plant. ...

Improper Control #2

24th January 2023 By cliangNo Comments

The detection should be deployed on the "risky" lane at junction Technical control is just one of the security measures. There are much surrounding elements to take care in order to secure. This includes but not limited to: Understand the security objectiveDesign with optimal controlsDeploy with the viable measures (be it technical, administrative or management controls)Verify if controls are deployed per designSustain the effectiveness of the controls Most often, security practitioners are focusing on technical controls with micro management. They forget the bigger picture where the technology stands in the entire business landscape. ...