Emergency vs Privacy

It is common to leave contact information in passport, contact card in wallet such that under emergency situation, others could notify your family member or significant half. This will be helpful if you are travelling alone, or aged. But how do we eliminate scam? Our contact information (email, phone number) is perhaps widely shared when register for web service as 2-step authentication, product registration for warranty, leave as call back for inquiry results, or our friends' devices carrying our contacts are compromised. There is a little trick to beat against scammer by establishing a one-way trust. Put a preset phase in the emergency contact card. Pre-arrange this with your contact(s) the caller must quote this preset phase to prove the contact info is obtained from this emergency contact card but not elsewhere. ...
Read More

Bag Tag

It is common practice to tag your checked bag or even hand carried bag with a tag. How are you going to fill the info there? In old days, mobile communication device is rare. If you cannot find the bag at baggage claim area, you rely on transportation service provider to contact you and deliver the bag per the stated address even though you report them about lost bag. Therefore, you have to provide the accurate address and contact information. Now, the scenario is reversed. If you cannot find your checked bag, you contact the transportation service provider to locate the lost bag with ticket number assigned at check in and tell them where to send to and how to reach you. Therefore, the bag tag shall only serve an identification means and avoid putting too much privacy information (address, contact number, email) there. In addition, the tag attached to the checked bag has RFiD to track its routing through out the entire...
Read More

Renewable Energy

It is one of the decarbonization means. Investment involves initial plant setup and then recurring operating cost. There is no need for fuel except resources to manage the plant properly. The entire ecosystem will need site survey, i.e. how many days with sufficient wind are there in a year and the strength, physical security from sabotage of the plant and then digital security against cyber attack - bring down the grid, damage the equipment, scheduled plant maintenance. This shall best have a Hazard and Operability (HAZOP) exercise that include everything that most cybersecurity practitioners are only focusing on cybersecurity, or technical controls. If they do, they are incompetent for the job. ...
Read More

Administrative Control #2

SSSS (or 4S) is Smart Site Safety System. It consists of server, workstation, mobile network, end point devices (CCTV, smart watch, RFiD helmet, other sensors) to monitor construction site and workforce situation for safety hazards alert. For client project involving civil works, equipment installation etc, contractor will bring their own 4S to ensure and compliance with safety rules and regulations. 4S is not a project deliverable but a tool during construction. I see some cybersecurity practitioners have incorrect understanding. They demand contractor 4S compliance with own organization cybersecurity policies. No doubt 4S might capture client site specific condition, coincidental inclusion of personnel other than contractor workforce causing privacy concerns. We must not forget there are administrative controls in the contractual obligation to comply with laws & regulation plus non-disclosure agreement. We shall not bother the how's in technical aspects. Otherwise, this is overkilled. This something like you walk into a mall, using the ATM - there are CCTV everywhere but you won't question...
Read More

Risk Taking #2

Each one is fully responsible for the consequence by own act no matter in physical or cyber worlds. In physical world, the worst consequence is fatality if waring sign is ignored. In cyber world, it could be files are locked by ransomware, identity theft leading to financial loss or criminal offence if abused by threat actor. The hard part is there won't be obvious warning sign because attacks are stealthy or via deepfake. Education, situation awareness are the essential elements to secure the human aspect. ...
Read More

Address

There is a key difference between physical and cyber worlds. In physical world, addresses for non-military areas are public. You have to label your apartment properly so that mail from postage service or goods from courier will not miss the destination. Major map service providers have the information online for public accessibility. In cyber world, IP address is sensitive information and securely protected in document, electronic information transfer. This is because if threat actor has landed in the internal network, the first thing is to conduct reconnaissance in understanding what are network nodes present, then trying to reveal its OS footprint in deciding what could be exploited. If IP address (and even worst with the host information, like in network diagram) are disclosed, it will save threat actor substantial amount of work in the discovery phase. However, whatever protections are imposed, it is just a matter of making the penetrating more difficult. There are always new threats, vulnerable OS, vulnerable software...
Read More

Responsibility

I saw certain cyber security awareness poster has stated that keeping cyber secure is a shared responsibility. In certain way, this is true. Each of us plays a different part to protect the assets in the digital world. But "shared responsibility" appears as no one will take accountability and any one will think someone will take the lead to secure. In the illustration, you are responsible to well equip yourself to enter into the wild. You are well informed "You must be properly prepared to meet these hazards on their own terms. This is your responsibility." That should apply to the digital world and "shared" responsibility isn't the proper term and tone. ...
Read More

No Direction

The principle of governance is to enforce processes are conducted consistently per established and approved policies or directions in an organization. That way, the business outcomes are also consistent. Some incompetent cyber security practitioners I have seen are just play by ear to spell out requirements for what they think is more secure. without considering practicality and the underlying overheads. An example is to keep an register to record which OT system uses USB thumb drive. All OT systems use USB because of isolated network environment for file exchange. The key point is how to manage the use of USB securely rather than keeping such a register. We must ask how much protection is increased by adding protection (no matter technical control or administrative control) and will more risks be introduced if not doing so. We must stick to the established policies. If there are "bugs" in the policies, admit it. Schedule revisions with stakeholders involved to align with...
Read More

Trust #4

A machine in the corner of the mall for digital currency exchange. Whether you use it or not is a kind of risk taking because you don't know what is behind the machine, who operates it, any proper business license to protect your money if things go wrong. In digital world, we must not solely put focus just on cyber protection. Every aspect counts towards a secure business model. From the digital currency operator's perspective, secure cyber protection is not enough. Physical security, anti-tampering to manipulate network connection, I/O port interfaces and so on are all attack vectors. From he customer perspective, trustworthy of the machine is the prime concern. ...
Read More

Protocol

Protocol requires proper data format and valid ranges in different preset fields per design to work properly. Threat actors are trying to manipulate the different fields and data ranges in order to exploit weakness of underlying process to handle the protocol. Just like the illustrated locks. It allow dual admins to unlock it where each admin has own access key. If a "malicious" admin who does not follow the protocol to make the locks in series but putting them in parallel, then access is denied to other admin because unlock will require both keys at the same time. Therefore, when we talk about security, there are lots of considerations: robustness of the process enforceable by strong technology with people acting honestly and all driven by laws & regulations (or organization policies). Protection is beyond encryption, firewall, system hardening. These are evadable.Most said human is the weakess link. Yes, this is still true but we must include factors like Incompetent cybersecurity practitioners providing recommendations without...
Read More