Opportunist

Dual signages on display - adopt the appropriate one in a particular situation?

A policy statement must be clearly defined and published. It must also be precise and unambiguous, because it will be interpreted by different parties. If your cybersecurity policies are written unclearly, a lot of unnecessary internal overhead surfaces in the form of so-called policy exceptions or enforcement issues. Therefore, regular policy review and adjustment should be built into the policy requirements themselves. And last but not least, don't be over-ambitious and write something that is not achievable in the specific business environment. ...

Different perspectives

It is the same scene, but different people will interpret it differently. Business managers or plant floor engineers have their mission to achieve in delivering the business outcome, while cybersecurity practitioners have their own views on how to "ensure" a secure business or operational environment to fulfil their job role. Most often, this creates conflict. As cybersecurity practitioners, we shall never blindly apply academic knowledge, because each organization has its own specific ways of doing business. What the textbook, or even the organization's own security policies, say are just generic guiding principles. We are all hired to exercise professional judgment and to help the business understand the cyber risks; after all, accepting a risk is the business's decision. If the business hesitates, we provide the big picture: how cyber threats are likely to be exploited and the practical counter-measures that reduce the likelihood. Essentially, cyber threat is just one of the many operational risks to address. Don't invent extra and unnecessary cyber protections...

We are all just prisoners here, of our own device …

The lyrics are from "Hotel California": the song was recorded in 1976, and its prediction has come true. Disruptive technologies and their rapid advancement have changed the way we live. With the proliferation of Internet hotspots (mostly free) and powerful mobile devices (smaller size, powerful processor, larger storage), everyone can now stay connected for everything from casually reading email, browsing the web, sharing status on social media and chatting via instant messaging, to checking flight status and exchange rates, and even making critical decisions like confirming high-value transactions. With so much convenience, we rely heavily on this tiny device to keep our memories (contact info, photos, reminders) and credentials (digital wallet, second-factor authenticator) and to stay connected. We can't afford to lose it or have it malfunction; otherwise, we are handicapped in the physical world. We are now the prisoners of our device … ...

Excessive and Unnecessary Control

So many locks

Adding controls won't give you more security. I came across advice from another cybersecurity practitioner that was overkill. Indeed, the insecure WiFi case is part of this. The whole story is that a critical system (simply "the Target" hereafter) is isolated from the Internet. To update the Target with security patches and new anti-malware definitions, removable media (simply "USB" hereafter) is used to transfer the required files obtained from the OEM into the Target environment. No doubt there is risk in using USB. A dedicated kiosk scanning station (simply "the Kiosk" hereafter) is established to check for malware before the USB is plugged into the Target. So far, everything looks good and sensible. Because the Target that uses the USB is far away from the Kiosk, the cybersecurity practitioner had an innovative thought: to ENSURE that the USB plugged in is exactly the one just scanned by the Kiosk, and not a different one inserted by human mistake. In other words, the USB must be validated before loading to...

ROAM

Remote Office Access Method (inspired by ISAM and VSAM in the old days) has undergone significant changes over the past decades due to technology advancement. The need arises to provide better efficiency for system support, especially if expertise is required from overseas. In the early days, when remote access was via a dumb terminal over a dial-up connection, a call back to the pre-registered phone number was required for authentication. With routable networks, 2-factor authentication via a secure token is required to permit the remote session over a Virtual Private Network (VPN) connection. This requires complex pre-registration of the user identity associated with the token that generates the one-time password (OTP). The evolution continues into 2-step authentication with the OTP delivered in different form factors: SMS, apps on consumer mobile devices or a designated email address. Enrollment becomes easier with guided self-service, making it admin-less. Access technology is also evolving from full-tunnel VPN to split-tunnel VPN over Transport Layer Security (TLS), via a web browser or apps on the workstation with a rich desktop experience as if...

Do The Right Thing

Whether in the physical or the cyber world, there are facilities built for people to use to achieve certain purposes - whether paid or free. All these facilities are designed for proper usage. That said, if the assumed usage behaviour is not followed, some adverse consequence might result for the facility provider or the facility user. Take Internet banking as an example. Banks always remind people to safeguard their access credentials (i.e. password) to avoid the account being misused: never disclose the password to a 3rd party, not even the Bank; mandate 2-step authentication; enforce regular password changes; never click links from email or from social networks shared by others. Further, the Bank will alert the account holder via text message or email for any credit card transaction executed by physically swiping the card, impose transaction limits to 3rd parties, etc. So as a user, do the right thing as advised to stay cyber secure. That means, in the Internet banking example,...

Proper Usage #2

Security Boundary

Every system has its own weaknesses and limitations. We can't practically build a totally secure system unless it sits on the shelf without any usage value. There is always a need to assess the risks in order to choose the optimal security controls. The key part is the "users": they are expected to behave within the security boundary. Don't try to address ALL vulnerabilities, because it is unwise and a never-ending story. Even if this were achievable, it would be just a snapshot at a particular point in time. The proper approach is to:
- Understand what the inherent vulnerabilities are
- Identify the compensating controls surrounding the core system that reduce the likelihood
- Determine whether there are any alternate facilities to maintain minimal business operations should bad things happen
...

Insider #2

Physical access requires substantial resources, while visual accessibility is anywhere

Industrial Control Systems (ICS) in a plant are now modernized using commodity hardware and software with networking capability to enhance overall efficiency and business analytics, and to standardize the skillset for plant operation and support. With networking, remote diagnostics and support are also possible, cutting down the turnaround time without waiting for an engineer on site. Some cybersecurity practitioners focus only on the cyber portion of the plant. This is not wrong, provided that the physical aspects are considered at a comparable level, because the ICS is just one portion of the entire plant. The physical and mechanical plant conditions must also be secured. If a background check is deemed necessary for O&M teams to reduce insider threat, this should also extend to the service crews (e.g. delivery, janitorial), physical security guard services, contractors, vendors or even management. Most often, the management level is by default granted with...

Rule or Ruler

As a security practitioner, providing advice on securing the organization's cyber assets is the expected responsibility, and everyone in the organization has that expectation. In the commercial world, resources are limited and there are always risks in business operations. Therefore, risk management is needed in an organization to prioritize resources in dealing with the risks consistently. A risk-based approach to deploying appropriate controls must be in place, i.e. objectively per the organization's risk matrix rather than subjectively per individual perception. After all, there is no zero-risk business in this world. I came across a situation where a security practitioner demanded uplifting the criticality of a target system just by personal feeling, while the consequence did not exceed the threshold guideline per the official organization risk matrix. The escalated criticality of consequence could be legitimate, because the business environment or threat landscape may have changed. Then the correct attitude is to revise the organization's risk matrix, which serves as the foundation for consistent assessment. We must...

Transformation

Due to rapid technology advancement, business operations are always undergoing transformation. A phone kiosk becomes legacy as its use case approaches zero. While transformation creates new jobs, it also makes other jobs extinct. Imagine when there is no need to deploy phone kiosks: the job functions around the manufacturing line, its supply chain, sales, installation and regular maintenance are no longer needed. Therefore, transformation shall not be viewed only at the business-model level; workforce development and the mentality to accept change as part of life are also part of it. Transformation also integrates cybersecurity into every job function, although the scale and skill demanded might differ. Never complain that cybersecurity is none of your business. The positive attitude is to look into the appropriate training to adapt to and manage such new challenges. ...