Policies – The SECOND Advisories Limited

Isolation #2

2nd June 20252nd June 2025 By cliangNo Comments

In pandemic disease era, facemask is a effective means to protect being infected via airborne transmission. This is usually voluntary but in extreme situation, facemask is mandated by authority for presence in the public. Facemask serves two-folded protection: (a) protecting an individual from infected or (b) containing an infected individual from spreading the disease. In cyber world, similar protection philosophy applies. A device has platform protection (like host firewall) from being attacked by compromised device in the network, or limits its attack to other network neighborhood, if compromised. Further peer isolation in the network, usually enforced in wireless network, will enhance this protection. When formulating protection, we need to think in all perspectives. ...

Policies #10

27th April 202527th April 2025 By cliangNo Comments

Policies are rules. They stipulate what are allowed and what not. Good policies must be practically achievable and enforceable, not too strict and not too loose - this is the hard part. Too strict will incur policy exception and too loose will make the policy a decorative statement in the sign board. Writing good cybersecurity policies will require these as foundation: The policy maker must understand the business model, what outcomes to be delivered What are the risk appetite the organization willing to take, after all, there won't be 100% secure business in the world How the requirement shall enable the business securely but not prohibit innovations, we are living in digital transformation era and everything is going inside cyber What are peers or the industry doing, is the bar setting too high or too low That said, don't just apply textbook knowledge but listen to business units what will work and what not. Strike the right balance with 80/20 rule. ...

Administrative Control #2

21st February 202521st February 2025 By cliangNo Comments

SSSS (or 4S) is Smart Site Safety System. It consists of server, workstation, mobile network, end point devices (CCTV, smart watch, RFiD helmet, other sensors) to monitor construction site and workforce situation for safety hazards alert. For client project involving civil works, equipment installation etc, contractor will bring their own 4S to ensure and compliance with safety rules and regulations. 4S is not a project deliverable but a tool during construction. I see some cybersecurity practitioners have incorrect understanding. They demand contractor 4S compliance with own organization cybersecurity policies. No doubt 4S might capture client site specific condition, coincidental inclusion of personnel other than contractor workforce causing privacy concerns. We must not forget there are administrative controls in the contractual obligation to comply with laws & regulation plus non-disclosure agreement. We shall not bother the how's in technical aspects. Otherwise, this is overkilled. This something like you walk into a mall, using the ATM - there are CCTV everywhere but you won't question...

The Forgotten Place #6

5th December 20245th December 2024 By cliangNo Comments

We are living in the cyber era. This is commonly seen. See previous posts for recommendations. ...

The Forgotten Place #5

20th November 202420th November 2024 By cliangNo Comments

It is self-explanatory. There are similar faults posted previously. Risk of consequence must be understood before deploying information automation tool. If the display is for information of the mall, failure does not matter much and at most the reputation of the management office. But if the display shows real time high value trading, failure will cause substantial direct and indirect financial impacts. Direct is the loss of opportunity to conduct transaction by the users of the display. Indirect could be claims thru litigation by users of the display causing their direct loss due to this failure. Technically, multi-displays are deployed for resilience. From policy perspective, users must sign usage agreement to undertake consequence due to machine failure and disclaim the service provide for any direct or indirect losses. ...

Address

2nd November 20242nd November 2024 By cliangNo Comments

There is a key difference between physical and cyber worlds. In physical world, addresses for non-military areas are public. You have to label your apartment properly so that mail from postage service or goods from courier will not miss the destination. Major map service providers have the information online for public accessibility. In cyber world, IP address is sensitive information and securely protected in document, electronic information transfer. This is because if threat actor has landed in the internal network, the first thing is to conduct reconnaissance in understanding what are network nodes present, then trying to reveal its OS footprint in deciding what could be exploited. If IP address (and even worst with the host information, like in network diagram) are disclosed, it will save threat actor substantial amount of work in the discovery phase. However, whatever protections are imposed, it is just a matter of making the penetrating more difficult. There are always new threats, vulnerable OS, vulnerable software...

Security By Trust

19th October 2024 By cliangNo Comments

In physical world, we trust this glass roof is safe and secure to walk on because there are underlying processes to sustain its safety: Regular inspection and maintenance Regulatory requirement for license issue and renewal 3rd party insurance etc. In addition in building this infrastructure, the design will cater for the intended loading with safety margin, wind speed, anchor points stability plus build it per engineering standard to ascertain the quality. We will therefore have no doubt and trust these arrangements are in place and safely step on it. In cyber world, things are different. There might be cybersecurity standards as foundation but the design and build will require competent practitioners. Even there is comprehensive verification tests before commissioning, there are always new cyber threats requiring recurring effort to sustain the protection effectiveness. Deception to lurk victim into malicious web site to compromise the device or application will further complicate the situation. Then, how do we stay secure in the cyber world? It's a very...

Welcome

5th October 20245th October 2024 By cliangNo Comments

When we establish usage terms, we must consider the consequence and adopt the most appropriate wordings. Similar to other system settings, do not take default even for logon banner. In the past, there was incident threat actor penetrated into FTP server but caught. There is no legal ground to indicate this is unauthorized activity because the FTP server gives "Welcome to xxx FTP server, …" upon logon. There is no explicit wording of unauthorized usage will be prosecuted. So, there is the need to have holistic review what are default settings come with the software or application, review and revise accordingly. ...

Label

30th August 202430th August 2024 By cliangNo Comments

Label is commonly seen and required to identify things especially in cables. Without proper identification, it will be tedious in trouble-shooting. There is always debates on label. On one hand, it eases operation and maintenance tasks but on the dark side, it exposes the usage of the marked item. A mitigation is to assign label ID and mark this is the drawing. This requires resources to sustain the documentation when changes occur and regular inventory check to validate the marking is still correct. For the illustration, it has certain pitfall for insights. It exposes the location is for military purpose, a target for threat actor to penetrate or attack. "No trespassing" is unlikely enforceable especially during political conflict time. Ultimately, this requires the holistic assessment to balance the signage, back-end enforcement mechanism and cater for unexpected scenarios. All these are the attributes of writing a good policy that can be practically achieved. That said, don't just copy textbook knowledge and apply to your organization cybersecurity...

No Direction

22nd May 202423rd May 2024 By cliangNo Comments

The principle of governance is to enforce processes are conducted consistently per established and approved policies or directions in an organization. That way, the business outcomes are also consistent. Some incompetent cyber security practitioners I have seen are just play by ear to spell out requirements for what they think is more secure. without considering practicality and the underlying overheads. An example is to keep an register to record which OT system uses USB thumb drive. All OT systems use USB because of isolated network environment for file exchange. The key point is how to manage the use of USB securely rather than keeping such a register. We must ask how much protection is increased by adding protection (no matter technical control or administrative control) and will more risks be introduced if not doing so. We must stick to the established policies. If there are "bugs" in the policies, admit it. Schedule revisions with stakeholders involved to align with...