Trust #4

A machine in the corner of the mall for digital currency exchange. Whether you use it or not is a kind of risk taking because you don't know what is behind the machine, who operates it, any proper business license to protect your money if things go wrong. In digital world, we must not solely put focus just on cyber protection. Every aspect counts towards a secure business model. From the digital currency operator's perspective, secure cyber protection is not enough. Physical security, anti-tampering to manipulate network connection, I/O port interfaces and so on are all attack vectors. From he customer perspective, trustworthy of the machine is the prime concern. ...
Read More

Clarity

Policies must be written precisely. That said, clarity is essential or otherwise it will create dispute, confusion in policy enforcement, audit exercise. The illustration has different interpretations: Apartment solely for retired government officials Government managed apartment for senior citizen If this appears in policy statement, it is not ideal. ...
Read More

Availability

Typical security objectives of cybersecurity are confidentiality, integrity and availability. It's just how they are prioritized in dealing with different use cases. Confidentiality is per the associated information classification to derive the necessary protection. Integrity protection is to understand consequence thru risk assessment what info entities need to protect. Then what about availability? I saw a cybersecurity practitioner developed security policy by copying textbook definition - simply to ensure information is available at all time. Without a measurement, it is not practically achievable. We have to define information must be available per the service pledge. Then, give certain margin in the service pledge with definition availability excludes planned outage for maintenance, achieving say 99.99% at all time. This is the foundation to establish cost-optimal resilience to achieve the committed target. ...
Read More

Enforcement #5

What can and what cannot be practically enforced? Setting up a written directive (policy statement) is easy. But the actual value of a policy statement is to achieve certain purpose in arriving at the desirable consequence. If something cannot be practically accomplished, that is a bad policy. Some cybersecurity practitioners establish policies very strictly hoping to secure the organization business operations. The pitfall is a large gap will be resulted with reality or the current setup. Flexibility must be built to avoid so many non-compliance cases. Non-compliance also affects the corporate governance in the entire organization. The proper approach is to make it incremental strengthening, listen and adopt feedbacks from field users who will tell what works and what absolutely not works. Even if that works, other elements to consider are maximize the investment for best protection and the urgency to do so. Never establish policies based on media, sales pitch nor textbook knowledge. ...
Read More

Security Culture

A trivial observation will reveal a lot of issues about the security culture of an organization. 1. Does the organization: Have information security policies in place Define the differennt information classes Provide examples of each information class Establish approval process with appropriate authoritive level to declassify information for sharing Deploy viable means to share confidential materials Communicate properly all staff with mandatory regular refresher programme Integrate information security undertaking in the employment term Impose discrepancy process for policy violation Enforce role based access profile per job function Review periodically for appropriate access rights 2. Do the staff: Have minimal access to information just per the job roles Forget to reclassify the information after approval has been granted Understand what has gone wrong It seems so many issues have been surfaced but this is the challenge and a matter of fact when all of us living in the digital world, not-to-mention unstructured information is everywhere beyond the organization cyber landscape. The bottom line relies on human rather than technologies to secure information mandated by policies (written directives). ...
Read More

ZTNA

Zero Trust Network Access (ZTNA) is suddenly becoming eye-catching in ICT. No doubt, this will enhance cybersecurity as untrusted by default. The theory is simple: going thru multiple policies (technical configuration settings) and authentication before gaining access to the designated network resources. The controls are applied on who (access roles), when (time of day), what (network resources), where (network location) & why (what type of transaction or business reason). In a nutshell, who to access what resources from where and when with legitimate reason (why). The pitfall is the "how" … how does the existing environment fit with this access model and not-to-mention the changes in user experience. A M2M (Machine to Machine) ZTNA might be applicable use case but this will definitely take a while to transform for access involving human. Even worst, some cybersecurity practitioners introduce this ZTNA model in the ICS environment to combat against cyber threats which are even just conceptual because the ICS environment has...
Read More

Policy and Usability #2

For regions driving on the left, driver seat in the vehicle is on the right. If this policy is blindly followed in private venue without reimagine for practicality, it will end up the driver is unable to activate the toll gate, or make this a very complicated task. This can be resolved either at design stage to move the toll gate at the centre position serving both lanes, or simply change the direction of driving in this private venue for cost-effective retrofit. Therefore, competent cybersecurity practitioners must fully understand the business nature of the organization they work for, remove unnecessary controls in the systems to fit practicality or even revise the policy with flexibility making cybersecurity as business enabler. ...
Read More

Policy and Usability

I came across certain cybersecurity practitioners who are obsessive with technical controls and insist a strict binary decision in determining policy compliance. Otherwise, so-called non-compliance process needs to be initiated with necessary executive signature as acceptance. Even worst, the policy is badly written and lack of precise generic as well as precise specific at the appropriate scenarios. Such mentality is not securing the business but an major obstacle in digital transformation and competitiveness with peers. As competent cybersecurity practitioners, our roles is to explain what are protection in place to neutralize the published cyber threats rather than creating FUD to management. Sometimes, a management directive with disciplinary action for non-compliance is far much cost-effective than technical controls. Example is password complexity and MFA, this only make password sharing harden but not impossible. Education is another domain why we should not doing so. More technical controls means complexity. Complexity doesn't make it more secure but user will try to evade or circumvent the...
Read More

Safety and Cybersecurity

In any field work, safety is the most important thing. Yet, we cannot totally eliminate the likelihood of fatality no matter which types of organization. What we can do is to demonstrate that there is safety system, culture, management committment, user education, pre-work assessment to reduce the likelihood. Likewise, there no 100% cyber secure business. Do not introduce unnecessary controls or else more chance of human error, technology failure that all these will impact the business outcome rather adding protection. Think also the likelihood of exploit from physical aspect rather than just drill down in the cyber aspect. The best strategy is to ensure resilience to resume business operation because there are too many threats in the wild that we don't know. We can only protect what we know and that is worth to protect. ...
Read More

Container or Content

When installing controls, you have to understand what is the protection objective. Don't just apply textbook knowledge for the sake of having controls. Understand the business environment and the consequence to determine the optimal controls. Sometimes, controls are really unnecessary because the consequence is acceptable by common sense. If you put the wrong focus, the protection doesn't make any sense and wasting valuable resources. Don't just insist for policy compliance because policy could be written incorrectly. Apply your professonal judgment as we are hired to do so. If not, you are neither competent for the job nor having common sense. ...
Read More