The Forgotten Place #5

It is self-explanatory. There are similar faults posted previously. Risk of consequence must be understood before deploying information automation tool. If the display is for information of the mall, failure does not matter much and at most the reputation of the management office. But if the display shows real time high value trading, failure will cause substantial direct and indirect financial impacts. Direct is the loss of opportunity to conduct transaction by the users of the display. Indirect could be claims thru litigation by users of the display causing their direct loss due to this failure. Technically, multi-displays are deployed for resilience. From policy perspective, users must sign usage agreement to undertake consequence due to machine failure and disclaim the service provide for any direct or indirect losses. ...
Read More

Address

There is a key difference between physical and cyber worlds. In physical world, addresses for non-military areas are public. You have to label your apartment properly so that mail from postage service or goods from courier will not miss the destination. Major map service providers have the information online for public accessibility. In cyber world, IP address is sensitive information and securely protected in document, electronic information transfer. This is because if threat actor has landed in the internal network, the first thing is to conduct reconnaissance in understanding what are network nodes present, then trying to reveal its OS footprint in deciding what could be exploited. If IP address (and even worst with the host information, like in network diagram) are disclosed, it will save threat actor substantial amount of work in the discovery phase. However, whatever protections are imposed, it is just a matter of making the penetrating more difficult. There are always new threats, vulnerable OS, vulnerable software...
Read More

Security By Trust

In physical world, we trust this glass roof is safe and secure to walk on because there are underlying processes to sustain its safety: Regular inspection and maintenance Regulatory requirement for license issue and renewal 3rd party insurance etc. In addition in building this infrastructure, the design will cater for the intended loading with safety margin, wind speed, anchor points stability plus build it per engineering standard to ascertain the quality. We will therefore have no doubt and trust these arrangements are in place and safely step on it. In cyber world, things are different. There might be cybersecurity standards as foundation but the design and build will require competent practitioners. Even there is comprehensive verification tests before commissioning, there are always new cyber threats requiring recurring effort to sustain the protection effectiveness. Deception to lurk victim into malicious web site to compromise the device or application will further complicate the situation. Then, how do we stay secure in the cyber world? It's a very...
Read More

Welcome

When we establish usage terms, we must consider the consequence and adopt the most appropriate wordings. Similar to other system settings, do not take default even for logon banner. In the past, there was incident threat actor penetrated into FTP server but caught. There is no legal ground to indicate this is unauthorized activity because the FTP server gives "Welcome to xxx FTP server, …" upon logon. There is no explicit wording of unauthorized usage will be prosecuted. So, there is the need to have holistic review what are default settings come with the software or application, review and revise accordingly. ...
Read More

Label

Label is commonly seen and required to identify things especially in cables. Without proper identification, it will be tedious in trouble-shooting. There is always debates on label. On one hand, it eases operation and maintenance tasks but on the dark side, it exposes the usage of the marked item. A mitigation is to assign label ID and mark this is the drawing. This requires resources to sustain the documentation when changes occur and regular inventory check to validate the marking is still correct. For the illustration, it has certain pitfall for insights. It exposes the location is for military purpose, a target for threat actor to penetrate or attack. "No trespassing" is unlikely enforceable especially during political conflict time. Ultimately, this requires the holistic assessment to balance the signage, back-end enforcement mechanism and cater for unexpected scenarios. All these are the attributes of writing a good policy that can be practically achieved. That said, don't just copy textbook knowledge and apply to your organization cybersecurity...
Read More

No Direction

The principle of governance is to enforce processes are conducted consistently per established and approved policies or directions in an organization. That way, the business outcomes are also consistent. Some incompetent cyber security practitioners I have seen are just play by ear to spell out requirements for what they think is more secure. without considering practicality and the underlying overheads. An example is to keep an register to record which OT system uses USB thumb drive. All OT systems use USB because of isolated network environment for file exchange. The key point is how to manage the use of USB securely rather than keeping such a register. We must ask how much protection is increased by adding protection (no matter technical control or administrative control) and will more risks be introduced if not doing so. We must stick to the established policies. If there are "bugs" in the policies, admit it. Schedule revisions with stakeholders involved to align with...
Read More

Trust #4

A machine in the corner of the mall for digital currency exchange. Whether you use it or not is a kind of risk taking because you don't know what is behind the machine, who operates it, any proper business license to protect your money if things go wrong. In digital world, we must not solely put focus just on cyber protection. Every aspect counts towards a secure business model. From the digital currency operator's perspective, secure cyber protection is not enough. Physical security, anti-tampering to manipulate network connection, I/O port interfaces and so on are all attack vectors. From he customer perspective, trustworthy of the machine is the prime concern. ...
Read More

Clarity

Policies must be written precisely. That said, clarity is essential or otherwise it will create dispute, confusion in policy enforcement, audit exercise. The illustration has different interpretations: Apartment solely for retired government officials Government managed apartment for senior citizen If this appears in policy statement, it is not ideal. ...
Read More

Availability

Typical security objectives of cybersecurity are confidentiality, integrity and availability. It's just how they are prioritized in dealing with different use cases. Confidentiality is per the associated information classification to derive the necessary protection. Integrity protection is to understand consequence thru risk assessment what info entities need to protect. Then what about availability? I saw a cybersecurity practitioner developed security policy by copying textbook definition - simply to ensure information is available at all time. Without a measurement, it is not practically achievable. We have to define information must be available per the service pledge. Then, give certain margin in the service pledge with definition availability excludes planned outage for maintenance, achieving say 99.99% at all time. This is the foundation to establish cost-optimal resilience to achieve the committed target. ...
Read More