Control #2

Most people assume that cybersecurity controls require high-tech solutions: deep packet inspection, non-reversible encryption, biometric authentication with time-of-day usage permissions, sandboxes to validate the behaviour of unknown executables, event correlation across multiple log sources to trace network traffic, data leakage detection, and so on. To some degree this is true, and such controls are required. But controls must also be deployed correctly, so that they minimize the attack surface and do not undermine other controls already in place. Further, resources in the real world are always limited, so we have to deploy the optimal mix of controls. A road-traffic analogy:

Preventive control - building a physical separation between opposing lanes is costly.
Detective control - a traffic camera is less costly, but it requires a process to review the events it records.
Administrative control - double solid white lines are the most cost-effective control.

Whatever the control type, behind the scenes each one must be enforceable by regulation, with consequences for violation....

USB Port Misconception

People often say that blocking USB ports is a control in their company, yet somehow there is an exception process to "authorize" company USB storage devices for business reasons. This makes two mistakes:

1. USB is now the standard I/O interface. Keyboards, mice, IP phones and other peripherals connect over USB, so USB ports cannot be blocked as a blanket directive. The correct framing is managing removable media, not blocking ports.

2. The protection objective is not clear. What is this technical control for?
- Limiting the import of malware
- Limiting data leakage
- Something else

An "authorized" company USB storage device defeats every one of these objectives as soon as that device is also plugged into non-company computers, and that is entirely outside the reach of technical control. The reality is that file exchange is a legitimate business need. Providing a means for secure file exchange eliminates the use of removable media and gains user buy-in. The ultimate control relies on management....

Cyber Risk Likelihood

In the physical world, likelihood is based on historical frequencies, scientific calculation such as the projected path of a hurricane, or engineering specifications such as MTBF (Mean Time Between Failures). Likelihood is the foundation for predicting when an event will occur, and it is the key input for the insurance industry. In the cyber world this does not hold. A newly discovered vulnerability can turn a security protection insecure overnight. TLS (Transport Layer Security) is an example: people take TLS for granted as a secure means of protecting sensitive information submitted over the network. Then Heartbleed (CVE-2014-0160, a memory-disclosure bug in OpenSSL's implementation of the TLS heartbeat extension, not a flaw in the protocol itself) shocked everyone, and nothing in the traditional approach could have predicted it. A different approach has to be adopted to address cyber risk likelihood....

CONFIDENTIAL?

People talk about leaking company CONFIDENTIAL information. It is not just a word that slips out of your mouth to blame your staff; it takes a proper management system to formalize it. You have to rethink:

- Do you have an information classification policy?
- Does your information carry any classification marking? If it carries no marking, what is the default classification? Unlabelled information should never be regarded as CONFIDENTIAL by default.
- Are you holding information that is also available from other sources or already publicly known?
- Have you provided training or orientation to raise staff awareness of the proper handling of company information?

If you lack any one of these, the fault lies with your company, not your staff....