USB Port Misconception

By cliangNo Comments
Most often, people said blocking USB port is a control in the company but somehow there is exception process to "authorize" company USB storage device to connect due to business reason. Two mistakes: 1. USB ports are standard I/O interface now.  There are different needs like keyboard, mouse, IP phone device using USB connection.  They cannot be blocked as a blanket directive.  The proper way to say is to manage removable media. 2. The protection objective is not clear. What is this technical control for: Limit importing malware Limit data leakage Something else With an "authorized" company USB storage device, it will be in vain for any of these cases as long as that company device is shared with other non-company computers.  This is totally outside technical control. The reality is that file exchange is always legitimate business needs.  Providing a means to facilitate secure file exchange will eliminate the use of removable media as well as getting user buy-in. The ultimate control relies on management...
Read More

Cyber Risk Likelihood

By cliangNo Comments
In physical world, likelihood is based on historical frequencies, scientific calculation like path of hurricane, engineering specification such as MTBF (Mean Time Between Failure). Likelihood is the foundation to predict when an event will occur. It is the key catalyst in the insurance industry. In cyber world, this is not going to be the same. Uncovered vulnerability will turn security protection insecure over night. An example is TLS (Transport Layer Security). People take TLS for granted as a secure means to protect sensitive information submission over the network. The Heartbleed suddenly shocked everyone and this can't be predicted per traditional manner. A different approach has to be adopted to address cyber risk likelihood....
Read More

CONFIDENTIAL?

By cliangNo Comments
People talk about leaking company CONFIDENTIAL information.  It is not just a word slipped from your mouth to blame your staff but a proper management system to formalize it. You have to rethink: - Do you have an information classification policies? - Does your information carry any classification marking? And if no marking, what is the default classification? No classification label should never be regarded as CONFIDENTIAL. - Are you holding information that is also available from other sources or publicly known? - Have you provided training or orientation to raise the staff awareness the proper handling of company information? If you don’t have any one of these, it’s the fault of your company but not your staff....
Read More