Policies – Page 3 – The SECOND Advisories Limited

Consequence

6th April 20236th April 2023 By cliangNo Comments

Certain cybersecurity practitioners are obsessive on technical controls. They overlook the consequence due to cyber or other non-cyber causes will be the same. Let's look at the illustration. Supposed if the truck has insecure network connection. It might be controlled remotely by threat actors. The adverse consequence might cause the truck hit any target or spill off the load. The same adverse consequence could be due to faults in the brake, fatigue of the chain, improper driving attitude … So, there should be a balance of cyber protection rather than creating many unnecessary technical controls to overkill the usage. More controls means more complex and more human errors will be resulted. ...

Information Security

24th March 202324th March 2023 By cliangNo Comments

It is the early term in this domain. It covers everything under the sun regarding information.As time goes by, information containers are moving into digital and seldom in hardcopies making it cyber nature and then cybersecurity becomes a fashion and buzzword. We have already replaced fax machine by email or secure electronic communication, carrying thumb drive instead of bundle of hardcopies, balance in stock account replacing the stock certificates. It is true for most of the cases but there are still information in hardcopy forms like birth certificate, marriage certificate, dealth certificate, passport, deed of assignment, legal documents in court etc. Therefore, these are outside the "cyber" sense and we must not forget the necessary protection to secure these kinds of information. The challenge is the "backup" which will require certified true copy issued by authenticated body. Sometimes, you can only have the original copy without backup like passport. Safekeeping the information container in possession is the prime protection. ...

Policy #10

10th March 202310th March 2023 By cliangNo Comments

In an organization, policy affects the culture and work practices. A good policy is practically achievable, acceptable and having buy-in with all levels why they have to follow these directives. In contrast, badly written policies will create conflict, politics and non-compliance because auditors will point out you are not doing the work according to the policies. Even worst in cybersecurity, certain cybersecurity practitioners micro-manage the protection technology down to brand name but no published standard is available. Everything is just in their mind with word slipping out from their mouth as recommendation. We must always bear in mind that cybersecurity is to help running business securely and don't overkill with unnecessary controls. There are lots of threats outside the cyber domains affecting business. The bottom line is to adopt resilience approach for prompt recovery rather than adding protection because you never know the threats outside your knowledge domain. Protections will require overheads to sustain their effectiveness too. ...

Policy Making

5th January 20235th January 2023 By cliangNo Comments

For certain job roles of cybersecurity practitioners, policy making is necessary as a foundation in running the business securely to a reasonably degree. While doing so, we must fully understand the business objectives, operating environment and intended business outcomes taking text book knowledge as a reference rather than blindly applying. Where necessary, suitable qualifier or elaboration is required to enhance clarity. Example is personal privacy. The data subject must be a living individual shall have differentiated the situation in real life. Without this, it is impossible and impractical to enforce by replacing all the tombstone around the globe. ...

Physics #2

31st October 2022 By cliangNo Comments

This is another great example to think deeper to balance cyber and physical world rather than just blindly putting unnecessary investment in cyber protection. There are researchers able to demonstrate remote control of the crane via a Casio watch. Is this scary? Without knowing the exploitation condition, management will be misinformed. We, as security practitioners, must analyze the situation, identify how this can be exploited before provide the correct message. The physical conditions of the crane must also be well under attention. Imagine a loosen bolt / nut, or erected at the improper foundation, incorrect procedure to extend the crane height could all result into the same catastrophic consequence. ...

Directive

13th September 202213th September 2022 By cliangNo Comments

A clear directive (warning on usage) is required to keep human safe. This is the most effective safety protection. After all, everyone is responsible for own safety. Similarly, a proper directive (usage terms) is deemed sufficient to keep cyber safe. It's just a matter to exercise disciplinary process in an organization is rare leading to too many controls. Making things complicated does not necessarily enhance security but could degrade intended protection. People will try to get around controls to make life easier. ...

Usability

2nd September 20222nd September 2022 By cliangNo Comments

Everything is now undergoing digital transformation residing in the cyber space. Certain cybersecurity practitioners I met are overkilling business operations with cyber protection claiming to stay secure. Take the illustration above, the glass window provides scenery view from the room. If the reinforced steel covers are put on, it could definitely protect the glass window from strong wind during adverse weather. But if this steel covers are closed all the time, this will drive guests away affecting revenue. We need to be pragmatic and accept there are always risks from various domains to the business. And it's impractical to eliminate all risks. If you attempt doing so, it will end up "The operation was successful. The maharaja is dead." ...

Isolation

19th August 202219th August 2022 By cliangNo Comments

By common sense, systems isolated from the network will have immunity from cyber attack over the wire but still be vulnerable to infected removable media upon physical insertion. Just like the boat above. You don't worry about attack from sharks but what about crocodile in shallow water? As cybersecurity practitioner, we must have holistic understanding of the target operating environment, business objective and adverse consequence. We should not simply say my roles look after architecture and other issues need to talk to relevant team mates regarding cyber risks, cyber operations etc. With complete understanding, impose viable (not necessarily technical) controls for high impact consequence by reducing likelihood as much as practical. Don't just follow textbook knowledge - these are for reference only and must be digested what is applicable in own environment for helping asset owners with recommended optimal investment rather than overkill. Adding controls only creates complication and does not guarantee more secure. Indeed, more controls will demand...

Misconception

9th July 20229th July 2022 By cliangNo Comments

Administrative control back by legal system is the most effective control Many cybersecurity practitioners has misconception that technical controls are means to secure the cyber environment. They insist for encryption, MFA, session time out, catch up with security patches, deploy latest version, mandate anomalies detection in virtual environment etc. Sometimes, excessive controls will not increase the level of security much. Even worst, new controls will bring to new risks not to mention degrading productivity. Have a thorough understanding the business, cyber environment and attack surface is the essential element. Conducting a risk assessment is to strike the right balance what to invest and what risks can be tolerated. Example #1, if the system is fully isolated, remote exploit thru network even with CVSS score of 10 doesn't matter. Example #2, RFiD tags won't be stick to each piece of commodity in the supermarket. Only high value items are tagged. This is the business risk to accept when running the self-service operating model. ...

Dynamic Policy

27th June 202227th June 2022 By cliangNo Comments

Written directives for cybersecurity are getting more challenges to formulate into policies due to dynamic business nature. If too rigid, compliance will be an issue. If too loose, then forget it because the policies won't stipulate specific protection. Eventually, policy statement will be conditional. Instead of laying down business logic, precise specific protection is stated for generic situation. An example is information protection regarding credit card transaction. If transaction value exceeds defined threshold, further check is needed for authorization. This will be implemented in the system and the defined threshold will be per cardholder's spending profile, usual spending location, repayment history etc. The zero-trust access model is taking similar approach to grant access in further strengthening critical information asset assess. Last but not the least, technical enforcement can always be defeated or circumvented by human factor and usage behavior. That's why raising situation awareness and workforce competency development are important to invest rather than solely narrow focused on...