Unnecessary Control #2

By cliangNo Comments
Control must be enforceable. If control can be circumvented or bypassed, then there is no point to deploy such control. That's why we need to keep updating the system, infrastructure to sustain their effectiveness over time due to emerging threats are out. There are many examples out there in the cyber world. Attack and defense are competing each other. Once in the digital journey, allocate resources to address multiple aspects to stay secure: Collect threat intelligence and their impacts to own environmentAssess operation risks to prioritize protectionMaintain workforce competency and situation awarenessRefresh technology obsolescenceEstablish achievable and enforceable cybersecurity directives ...
Read More

Full Coverage

By cliangNo Comments
Traffic camera is only deployed at risky locations to detect unsafe driving behavior but not everywhere This time, I talk about auditor instead of cybersecurity practitioner that I have come across. In an ICS audit, auditor has questioned why the deployed anomalies detection does not have full coverage of all devices. This will impose cyber risks due to malicious traffic cannot be detect early. Despite thorough elaboration with the following rationales, auditor is still not satisfied: The ICS is isolated from the Internet and not even any other peer ICSWithin the ICS, the plant units are further zoned in the network such that cyber threats are contained prohibiting lateral movement to compromise the entire ICSThe ICS is hardened with removable media lock downOutgoing process information data to other the repository in the ICS network is thru unidirectional gateway enforcing push out to avoid reverse TCP attack in the case of stateful network firewallFull coverage will have only very a small gain in detection capability...
Read More

Let me drop everything …

By cliangNo Comments
And work on your problem! Politics are always incurred in work and culture of an organizations especially large one. Cybersecurity becomes a hot topic and new normal to strike for cyber safe in applicaton system, business process or industrial automation. There are cybersecurity policies mandating the right things to do. However, no policies are perfect and neither can policies address all situations in real life. It then creates a new political atmosphere. The appropriate approach is to engage a 3rd party to look at the entire cybersecurity culture of an organization from fresh-eye, the competency of the cybersecurity team whether the members possess the relative credentials, their ability to upkeep knowledge, their working relationship with business, the cybersecurity strategy or priority on the organization as a whole rather than micro-management and zero-one decision of so-called policy compliance. ...
Read More

Administrative Control

By cliangNo Comments
Certain cybersecurity practitioners insist to impose technical controls to secure the infrastructure/system. To some degrees yes, basic technical controls will prohibit human error or low skill attacks. Adding technical controls will never secure the infrastructure/system more. At some points, more controls will even degrade the security due to a number of issues: People will find ways to circumvent controls because affecting productivity (writing down complex password)New control might introduce new system weaknessExtra efforts are required to sustain the control effectiveness (upgrade, backup, other housekeeping tasks: patch, patch, patch ...) These are always the neglected elements. Sometimes, exercise administrative control will enforce discipline internally while externally relying laws & regulations. ...
Read More

Dual Standards

By cliangNo Comments
It is no harm to have dual standard to fit specific use case. As long as the directive is clearly stated, it is fine. For badly written policies, the policy requirements are subject to interpretation creating chaos. This happens especially due to incompetent cybersecurity practitioners. Therefore, the outcome of any security assessment should not just look at how the system is designed, built and operate. Validating the policy statement if it is up to industry best practice and practically achievable in commercial world are also equally important. ...
Read More

Enforcement #4

By cliangNo Comments
A directive must come with sensible enforcement Cybersecurity policy establishment and cybersecurity policy enforcement are usually executed independently in an organization. Normally, policy authors are more knowledgeable to stipulate the rationale behind whether explicitly or implicitly why protection are required to secure the cyber space of the organization. Enforcement team simply follow the book to provide advisories or perform compliance check. The world is not perfect and situation will drive decision if it is a policy exception or the inadequacy of policy for revision. As cybersecurity practitioner, we must exercise our professional judgment to advise pragmatic approach in helping business for policy compliance rather than just a zero or one decision. After all, a "cyber court" in an organization is uncommon where the "cyber judge" will have the final ruling. Certain cybersecurity practitioners even have mal-practice to involve Senior Management for approval without taking up professional responsibility. Senior Management should be in the informed role rather than an approval role. ...
Read More

Opportunist

By cliangNo Comments
Dual signages on display - adopt the appropriate one in particular situation? Policy statement must be clearly defined and published. It must also be precise without ambiguity but subject to interpretation by different parties. If your cybersecurity policies are written unclear, a lot of unnecessary internal overheads of so-called policy exceptions or enforcement issues will be surfaced. Therefore, regular policy review and adjustment is indeed integrated into the policy requirement. And last but not least, don't be aggressive to write something that is not achievable in the specific business environment. ...
Read More

Surrealism

By cliangNo Comments
It is easy to for artists to draw something or writers compose fictions beyond imagination. Such creation even stimulates innovation that when putting into practice disrupting the industry and our life. However when writing cybersecurity policies, the directives must be pragmatically achievable and effectively enforceable. After all, policies are the internal company rules for every level to comply with. If the rules cannot be achieved, nor enforced, these rules are just a document in the bookshelf. Follow what the industry or the peers do rather than inventing something high-sounding but cannot be landed on the ground. Non-compliance will be the outcome. ...
Read More

Dead End

By cliangNo Comments
Can't turn left nor right and no pass thru ahead Good cybersecurity policies (management directives) should avoid incorrect interpretation nor perception. Further down the road, if policies is not precise generic nor precise specific for just-right coverage - many "policy exceptions" will be resulted. The most incorrect approach is to ask the senior management to approve such exception. The whole game should be the cybersecurity Subject Matter Expert (SME) assesses the area where policies cannot be complied with. The SME shall recommend pragmatic compensating controls and grant temporary approval while senior management is in the role of being informed. We, cybersecurity practitioners, must help senior management to understand cyber risks (mostly perception), how the risks could be exploited n own specific business environment. Like the recent Log4Shell zero-day vulnerability, understand what it is rather than blindly to push applying patches, assess the likelihood of exploitability and stand firm to explain why this is not severe if there are cyber threats intelligence...
Read More

Different perspectives

By cliangNo Comments
It is the same scene but different people will interpret it differently. Business managers or plant floor engineers have their mission to achieve in delivering the business outcome while cybersecurity practitioners have their opinions to "ensure" a secure business or operational environment to fulfil their job role. Most often, this creates conflict. As cybersecurity practitioner, we shall never blindly apply academic knowledge because each organization has its own specific ways of doing business. What the book or even the organization security polices themselves are just generic guiding principles. We are all hired to exercise professional judgment, to help business understand the cyber risks and after all it is the business decision to accept. If business has hesitation, then we provide them the big picture, how cyber threats are likely exploited and the practical counter-measures to reduce the likelihood. Essentially, cyber threat is just one of the many operation risks to address. Don't invent extra and unnecessary cyber protections...
Read More