PPT, PPTP

People, Process and Technology (PPT) are routinely cited as the foundation of cybersecurity. They are. But without formal organizational policies to drive them, several pitfalls are predictable: misalignment among business units; misinterpreted context of the policies; lack of management support for continuous improvement; and an insufficient skill set in the workforce. A more precise model, PPTP (People, Process, Technology, Policies), is therefore more suitable. Without the last P it is like a chair with a broken leg: it will fall (fail)....

Access Control

In the physical world, access control is a barrier that is opened only for an authenticated individual. The same applies in the cyber world. In both worlds, access control manages "honest" users; it does not, by itself, stop a malicious user who intentionally bypasses the barrier(s). Laws and regulations are the last resort to stop offenders....

Policies #2

Setting up policies seems easy: it is just putting the management objective in written form. However, the objective must be practically achievable and enforceable for all stakeholders involved. Otherwise it is just a slogan in the air, and a low-hanging fruit of non-compliance in any assessment exercise....

Sunrise, Sunset

You cannot tell, because it lacks a reference: the time of day, or more precisely which planet (Earth is generally assumed). Similarly, is the infrastructure/system cyber secure? It needs reference points. The corporate cybersecurity policies and the corporate risk matrix are the reference points for prioritizing protection measures that reduce likelihood. Furthermore, a scoping statement is required, especially for a cybersecurity assessment or accreditation. ISO standard compliance is meaningless without a statement of applicability. Whether the scope is (a) the in/out tray of paper document handling or (b) the information processing system/infrastructure handling electronic documents makes a great difference in the operational controls required, as well as in the ongoing effort to sustain the accreditation....

Privacy

We all know the importance of privacy and the need to protect it. While protecting privacy, we need to look at regulatory requirements in 360 degrees, i.e. we cannot hide something whose display is mandatory. A question for the reader: in postal mail, does a window envelope displaying both name and address violate privacy?...

Shadow IT

Gartner defines Shadow IT as IT devices, software and services outside the ownership or control of the (IT) organization. Given that information processing facilities and information containers are no longer centralized, shadow IT is a common phenomenon. Each one of us carries a cellular phone that is a powerful information processing facility and a large storage device in the pocket. Extensive connectivity and cloud computing, via the access-anywhere, any-platform model, further accelerate this situation. Cyber risks are incurred to varying degrees. Various protection technologies have surfaced in the market: Mobile Device Management, endpoint lockdown, cloud-based proxy, Data Leakage Protection, disk encryption and so forth; but none of them is bullet proof. The organization needs to think about enablement (and empowerment) through a streamlined approach rather than prohibition. Policy formulation, usage guidance, risk management, user awareness and enforcement via the disciplinary process are all required to minimize the impact....

The Good, The Great

As a cybersecurity practitioner, you might need to assist the asset owner or end user in dealing with an auditor (or security assessor). The Good auditors can pick out discrepancies between your operation and the "policies" (written directives, procedures or instruction documents) down to minute details. They treat these as the yardstick ("so it shall be written, so it shall be done") for a yes-or-no compliance decision, without looking at other compensating controls. Every change or review execution needs documented evidence (name, date, signed approval, next review date, etc.). How these documents are effectively managed is not their focus, even though it creates many unnecessary overheads and raises the question of the documents' trustworthiness. The Great auditors go a step further. They consider whether the written "policies" have gaps against best practice or are practically achievable, and recommend improvements to both the written documents and their execution, e.g. by referring to the revised password guidance in NIST SP 800-63-3. Cybersecurity practitioners need to keep abreast of the latest...

Control #2

Most people assume cybersecurity controls require high-tech solutions: deep packet inspection, non-reversible encryption (hashing), biometric authentication with time-of-day usage permissions, sandboxes to validate the behavior of unknown executables, event correlation across log sources to trace network traffic, data leakage detection, etc. To some degree these are true and required. But controls must be deployed correctly, to minimize the attack surface and avoid undermining other existing controls. Further, resources are always limited in the real world, so we have to deploy the optimal set of controls. A road-traffic analogy:

- Preventive control: building a physical separation between opposing lanes is costly.
- Detective control: a traffic camera is less costly, but requires a process to review the events it records.
- Administrative control: the double solid white lines are the most cost-effective control.

Notwithstanding the control type, behind the scenes each must be backed by regulations that impose consequences for violation....

USB Port Misconception

People often say that "blocking USB ports" is a control in their company, yet somehow there is an exception process to "authorize" a company USB storage device to be connected for business reasons. Two mistakes:

1. USB ports are the standard I/O interface now. Keyboards, mice and IP phones all use USB connections, so the ports cannot be blocked as a blanket directive. The proper statement of the control is "manage removable media".
2. The protection objective is not clear. What is this technical control for: limiting the import of malware, limiting data leakage, or something else? With an "authorized" company USB storage device, the control is in vain for any of these objectives as long as that company device is also shared with non-company computers. That is entirely outside technical control.

The reality is that file exchange is always a legitimate business need. Providing a means for secure file exchange will eliminate the use of removable media and win user buy-in. The ultimate control relies on management...
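As an added illustration, not code from the original post, the following PowerShell shows what "manage removable media" looks like on a single Windows host, as opposed to "blocking USB ports": it sets the Removable Storage Access policy for the removable-disk device class (deny write, execute or read, matching the three objectives above) and optionally disables the USB mass-storage driver, while USB keyboards, mice and IP phones (HID and audio classes) keep working. The registry locations are the standard Group Policy-backed keys and the GUID is the Windows "Disk drives" device setup class; the function names are this example's own. It must run elevated, and nothing in it can tell where else an "authorized" stick has been plugged in.

```powershell
# Added example (not from the original post). Assumes an elevated session on a
# standalone Windows host; in a domain the same values come from a GPO.
$RemovablePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$DiskClassGuid   = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'   # "Disk drives" setup class
$UsbStorService  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-RemovableDiskPolicy {
    # Map each protection objective to the policy value that serves it.
    param(
        [switch]$DenyWrite,    # objective: limit data leakage (copy out)
        [switch]$DenyExecute,  # objective: stop running binaries from the stick
        [switch]$DenyRead      # objective: limit importing files / malware (copy in)
    )
    $key = Join-Path $RemovablePolicy $DiskClassGuid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Deny_Write'   -Type DWord -Value ([int]($DenyWrite.IsPresent))
    Set-ItemProperty -Path $key -Name 'Deny_Execute' -Type DWord -Value ([int]($DenyExecute.IsPresent))
    Set-ItemProperty -Path $key -Name 'Deny_Read'    -Type DWord -Value ([int]($DenyRead.IsPresent))
}

function Set-UsbMassStorageDriver {
    # Start=4 disables the USBSTOR driver (no USB disks at all); Start=3 is the
    # default manual start. HID devices use usbhid, so they are unaffected.
    param([ValidateSet('Enabled','Disabled')][string]$State)
    $start = if ($State -eq 'Disabled') { 4 } else { 3 }
    Set-ItemProperty -Path $UsbStorService -Name 'Start' -Type DWord -Value $start
}

function Get-RemovableMediaControlState {
    # Read back what is actually enforced, for evidence in an audit.
    $key = Join-Path $RemovablePolicy $DiskClassGuid
    $p = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
    [pscustomobject]@{
        DenyWrite        = [bool]($p.Deny_Write)
        DenyExecute      = [bool]($p.Deny_Execute)
        DenyRead         = [bool]($p.Deny_Read)
        UsbStorDisabled  = ((Get-ItemProperty -Path $UsbStorService).Start -eq 4)
    }
}

# Typical "data leakage" posture: sticks can be read but not written or run from.
Set-RemovableDiskPolicy -DenyWrite -DenyExecute
Set-UsbMassStorageDriver -State Enabled
Get-RemovableMediaControlState | Format-List
```

Note what the script does not do: it has no notion of an "authorized company device". Windows can allow-list specific hardware IDs through the Device Installation Restrictions policy, but that only decides which stick mounts on this host; it says nothing about what the stick picked up on a non-company computer, which is the gap the post is pointing at.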