Policies #3 (From Directive to Enforcement)

1. Use case
   - Authenticate that the parking user holds "Alien" status: a yes/no decision
   - Grant a usage duration
   - Disclaim responsibility for loss or damage
2. Enforcement
   - If yes: allow
   - If no: reject
   - If the terms are violated: consequence
3. Somehow, vulnerabilities exist:
   - The identity provider is compromised
   - The method of authentication is circumvented
   - The result of authentication is manipulated
   - The barrier to the authorized resource (the parking lot) fails and is bypassed without authentication
4. Consequence:
   - False positive: a non-alien is accepted as an alien, enabling fraudulent use
   - False negative: a genuine alien is rejected as a non-alien, resulting in denial of service
5. Counter-measures:
   - Protect the identity provider
   - Secure the communication path from the end point to the identity provider
   - Ensure the integrity of the authentication result
   - Conduct periodic system health checks
   - Patrol the parking lot regularly
   - Post the terms of use and the consequence of violation (e.g. tow-away at the vehicle owner's expense)
   ...
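The manipulated-result vulnerability in item 3 and the result-integrity counter-measure in item 5, shown as an added example that is not from the original post: the barrier is the enforcement point and only opens for a decision it can verify came from the identity provider and is still inside the granted usage duration. A naive barrier that trusts whatever yes/no arrives is placed beside the verified one. The shared key, user ids, timestamps and the simple HMAC-over-JSON token format are all constructed assumptions for illustration, not a description of any real product.

```python
"""Parking barrier as a policy enforcement point (added illustration).

All names, keys and messages here are constructed for the example.
"""
import hashlib
import hmac
import json

# Assumption: a symmetric key provisioned out of band between the identity
# provider (IdP) and the barrier. A real deployment might use asymmetric
# signatures instead; the verification logic is the same in shape.
IDP_KEY = b"constructed-idp-barrier-shared-secret"


def _canonical(claims: dict) -> bytes:
    """Stable byte encoding so IdP and barrier MAC the same bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def idp_decide(user_id: str, is_alien: bool, duration_s: int, now: float,
               key: bytes = IDP_KEY) -> dict:
    """Identity provider: yes/no decision plus a granted usage window, MACed."""
    claims = {
        "sub": user_id,
        "alien": is_alien,          # the yes/no decision
        "nbf": int(now),            # not before
        "exp": int(now) + duration_s,  # granted usage duration
    }
    tag = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "mac": tag}


def naive_barrier(result: dict) -> bool:
    """Vulnerable: opens on whatever decision arrives, so a result altered in
    transit (vulnerability: result of authentication is manipulated) is honoured."""
    return bool(result["claims"]["alien"])


def verified_barrier(result: dict, now: float, key: bytes = IDP_KEY) -> bool:
    """Hardened: fail closed unless the MAC matches and the window is current."""
    try:
        claims = result["claims"]
        expected = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(result.get("mac", ""))):
            return False  # integrity failure: reject, do not guess
        if not (claims["nbf"] <= now < claims["exp"]):
            return False  # outside the granted usage duration
        return bool(claims["alien"])
    except (KeyError, TypeError):
        return False  # malformed result: reject


def demo() -> dict:
    """Constructed scenario: a genuine alien, a tampered non-alien, an expired grant."""
    now = 1_700_000_000.0
    good = idp_decide("visitor-42", True, 3600, now)
    denied = idp_decide("visitor-7", False, 3600, now)
    # Attacker flips the decision bit but cannot recompute the MAC.
    tampered = {"claims": dict(denied["claims"], alien=True), "mac": denied["mac"]}
    return {
        "genuine": (naive_barrier(good), verified_barrier(good, now)),
        "tampered": (naive_barrier(tampered), verified_barrier(tampered, now)),
        "expired": verified_barrier(good, now + 7200),
    }


if __name__ == "__main__":
    print(demo())
```

The naive barrier lets the tampered result through; the verified barrier rejects it and also rejects a genuine grant once its duration has passed, which is the "grant usage duration" in item 1 enforced at the barrier rather than trusted from the client.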

Foundation

Proper cybersecurity in an organization must have a foundation. The effective approach is driven from the top: management mandates the integration of cybersecurity into the business process. This takes the form of policies and is enforced through corporate governance. Underneath the policies, the pillars are the various domains: risk management, policy exceptions, technology standardization, secure architecture, secure system deployment, procurement specifications, incident response, recovery, business continuity and workforce development. Without a sound foundation, an object held in the air will fall; it is just a matter of when. ...

Insider

This is a popular topic in the board room too. No matter how much is invested in cyber protection technologies, controls never have sufficient coverage to deal with insiders. According to PNNL's Predictive Adaptive Classification Model for Analysis and Notification, identifying insider threats requires substantial data sources and derivatives. This may be possible with big data, but after all, who will watch the watcher? Source: PNNL - Predictive Adaptive Classification Model for Analysis and Notification: Internal Threat The lines of defence shall be:
- Preventive controls as the barrier (where technology is available and the investment is justified)
- Detective controls as digital evidence (when events are reviewed effectively to identify the offender)
- Administrative controls as management directives (when productive activities take precedence over prohibitive measures)
- Corporate disciplinary process or enforcement of contractual undertakings against the offender
- Laws and regulations as the ultimate deterrent
...

Back Door

Each house has its own perimeter to control entry. Behind the perimeter, however, the houses are mutually accessible at the back end. Thus a break-in at one house lets the intruder traverse to its neighbour without going through the neighbour's perimeter. The same attack surface applies in the cyber world. Therefore, test and live environments must be segregated. The former has weaker cyber hygiene because it is subject to broader access by developers or vendors under loose controls....

Governance

In the last article I talked about PPTP. With organization policies formally established, the next step is the governance that makes them work. Otherwise, policies are just slogans in the air. The governance must be driven by the governing body (usually the senior management of the organization) and includes, but is not limited to:
- Mandating cybersecurity directives (policies) for enforceable, repeatable and achievable business processes
- Approving risk acceptance for deviations from these established policies
- Stipulating strategic decisions to ensure business outcomes align with the organization's business objectives, such as digital transformation, Recovery Time Objective (RTO), recovery priority and funding
The hard part is that the governing body needs to determine the right path for the organization rather than be distracted by sales pitches or FUD exaggerated by the media....

PPT, PPTP

People, Process and Technology (PPT) are always referred to as the foundation in the cybersecurity community. Yes, they are. But without formal organization policies to drive them, many pitfalls can be envisaged:
- Misalignment among business units
- Misinterpreted context of the policies
- Lack of management support for continuous improvement
- Insufficient skill set in the workforce
Therefore, a more precise model, PPTP (People, Process, Technology, Policies), is more suitable. Without the last P, it is like a chair with a broken leg that will fall (fail)....

Access Control

In the physical world, access control is done by a barrier that is disabled for entry only for an authenticated individual. The same applies in the cyber world. Access control in both worlds manages "honest" users, not malicious users who intentionally bypass the barrier(s). Laws and regulations are the last resort to stop offenders....

Policies #2

Setting up policies seems easy: it is just putting the management objective in written form. However, the objective must be practically achievable and enforceable for all stakeholders involved. Otherwise, it is just a slogan in the air, as well as low-hanging fruit for a non-compliance finding in any assessment exercise....

Sunrise, Sunset

You cannot tell which it is because the reference is missing: the time of day the picture was taken, or more precisely which planet, generally assumed to be Earth. Similarly, is the infrastructure/system cyber secure? It needs reference points. The corporate cybersecurity policies and the corporate risk matrix are the reference points for prioritizing the protection measures that reduce likelihood. Furthermore, a scoping statement is required, especially when we are talking about cybersecurity assessment or accreditation. ISO standard compliance is meaningless without a statement of applicability. Whether the scope is (a) the in/out tray of document handling or (b) the information processing system/infrastructure handling electronic documents makes a great difference in the operational controls as well as the ongoing effort to sustain the accreditation....

Privacy

We all know the importance of privacy and the need to protect it. While protecting privacy, we need to look at regulatory requirements in 360 degrees, i.e. we cannot hide something that is mandatory to display. A question for the reader: in postal mail, is a window envelope displaying both name and address a violation of privacy?...