Shadow IT

By cliangNo Comments
Gartner defines Shadow IT as IT devices, software and services outside the ownership or control of (IT) organizations. Given that information processing facilities or information containers are no longer centralized, the shadow IT is a common phenomenon.  Each one of us has a cellular phone that is indeed a powerful information processing facility and large storage device in the pocket. The extensive connectivity and cloud computing via access anywhere and any platform model further accelerate this situation.  Cyber risks are incurred to different degrees.  Various protection technologies are surfaced in the market: Mobile Device Management, end point lock down, cloud-based proxy, Data Leakage Protection, disk encryption and so forth; but they are never bullet proof. Organization needs to think about enablement (as well as empowerment) rather than prohibitive thru streamlined approach.  Policy formulation, usage guidance, risk management, user awareness and enforcement via disciplinary process are required to minimize the impacts....
Read More

The Good, The Great

By cliangNo Comments
As cybersecurity practitioner, you might need to assist asset owner or end user to deal with auditor (or security assessor). The Good auditors are able to pick discrepancy of your operation against the "policies" (written directives, procedures or instructions document) down to minute details.  They regard these are the yardstick ("so it shall be written, so it shall be done") for a yes or no compliance tolerance without looking at other compensating controls. Every change or review execution needs documented evidence (name, date, signed approval, next review date etc.).  How these documents are effectively managed isn't the focus even though it will create many unnecessary overheads or even the trustworthiness of the documents. The Great auditors make a step further.  They will give further thoughts if the written "policies" have gaps with best practices or practically achievable; recommend both written (documents) and execution improvement.  E.g. make reference to revised password setting per NIST SP-800-63-3. The cybersecurity practitioners need to keep abreast of latest...
Read More

Control #2

By cliangNo Comments
Most consider cybersecurity controls require hi-tech solution such as deep packet inspection, non-revisible encryption, biometric authentication with time of day usage permission, sandbox to validate behavior of unknown executables, event correlation from various log sources to trace the network traffic, data leakage detection, etc. Yes, to some degrees these are true and required.  But controls must be deployed correctly to minimize attack surface or avoid affecting other existing controls.  Further, resources are always limited in real world.  We have to deploy optimal controls.  Examples are: Preventive control - building the separation between opposite lanes is costly Detective control - the traffic camera is less costly but requires process to review events Administrative control - the double solid white lines are the most cost-effective control Notwithstanding all these control types, behind the scene they must be enforceable by regulations for consequence of violation....
Read More

USB Port Misconception

By cliangNo Comments
Most often, people said blocking USB port is a control in the company but somehow there is exception process to "authorize" company USB storage device to connect due to business reason. Two mistakes: 1. USB ports are standard I/O interface now.  There are different needs like keyboard, mouse, IP phone device using USB connection.  They cannot be blocked as a blanket directive.  The proper way to say is to manage removable media. 2. The protection objective is not clear. What is this technical control for: Limit importing malware Limit data leakage Something else With an "authorized" company USB storage device, it will be in vain for any of these cases as long as that company device is shared with other non-company computers.  This is totally outside technical control. The reality is that file exchange is always legitimate business needs.  Providing a means to facilitate secure file exchange will eliminate the use of removable media as well as getting user buy-in. The ultimate control relies on management...
Read More

Cyber Risk Likelihood

By cliangNo Comments
In physical world, likelihood is based on historical frequencies, scientific calculation like path of hurricane, engineering specification such as MTBF (Mean Time Between Failure). Likelihood is the foundation to predict when an event will occur. It is the key catalyst in the insurance industry. In cyber world, this is not going to be the same. Uncovered vulnerability will turn security protection insecure over night. An example is TLS (Transport Layer Security). People take TLS for granted as a secure means to protect sensitive information submission over the network. The Heartbleed suddenly shocked everyone and this can't be predicted per traditional manner. A different approach has to be adopted to address cyber risk likelihood....
Read More

CONFIDENTIAL?

By cliangNo Comments
People talk about leaking company CONFIDENTIAL information.  It is not just a word slipped from your mouth to blame your staff but a proper management system to formalize it. You have to rethink: - Do you have an information classification policies? - Does your information carry any classification marking? And if no marking, what is the default classification? No classification label should never be regarded as CONFIDENTIAL. - Are you holding information that is also available from other sources or publicly known? - Have you provided training or orientation to raise the staff awareness the proper handling of company information? If you don’t have any one of these, it’s the fault of your company but not your staff....
Read More