Staging

By cliangNo Comments
Staging environment is usually established to validate computer systems functionalities before changes are implemented in the live system. It is one of the precautions to minimize disruption to business. There are multiple considerations in setting up a staging environment. To name a few: What is the coverage: minimal subset for core functions only, or the entire duplication of the system landscape? What data should be loaded: solely test data, or live data with sensitive info masked? Bear in mind that data will drive business logic and "fake" data cannot be used sometimes. How much coverage of test cases to verify: affected functions, or entire system as regression test? User account plus Roles & Responsibilities: create test accounts, or cloned from live system? Other connected systems: their respective staging environment, or something else (definitely not their live system)? For the Industrial Control System (ICS), this is even more complicated. The computer system is connected with actual plant equipment to control and monitor the plant. Even though a staging...
Read More

Anomaly

By cliangNo Comments
Observations are basis in any informed-assessment to understand if operations are compliance to rules & regulations meeting the expected standards. Observations are used to support the finding in the report. They can be in the form of screenshots, photo, configuration files in plain text. When you find anomalies, what is your first respond? You have to double check if it is a false positive first. If it is valid, then check if exception process has been granted with valid reason and appropriate level of approval. That is not yet the end. A more responsible cybersecurity practitioner or auditor shall also look at the effectiveness of the written directive - if they are reasonable and practically achievable. This is the hard part because it might outside the scope of assessment, or the assessor solely bases on the book. In any cases, policy maker should look at the report and rethink if the written directives are too tight, too rigid in killing the business. Bear in...
Read More

Treat or Trick #2

By cliangNo Comments
I talked about "strengthening human awareness cannot be overlooked". The easiest penetration into a corporate network is via phishing email. To validate workforce awareness and readiness withstanding phishing attacks, organizations start using simulated phishing emails to test who will take the bait: embedded document or hyperlink to track. This is a good motive except other surrounding elements need to be considered. Nowadays, email service provider will mark external emails to draw attention they are coming from outside. There are also emails generated from application for information using SMTP connector which carries the same external marker. Unless the corporate email gateway whitelists these SMTP sources or else workforce will get confused what emails to trust. Mail headers in simulated emails - this will disclose the email is a phishing test exercise for "advanced" or "professional" email users who know how to check the SMTP mail headers. Phishing test results will be affected because real phishing emails do not carry such identification. We should focus more...
Read More

Access Path

By cliangNo Comments
A path is required at the barrier or perimeter for a number of reasons: reachability to/from destination with legitimate needs such as logistics, transport etc. In cyber world, network perimeter device protects the inside zone from outside but "holes" are still required. A common example is the access to the web site from outside. How do we stay secure? It requires orchestration from different aspects: configuration hardening, access control to resources, incident respond, resilience, regular security updates, situation awareness and most important an achievable cyber security policy to mandate all these are in place. ...
Read More

Control #4

By cliangNo Comments
The "Exit" has demonstrated various types of control to secure the physical perimeter while enable a "kill switch" to emergency situation. The door lock acts as preventive control in normal circumstance. Inbound entry to the hall is prohibited by civilians (not stopping armed force). The lock bar can be pushed out to evacuate people in case emergency inside. It must be easily activated. To guard against abuse by malicious actor, CCTV camera is monitoring the scene. However, detective control must be supported by administrative control or else it won't be enforceable. Let's say, putting another notice there to indicate improper use will be subject to fine or imprisonment per bylaw clause so and so. Furthermore, security system is the first target to attack for disabling its surveillance function such that "improper" activities can be conducted without being caught. Altogether, this are the typical people, process, technologies, policies aspects that should be considered in formulating the use case, security and safety. ...
Read More

Ice Road

By cliangNo Comments
This is seasonal - only happened a short while during winter time when lake or river is frozen with thickness that can support vehicles riding on it. What is the insight? We face a lot of changes in business environment, make adoption to stay competitiveness while deploying cost-effective protection measures against new threats. Examples are continuous digitization or disruptive technologies that business cannot escape from except cope with these. As standard practice, conduct a comprehensive risk assessment with the right Subject Matter Expert to guide thru the stakeholders to reimagine the new targeting operating model to understand threats and consequence and this decide level of risk acceptance. As always, we have to take risks. Here in the ice road, the risk contributors are the load of the vehicle, vehicle fitness, weather condition at time of crossing and the skillset of the vehicle driver. The prime objective (business outcome) is to stay alive crossing the ice road with the load to reach the destination. ...
Read More

Design & Build #3

By cliangNo Comments
Earlier, I talked about similar. When conducting a comprehensive assessment of a facility, we should not just look at the cyber aspects but also the reliability and safety of the facility. Those exposed pipelines could be essential supply of human nessasities or dischargs of waste. If they are physically damaged (intentionally or unintentionally), these facilities will be disrupted therefore affecting normal live or even life. Physical security is also importantly in protecting the cyber components of facilities. ...
Read More

Emergency vs Privacy

By cliangNo Comments
It is common to leave contact information in passport, contact card in wallet such that under emergency situation, others could notify your family member or significant half. This will be helpful if you are travelling alone, or aged. But how do we eliminate scam? Our contact information (email, phone number) is perhaps widely shared when register for web service as 2-step authentication, product registration for warranty, leave as call back for inquiry results, or our friends' devices carrying our contacts are compromised. There is a little trick to beat against scammer by establishing a one-way trust. Put a preset phase in the emergency contact card. Pre-arrange this with your contact(s) the caller must quote this preset phase to prove the contact info is obtained from this emergency contact card but not elsewhere. ...
Read More

Bag Tag

By cliangNo Comments
It is common practice to tag your checked bag or even hand carried bag with a tag. How are you going to fill the info there? In old days, mobile communication device is rare. If you cannot find the bag at baggage claim area, you rely on transportation service provider to contact you and deliver the bag per the stated address even though you report them about lost bag. Therefore, you have to provide the accurate address and contact information. Now, the scenario is reversed. If you cannot find your checked bag, you contact the transportation service provider to locate the lost bag with ticket number assigned at check in and tell them where to send to and how to reach you. Therefore, the bag tag shall only serve an identification means and avoid putting too much privacy information (address, contact number, email) there. In addition, the tag attached to the checked bag has RFiD to track its routing through out the entire...
Read More

Renewable Energy

By cliangNo Comments
It is one of the decarbonization means. Investment involves initial plant setup and then recurring operating cost. There is no need for fuel except resources to manage the plant properly. The entire ecosystem will need site survey, i.e. how many days with sufficient wind are there in a year and the strength, physical security from sabotage of the plant and then digital security against cyber attack - bring down the grid, damage the equipment, scheduled plant maintenance. This shall best have a Hazard and Operability (HAZOP) exercise that include everything that most cybersecurity practitioners are only focusing on cybersecurity, or technical controls. If they do, they are incompetent for the job. ...
Read More