Assumption

By cliangNo Comments
Risk assessment is part of the risk management process to identify exposure, likelihood and business risks so that the necessary protection measures could minimize the impact. The tricky thing is most often controls are implicitly assumed, e.g. the access control to the target application relies on the robustness of the Identity Provider enforcing the defined roles & privileges, the effectiveness of anti-malware protection relies on the backend process to refresh for up-to-date definition, the platform and system applications are regularly hardened from known vulnerabilities, network perimeter controls are defined correctly and so on. Therefore, it is important to align and set the scene what key assumptions are referred in the very first step before assessing risks. If any of these is incorrect, then the exposure will be under-estimated and so for the residual risks....
Read More

Limitation

By cliangNo Comments
Every technology or system must have inherent limitations: no matter itself or its environment. Say, surveillance via CCTV for physical security, there is still the need to deploy guards patrolling the strategic locations to validate what you see if legitimate and augment the "blind spot" of CCTV coverage. Therefore: Unmanaged limitations will develop into vulnerabilities Exploitable vulnerabilities will become risks Neglected risks will impact the business Regular process review or system vulnerability assessment are then required for continuous cybersecurity strengthening....
Read More

Blockchain

By cliangNo Comments
Everyone is talking about this great technology and every industry is trying to adopt in the business model. Without going deep into technicality and in nutshell, the digital proof of the transaction is established and guaranteed in this distributed ledger.  However, an important element need to think about: how can the digital transaction in the cyber world be enforced for fulfillment in the physical world without any regulation? Think twice: if you have paid ransom via such digital transaction intended to unlock files encrypted by ransomware, how do you ensure that "service" is delivered? Therefore, internal use or limited adoption within closed community enforced with contractual terms are likely the use case in near term....
Read More

Business Value

By cliangNo Comments
One of the fundamental principles in cybersecurity is to apply necessary controls to reduce business impact. Business value is the catalyst in the risk management. The cyber poker machine is chosen as an illustration here. If this cyber application is deployed in a casino, the bet outcome means money. The result of each bet must be protected against manipulation like session replay, unauthenticated or fraudulent submission to control the coins release valve. But if it is deployed as part of the entertainment system in an aircraft, then it doesn't matter. The bet outcome is just for fun....
Read More