Isolation

By cliangNo Comments
By common sense, systems isolated from the network will have immunity from cyber attack over the wire but still be vulnerable to infected removable media upon physical insertion. Just like the boat above. You don't worry about attack from sharks but what about crocodile in shallow water? As cybersecurity practitioner, we must have holistic understanding of the target operating environment, business objective and adverse consequence. We should not simply say my roles look after architecture and other issues need to talk to relevant team mates regarding cyber risks, cyber operations etc. With complete understanding, impose viable (not necessarily technical) controls for high impact consequence by reducing likelihood as much as practical. Don't just follow textbook knowledge - these are for reference only and must be digested what is applicable in own environment for helping asset owners with recommended optimal investment rather than overkill. Adding controls only creates complication and does not guarantee more secure. Indeed, more controls will demand...
Read More

“Insecure” Tunnel

By cliangNo Comments
Older TLS (Transport Layer Security) version is marked insecure by vulnerability scanner. Certain cybersecurity practitioners make decision solely based on scanner report and blindly to urge system admin to "fix" it without looking at the big picture. The vulnerability scanner has zero knowledge on the system landscape, criticality of the system being evaluated and most importantly where is the scanner placed in the network. Good practice is to assess the big picture, mark these are non-issues and forget it if it is just an internal system in isolated environment. Resources should be deployed on more important things. ...
Read More

Coverage

By cliangNo Comments
Security technology alone cannot reassure protection. It requires human judgment: What is the value of target being protected? Risks to low value asset or low business impact are simply accepted as part of the operating cost. Example is the anti-theft RFiD tags.How is the controls deployed? Is the control in place properly? Gap in control will leave a loop-hole.Most importantly, how is the control operated and sustained to maintain its effectiveness? Adding controls does not increase security sometimes but incur unnecessary overheads or activities that overkill the purpose. A comprehensive assessment from design, build, deploy, regular validation is required through out the life cycle of the deployed cybersecurity protection. ...
Read More

Unnecessary Control #2

By cliangNo Comments
Control must be enforceable. If control can be circumvented or bypassed, then there is no point to deploy such control. That's why we need to keep updating the system, infrastructure to sustain their effectiveness over time due to emerging threats are out. There are many examples out there in the cyber world. Attack and defense are competing each other. Once in the digital journey, allocate resources to address multiple aspects to stay secure: Collect threat intelligence and their impacts to own environmentAssess operation risks to prioritize protectionMaintain workforce competency and situation awarenessRefresh technology obsolescenceEstablish achievable and enforceable cybersecurity directives ...
Read More

Spare Capacity

By cliangNo Comments
Roof needs to cater for extra loading due to different weather conditions Availability is one of the protection objectives in cybersecurity. When deploying new systems, the design must cater for spare capacity. Usage patterns need to be understood too as this will surge capacity demand instantaneously. Capacity refers to bandwidth, storage, processing speed. This must be estimated in the next 3-5 years with the projected growth rate plus the peak demand, setting threshold to trigger alert to resolve the capacity issue. It can be adding more storage, or archiving historical records offline, or deleting records per corporate retention policy. It is part of system management to maintain a healthy cyber environment to run business. Otherwise, business services will be interrupted. ...
Read More

Purpose of control

By cliangNo Comments
When we deploy control, we always have to understand what we are trying to achieve. In the illustration, if the purpose is just to prevent accidential openning of the cabinet door hurting nearby pedestrian, then something fixes the door in position suffices. There is no need to apply a lock because it will involve key management. Without proper key management, accessing the cabinet inside will be affected. As such, don't impose unnecessary and excessive controls. It won't improve but complicate the use case. ...
Read More

Excessive and Unnecessary Control

By cliangNo Comments
So many locks Adding control won't give you more security. I came across advices from other cybersecurity practitioner that overkills. Indeed, the insecure WiFi is part of this. The whole story is that critical system (simply the Target) is isolated from the Internet. To update the Target with security patches, new anti-malware definition, removable media (simply USB thereafter) is used to transfer the required files obtained from OEM into the Target environment. No doubt there is risk to use USB. A dedicated kiosk scanning station (simply Kiosk thereafter) is established to check for malware clearance before plugging the USB into the Target. So far, everything looks good and sensible. Because the Target using the USB is far away from the Kiosk, the cybersecurity practitioner has an innovation thought to ENSURE the USB must just been scanned by the Kiosk but not inserting a different one by human mistake. In other word, USB must be validated before loading to...
Read More

Risk Evaluation

By cliangNo Comments
Risk assessment is the approach to identify hazard and implement proper controls to reduce likelihood. When doing so, we should look at the portion that must be function well to support the intended outcome. In the illustration, the vehicle is to transport people or goods from one location to another. The engine and tires must be in good condition with sufficient fuel plus cooling fans to achieve this purpose. Any one of these components fails will affect the intended outcome. Therefore, vehicle (especially commercial) needs to undergo regular inspection and maintenance to keep in good condition. Check the tires and fuel capacity before any trip to reduce the likelihood of break down. Having spare tires or road-side assist contact numbers are the mitigation under assumption that the cellular phone signal coverage is within the trip. Otherwise, a different support model (say, satellite phone) is required.. ...
Read More

Proper Usage #2

By cliangNo Comments
Security Boundary Every system has its own weakness and limitation. We can't build a total secure system practically unless it is on the shelve without any usage value. There is always the need to assess the risks to opt for optimal security controls. The key part is the "users" that they are expected to behave within the security boundary. Don't try to address ALL vulnerabilities because it is unwise and a never-ending story. Even if this is achievable, it is just a snapshot at a particular point in time. The proper approach is that Understand what are the inherent vulnerabilitiesWhat are the compensating controls surrounding the core system to reduce the likelihoodIf there are any alternate facilities to maintain the minimal business operations should bad things happen ...
Read More

Vulnerability Management #2

By cliangNo Comments
Vulnerability Management or Scare Your Management Some cybersecurity practitioners conduct vulnerability management (VM) by just using automated vulnerability scanning tool (scanner) to uncover system vulnerabilities and then job is done. Even the worst, the scanner is placed next to the component using the target's administrative credential to probe. Raw results from the scanner is presented to the Management of vulnerabilities detected highlighting how many critical, high, moderate, low risks. This is a totally incorrect approach. The vulnerability scan is only the 1st step of the VM. The raw result gives you the worst scenario. It illustrates the system weakness assuming the adversaries have already gained the network access to that component by evading all the cybersecurity perimeter controls plus system privileges escalated. We must not forget the 2nd step is to evaluate if there are other controls (e.g. network segmentation, anomalies detection, system lock down etc.) implemented in reducing the likelihood of exploitation. This is...
Read More