Information Integrity

Why buying 2? Sometimes a small mistake will invite the question of whether the information processing facilities are producing accurate results without malicious tampering. The illustrated sales price might have been input manually, or generated by the system as per a scheduled price promotion. In either scenario, either a broken business process (lack of review and approval before publishing) exists, or an automated consistency check is missing. Once such a small mistake goes public, it will require a lot of PR effort to reassure that this is an isolated case not affecting other back-office applications like customer data, staff personal data, financial records, etc. ...

Identify

Most often, vendors propose security solutions as a basket of features. They claim a security suite with a unified console and dashboard. It is necessary to assess and identify the baseline security in the business requirements: what are the necessary protections? Otherwise it will cost more, and be more to manage in terms of support, maintenance, skill set and user experience. Some guiding questions facilitate the decision. The answers are situation and organization specific. Taking remote access as an illustration here:

Who are the users accessing the infrastructure or system?
- From own organization?
- From business partners (vendor or contractor)?
- General public?

When is this service needed? This will decide:
- Resilience arrangement
- Maintenance window
- Business continuity
- Disaster recovery
- Recovery Time Objective
- Service level pledge

What service is needed after the connection is established?
- Infrastructure (e.g. storage, email, intranet)?
- Business applications?

Where do users access from?
- Within the organization network (due to network segmentation)
- From business partners' network
- Internet
- Organization device or any device?

Why is this remote access needed? This is the business justification, for example:
- Speedy vendor support without traveling to site
- Enhancing productivity, especially during COVID-19, to keep physical distance

How...

Governance #2

A successful cybersecurity posture in an organization requires effective cyber protection of its cyber assets. There is a broad interpretation of cyber protection. In certain extreme cases, people focus on technical controls and how these controls are implemented, sometimes down to a specific technology brand name or even model per personal preference. This doesn't hurt as long as the organization is:
- Providing transparency on the rationale for the chosen technology vendor
- Publishing the standard for reference rather than hiding it inside one's mind
- Facilitating end users to procure those specific brands
- Communicating with the teams involved to raise awareness of the requirement

That said, this falls into one of the organization's governance roles as cybersecurity standardization. The merits are a reduced learning curve to manage the control, partnership with the vendor for better support and purchase discounts, and technology roadmap and life cycle management. Like any other tool, it is subject to misuse, resulting in internal politics. ...

Design & Build #2

A deployed function that looks inelegant: is this due to a design problem, or a deployment not in accordance with the design? Fixing it will be costly without a retrofit. Similarly, this happens to cyber protection. Protection effectiveness will be degraded, or even nil, if the design is improper or the deployment is incorrect. To address this pitfall, a comprehensive assessment of the design, a configuration check before commissioning, and regular health checks at the O&M stage are necessary. Even if the system has not changed, the external threat landscape has evolved and controls need to be strengthened to keep protecting it. ...

Defeated Control

Detective control is blocked (defeated). When designing security controls, it is necessary to determine if the controls can be executed effectively. Somehow, due to unexpected situations, controls are defeated. To avoid this pitfall, holistic assessment is required during:
- Design stage: whether the intended control function is effective without being circumvented (the design effectiveness review)
- O&M stage: whether the control can be operated as per design (the operation effectiveness review)

The entire life cycle of a digital solution shall:
- Identify the business value at initiation such that necessary and optimal controls are in place to minimize the business impact; this acts as the procurement requirement
- Determine during design whether the proposed controls are effective and, if not, develop the necessary compensating controls. A typical example is the guard patrol to validate that the CCTVs are still operating properly
- Validate controls before the system goes live; rectify any deviations of the deployed solution from the design
- Assess regularly during O&M whether controls are effective against new threats
- Dispose of controls securely at retirement of the digital...

Accountability

To run a business, there are always business risks. It is a matter of how much risk acceptance is comfortable. Say, shoplifters will incur revenue loss for a supermarket. Therefore, the protection decision targets high-value goods, e.g. adding an RFID anti-theft tag. Even with CCTV and guards deployed, there might still be a chance of goods not protected by an anti-theft tag slipping through. This is risk acceptance. The business owner is fully accountable for managing these risks. That said, there should be parties with different knowledge domains to help the business owner understand the inherent risks, but the ultimate risk acceptance rests with the business owner. Risks involving regulatory compliance must be addressed, or else the organization is put into civil or criminal offence, or temporary or even permanent suspension of its business license. An example is the taxi business, which needs to have a vehicle license for passengers, compulsory vehicle inspection, public liability insurance, emission control of exhausted...

Visibility

In the physical world, this creates uncertainties for moving forward. In the cyber world, it means even more. From the business perspective, a vast amount of information needs data analytics to derive management insight for understanding customer profile, product popularity, performance, etc., to align with business planning. From the cybersecurity perspective, this can be considered in various use cases:
- Asset inventory: provides the components in the information processing infrastructure such that prompt reaction to incidents and new threats, plus proper management of technology obsolescence, are possible
- System events: feed into the SIEM to locate potential threats that have been persistent
- Network traffic: detects traffic flows to detect or block potential malicious activities
- Vulnerability: itemizes known technical vulnerabilities to develop counter-measures
- Performance dashboard: provides cybersecurity KPIs to drive improvement ...

Access Control #3

Controlling cyber (or network) access is always a main concern, to limit the threat vectors for lateral movement once an attacker has gained a stepping stone within the infrastructure. The physical access aspect must not be forgotten. No matter how sophisticated the controls implemented and in place, if the core equipment is exposed to access at will, this will defeat all these cyber controls. Bear in mind that all controls are there to defer access as much as possible. There is no bulletproof solution. A comprehensive risk assessment against the target of evaluation is very important to develop effective compensating controls. ...

Credential

It's the secret to access your protected resources in the network, or the cyber space. Therefore, traditionally, you have to keep it to yourself only. If we adopt the business continuity concept in personal life, then somehow the secret must be shared with your significant other, or else the access is gone forever. Of course, this must be arranged in advance, like asset escrow, but so far there is no credible service in the market for this cyber entity. For an optimal and practical setup, use 2-step authentication (most portals now have this feature) and store the password in a sealed envelope. This is a split-secret arrangement. You hold the second factor yourself to control access even if the sealed envelope is compromised. ...

Anonymity

Privacy is a major concern nowadays. Sensitive info needs to be tokenized or masked while leaving functional info unchanged during business analytics or system testing. Nevertheless, a function might be uniquely provided by a particular individual within the information sample. In this case, even if the identity is masked, the functional aspect can still be traced back to that particular individual. This is something like a weak hashing function subject to a reversal attack. This is the situation to watch out for, and the limitation needs to be voiced to the data subject and the data owner. ...