Technology

Technology helps avoid mistakes, operate continuously and enforce certain outcomes. However, technology is designed and deployed by humans, and faults are inevitable in that process (that is why we have Patch Tuesday and the like). The illustrated vault has a thick door and thick walls, strong enough to withstand theft, physical attack or natural disaster and so secure the contents stored there. If access to the vault is not well managed, the intended protection is void. ...

Perimeter #2

A perimeter is intended to control and scrutinize access. Systems are now interconnected, and a standalone system is no longer considered effective; this in turn exposes the attack surface. Take port 80 as an example. You run a web site as your point of presence in the market. The web site must allow anonymous access by any Internet user, so although a firewall is deployed, the web port (TCP 80, 443 or whatever is required) must be opened. The attack then shifts to the application layer: injecting malicious content that passes straight through the network layer, submitting a large volume of requests to slow down or corrupt the system, or manipulating client-side data and resubmitting it to the back-end. Counter-measures will then require:
- A secure software development lifecycle
- Secure configuration
- Regular security patches and upgrades
- Periodic comprehensive assessment (indeed, some industries mandate this)
- Situational awareness for the different types of roles involved ...
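As an added example that is not part of the original post: two of the application-layer attacks named above, arriving as ordinary request parameters on the open web port that the firewall must allow, each beside the hardened handler that secure development would produce. The in-memory catalogue, the form dictionaries and every function name below are assumptions constructed for this illustration.

```python
"""Added example, not from the original post: application-layer attacks that
a firewall passes through on the permitted web port, beside their hardened
counterparts. The catalogue, the form data and all names are constructed."""
import sqlite3


def make_db():
    # Constructed in-memory catalogue standing in for the back-end database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT, price INTEGER, hidden INTEGER)")
    db.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [(1, "widget", 10, 0), (2, "gadget", 25, 0), (3, "internal-sku", 0, 1)],
    )
    db.commit()
    return db


def search_vulnerable(db, term):
    # Vulnerable: the request parameter is spliced into the SQL text, so a
    # term such as  x%' OR 1=1 --  rewrites the WHERE clause and exposes
    # rows the application meant to hide.
    sql = "SELECT name FROM products WHERE hidden = 0 AND name LIKE '%" + term + "%'"
    return [row[0] for row in db.execute(sql)]


def search_hardened(db, term):
    # Hardened: the value is bound as a parameter and can only ever be data.
    sql = "SELECT name FROM products WHERE hidden = 0 AND name LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]


def checkout_vulnerable(form):
    # Vulnerable: the price travels in a hidden form field, which the client
    # can edit before resubmitting the form to the back-end.
    return int(form["qty"]) * int(form["price"])


def checkout_hardened(db, form):
    # Hardened: the client chooses product and quantity only; the price is
    # looked up server-side and the quantity is range-checked.
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    row = db.execute(
        "SELECT price FROM products WHERE id = ? AND hidden = 0", (int(form["product_id"]),)
    ).fetchone()
    if row is None:
        raise ValueError("unknown product")
    return qty * row[0]


if __name__ == "__main__":
    db = make_db()
    injected = "x%' OR 1=1 --"
    print("vulnerable search:", search_vulnerable(db, injected))
    print("hardened search:  ", search_hardened(db, injected))
    # Constructed tampered form: the hidden price has been changed from 25 to 1.
    tampered = {"product_id": "2", "qty": "3", "price": "1"}
    print("vulnerable checkout:", checkout_vulnerable(tampered))
    print("hardened checkout:  ", checkout_hardened(db, tampered))
```

Neither attack contains anything a port-based firewall can see: both are well-formed requests to the permitted service. The vulnerable search returns the hidden row, and the vulnerable checkout charges whatever price the client chose; the hardened versions treat every client-supplied value as untrusted data and keep authoritative values (the SQL structure, the price) on the server.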

Big Picture

Common pitfalls in conducting a risk assessment are:
- Controls in place are not explicitly stated as assumptions
- Lack of the big picture
A holistic view of the target of evaluation (ToE) as well as its surroundings is vital. We should not look at the ToE alone. We need to think about and assess:
- Risks to the ToE due to compromised components around it
- Similarly, risks to those components due to an insecure ToE ...

Policies #3 (From Directive to Enforcement)

1. Use case
- Authenticate whether the parking user has "Alien" status, a yes/no decision
- Grant a usage duration
- Disclaim responsibility for loss or damage
2. Enforcement
- If yes: allow
- If not: reject
- If violated: consequence
3. Somehow, vulnerabilities exist:
- The identity provider is compromised
- The method of authentication is circumvented
- The result of authentication is manipulated
- The barrier to the authorized resource (the parking lot) fails and is bypassed without authentication
4. Consequence:
- False negative (false accept): a non-alien is mistaken for an alien, enabling fraudulent use
- False positive (false reject): a genuine alien is mistaken for a non-alien, resulting in denial of service
5. Counter-measures:
- Protect the identity provider
- Secure the communication from the end point to the identity provider
- Ensure the integrity of the authentication result
- Conduct periodic system health checks
- Perform regular patrols of the parking lot
- Post terms of use and the consequence of violation (e.g. tow away at the vehicle owner's expense) ...
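As an added example that is not part of the original post: the exchange between the identity provider and the parking barrier, showing how "ensure the integrity of the authentication result" and "grant a usage duration" are enforced. The identity provider signs its yes/no decision with a keyed MAC and an expiry; the barrier fails closed unless the decision is authentic, current and "alien". The registry, the shared key, the token format and all names are assumptions constructed for this illustration (a shared secret is used for brevity; a per-barrier key or an asymmetric signature limits the damage from one compromised barrier).

```python
"""Added example, not from the original post: a signed parking decision from
an identity provider, verified by the barrier. Registry, key and names are
constructed for this illustration."""
import base64
import hashlib
import hmac
import json

# Constructed shared secret between identity provider and barrier.
SHARED_KEY = b"demo-key-do-not-use"

# Constructed identity provider records: which plates hold "Alien" status.
REGISTRY = {"plate-ZX1": True, "plate-HQ7": False}


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical(decision):
    # Fixed key order and separators so signer and verifier hash identical bytes.
    return json.dumps(decision, sort_keys=True, separators=(",", ":")).encode()


def idp_decide(plate, now, duration_s, key=SHARED_KEY):
    """Identity provider: authenticate the plate, return a signed, time-limited decision."""
    decision = {"sub": plate, "alien": REGISTRY.get(plate, False),
                "iat": now, "exp": now + duration_s}
    payload = _canonical(decision)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def barrier_check(token, now, key=SHARED_KEY):
    """Barrier: (allowed, reason). Fails closed on anything it cannot verify."""
    try:
        p64, t64 = token.split(".")
        payload, tag = _unb64(p64), _unb64(t64)
    except ValueError:  # wrong field count or invalid base64
        return False, "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "tampered"   # manipulated result, or not from our provider
    decision = json.loads(payload)
    if not decision["iat"] <= now < decision["exp"]:
        return False, "expired"    # granted usage duration has run out
    if decision["alien"] is True:
        return True, "allow"
    return False, "not alien"


def tamper(token, new_alien):
    """Attacker on the path to the barrier: flip the 'alien' flag and resubmit."""
    p64, t64 = token.split(".")
    decision = json.loads(_unb64(p64))
    decision["alien"] = new_alien
    return _b64(_canonical(decision)) + "." + t64   # old tag no longer matches


if __name__ == "__main__":
    now = 1_700_000_000
    genuine = idp_decide("plate-ZX1", now, 3600)
    impostor = idp_decide("plate-HQ7", now, 3600)
    print("genuine alien:   ", barrier_check(genuine, now + 10))
    print("after expiry:    ", barrier_check(genuine, now + 3600))
    print("non-alien:       ", barrier_check(impostor, now + 10))
    print("flipped flag:    ", barrier_check(tamper(impostor, True), now + 10))
    print("garbage token:   ", barrier_check("garbage", now))
```

The MAC covers the whole decision, so flipping "alien" or extending "exp" on the way to the barrier is detected. It does not address the first vulnerability in the list: a compromised identity provider can issue a correctly signed "yes" for anyone, which is why protecting the provider itself, periodic health checks and patrols remain on the counter-measure list.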

Insider

This is a popular topic in the board room too. No matter how much cyber protection technology is invested in and deployed, controls never have sufficient coverage to deal with the insider. According to the PNNL Predictive Adaptive Classification Model for Analysis and Notification, identifying insider threats involves substantial data sources and derivatives. This may be possible with big data, but after all, who will watch the watchers? Source: PNNL - Predictive Adaptive Classification Model for Analysis and Notification: Internal Threat
The lines of defence shall be:
- Preventive controls as barriers (where technology is available and the investment is justified)
- Detective controls as digital evidence (when events are reviewed effectively to identify the offender)
- Administrative controls as management directives (when productive activities take precedence over prohibitive measures)
- The corporate disciplinary process or enforcement of contractual undertakings against the offender
- Laws and regulations as the ultimate deterrent ...

Insecurity

The road system in the physical world is designed for safe (secure) use: sign boards, speed limits, road shoulders, proper lane separation. Still, insecurity occasionally takes place. There are many contributing factors, such as:
- Adverse weather (low visibility, slippery road, hurricane)
- Malfunctioning equipment (vehicle)
- Collateral damage from other road accidents
- The driver's bodily condition, or being under medical or drug influence
- Inexperienced or negligent drivers
Similar principles apply in the cyber world:
- Untrained users or human error
- Failure to handle exceptional situations properly
- Unpatched system components exposed to known vulnerabilities
- Attack from peer nodes of a connected system
There is one more contributing factor: if security has not been integrated into the design and deployment of the target system, it will not be secure. ...

Tagging

Tags or labels are an important aspect of documenting cyber assets such as hardware components or cabling. This is not a one-off exercise. Assets are subject to replacement due to faults, addition because of new system functionality, or removal upon decommissioning. It is therefore necessary to maintain an accurate asset inventory with a consistent labelling scheme. Such an inventory not only helps to locate a faulty component for troubleshooting or to isolate a compromised component, but also reflects the correct asset value in the company's books. ...

Automation

Every day we rely heavily on automation, whether visible or behind the scenes: rice cookers, air conditioner temperature control, TV programme recorders, garage entry, escalators, fire alarm systems, traffic lights, public lighting, vehicles, trains, vessels, cargo terminals, the electric grid, etc. Are we ready to bear the failure of any of these automations? Or how long can we tolerate degraded service? These questions are the basis for deriving an alternate processing model to resume service, even if not at the expected service quality. Shortening unplanned outage time or raising service quality during an outage translates into substantial monetary terms. The cybersecurity practitioner can only facilitate the thought process; the ultimate decision rests with the business, a risk trade-off between optimal and optional investment to meet the business target. ...

Preparedness

No doubt we have deployed and sustained protection as counter-measures against cyber threats. However, the cyber threat landscape is always evolving: new tricks, zero-day exploits and Advanced Persistent Threats (APT) are out there, and we don't know what we don't know. In this regard, we must assume our system or infrastructure will be compromised; it is just a matter of when. To deal with the worst scenario we have to prepare well beforehand. Things like:
- Establish a directive on the trade-off between service resumption and digital evidence preservation
- Determine the dependencies for resuming service in an alternate facility, even at a degraded level
- Streamline the philosophy of containment to minimize damage from a cyber attack
- Maintain contact information as well as a reliable and trusted communication channel among key personnel during an emergency
- Prepare Line-To-Take templates to simplify the job for PR
- Most importantly, human safety and environmental protection should be the first priority
- Regular drills to validate readiness and find ways to improve ...