Insider

By cliang1 Comment
This is a popular topic in Board Room too.  No matter how much cyber protection technologies are invested and deployed, controls always have insufficient coverage to deal with insider. According to PNNL Predictive Adaptive Classification Model for Analysis and Notification, it involves substantial data sources and derivatives to identify insider threats. This may be possible with big data but after all, who will watch the watcher? Source: PNNL - Predictive Adaptive Classification Model for Analysis and Notification: Internal Threat The line of defence shall be: Preventive controls as barrier (where technology is available and investment is justified)Detective controls as digital evidence (when events are reviewed effectively to identify offender)Administrative controls as management directives (when productive activities have higher preference over prohibitive measures)Corporate disciplinary process or contractual undertaking enforcement for offenderLaws & regulations as the ultimate deterrent ...
Read More

Insecurity

By cliangNo Comments
Road system in physical world is designed for safe (secure) use - sign board, speed limit, road shoulder, proper lane separation. There is occasion insecurity taking place.  There are many contributing factors such as: Adverse weather (low visibility, slippy road, hurricane) Malfunctioned equipment (vehicle) Collateral damage due to other road accidents Body condition of driver, under medical or drug influence Inexperienced or negligence drivers Similar principles apply in cyber world Untrained user or human error Failure to handle exception situation properly Unpatched system components exposing to known vulnerabilities Attack from peers nodes of connected system There is one more contributing factor: if security hasn't been integrated into design and deployment of the target system, it won't be secure....
Read More

Tagging

By cliangNo Comments
Tag or label is an important aspect to document cyber assets like hardware components or cabling. This is not an one-off exercise.  Assets are subject to replacement due to fault, addition because of new system functionalities or removal upon decommissioning.  It is therefore necessary to maintain an accurate asset inventory with consistent labeling scheme. This asset inventory will not only help to locate faulty component for problem shooting or to isolate compromised component but also reflects the correct position of asset value in the company books....
Read More

Automation

By cliangNo Comments
Everyday, we rely so much on automation ... be seen or behind the scene: rice cooker, temperature control of air conditioner, TV program recorder, garage entry, escalator, fire alarm system, traffic light, public lighting, vehicle, train, vessel, cargo terminal, electric grid, etc. Are we ready to bear with the failure in any of these automation?  Or how long we can tolerate with degraded service? These are the basis to derive the alternate processing model to resume service though it might not be up to the expected service quality.  Shortening the unplanned outage time or increasing service quality during outage will be materialized into substantial monetary terms. Cybersecurity practitioner can only facilitate the thought process but the ultimate decision is from business - risk taking between optimal or optional investment to meet the business target....
Read More

Preparedness

By cliangNo Comments
No doubt, we do have deployed and sustained protection as counter-measure against cyber threats.  However, the cyber threat landscape is always evolving - new trick, zero-day exploit, Advanced Persistent Threat (APT) are there and we don't know what we don't know. In this regard, we must assume our system or infrastructure shall be compromised.  It is just a matter at what time this happens. To deal with the worst scenario, we have to get well prepared beforehand.   Things like: Establish directive to trade off between service resumption or digital evidence preservation Determine dependency of resuming service in alternate facility though in degraded level Streamline philosophy of containment to minimize damage due to cyber attack Maintain contact info as well as reliable and trusted communication channel among key personnel during emergency situation Prepare Line-To-Take templates to simplify the job for PR Most importantly, Human safety and environment protection should be the first priority Regular drill to validate the readiness and find ways to improve ...
Read More

Crowdsourcing

By cliangNo Comments
Landlord: "Tell me your monthly sales amount." Tenant: "No way, this is confidential business information." With a little trick, such confidential information can be collected. Giving certain incentive, customers will queue up and surrender the sales receipts to the concierge of the mall. Free parking is one of the incentive models.  For in-mall spending over certain amount, concierge validates the parking ticket and captures the receipt details.  But this is less granular because not every customer comes to the mall with own vehicle. A more advanced model is to establish royalty membership to earn points per the spending amount in the mall.  This is still not accurate because not every customer will join the royalty scheme but more granular than the free parking model. Then, confidential sales information could be captured from the crowd for analytics....
Read More

Boundary

By cliangNo Comments
Typically, the boundary defines a clear demarcation of accountability in the case of ICT or ICS system landscape.  It also confines the work scope in any professional engagement activities to ease managing the work product expectation. However, as a cybersecurity practitioner, we must look further beyond to strike for a holistic view in order not to miss out any inherent threats.  It's just a matter of fact how far and how detail we are comfortable to go beyond, or simply include a scope statement for the "limited vision"....
Read More

Design & Build

By cliangNo Comments
Secure by design of ICS (Industrial Control System) is just part of the ICS life cycle.  If design is insecure, retrofit sometimes is not possible and need to rebuild from scratch again. Next is the ongoing sustainability of the cybersecurity because the ICS is only secure at that particular point in time of commissioning.  Addressing new vulnerabilities and continuous strengthening are required to keep staying cyber secure. Of course, identify the business outcomes and acceptable risks then translate into ICS cybersecurity requirements in the procurement specification is the very first step....
Read More

FUD

By cliangNo Comments
Fear, Uncertainty, Doubt (FUD) is the tactic vendors are trying to sell you their cybersecurity solution. Typically, this is done via several stages: Share damages for cyber incidents in the public like substantial fines by the Court or huge claims from customers, loss in reputation, drop in stock price, revenue loss due to business operation interruption plus other fees like investigation, containment and recovery How your other peers are doing Market share and strength of their solution from  independent analyst's ranking How their solution is able to help and protect you Certainly, having cybersecurity protection deployed is better than none but what you need to know: Limitation of the solution as there is no bullet proof protection technology Total Cost of Ownership (TCO) to operate including competent skill set and extra resources Understand how effective the protection to limit the risks and threat actors that the organization is facing because each organization has its own business priority, people and culture issues Most importantly,...
Read More

Operation Risk

By cliangNo Comments
Unlike IT application, ICS (Industrial Control System) involves direct physical process that will affect human safety and impose environment impacts. When we conduct ICS risk assessment, we must not just limited thoughts to cyber risks.  Cyber risk is just one of the causes that affect the stability, manageability and operability of the ICS. For impacts caused by cyber issues, are these due to general equipment fault rather than cyber attack?  What about other physical damages like communication lines fails due to natural disaster, or machinery break down from wear and tear?  The counter-measures shall then also address non-cyber issues for a comprehensive business continuity arrangement....
Read More