Technology – The SECOND Advisories Limited

Protocol

24th March 202424th March 2024 By cliangNo Comments

Protocol requires proper data format and valid ranges in different preset fields per design to work properly. Threat actors are trying to manipulate the different fields and data ranges in order to exploit weakness of underlying process to handle the protocol. Just like the illustrated locks. It allow dual admins to unlock it where each admin has own access key. If a "malicious" admin who does not follow the protocol to make the locks in series but putting them in parallel, then access is denied to other admin because unlock will require both keys at the same time. Therefore, when we talk about security, there are lots of considerations: robustness of the process enforceable by strong technology with people acting honestly and all driven by laws & regulations (or organization policies). Protection is beyond encryption, firewall, system hardening. These are evadable.Most said human is the weakess link. Yes, this is still true but we must include factors like Incompetent cybersecurity practitioners providing recommendations without...

Architect

18th January 202418th January 2024 By cliangNo Comments

In physical world, an architect is "a person whose job is to design new buildings and make certain that they are built correctly", Cambridge. If this definition applies to digital world, the system architect is to ensure the system is built correctly per business requirement. Extending to cybersecurity, the cybersecurity architect is to ensure proper protection is incorporated in the digital landscape. Most often, cyber protections are overkilled. I come across an example that USB thumb drive carrying publicly downloaded security patches requires encryption because company policy only allows encrypted drive. On the IT side, there is no issue because patches are downloaded from IT machine with Internet access. But when transferring files to the OT side, it will create issue because decryption will need running special program in the USB "public" drive where OT environment is lock down. Further, the objective of encryption is to protect sensitive information in the USB because contents could be disclosed when lost. If dedicated USB...

Poisoning

6th January 20246th January 2024 By cliangNo Comments

We heard about DNS poisonong, search engine poisoning, ARP poisoning etc. With the rise of AI, data poisonings is evolved. There are 2 types of poisoning: Malicious user to bypass the protection scheme of AI to output what is prohibited for abuse Poison the data model to generate incorrect results to user [The analogy is in the typical web application that malicous user plant bad data and stored in backend database as persistent threat to attack other users due to poor coding.] On top of regulatory and ethical issues, the key to deal with this is to enable secure use of AI by formulating guidance and apply final human judgment. Treat AI output as reference for insights and research only. ...

Network #2

23rd December 202323rd December 2023 By cliangNo Comments

Digitalization needs things connected to deliver the business outcome. Without network, not much or even none can be achieved. And there won't be luxury nor feasible for a point to point dedicated end-to-end communication line. Therefore, the network part is always the focus for cyber risk due to no need to access physically the component and connectivity. But remember, other aspects like physical security, application controls, service provider management are equally important to secure the digital function. ...

Architecture #2

24th November 202324th November 2023 By cliangNo Comments

Parthenon, 447 BC Some cybersecurity practitioners always mention network diagram to have cybersecurity architecture for review and so-called approval. They know just the term and never grasp the real meaning. Cybersecurity architecture is actually the digital landscape having these core elements: network zoning, electronic perimeter control, cyber protection measures. The last one is an organization-wide issue because protection measures are not solely via technical controls which are the last to consider. Not everything can be technically enforced and if it does, it kills business. Enhancing workforce competency especially cybersecurity practitioners who act as internal subject matter expert to provide reputable and credible opinions rather than just slipping words out of their mouth. Situation awareness is another key player in protection measure. The illustrated architecture is an aged structure with and yet it is still standing there. By the same token we should not solely demand refreshing technology obsolescence because it has entered end of support. It needs a holistic...

Tunnel #3

31st August 202331st August 2023 By cliangNo Comments

See thru tunnel TLS is breakable. Similar post is here. This is normally done at the Internet gateway. Anything flowing thru the tunnel will be visible and web surfers don't even know. The major rationales for Deep Packet Inspection are: Organizations impose DLP (Data Leakage Protection) technology Certain regions control the contents Therefore, don't expect privacy even the padlock is displayed in the web browser bar. Either you exercise further content protection before passing out to cloud folder, use VPN or even going extreme using the Dark Web. ...

Infected

26th February 20234th March 2023 By cliangNo Comments

A leaft in a plant is infected. Saving the plant should contain and neutralize the infected from spreading to other peers. Similarly if a computer in a Plant system is compromised, the recovery is to contain, neutralize and rectify it to avoid affecting the neighouring nodes. On a strategic approach, if the ingress/egress points with external systems including removable media are tightly controlled and the O&M activities are strictly following the administrative controls, the likelihood of being compromised if rare to none; even security patching is not in regular fashion. This is the common practice in industrial automation control systems. However, certain cybersecurity practitioners always believe the same maintenance practice including technical controls as if in IT should be adopted. This will definitely consume unnecessary resource and likely break things causing severe damage to the plant. ...

Architecture

11th February 2023 By cliangNo Comments

ICS now totally utilitizes general computing equipment (server, workstatiom, OS, DB, communication) rather than developing own C&I. Therefore, OEM has to test the integration of machineries with these commodities sourced from the market. The industry has already defined the standard architecture how should the different types of components be zoned in the different network segments. Certain cybersecurity practitioners have misused the term architecture review. To be specific, it is the design review how is the design system deviated from the standard architecture, what are the ingress/egress points to the system, what is the worst scenario consequence and the anticipated likelihood to derive the optimal controls. We should not change the approved design by the OEM because they have validated the functionality and usability of the ICS to deliver the outcome. Catching security patches, new software version, adding extra firewall in between or even changing network layer protocol for perceived security could break the ICS. It will then be just like "The operation...

Improper Control #2

24th January 2023 By cliangNo Comments

The detection should be deployed on the "risky" lane at junction Technical control is just one of the security measures. There are much surrounding elements to take care in order to secure. This includes but not limited to: Understand the security objectiveDesign with optimal controlsDeploy with the viable measures (be it technical, administrative or management controls)Verify if controls are deployed per designSustain the effectiveness of the controls Most often, security practitioners are focusing on technical controls with micro management. They forget the bigger picture where the technology stands in the entire business landscape. ...

Stepping Stone #2

18th December 2022 By cliangNo Comments

Jump hosts are typical used for remote access. These are controls: User accounts with multi-factor authenticationTime of day granted to this user accountRuleset to limit destination hosts when landed; and per login userSession monitoring On reasonable ground, some are mandatory while other extra measures depend. In extreme cases, multiple jump hosts are demanded that whether network latency, usability are at doubt. The optimal decision is to balance risk and usability with a hoslistic and objective assessment. Otherwise, it will be overkilled. ...