The Forgotten Place #3
Continuation of this....
The Forgotten Place #2
Continuation of this....
The Forgotten Place
Most of the time, tight technical controls are deployed at infrastructure, network, platform, application or end points to address cybersecurity.
A "misbehaved" device will ruin all these efforts. Perhaps a written hard copy disclaimer should be posted at the bottom of the display to indicate the information or service is provided as-is, and disclaim responsibilities arising from any consequential or collateral damages due to information error or service interruption. A comprehensive risk assessment should have picked up this....
Residual Risk
When deploying protection or counter-measure, it is necessary to understand
If new risks are introduced?
Will these new risks even exceed the consequence of do nothing?
An example is DLP (Data Leakage Protection, not Prevention). It requires "super" privileges to access every resource being monitored to alert sensitive information being shared improperly. Even though this might be a system account, mis-configuration or process weakness could exploit the DLP to leak more sensitive information to unintended recipient....
Insecure Node
Due to connectivity, an insecure component will no longer just harm itself but other components in the ecosystem as well. Therefore, any cyber asset must be secure....
Incident Respond
Organizations usually invest substantially to manage and mitigate cyber attack with the detection technologies like log correlation and SOC (Security Operation Center) establishment plus comprehensive process of detailed respond to cyber threat scenarios with surprised drills etc.
Not doubt, this will uplift the organization capacity and demonstrate due diligence has been exercised to deal with cyber attacks to stakeholders.
On the other hand, cyber is just one of the failure or attack scenarios. Like fire incident, it might be due to human negligence (left burning cigarette unattended), natural disaster (strike by lightning) or cyber attack (S01E04 Fire Code - vulnerable printer firmware). No matter how, isolation to contain threat and promptly recovery to resume are required whether cyber or not.
Resource (both skill set and manpower) in real life is always limited and should be put on recovery then drive from this end what is required for service resumption meeting recovery time objective. And don't forget the TCO (Total Cost Ownership) involved to sustain...
Cryptography
Example in real world for cyber world.
There are 2 salient points in cryptography:
Algorithm (or how it works) is publicly known, source codes are even published (mechanism of the combination lock is known)
Key is secret, this is the only way to access the cipher text (the combination code you have chosen to unlock)
Therefore, never invent your own crypto algorithm no matter how much obfuscation you have made in the codes. It is just security through obscurity.
Of course, even a recognized (or certified) crypto will be subject to attack (online or offline) due to technology advancement over time. Essentially, counter-measures are to increase the time attacker needs to get thru: regular password change, complex password, 2FA, adding salt and pepper in the stored hash etc....
Misplaced Control
Security technologies are secure but if deployed incorrectly, the intended protection will be in vain.
It is necessary to have a design review and configuration check to minimize this type of issue. Preferably, this should be done by 3rd party for independence as well as from fresh eyes.
Of course, a reasonable scope of coverage has to be defined. That's why security accreditation is at component level (e.g. encryption module) to set the boundary because how it is deployed has many variables....
USB Port Misconception
Most often, people said blocking USB port is a control in the company but somehow there is exception process to "authorize" company USB storage device to connect due to business reason.
Two mistakes:
1. USB ports are standard I/O interface now. There are different needs like keyboard, mouse, IP phone device using USB connection. They cannot be blocked as a blanket directive. The proper way to say is to manage removable media.
2. The protection objective is not clear. What is this technical control for:
Limit importing malware
Limit data leakage
Something else
With an "authorized" company USB storage device, it will be in vain for any of these cases as long as that company device is shared with other non-company computers. This is totally outside technical control.
The reality is that file exchange is always legitimate business needs. Providing a means to facilitate secure file exchange will eliminate the use of removable media as well as getting user buy-in.
The ultimate control relies on management...
Cyber Risk Likelihood #2
In physical world, public touch points are not hygiene. The more people touch it, the more "dirty" it will be.
In cyber world, if a network node has exposured as a public touch point, e.g. accessible elsewhere in the internet, it will become more vulnerable and cyber attack is highly increased.
The "distance" to access the network node will influence the cyber risk likelihood rather than prediction based on historical occurrence. The different layers of protection in between will reduce this cyber risk likelihood.
Last but not least, don't forget to secure the physical access path....