Vulnerability Management

By cliangNo Comments
This is always a debating topic during audit or security assessment. Auditor: your control system lacks of the latest security patches installed and vulnerable to cyber attack Asset owner: security patches must be certified by OEM or else OEM will not be responsible for failure or damages due to non-certified changes made to the control system Whether patches are up to date isn't the key issue.  The bottom line is to understand if there is repeatable mechanism to manage security vulnerabilities.  After all, having all latest patches deployed doesn't mean the control system is secure while any missing patches doesn't mean control system is immediately at risk. The motto from VX Heaven gives a good inspiration: "Viruses don't harm, ignorance does!"...
Read More

The Forgotten Place

By cliang3 Comments
Most of the time, tight technical controls are deployed at infrastructure, network, platform, application or end points to address cybersecurity. A "misbehaved" device will ruin all these efforts.  Perhaps a written hard copy disclaimer should be posted at the bottom of the display to indicate the information or service is provided as-is, and disclaim responsibilities arising from any consequential or collateral damages due to information error or service interruption.  A comprehensive risk assessment should have picked up this....
Read More

Residual Risk

By cliangNo Comments
When deploying protection or counter-measure, it is necessary to understand If new risks are introduced? Will these new risks even exceed the consequence of do nothing? An example is DLP (Data Leakage Protection, not Prevention).  It requires "super" privileges to access every resource being monitored to alert sensitive information being shared improperly.  Even though this might be a system account, mis-configuration or process weakness could exploit the DLP to leak more sensitive information to unintended recipient....
Read More

Incident Respond

By cliangNo Comments
Organizations usually invest substantially to manage and mitigate cyber attack with the detection technologies like log correlation and SOC (Security Operation Center) establishment plus comprehensive process of detailed respond to cyber threat scenarios with surprised drills etc. Not doubt, this will uplift the organization capacity and demonstrate due diligence has been exercised to deal with cyber attacks to stakeholders. On the other hand, cyber is just one of the failure or attack scenarios.  Like fire incident, it might be due to human negligence (left burning cigarette unattended), natural disaster (strike by lightning) or cyber attack (S01E04 Fire Code - vulnerable printer firmware).  No matter how, isolation to contain threat and promptly recovery to resume are required whether cyber or not. Resource (both skill set and manpower) in real life is always limited and should be put on recovery then drive from this end what is required for service resumption meeting recovery time objective.  And don't forget the TCO (Total Cost Ownership) involved to sustain...
Read More

Cryptography

By cliangNo Comments
Example in real world for cyber world. There are 2 salient points in cryptography: Algorithm (or how it works) is publicly known, source codes are even published (mechanism of the combination lock is known) Key is secret, this is the only way to access the cipher text (the combination code you have chosen to unlock) Therefore, never invent your own crypto algorithm no matter how much obfuscation you have made in the codes.  It is just security through obscurity. Of course, even a recognized (or certified) crypto will be subject to attack (online or offline) due to technology advancement over time.  Essentially, counter-measures are to increase the time attacker needs to get thru: regular password change, complex password, 2FA, adding salt and pepper in the stored hash etc....
Read More

Misplaced Control

By cliangNo Comments
Security technologies are secure but if deployed incorrectly, the intended protection will be in vain. It is necessary to have a design review and configuration check to minimize this type of issue.  Preferably, this should be done by 3rd party for independence as well as from fresh eyes. Of course, a reasonable scope of coverage has to be defined.  That's why security accreditation is at component level (e.g. encryption module) to set the boundary because how it is deployed has many variables....
Read More