Poisoning

We have heard about DNS poisoning, search engine poisoning, ARP poisoning, etc. With the rise of AI, data poisoning has evolved. There are two types of poisoning: (1) a malicious user bypasses the protection scheme of the AI to make it output what is prohibited, for abuse; (2) the data model is poisoned so that it generates incorrect results for users. [The analogy is the typical web application where a malicious user plants bad data that is stored in the backend database as a persistent threat to attack other users, due to poor coding.] On top of regulatory and ethical issues, the key to dealing with this is to enable secure use of AI by formulating guidance and applying final human judgment. Treat AI output as a reference for insights and research only. ...

Network #2

Digitalization needs things connected to deliver the business outcome. Without a network, not much, or even nothing, can be achieved. And a dedicated point-to-point end-to-end communication line is neither an affordable luxury nor feasible. Therefore, the network part is always the focus of cyber risk, because there is no need to physically access the component and its connectivity. But remember, other aspects like physical security, application controls and service provider management are equally important to secure the digital function. ...

Architecture #2

Parthenon, 447 BC
Some cybersecurity practitioners always ask for a network diagram as the cybersecurity architecture for review and so-called approval. They know just the term and never grasp the real meaning. Cybersecurity architecture is actually the digital landscape with these core elements: network zoning, electronic perimeter control and cyber protection measures. The last one is an organization-wide issue because protection measures are not solely technical controls, which are the last to consider. Not everything can be technically enforced, and if it is, it kills the business. Enhancing workforce competency is one such measure, especially for cybersecurity practitioners, who act as internal subject matter experts and should provide reputable and credible opinions rather than just slipping words out of their mouths. Situational awareness is another key player in protection measures. The illustrated architecture is an aged structure, and yet it is still standing there. By the same token, we should not solely demand refreshing technology because it has become obsolete or entered end of support. It needs a holistic...

Tunnel #3

See thru tunnel
TLS is breakable. A similar post is here. This is normally done at the Internet gateway. Anything flowing through the tunnel will be visible, and web surfers don't even know. The major rationales for Deep Packet Inspection are: (1) organizations impose DLP (Data Leakage Protection) technology; (2) certain regions control the contents. Therefore, don't expect privacy even when the padlock is displayed in the web browser bar. Either apply further content protection before passing data out to a cloud folder, use a VPN, or even go to the extreme of using the Dark Web. ...

Infected

A leaf in a plant is infected. Saving the plant means containing and neutralizing the infection so it does not spread to other parts. Similarly, if a computer in a plant system is compromised, the recovery is to contain, neutralize and rectify it to avoid affecting the neighbouring nodes. On a strategic level, if the ingress/egress points with external systems, including removable media, are tightly controlled and the O&M activities strictly follow the administrative controls, the likelihood of being compromised is rare to none, even if security patching is not done in a regular fashion. This is the common practice in industrial automation control systems. However, certain cybersecurity practitioners always believe that the same maintenance practice, including technical controls, should be adopted as if in IT. This will definitely consume unnecessary resources and likely break things, causing severe damage to the plant. ...

Architecture

ICS now totally utilizes general computing equipment (server, workstation, OS, DB, communication) rather than developing its own C&I. Therefore, the OEM has to test the integration of the machinery with these commodities sourced from the market. The industry has already defined the standard architecture for how the different types of components should be zoned in the different network segments. Certain cybersecurity practitioners have misused the term architecture review. To be specific, it is the design review: how the designed system deviates from the standard architecture, what the ingress/egress points to the system are, and what the worst-case consequence and the anticipated likelihood are, in order to derive the optimal controls. We should not change the design approved by the OEM, because they have validated the functionality and usability of the ICS to deliver the outcome. Catching up on security patches, new software versions, adding an extra firewall in between, or even changing the network layer protocol for perceived security could break the ICS. It will then be just like "The operation...

Improper Control #2

The detection should be deployed on the "risky" lane at the junction
Technical control is just one of the security measures. There are many surrounding elements to take care of in order to be secure. This includes but is not limited to: (1) understand the security objective; (2) design with optimal controls; (3) deploy with the viable measures (be they technical, administrative or management controls); (4) verify that controls are deployed per design; (5) sustain the effectiveness of the controls. Most often, security practitioners focus on technical controls with micro-management. They forget the bigger picture of where the technology stands in the entire business landscape. ...

Stepping Stone #2

Jump hosts are typically used for remote access. These are the controls: (1) user accounts with multi-factor authentication; (2) time of day granted to this user account; (3) a ruleset to limit destination hosts once landed, per login user; (4) session monitoring. On reasonable grounds, some are mandatory while other extra measures depend on the situation. In extreme cases, multiple jump hosts are demanded, such that network latency and usability are in doubt. The optimal decision is to balance risk and usability with a holistic and objective assessment. Otherwise, it will be overkill. ...

Access Control #4

From the technology point of view of a discrete control, opening the bridge will disconnect the traffic across the two sides. Is this barrier secure? It all depends on how the entire protection system is run. The bridge will only block access via that land path. What about access via air or water? By the same token, vulnerabilities in a computer platform or its underlying applications will not pose an immediate cyber threat if it has its own surrounding effective electronic security perimeter. As professional cybersecurity practitioners, we have to provide assurance to management rather than just following textbook knowledge to clear all known vulnerabilities. That is not practical to achieve. ...

Seasonal Factor #2

The Ice Road only opens Jan-Feb
Anomaly detection highlights that the technology will learn your environment as a baseline reference, such that "unusual" traffic will be flagged for alert. This saves detection ruleset definition, but vendors always stress a short learning time (even just 1 or 2 weeks) to convince you to deploy for a quick win demonstrating ROI. Sometimes, network traffic or application behaviors are seasonal because of the business operations. Therefore, as always, recurring maintenance efforts are required to sustain its effectiveness; don't be influenced by vendors promising zero-deployment and zero-maintenance. ...