Policies #3 (From Directive to Enforcement)

By cliangNo Comments
1. Use case Authenticate the user of parking is "Aliens" status, a yes/no decisionGrant usage durationDisclaim loss/damage responsibilities 2. Enforcement If yes: allowIf not: rejectIf violate: consequence 3. Somehow, vulnerabilities exist: Identity provider is compromised Method of authentication is circumventedResult of authentication is manipulatedBarrier to the authorized resource (parking lot) fails and being bypassed without authentication 4. Consequence: False negative: non-alien is mistaken as alien for fraudulent useFalse positive: genuine alien is mistaken as non-alien resulting into denial of service 5. Counter-measure: Protect identity providerSecure communication from end point to identity providerEnsure authentication result integrityConduct periodic system health-checkPerform regular patrol of parking lotPost terms of use and consequence of violation (e.g. tow away at vehicle owner's expense) ...
Read More

Insider

By cliang1 Comment
This is a popular topic in Board Room too.  No matter how much cyber protection technologies are invested and deployed, controls always have insufficient coverage to deal with insider. According to PNNL Predictive Adaptive Classification Model for Analysis and Notification, it involves substantial data sources and derivatives to identify insider threats. This may be possible with big data but after all, who will watch the watcher? Source: PNNL - Predictive Adaptive Classification Model for Analysis and Notification: Internal Threat The line of defence shall be: Preventive controls as barrier (where technology is available and investment is justified)Detective controls as digital evidence (when events are reviewed effectively to identify offender)Administrative controls as management directives (when productive activities have higher preference over prohibitive measures)Corporate disciplinary process or contractual undertaking enforcement for offenderLaws & regulations as the ultimate deterrent ...
Read More

Insecurity

By cliangNo Comments
Road system in physical world is designed for safe (secure) use - sign board, speed limit, road shoulder, proper lane separation. There is occasion insecurity taking place.  There are many contributing factors such as: Adverse weather (low visibility, slippy road, hurricane) Malfunctioned equipment (vehicle) Collateral damage due to other road accidents Body condition of driver, under medical or drug influence Inexperienced or negligence drivers Similar principles apply in cyber world Untrained user or human error Failure to handle exception situation properly Unpatched system components exposing to known vulnerabilities Attack from peers nodes of connected system There is one more contributing factor: if security hasn't been integrated into design and deployment of the target system, it won't be secure....
Read More

Back Door

By cliangNo Comments
Each house has its own perimeter to control entry.  However behind the perimeter, they are mutually accessible at the back end.  Thus, break-in to one house will allow intruder transverse to its neighbor without going thru the neighbor's perimeter. Same attack surface applies in the cyber world.  Therefore, test and live environments must be segregated.  The former is less cyber hygiene because it is subject to broader access by developer or vendor with loose controls....
Read More

The Race

By cliangNo Comments
It's about attack and defense in the cyber space. In early days, breaking login is via password brute force attack to try every combination. Then, password settings are imposed to enforce password complexity, password history, password age, account lock out etc. Rainbow table comes into the scene.  All password combinations are pre-computed into its equivalent hash to match the collected irreversible hash.  Break-in is then fast. Salt and pepper are then added to the password hash as counter-measure to rainbow table. Pass-the-hash will defeat the salts as the authenticated credential is cached in memory.  By installing persistent backdoor and listen to admin login, grab the hash then traverse via the network. So, the race continues.  And no matter how advance the cyber protections are deployed, a negligent user with unattended login session will render all these useless. Therefore, educating user for proper discipline and usage in the cyber space is the number one defense....
Read More

Access Control #2

By cliangNo Comments
Access control is intended to allow only authorized subject to reach the protected resources. A comprehensive assessment including penetration test (network and physical), or Red Team Testing, is necessary to evaluate the effectiveness of the control and identify weaknesses like: Misconfiguration System defaults Normal operations run via high system privileges Unpatched systems or components Inherent back door Staff lack of awareness Phishing victim Unattended equipment Unattended login session Insecure entry points (both network and physical) via brute force ...
Read More

The Past

By cliangNo Comments
Earlier, I talked about network anomaly detection. It is the kind of technology based on the past activities to predict if your network is healthy and normal. Key considerations to evaluate for deployment: The "past" activities must be correctly understood by the technology in the first place as the baseline reference Using a typical life cycle management concept, the algorithm must be intelligent enough to manage the entire suite of new, change, delete use cases of network traffic without too much false negative nor false positive Predict "new" traffic deviated from the baseline with different severity level per intention Whether the algorithm is equipped with deep packet inspection (or even better with machine learning capability) to inspect expected connections with different payload from baseline Report missing traffic from baseline that could be sign of malfunctioned field device(s) to the host or controller Challenges are: Competency and capability of the deployment team to understand your environment Criteria to sign off as project completion from...
Read More

Automation

By cliangNo Comments
Everyday, we rely so much on automation ... be seen or behind the scene: rice cooker, temperature control of air conditioner, TV program recorder, garage entry, escalator, fire alarm system, traffic light, public lighting, vehicle, train, vessel, cargo terminal, electric grid, etc. Are we ready to bear with the failure in any of these automation?  Or how long we can tolerate with degraded service? These are the basis to derive the alternate processing model to resume service though it might not be up to the expected service quality.  Shortening the unplanned outage time or increasing service quality during outage will be materialized into substantial monetary terms. Cybersecurity practitioner can only facilitate the thought process but the ultimate decision is from business - risk taking between optimal or optional investment to meet the business target....
Read More

Tunnel

By cliangNo Comments
"Digital" tunnel is common in the cyber world.  The TLS (Transport Layer Security) technology is widely deployed: email server initial handshaking before start of communication, SSL (Secure Socket Layer, or https) for web browser to web server, VPN (Virtual Private Network) for point to point (or site to site) connection. All these are for the unique purpose - protect the sensitive information submitted thru untrusted network. Two key learning: Don't expect SSL is secure.  Some Internet gateway might have web-proxy in between breaking the SSL connection to intercept SSL for content inspection.  This happens in certain organizations, public free access points or regions with Internet control. Like firearms in the physical world, the usage of encryption (TLS) is a matter of for good or evil purpose: defensive or offensive.  It's the organization policies, laws & regulations to govern the proper usage. ...
Read More