Clock

By cliangNo Comments
Clock displays time of day.  Time is invisible and exists virtually.  Everyone of us has the same amount of time, no matter you're rich or not.  You can't save up time for later use, borrow time from others, nor go back in time. Everything in this universe is influenced by time - living individual getting aged, machines getting wear and tear, cutoff point in trading like stock, FX or bidding, project deadline, return of investment, interests etc.  Time is also regarded as the 4th dimension. In cyber world, time has its own unique characteristics.  In central computing like mainframe, time signal orchestrates tasks coordination across components - data fetched from storage via data bus to processor for manipulation then sent to next destination.  In decentralized computing with networked computers, time stamps the sequence of system events for trouble shooting and digital forensic. It is therefore important to maintain the clock synchronization in the network.  There are various considerations: Clock source: National lab, or...
Read More

Tracking

By cliangNo Comments
In cyber world, logging is fundamental to track electronic activities for problem shooting or digital forensics. With device proliferation especially in the IoT domain, substantial logging volume is generated making log review a hard time. The SIEM (Security Information Event Management) technology has surfaced to relax this tedious task.  It consolidates and associates event logs and picks out "interesting" scenarios for automated action or human alert. The challenges are: What types (or level, e.g. brief, detail, info, warning, critical) of logging are available and required: platform, infrastructure, application ... Context of log data: time of day, time zone, IP address, user identities, machine names, machine address ... How to ships the logs from different network zones to the central SIEM without breaking network zoning Clock source to sync across all these network zones Algorithm of event correlation (human define or machine learning) Criteria to automate alert with confidence (false negative or false positive will ruin the trust) Most importantly, logging must comply with...
Read More

Aurora

By cliangNo Comments
In physical world, it is beautiful scenery.  In cyber world, Aurora vulnerability refers cyber attack resulting into damage of physical components (the generator) in the electric grid. When the threat actor is able to reach the control network, repeatedly sending command for rapidly open and close a generator's circuit breakers out of phase will cause it explode. For such critical asset with severe consequence when failed, necessary cybersecurity controls shall include but not limited to these measures: Incorporate security at design stage Isolate automation components from external connections Zone components within control system network Apply least privilege principle Control physical access to critical asset Conduct regular cyber maintenance (protection updates Validate incident detection and respond readiness Equip support personnel skill set Execute periodic assessment for assurance Refresh end of life components Manage insider threat ...
Read More

Grade of Protection #2

By cliangNo Comments
Certain hotels provide safe for customers storing valuables during their stay. It is somewhat physically robust from brute force opening the door.  The door is locked with customer chosen numeric digits each time when closing.  This code will then be used to open the safe.  There are lots of articles shared in the Internet how to bypass the codes to open the safe door. In summary, lessons learned from these articles are: Improper configuration (default master access code unchanged) Lack of physical protection (because it is accessible semi-public to explore tampering opportunity; drop at a moderate height will open the door after flipping the lock handle several times) Likely come with factory console port as backdoor but intention is for good purpose to help customer unlock safe due to forgotten code The safe there is better than none but customer should be advised to use at own risk.  The latter clause shall be posted in conjunction with the safe usage instructions to disclaim...
Read More

Resilience

By cliangNo Comments
How much resilience is sufficient: single, dual, triple, quadruple or more? You need to understand what is the consequence of system component failure to the committed service per agreement. It is the kind of balancing risk for optimal investment.  Even if there is penalty clause for breaching the committed service level, the amount paid out might be much less than the TCO (Total Cost of Ownership) of investing a robust infrastructure and the recurring running cost. Nevertheless, intangible loss like brand name or reputation damage need to be considered....
Read More

Perimeter

By cliangNo Comments
The key difference between physical and cyber perimeters is visibility. To augment physical perimeter limitations, surveillance cameras (probably with video analytic to detect intruder) and guard patrol are required. For cyber perimeter, threat actors need to understand what are behind the Internet-facing entry point (web, remote login etc.) in order to reach the internal cyber assets.  Their first step is to conduct reconnaissance.  See Lockheed Martin, the Cyber Kill Chain® framework. Organizations nowadays must have a web presence in doing business.  The hard part is to minimize the cyber footprint.  It's a matter how well the Internet-facing entry points are configured per best practices (least privileges, exclusion from search engine, scrutinize data input, enforce server-side logic etc.) and sustaining the protection (security patches, version upgrade, hot fixes etc.).  Further, regular validation via black box, white box penetration tests are necessary for assurance....
Read More

Access Control

By cliangNo Comments
In physical world, access control is done by certain barrier that this barrier will be disabled for entry by authenticated individual. The same applies in cyber world. Access control in both worlds are to manage "honest" users but not malicious users intentionally bypassing the barrier(s).  The laws & regulations are the last resort to stop offenders....
Read More

FUD

By cliangNo Comments
Fear, Uncertainty, Doubt (FUD) is the tactic vendors are trying to sell you their cybersecurity solution. Typically, this is done via several stages: Share damages for cyber incidents in the public like substantial fines by the Court or huge claims from customers, loss in reputation, drop in stock price, revenue loss due to business operation interruption plus other fees like investigation, containment and recovery How your other peers are doing Market share and strength of their solution from  independent analyst's ranking How their solution is able to help and protect you Certainly, having cybersecurity protection deployed is better than none but what you need to know: Limitation of the solution as there is no bullet proof protection technology Total Cost of Ownership (TCO) to operate including competent skill set and extra resources Understand how effective the protection to limit the risks and threat actors that the organization is facing because each organization has its own business priority, people and culture issues Most importantly,...
Read More

Black List, White List, Sandbox

By cliangNo Comments
Malware is the key attack act in the cyber space. Black list is used in anti-malware protection, anti-spam or web site filters for blocking the bad.  This will require frequent update of the black list definition because new species will evade the filter.  Then we don't know what we don't know. To nail down to the scenario we know what we know, white list defines trusted components or connection and permits their execution.  Examples are application white listing technology or firewall rules. So, what about something in between?  This is because either white list or black list demands regular definition update for effective protection.  Sandbox technology provides an isolated environment to execute and observe behaviors of codes to determine if hostile or not. The ideal solution is a combination of these technologies for best defense.  Of course, this is still not 100% guaranteed to be cyber secure....
Read More

Grade of Protection

By cliangNo Comments
When we deploy protection, normally it might be of civilian grade even it appears harder to break in.  If attack is originated from state-level as a targeted attack, such civilian grade countermeasure won't be effective. That is why a 360 degree assessment is needed to decide threat actors, likelihood, consequence and then the corresponding countermeasures....
Read More