Identify – The SECOND Advisories Limited

Misalignment

27th March 202627th March 2026 By cliangNo Comments

Image is generated by CoPilot This happens all the time, not just in cybersecurity domain. A common example is new system development based on business requirements but the delivered system is not usable practically or need many human intervention in the process. There are many contributors: Business requirement is generically spelt out, it is hard to indicate UI/UX in a formal specification precisely The business requirements are not well understood by the system developers, they think from the computer perspectives rather than the process perspectives Business representatives participate in the development do not fully understand current process Test cases lack of real life cases to validate the list goes on … Similarly in cybersecurity, policy maker and execution of the policy will be misaligned if the policy maker does not understand exactly the floor operation. Don't just copy/paste text book knowledge to lay down as policies. If you do, it would be disaster. ...

Protection

11th February 202611th February 2026 By cliangNo Comments

Image is generated by CoPilot In business world, resources are limited and must be best utilized for purpose. How much protection is sufficient, especially in the cyber world? It depends on the severity of the consequence driven from social impact and regulatory compliance. Take network firewall as example. Its purpose is to regulate network traffic to filter unwanted connections. Itis deployed to connect different systems because systems are now no longer standalone. Communications are needed for information exchange while denying unwanted network traffic. The use of protection measure will require considering the TCO (Total Cost of Ownership) in optimizing the resources. This is not just money but also the human efforts to sustain. To name a few of the maintenance overheads: Plan ahead before the component(s) enters into End of Support (EoS) state from OEM Execute procurement to refresh component(s) entering into EoS Coordinate with operation team with outage window for component(s) refresh Manage access credential to the components Perform backup and recovery test of the component configuration Conduct vulnerability...

Obsolescence

26th November 202526th November 2025 By cliangNo Comments

One of the biggest challenges in OT (Operation Technology) system is the technology obsolescence. Here, we are not talking about the machinery part but the controller part. A typical machine (or plant) have 2 major portions: machinery (e.g. motor, valve) and C&I. Nowadays the traditional C&I are replaced by commodity hardware/software because they are readily available from the market. The pain point exists. Technology product lifecycle is shorter than the machinery. Most often, those micro-processor controller enters into end of support state because the OEM of the embedded OS platform, applications will not fix any public known vulnerabilities as they do have support policy to entertain only the latest few versions. From system reliability perspective, support is important but from cyber security perspective, end of support is not the end of the world. As long as the "system" is still running, there is no means to upgrade because of the fear of hypothetical cyber attack. The plant room in the illustration shall host those...

Treat or Trick #2

31st October 202531st October 2025 By cliangNo Comments

I talked about "strengthening human awareness cannot be overlooked". The easiest penetration into a corporate network is via phishing email. To validate workforce awareness and readiness withstanding phishing attacks, organizations start using simulated phishing emails to test who will take the bait: embedded document or hyperlink to track. This is a good motive except other surrounding elements need to be considered. Nowadays, email service provider will mark external emails to draw attention they are coming from outside. There are also emails generated from application for information using SMTP connector which carries the same external marker. Unless the corporate email gateway whitelists these SMTP sources or else workforce will get confused what emails to trust. Mail headers in simulated emails - this will disclose the email is a phishing test exercise for "advanced" or "professional" email users who know how to check the SMTP mail headers. Phishing test results will be affected because real phishing emails do not carry such identification. We should focus more...

Control #4

13th September 2025 By cliangNo Comments

The "Exit" has demonstrated various types of control to secure the physical perimeter while enable a "kill switch" to emergency situation. The door lock acts as preventive control in normal circumstance. Inbound entry to the hall is prohibited by civilians (not stopping armed force). The lock bar can be pushed out to evacuate people in case emergency inside. It must be easily activated. To guard against abuse by malicious actor, CCTV camera is monitoring the scene. However, detective control must be supported by administrative control or else it won't be enforceable. Let's say, putting another notice there to indicate improper use will be subject to fine or imprisonment per bylaw clause so and so. Furthermore, security system is the first target to attack for disabling its surveillance function such that "improper" activities can be conducted without being caught. Altogether, this are the typical people, process, technologies, policies aspects that should be considered in formulating the use case, security and safety. ...

In The Cloud

31st August 2025 By cliangNo Comments

We always hear people telling everything is now in the Cloud. Precisely, this is somehow incorrect. Even though there are IaaS, PaaS, SaaS etc., there are physical equipment on SOMEBODY's premise to serve the client. It is just the client has only a very slim footprint - likely a physical device with web browser connecting to the Internet for all the services (infrastructure, platform, software) required in the Cloud. When we develop written directives, don't be influenced by jargons. We need to have a holistic view to stipulate precise generic while certain situation precise specific rather than putting a case-by-case assessment. This will end up no policy at all. ...

Ice Road

21st June 202521st June 2025 By cliangNo Comments

This is seasonal - only happened a short while during winter time when lake or river is frozen with thickness that can support vehicles riding on it. What is the insight? We face a lot of changes in business environment, make adoption to stay competitiveness while deploying cost-effective protection measures against new threats. Examples are continuous digitization or disruptive technologies that business cannot escape from except cope with these. As standard practice, conduct a comprehensive risk assessment with the right Subject Matter Expert to guide thru the stakeholders to reimagine the new targeting operating model to understand threats and consequence and this decide level of risk acceptance. As always, we have to take risks. Here in the ice road, the risk contributors are the load of the vehicle, vehicle fitness, weather condition at time of crossing and the skillset of the vehicle driver. The prime objective (business outcome) is to stay alive crossing the ice road with the load to reach the destination. ...

Design & Build #3

13th May 2025 By cliangNo Comments

Earlier, I talked about similar. When conducting a comprehensive assessment of a facility, we should not just look at the cyber aspects but also the reliability and safety of the facility. Those exposed pipelines could be essential supply of human nessasities or dischargs of waste. If they are physically damaged (intentionally or unintentionally), these facilities will be disrupted therefore affecting normal live or even life. Physical security is also importantly in protecting the cyber components of facilities. ...

Policies #11

27th April 20258th July 2025 By cliangNo Comments

Policies are rules. They stipulate what are allowed and what not. Good policies must be practically achievable and enforceable, not too strict and not too loose - this is the hard part. Too strict will incur policy exception and too loose will make the policy a decorative statement in the sign board. Writing good cybersecurity policies will require these as foundation: The policy maker must understand the business model, what outcomes to be delivered What are the risk appetite the organization willing to take, after all, there won't be 100% secure business in the world How the requirement shall enable the business securely but not prohibit innovations, we are living in digital transformation era and everything is going inside cyber What are peers or the industry doing, is the bar setting too high or too low That said, don't just apply textbook knowledge but listen to business units what will work and what not. Strike the right balance with 80/20 rule. ...

Bag Tag

31st March 2025 By cliangNo Comments

It is common practice to tag your checked bag or even hand carried bag with a tag. How are you going to fill the info there? In old days, mobile communication device is rare. If you cannot find the bag at baggage claim area, you rely on transportation service provider to contact you and deliver the bag per the stated address even though you report them about lost bag. Therefore, you have to provide the accurate address and contact information. Now, the scenario is reversed. If you cannot find your checked bag, you contact the transportation service provider to locate the lost bag with ticket number assigned at check in and tell them where to send to and how to reach you. Therefore, the bag tag shall only serve an identification means and avoid putting too much privacy information (address, contact number, email) there. In addition, the tag attached to the checked bag has RFiD to track its routing through out the entire...