Availability

Typical security objectives of cybersecurity are confidentiality, integrity and availability. It's just how they are prioritized in dealing with different use cases. Confidentiality is per the associated information classification to derive the necessary protection. Integrity protection is to understand consequence thru risk assessment what info entities need to protect. Then what about availability? I saw a cybersecurity practitioner developed security policy by copying textbook definition - simply to ensure information is available at all time. Without a measurement, it is not practically achievable. We have to define information must be available per the service pledge. Then, give certain margin in the service pledge with definition availability excludes planned outage for maintenance, achieving say 99.99% at all time. This is the foundation to establish cost-optimal resilience to achieve the committed target. ...
Read More

Network #2

Digitalization needs things connected to deliver the business outcome. Without network, not much or even none can be achieved. And there won't be luxury nor feasible for a point to point dedicated end-to-end communication line. Therefore, the network part is always the focus for cyber risk due to no need to access physically the component and connectivity. But remember, other aspects like physical security, application controls, service provider management are equally important to secure the digital function. ...
Read More

Enforcement #5

What can and what cannot be practically enforced? Setting up a written directive (policy statement) is easy. But the actual value of a policy statement is to achieve certain purpose in arriving at the desirable consequence. If something cannot be practically accomplished, that is a bad policy. Some cybersecurity practitioners establish policies very strictly hoping to secure the organization business operations. The pitfall is a large gap will be resulted with reality or the current setup. Flexibility must be built to avoid so many non-compliance cases. Non-compliance also affects the corporate governance in the entire organization. The proper approach is to make it incremental strengthening, listen and adopt feedbacks from field users who will tell what works and what absolutely not works. Even if that works, other elements to consider are maximize the investment for best protection and the urgency to do so. Never establish policies based on media, sales pitch nor textbook knowledge. ...
Read More

Policy and Usability #2

For regions driving on the left, driver seat in the vehicle is on the right. If this policy is blindly followed in private venue without reimagine for practicality, it will end up the driver is unable to activate the toll gate, or make this a very complicated task. This can be resolved either at design stage to move the toll gate at the centre position serving both lanes, or simply change the direction of driving in this private venue for cost-effective retrofit. Therefore, competent cybersecurity practitioners must fully understand the business nature of the organization they work for, remove unnecessary controls in the systems to fit practicality or even revise the policy with flexibility making cybersecurity as business enabler. ...
Read More

Container or Content

When installing controls, you have to understand what is the protection objective. Don't just apply textbook knowledge for the sake of having controls. Understand the business environment and the consequence to determine the optimal controls. Sometimes, controls are really unnecessary because the consequence is acceptable by common sense. If you put the wrong focus, the protection doesn't make any sense and wasting valuable resources. Don't just insist for policy compliance because policy could be written incorrectly. Apply your professonal judgment as we are hired to do so. If not, you are neither competent for the job nor having common sense. ...
Read More

Dual Home

Certain cybersecurity practitioners have no knowledge of the implication when writing policy statement even with help from external subject matter experts. A typical example is that host with "dual home" connection must not be allowed. There are some rationales that this network setup will incur cybersecurity risks but only on particular scenarios. It is risky if one network interface card (NIC) lands on trusted zone while the other NIC lands on a "dirty" zone. The host is then acting as a network firewall that might not be robust as a dedicated network firewall device capabilities. But if the host (especially in control systems) needs this setup to be managed by computer management system (e.g. domain controller) in one network while the other network manages the controllers, sensors and the design is certified by the manufacturer, blindly changing this to non-dual home setup will affect the intended operational capabilities. Lesson learned: don't write something that causes your business immediately falling into...
Read More

FUD #2

Things outside your comfort zone or knowledge will generate FUD. There are always news exaggreating cyber risks causing severe consequence to certain organizations. Sometimes cyber threats are even just based on perspection with assumption threat actor has gained complete knowledge or your environment and yet skill to achieve this is very complex. As competent cybersecurity practitioner, we must assess the threat situation, what are controls in place and provide management comfort rather than spending unnecessary resources to protect something that does not harm much. Every business exposes to risks and we cannot eliminate all risks but to prioritize the limited resources to maximize protected values. ...
Read More

Patches

One of the key activities in cybersecurity is to deploy security patches on regular basis. This is intended to upkeep cyber protection strength of the ICT or ICS infrastructure, platform and application. Certain cybersecurity practitioners are just blindly follow text book knowledge to mandate missing patches are policy violation and need to follow exception process. The cyber protection has undergone various strategical changes over the years: from prevention to detection and now resilience because there are a lot of unknowns to make prevention nor detection effective; from physical location centric to context-based because data are everywhere. Bottom line is to apply patches according to the specific business environment via assessing likelihood of exploitation. If the system is isolated from the Internet with strong physical access control and removable media control, there is no urgency to deploy so-called zero-day vulnerability patch. Follow the now, next or never philosophy because some patches are not even needed like the log4j that has been over-amplified to incur...
Read More

Consequence

Certain cybersecurity practitioners are obsessive on technical controls. They overlook the consequence due to cyber or other non-cyber causes will be the same. Let's look at the illustration. Supposed if the truck has insecure network connection. It might be controlled remotely by threat actors. The adverse consequence might cause the truck hit any target or spill off the load. The same adverse consequence could be due to faults in the brake, fatigue of the chain, improper driving attitude … So, there should be a balance of cyber protection rather than creating many unnecessary technical controls to overkill the usage. More controls means more complex and more human errors will be resulted. ...
Read More

Information Security

It is the early term in this domain. It covers everything under the sun regarding information.As time goes by, information containers are moving into digital and seldom in hardcopies making it cyber nature and then cybersecurity becomes a fashion and buzzword. We have already replaced fax machine by email or secure electronic communication, carrying thumb drive instead of bundle of hardcopies, balance in stock account replacing the stock certificates. It is true for most of the cases but there are still information in hardcopy forms like birth certificate, marriage certificate, dealth certificate, passport, deed of assignment, legal documents in court etc. Therefore, these are outside the "cyber" sense and we must not forget the necessary protection to secure these kinds of information. The challenge is the "backup" which will require certified true copy issued by authenticated body. Sometimes, you can only have the original copy without backup like passport. Safekeeping the information container in possession is the prime protection. ...
Read More