Information Security

It is the early term in this domain. It covers everything under the sun regarding information.As time goes by, information containers are moving into digital and seldom in hardcopies making it cyber nature and then cybersecurity becomes a fashion and buzzword. We have already replaced fax machine by email or secure electronic communication, carrying thumb drive instead of bundle of hardcopies, balance in stock account replacing the stock certificates. It is true for most of the cases but there are still information in hardcopy forms like birth certificate, marriage certificate, dealth certificate, passport, deed of assignment, legal documents in court etc. Therefore, these are outside the "cyber" sense and we must not forget the necessary protection to secure these kinds of information. The challenge is the "backup" which will require certified true copy issued by authenticated body. Sometimes, you can only have the original copy without backup like passport. Safekeeping the information container in possession is the prime protection. ...
Read More

Policy #10

In an organization, policy affects the culture and work practices. A good policy is practically achievable, acceptable and having buy-in with all levels why they have to follow these directives. In contrast, badly written policies will create conflict, politics and non-compliance because auditors will point out you are not doing the work according to the policies. Even worst in cybersecurity, certain cybersecurity practitioners micro-manage the protection technology down to brand name but no published standard is available. Everything is just in their mind with word slipping out from their mouth as recommendation. We must always bear in mind that cybersecurity is to help running business securely and don't overkill with unnecessary controls. There are lots of threats outside the cyber domains affecting business. The bottom line is to adopt resilience approach for prompt recovery rather than adding protection because you never know the threats outside your knowledge domain. Protections will require overheads to sustain their effectiveness too. ...
Read More

Architecture

ICS now totally utilitizes general computing equipment (server, workstatiom, OS, DB, communication) rather than developing own C&I. Therefore, OEM has to test the integration of machineries with these commodities sourced from the market. The industry has already defined the standard architecture how should the different types of components be zoned in the different network segments. Certain cybersecurity practitioners have misused the term architecture review. To be specific, it is the design review how is the design system deviated from the standard architecture, what are the ingress/egress points to the system, what is the worst scenario consequence and the anticipated likelihood to derive the optimal controls. We should not change the approved design by the OEM because they have validated the functionality and usability of the ICS to deliver the outcome. Catching security patches, new software version, adding extra firewall in between or even changing network layer protocol for perceived security could break the ICS. It will then be just like "The operation...
Read More

Improper Control #2

The detection should be deployed on the "risky" lane at junction Technical control is just one of the security measures. There are much surrounding elements to take care in order to secure. This includes but not limited to: Understand the security objectiveDesign with optimal controlsDeploy with the viable measures (be it technical, administrative or management controls)Verify if controls are deployed per designSustain the effectiveness of the controls Most often, security practitioners are focusing on technical controls with micro management. They forget the bigger picture where the technology stands in the entire business landscape. ...
Read More

Policy Making

For certain job roles of cybersecurity practitioners, policy making is necessary as a foundation in running the business securely to a reasonably degree. While doing so, we must fully understand the business objectives, operating environment and intended business outcomes taking text book knowledge as a reference rather than blindly applying. Where necessary, suitable qualifier or elaboration is required to enhance clarity. Example is personal privacy. The data subject must be a living individual shall have differentiated the situation in real life. Without this, it is impossible and impractical to enforce by replacing all the tombstone around the globe. ...
Read More

Stepping Stone #2

Jump hosts are typical used for remote access. These are controls: User accounts with multi-factor authenticationTime of day granted to this user accountRuleset to limit destination hosts when landed; and per login userSession monitoring On reasonable ground, some are mandatory while other extra measures depend. In extreme cases, multiple jump hosts are demanded that whether network latency, usability are at doubt. The optimal decision is to balance risk and usability with a hoslistic and objective assessment. Otherwise, it will be overkilled. ...
Read More

Physics #2

This is another great example to think deeper to balance cyber and physical world rather than just blindly putting unnecessary investment in cyber protection. There are researchers able to demonstrate remote control of the crane via a Casio watch. Is this scary? Without knowing the exploitation condition, management will be misinformed. We, as security practitioners, must analyze the situation, identify how this can be exploited before provide the correct message. The physical conditions of the crane must also be well under attention. Imagine a loosen bolt / nut, or erected at the improper foundation, incorrect procedure to extend the crane height could all result into the same catastrophic consequence. ...
Read More

Seasonal Factor #2

The Ice Road only opens Jan-Feb Anomalies detection highlights the technology will learn your environment as baseline reference such that "unusual" traffic will be flagged for alert. This will save detection ruleset definition but vendor always stresses short learning time (even just 1 or 2 weeks) to convince deployment for quick win demonstrating ROI. Sometimes, network traffic or application behaviors are seasonal based because of the business operations. Therefore as always, recurring maintenance efforts are required to sustain its effectiveness and don't be influenced by vendor for zero-deployment and zero-maintenance. ...
Read More

Usability

Everything is now undergoing digital transformation residing in the cyber space. Certain cybersecurity practitioners I met are overkilling business operations with cyber protection claiming to stay secure. Take the illustration above, the glass window provides scenery view from the room. If the reinforced steel covers are put on, it could definitely protect the glass window from strong wind during adverse weather. But if this steel covers are closed all the time, this will drive guests away affecting revenue. We need to be pragmatic and accept there are always risks from various domains to the business. And it's impractical to eliminate all risks. If you attempt doing so, it will end up "The operation was successful. The maharaja is dead." ...
Read More

Isolation

By common sense, systems isolated from the network will have immunity from cyber attack over the wire but still be vulnerable to infected removable media upon physical insertion. Just like the boat above. You don't worry about attack from sharks but what about crocodile in shallow water? As cybersecurity practitioner, we must have holistic understanding of the target operating environment, business objective and adverse consequence. We should not simply say my roles look after architecture and other issues need to talk to relevant team mates regarding cyber risks, cyber operations etc. With complete understanding, impose viable (not necessarily technical) controls for high impact consequence by reducing likelihood as much as practical. Don't just follow textbook knowledge - these are for reference only and must be digested what is applicable in own environment for helping asset owners with recommended optimal investment rather than overkill. Adding controls only creates complication and does not guarantee more secure. Indeed, more controls will demand...
Read More