Security By Trust

In physical world, we trust this glass roof is safe and secure to walk on because there are underlying processes to sustain its safety: Regular inspection and maintenance Regulatory requirement for license issue and renewal 3rd party insurance etc. In addition in building this infrastructure, the design will cater for the intended loading with safety margin, wind speed, anchor points stability plus build it per engineering standard to ascertain the quality. We will therefore have no doubt and trust these arrangements are in place and safely step on it. In cyber world, things are different. There might be cybersecurity standards as foundation but the design and build will require competent practitioners. Even there is comprehensive verification tests before commissioning, there are always new cyber threats requiring recurring effort to sustain the protection effectiveness. Deception to lurk victim into malicious web site to compromise the device or application will further complicate the situation. Then, how do we stay secure in the cyber world? It's a very...
Read More

Time

Time is an interesting phenomenon. It dominates everything both in physical and cyber worlds. All living individual or objects are under influence of time: getting aged. All data traffic are regulated with time as base reference for synchronization and handshaking. Everyone has equal amount of time. Time cannot be borrowed nor saved for later use. Time is abstract that cannot be touched nor felt its existence. That said, how do we deal with time? This is really use case based. In time-sensitive action, time is kept down to micro or nano second. Examples are stock trading transaction and racing. In certain case, "coarse" time reference may be used like the illustration that hour indication is sufficient - morning, afternoon, evening or night time. It all depends how time reference is deployed in the use case, and how time measurement is secure to maintain integrity. Inevitably, a comprehensive risk assessment (not just cyber but the business as a whole) is required to understanding risk...
Read More

Label

Label is commonly seen and required to identify things especially in cables. Without proper identification, it will be tedious in trouble-shooting. There is always debates on label. On one hand, it eases operation and maintenance tasks but on the dark side, it exposes the usage of the marked item. A mitigation is to assign label ID and mark this is the drawing. This requires resources to sustain the documentation when changes occur and regular inventory check to validate the marking is still correct. For the illustration, it has certain pitfall for insights. It exposes the location is for military purpose, a target for threat actor to penetrate or attack. "No trespassing" is unlikely enforceable especially during political conflict time. Ultimately, this requires the holistic assessment to balance the signage, back-end enforcement mechanism and cater for unexpected scenarios. All these are the attributes of writing a good policy that can be practically achieved. That said, don't just copy textbook knowledge and apply to your organization cybersecurity...
Read More

Fault Detection

When using technology, usually there is inherent trust that the outcome is correct because it has been tested before going to market. With competition, time-to-market is squeezed. We have seen examples of vehicle recall for fixing certain faults. Even worst, other factors like insufficient training, lack of comprehensive operation instruction could cause tragedy or fatality. In the illustration, GPS infrastructure is proven but the map data might not be updated or the software to map the GPS signal to the location could have fault. A dual GPSs could mitigate an incorrect navigation if the impact due to incorrect route is significant. That said, the entire principle gets back to risk management - what measures can be controlled to reduce likelihood and what does not. ...
Read More

Trust #5

For free Internet kiosk like this, will you use? In old days when device is rare for Internet ready and Internet access isn't anywhere, yes, facility like this is welcome. Even at that era, use it with caution and for general web browsing (e.g. searching for information rather than login to web portal like bank account) because your sensitive information might be captured and stored elsewhere behind the scene. With cell phone and data plan generally affordable, such facility will be phased out like public paid phone. That's the expected consequence of technology innovation and advancement. It's just a matter of time when these facilities will be decommissioned. ...
Read More

Clarity

Policies must be written precisely. That said, clarity is essential or otherwise it will create dispute, confusion in policy enforcement, audit exercise. The illustration has different interpretations: Apartment solely for retired government officials Government managed apartment for senior citizen If this appears in policy statement, it is not ideal. ...
Read More

Availability

Typical security objectives of cybersecurity are confidentiality, integrity and availability. It's just how they are prioritized in dealing with different use cases. Confidentiality is per the associated information classification to derive the necessary protection. Integrity protection is to understand consequence thru risk assessment what info entities need to protect. Then what about availability? I saw a cybersecurity practitioner developed security policy by copying textbook definition - simply to ensure information is available at all time. Without a measurement, it is not practically achievable. We have to define information must be available per the service pledge. Then, give certain margin in the service pledge with definition availability excludes planned outage for maintenance, achieving say 99.99% at all time. This is the foundation to establish cost-optimal resilience to achieve the committed target. ...
Read More

Network #2

Digitalization needs things connected to deliver the business outcome. Without network, not much or even none can be achieved. And there won't be luxury nor feasible for a point to point dedicated end-to-end communication line. Therefore, the network part is always the focus for cyber risk due to no need to access physically the component and connectivity. But remember, other aspects like physical security, application controls, service provider management are equally important to secure the digital function. ...
Read More

Enforcement #5

What can and what cannot be practically enforced? Setting up a written directive (policy statement) is easy. But the actual value of a policy statement is to achieve certain purpose in arriving at the desirable consequence. If something cannot be practically accomplished, that is a bad policy. Some cybersecurity practitioners establish policies very strictly hoping to secure the organization business operations. The pitfall is a large gap will be resulted with reality or the current setup. Flexibility must be built to avoid so many non-compliance cases. Non-compliance also affects the corporate governance in the entire organization. The proper approach is to make it incremental strengthening, listen and adopt feedbacks from field users who will tell what works and what absolutely not works. Even if that works, other elements to consider are maximize the investment for best protection and the urgency to do so. Never establish policies based on media, sales pitch nor textbook knowledge. ...
Read More

Policy and Usability #2

For regions driving on the left, driver seat in the vehicle is on the right. If this policy is blindly followed in private venue without reimagine for practicality, it will end up the driver is unable to activate the toll gate, or make this a very complicated task. This can be resolved either at design stage to move the toll gate at the centre position serving both lanes, or simply change the direction of driving in this private venue for cost-effective retrofit. Therefore, competent cybersecurity practitioners must fully understand the business nature of the organization they work for, remove unnecessary controls in the systems to fit practicality or even revise the policy with flexibility making cybersecurity as business enabler. ...
Read More