Big Picture

By cliangNo Comments
Common pitfalls in conducting risk assessment are Controls in place are not explicitly stated as assumptionLack of big picture A holistic view on the target of evaluation (ToE) as well as its surrounding is vital. We should not just look at the ToE only. We need to think and assess Risks due to compromised components around ToESimilarly risks affecting them due to insecure ToE ...
Read More

Policies #3 (From Directive to Enforcement)

By cliangNo Comments
1. Use case Authenticate the user of parking is "Aliens" status, a yes/no decisionGrant usage durationDisclaim loss/damage responsibilities 2. Enforcement If yes: allowIf not: rejectIf violate: consequence 3. Somehow, vulnerabilities exist: Identity provider is compromised Method of authentication is circumventedResult of authentication is manipulatedBarrier to the authorized resource (parking lot) fails and being bypassed without authentication 4. Consequence: False negative: non-alien is mistaken as alien for fraudulent useFalse positive: genuine alien is mistaken as non-alien resulting into denial of service 5. Counter-measure: Protect identity providerSecure communication from end point to identity providerEnsure authentication result integrityConduct periodic system health-checkPerform regular patrol of parking lotPost terms of use and consequence of violation (e.g. tow away at vehicle owner's expense) ...
Read More

Foundation

By cliangNo Comments
Proper cybersecurity in an organization must have a foundation. The effective approach is driven from the top to mandate integration of cybersecurity in the business process. This is in the form of Policies and enforced via corporate governance. Underneath the policies, various domains in risk management, policies exceptions, technology standardization, secure architecture, secure system deployment, procurement specification, incident respond, recovery, business continuity and workforce development are the pillars. Without a sound foundation, the object in the air will fall, just a matter of when. ...
Read More

Insider

By cliang1 Comment
This is a popular topic in Board Room too.  No matter how much cyber protection technologies are invested and deployed, controls always have insufficient coverage to deal with insider. According to PNNL Predictive Adaptive Classification Model for Analysis and Notification, it involves substantial data sources and derivatives to identify insider threats. This may be possible with big data but after all, who will watch the watcher? Source: PNNL - Predictive Adaptive Classification Model for Analysis and Notification: Internal Threat The line of defence shall be: Preventive controls as barrier (where technology is available and investment is justified)Detective controls as digital evidence (when events are reviewed effectively to identify offender)Administrative controls as management directives (when productive activities have higher preference over prohibitive measures)Corporate disciplinary process or contractual undertaking enforcement for offenderLaws & regulations as the ultimate deterrent ...
Read More

Cyber Citizen

By cliangNo Comments
We are really living in the cyber era.  From early childhood, kids will touch on device, get connected or even act in the cyber world. Like physical world, the parents (or school) must educate the good practices in the cyber world, just like to understand and observe the road protocols.  The aim is to avoid getting hurt by careless road users - whether the careless road users are others or self....
Read More

Tagging

By cliangNo Comments
Tag or label is an important aspect to document cyber assets like hardware components or cabling. This is not an one-off exercise.  Assets are subject to replacement due to fault, addition because of new system functionalities or removal upon decommissioning.  It is therefore necessary to maintain an accurate asset inventory with consistent labeling scheme. This asset inventory will not only help to locate faulty component for problem shooting or to isolate compromised component but also reflects the correct position of asset value in the company books....
Read More

Access Control #2

By cliangNo Comments
Access control is intended to allow only authorized subject to reach the protected resources. A comprehensive assessment including penetration test (network and physical), or Red Team Testing, is necessary to evaluate the effectiveness of the control and identify weaknesses like: Misconfiguration System defaults Normal operations run via high system privileges Unpatched systems or components Inherent back door Staff lack of awareness Phishing victim Unattended equipment Unattended login session Insecure entry points (both network and physical) via brute force ...
Read More

Governance

By cliangNo Comments
Last article, I talked about PPTP.  With organization policies formally established, the next is the governance to make it work.  Otherwise, policies are just slogan in the air. The governance must be driven by the governing body (usually the senior management in the organization) that includes but not limited to: Mandate cybersecurity directives (policies) for enforceable, repeatable and achievable business process Approve risk acceptance for deviation from these established policies Stipulate strategic decision to ensure business outcomes align with organization business objectives like digital transformation, Recovery Time Objective (RTO), recovery priority, funding The hard part is the the governing body needs to determine the right path for the organization rather than distracted by sales pitches or FUD exaggerated by the media....
Read More

PPT, PPTP

By cliang1 Comment
People, Process and Technology (PPT) are always referred as the foundation in the cybersecurity community. Yes, they are. But without establishing formal organization policies to drive, many pitfalls will be envisaged Misalignment among business units Misinterpreted context of the policies Lack of management support for continuous improvement Insufficient skill set in the workforce Therefore, a more precise model PPTP (People, Process, Technology, Policies) deems suitable.  Without the last P, it's like a chair with broken leg that will fall (fail)....
Read More

Crowdsourcing

By cliangNo Comments
Landlord: "Tell me your monthly sales amount." Tenant: "No way, this is confidential business information." With a little trick, such confidential information can be collected. Giving certain incentive, customers will queue up and surrender the sales receipts to the concierge of the mall. Free parking is one of the incentive models.  For in-mall spending over certain amount, concierge validates the parking ticket and captures the receipt details.  But this is less granular because not every customer comes to the mall with own vehicle. A more advanced model is to establish royalty membership to earn points per the spending amount in the mall.  This is still not accurate because not every customer will join the royalty scheme but more granular than the free parking model. Then, confidential sales information could be captured from the crowd for analytics....
Read More