Identify – Page 11 – The SECOND Advisories Limited

Insider

18th December 201817th June 2021 By cliang1 Comment

This is a popular topic in Board Room too. No matter how much cyber protection technologies are invested and deployed, controls always have insufficient coverage to deal with insider. According to PNNL Predictive Adaptive Classification Model for Analysis and Notification, it involves substantial data sources and derivatives to identify insider threats. This may be possible with big data but after all, who will watch the watcher? Source: PNNL - Predictive Adaptive Classification Model for Analysis and Notification: Internal Threat The line of defence shall be: Preventive controls as barrier (where technology is available and investment is justified)Detective controls as digital evidence (when events are reviewed effectively to identify offender)Administrative controls as management directives (when productive activities have higher preference over prohibitive measures)Corporate disciplinary process or contractual undertaking enforcement for offenderLaws & regulations as the ultimate deterrent ...

Cyber Citizen

6th December 201810th December 2018 By cliangNo Comments

We are really living in the cyber era. From early childhood, kids will touch on device, get connected or even act in the cyber world. Like physical world, the parents (or school) must educate the good practices in the cyber world, just like to understand and observe the road protocols. The aim is to avoid getting hurt by careless road users - whether the careless road users are others or self....

Tagging

3rd December 2018 By cliangNo Comments

Tag or label is an important aspect to document cyber assets like hardware components or cabling. This is not an one-off exercise. Assets are subject to replacement due to fault, addition because of new system functionalities or removal upon decommissioning. It is therefore necessary to maintain an accurate asset inventory with consistent labeling scheme. This asset inventory will not only help to locate faulty component for problem shooting or to isolate compromised component but also reflects the correct position of asset value in the company books....

Access Control #2

30th November 2018 By cliangNo Comments

Access control is intended to allow only authorized subject to reach the protected resources. A comprehensive assessment including penetration test (network and physical), or Red Team Testing, is necessary to evaluate the effectiveness of the control and identify weaknesses like: Misconfiguration System defaults Normal operations run via high system privileges Unpatched systems or components Inherent back door Staff lack of awareness Phishing victim Unattended equipment Unattended login session Insecure entry points (both network and physical) via brute force ...

Governance

20th November 201820th November 2018 By cliangNo Comments

Last article, I talked about PPTP. With organization policies formally established, the next is the governance to make it work. Otherwise, policies are just slogan in the air. The governance must be driven by the governing body (usually the senior management in the organization) that includes but not limited to: Mandate cybersecurity directives (policies) for enforceable, repeatable and achievable business process Approve risk acceptance for deviation from these established policies Stipulate strategic decision to ensure business outcomes align with organization business objectives like digital transformation, Recovery Time Objective (RTO), recovery priority, funding The hard part is the the governing body needs to determine the right path for the organization rather than distracted by sales pitches or FUD exaggerated by the media....

PPT, PPTP

18th November 201819th November 2018 By cliang1 Comment

People, Process and Technology (PPT) are always referred as the foundation in the cybersecurity community. Yes, they are. But without establishing formal organization policies to drive, many pitfalls will be envisaged Misalignment among business units Misinterpreted context of the policies Lack of management support for continuous improvement Insufficient skill set in the workforce Therefore, a more precise model PPTP (People, Process, Technology, Policies) deems suitable. Without the last P, it's like a chair with broken leg that will fall (fail)....

Crowdsourcing

6th November 2018 By cliangNo Comments

Landlord: "Tell me your monthly sales amount." Tenant: "No way, this is confidential business information." With a little trick, such confidential information can be collected. Giving certain incentive, customers will queue up and surrender the sales receipts to the concierge of the mall. Free parking is one of the incentive models. For in-mall spending over certain amount, concierge validates the parking ticket and captures the receipt details. But this is less granular because not every customer comes to the mall with own vehicle. A more advanced model is to establish royalty membership to earn points per the spending amount in the mall. This is still not accurate because not every customer will join the royalty scheme but more granular than the free parking model. Then, confidential sales information could be captured from the crowd for analytics....

Boundary

29th October 2018 By cliangNo Comments

Typically, the boundary defines a clear demarcation of accountability in the case of ICT or ICS system landscape. It also confines the work scope in any professional engagement activities to ease managing the work product expectation. However, as a cybersecurity practitioner, we must look further beyond to strike for a holistic view in order not to miss out any inherent threats. It's just a matter of fact how far and how detail we are comfortable to go beyond, or simply include a scope statement for the "limited vision"....

Design & Build

23rd October 2018 By cliangNo Comments

Secure by design of ICS (Industrial Control System) is just part of the ICS life cycle. If design is insecure, retrofit sometimes is not possible and need to rebuild from scratch again. Next is the ongoing sustainability of the cybersecurity because the ICS is only secure at that particular point in time of commissioning. Addressing new vulnerabilities and continuous strengthening are required to keep staying cyber secure. Of course, identify the business outcomes and acceptable risks then translate into ICS cybersecurity requirements in the procurement specification is the very first step....

FUD

21st October 201821st October 2018 By cliangNo Comments

Fear, Uncertainty, Doubt (FUD) is the tactic vendors are trying to sell you their cybersecurity solution. Typically, this is done via several stages: Share damages for cyber incidents in the public like substantial fines by the Court or huge claims from customers, loss in reputation, drop in stock price, revenue loss due to business operation interruption plus other fees like investigation, containment and recovery How your other peers are doing Market share and strength of their solution from independent analyst's ranking How their solution is able to help and protect you Certainly, having cybersecurity protection deployed is better than none but what you need to know: Limitation of the solution as there is no bullet proof protection technology Total Cost of Ownership (TCO) to operate including competent skill set and extra resources Understand how effective the protection to limit the risks and threat actors that the organization is facing because each organization has its own business priority, people and culture issues Most importantly,...