Cybersecurity Transformation

By cliangNo Comments
To be successful in cybersecurity transformation, each one in the organization shall contribute as the baseline. Culture or politic in certain organizations prohibits; and this is not just applied to cybersecurity. If you SEE something need improvement and TALK about it with your boss, you'll become the issue owner to handle the resolution.  This drives the culture of don't see and don't talk.  Top  executives don't HEAR things that potentially affects the organization. The essential success factors in the transformation journey include but not limited to: Senior management buy-in Provide necessary support for sustainability (not just a slogan in the air but actually allocate dedicated resources and invest in human capital) Top-down approach to drive end result with metrics Staff own passion adaptive to the changing business environment Once the people barrier is break-thru, other process issues will then go well....
Read More

Assumption

By cliangNo Comments
Risk assessment is part of the risk management process to identify exposure, likelihood and business risks so that the necessary protection measures could minimize the impact. The tricky thing is most often controls are implicitly assumed, e.g. the access control to the target application relies on the robustness of the Identity Provider enforcing the defined roles & privileges, the effectiveness of anti-malware protection relies on the backend process to refresh for up-to-date definition, the platform and system applications are regularly hardened from known vulnerabilities, network perimeter controls are defined correctly and so on. Therefore, it is important to align and set the scene what key assumptions are referred in the very first step before assessing risks. If any of these is incorrect, then the exposure will be under-estimated and so for the residual risks....
Read More

Business Value

By cliangNo Comments
One of the fundamental principles in cybersecurity is to apply necessary controls to reduce business impact. Business value is the catalyst in the risk management. The cyber poker machine is chosen as an illustration here. If this cyber application is deployed in a casino, the bet outcome means money. The result of each bet must be protected against manipulation like session replay, unauthenticated or fraudulent submission to control the coins release valve. But if it is deployed as part of the entertainment system in an aircraft, then it doesn't matter. The bet outcome is just for fun....
Read More

The 4C of cybersecurity

By cliangNo Comments
Cautious - understand cybersecurity is important but need to explore how to execute or manage Conformance - doing things adhere to the cybersecurity requirements Compliance - having 3rd party review and certified for cybersecurity assurance of a selected scope Committment - every aspect takes care of cybersecurity For the illustration, it is solely BS1363 compliance for the scope of the AC plug itself.  Though there is metal earth pin, it is just dummy and cannot achieve the intended protection (end-to-end security)...
Read More

Cyber Risk Likelihood

By cliangNo Comments
In physical world, likelihood is based on historical frequencies, scientific calculation like path of hurricane, engineering specification such as MTBF (Mean Time Between Failure). Likelihood is the foundation to predict when an event will occur. It is the key catalyst in the insurance industry. In cyber world, this is not going to be the same. Uncovered vulnerability will turn security protection insecure over night. An example is TLS (Transport Layer Security). People take TLS for granted as a secure means to protect sensitive information submission over the network. The Heartbleed suddenly shocked everyone and this can't be predicted per traditional manner. A different approach has to be adopted to address cyber risk likelihood....
Read More

Improper Usage

By cliangNo Comments
Park your car at a legitimate parking lot in the street. What's wrong? Even it is a legitimate parking zone, the permitted usage restricts to bus only. Similarly in the cyber world, proper usage is essential to stay secure. Examples are software license (commercial or personal; by device or user; internal or Internet facing application), penetration tools (for authorized  assessment or malicious purpose), specific hardware (prohibit for re-export to 3rd party) etc....
Read More

CONFIDENTIAL?

By cliangNo Comments
People talk about leaking company CONFIDENTIAL information.  It is not just a word slipped from your mouth to blame your staff but a proper management system to formalize it. You have to rethink: - Do you have an information classification policies? - Does your information carry any classification marking? And if no marking, what is the default classification? No classification label should never be regarded as CONFIDENTIAL. - Are you holding information that is also available from other sources or publicly known? - Have you provided training or orientation to raise the staff awareness the proper handling of company information? If you don’t have any one of these, it’s the fault of your company but not your staff....
Read More