Shadow IT

By cliangNo Comments
Gartner defines Shadow IT as IT devices, software and services outside the ownership or control of (IT) organizations. Given that information processing facilities or information containers are no longer centralized, the shadow IT is a common phenomenon.  Each one of us has a cellular phone that is indeed a powerful information processing facility and large storage device in the pocket. The extensive connectivity and cloud computing via access anywhere and any platform model further accelerate this situation.  Cyber risks are incurred to different degrees.  Various protection technologies are surfaced in the market: Mobile Device Management, end point lock down, cloud-based proxy, Data Leakage Protection, disk encryption and so forth; but they are never bullet proof. Organization needs to think about enablement (as well as empowerment) rather than prohibitive thru streamlined approach.  Policy formulation, usage guidance, risk management, user awareness and enforcement via disciplinary process are required to minimize the impacts....
Read More

The Good, The Great

By cliangNo Comments
As cybersecurity practitioner, you might need to assist asset owner or end user to deal with auditor (or security assessor). The Good auditors are able to pick discrepancy of your operation against the "policies" (written directives, procedures or instructions document) down to minute details.  They regard these are the yardstick ("so it shall be written, so it shall be done") for a yes or no compliance tolerance without looking at other compensating controls. Every change or review execution needs documented evidence (name, date, signed approval, next review date etc.).  How these documents are effectively managed isn't the focus even though it will create many unnecessary overheads or even the trustworthiness of the documents. The Great auditors make a step further.  They will give further thoughts if the written "policies" have gaps with best practices or practically achievable; recommend both written (documents) and execution improvement.  E.g. make reference to revised password setting per NIST SP-800-63-3. The cybersecurity practitioners need to keep abreast of latest...
Read More

The Forgotten Place

By cliang3 Comments
Most of the time, tight technical controls are deployed at infrastructure, network, platform, application or end points to address cybersecurity. A "misbehaved" device will ruin all these efforts.  Perhaps a written hard copy disclaimer should be posted at the bottom of the display to indicate the information or service is provided as-is, and disclaim responsibilities arising from any consequential or collateral damages due to information error or service interruption.  A comprehensive risk assessment should have picked up this....
Read More

Cybersecurity Transformation

By cliangNo Comments
To be successful in cybersecurity transformation, each one in the organization shall contribute as the baseline. Culture or politic in certain organizations prohibits; and this is not just applied to cybersecurity. If you SEE something need improvement and TALK about it with your boss, you'll become the issue owner to handle the resolution.  This drives the culture of don't see and don't talk.  Top  executives don't HEAR things that potentially affects the organization. The essential success factors in the transformation journey include but not limited to: Senior management buy-in Provide necessary support for sustainability (not just a slogan in the air but actually allocate dedicated resources and invest in human capital) Top-down approach to drive end result with metrics Staff own passion adaptive to the changing business environment Once the people barrier is break-thru, other process issues will then go well....
Read More

Assumption

By cliangNo Comments
Risk assessment is part of the risk management process to identify exposure, likelihood and business risks so that the necessary protection measures could minimize the impact. The tricky thing is most often controls are implicitly assumed, e.g. the access control to the target application relies on the robustness of the Identity Provider enforcing the defined roles & privileges, the effectiveness of anti-malware protection relies on the backend process to refresh for up-to-date definition, the platform and system applications are regularly hardened from known vulnerabilities, network perimeter controls are defined correctly and so on. Therefore, it is important to align and set the scene what key assumptions are referred in the very first step before assessing risks. If any of these is incorrect, then the exposure will be under-estimated and so for the residual risks....
Read More

Business Value

By cliangNo Comments
One of the fundamental principles in cybersecurity is to apply necessary controls to reduce business impact. Business value is the catalyst in the risk management. The cyber poker machine is chosen as an illustration here. If this cyber application is deployed in a casino, the bet outcome means money. The result of each bet must be protected against manipulation like session replay, unauthenticated or fraudulent submission to control the coins release valve. But if it is deployed as part of the entertainment system in an aircraft, then it doesn't matter. The bet outcome is just for fun....
Read More