The 4C of cybersecurity

By cliangNo Comments
Cautious - understand cybersecurity is important but need to explore how to execute or manage Conformance - doing things adhere to the cybersecurity requirements Compliance - having 3rd party review and certified for cybersecurity assurance of a selected scope Committment - every aspect takes care of cybersecurity For the illustration, it is solely BS1363 compliance for the scope of the AC plug itself.  Though there is metal earth pin, it is just dummy and cannot achieve the intended protection (end-to-end security)...
Read More

Cyber Risk Likelihood

By cliangNo Comments
In physical world, likelihood is based on historical frequencies, scientific calculation like path of hurricane, engineering specification such as MTBF (Mean Time Between Failure). Likelihood is the foundation to predict when an event will occur. It is the key catalyst in the insurance industry. In cyber world, this is not going to be the same. Uncovered vulnerability will turn security protection insecure over night. An example is TLS (Transport Layer Security). People take TLS for granted as a secure means to protect sensitive information submission over the network. The Heartbleed suddenly shocked everyone and this can't be predicted per traditional manner. A different approach has to be adopted to address cyber risk likelihood....
Read More

Improper Usage

By cliangNo Comments
Park your car at a legitimate parking lot in the street. What's wrong? Even it is a legitimate parking zone, the permitted usage restricts to bus only. Similarly in the cyber world, proper usage is essential to stay secure. Examples are software license (commercial or personal; by device or user; internal or Internet facing application), penetration tools (for authorized  assessment or malicious purpose), specific hardware (prohibit for re-export to 3rd party) etc....
Read More

CONFIDENTIAL?

By cliangNo Comments
People talk about leaking company CONFIDENTIAL information.  It is not just a word slipped from your mouth to blame your staff but a proper management system to formalize it. You have to rethink: - Do you have an information classification policies? - Does your information carry any classification marking? And if no marking, what is the default classification? No classification label should never be regarded as CONFIDENTIAL. - Are you holding information that is also available from other sources or publicly known? - Have you provided training or orientation to raise the staff awareness the proper handling of company information? If you don’t have any one of these, it’s the fault of your company but not your staff....
Read More