Seasonal Factor #2

By cliangNo Comments
The Ice Road only opens Jan-Feb Anomalies detection highlights the technology will learn your environment as baseline reference such that "unusual" traffic will be flagged for alert. This will save detection ruleset definition but vendor always stresses short learning time (even just 1 or 2 weeks) to convince deployment for quick win demonstrating ROI. Sometimes, network traffic or application behaviors are seasonal based because of the business operations. Therefore as always, recurring maintenance efforts are required to sustain its effectiveness and don't be influenced by vendor for zero-deployment and zero-maintenance. ...
Read More

Usability

By cliangNo Comments
Everything is now undergoing digital transformation residing in the cyber space. Certain cybersecurity practitioners I met are overkilling business operations with cyber protection claiming to stay secure. Take the illustration above, the glass window provides scenery view from the room. If the reinforced steel covers are put on, it could definitely protect the glass window from strong wind during adverse weather. But if this steel covers are closed all the time, this will drive guests away affecting revenue. We need to be pragmatic and accept there are always risks from various domains to the business. And it's impractical to eliminate all risks. If you attempt doing so, it will end up "The operation was successful. The maharaja is dead." ...
Read More

Isolation

By cliangNo Comments
By common sense, systems isolated from the network will have immunity from cyber attack over the wire but still be vulnerable to infected removable media upon physical insertion. Just like the boat above. You don't worry about attack from sharks but what about crocodile in shallow water? As cybersecurity practitioner, we must have holistic understanding of the target operating environment, business objective and adverse consequence. We should not simply say my roles look after architecture and other issues need to talk to relevant team mates regarding cyber risks, cyber operations etc. With complete understanding, impose viable (not necessarily technical) controls for high impact consequence by reducing likelihood as much as practical. Don't just follow textbook knowledge - these are for reference only and must be digested what is applicable in own environment for helping asset owners with recommended optimal investment rather than overkill. Adding controls only creates complication and does not guarantee more secure. Indeed, more controls will demand...
Read More

“Insecure” Tunnel

By cliangNo Comments
Older TLS (Transport Layer Security) version is marked insecure by vulnerability scanner. Certain cybersecurity practitioners make decision solely based on scanner report and blindly to urge system admin to "fix" it without looking at the big picture. The vulnerability scanner has zero knowledge on the system landscape, criticality of the system being evaluated and most importantly where is the scanner placed in the network. Good practice is to assess the big picture, mark these are non-issues and forget it if it is just an internal system in isolated environment. Resources should be deployed on more important things. ...
Read More

Coverage

By cliangNo Comments
Security technology alone cannot reassure protection. It requires human judgment: What is the value of target being protected? Risks to low value asset or low business impact are simply accepted as part of the operating cost. Example is the anti-theft RFiD tags.How is the controls deployed? Is the control in place properly? Gap in control will leave a loop-hole.Most importantly, how is the control operated and sustained to maintain its effectiveness? Adding controls does not increase security sometimes but incur unnecessary overheads or activities that overkill the purpose. A comprehensive assessment from design, build, deploy, regular validation is required through out the life cycle of the deployed cybersecurity protection. ...
Read More

Misconception

By cliangNo Comments
Administrative control back by legal system is the most effective control Many cybersecurity practitioners has misconception that technical controls are means to secure the cyber environment. They insist for encryption, MFA, session time out, catch up with security patches, deploy latest version, mandate anomalies detection in virtual environment etc. Sometimes, excessive controls will not increase the level of security much. Even worst, new controls will bring to new risks not to mention degrading productivity. Have a thorough understanding the business, cyber environment and attack surface is the essential element. Conducting a risk assessment is to strike the right balance what to invest and what risks can be tolerated. Example #1, if the system is fully isolated, remote exploit thru network even with CVSS score of 10 doesn't matter. Example #2, RFiD tags won't be stick to each piece of commodity in the supermarket. Only high value items are tagged. This is the business risk to accept when running the self-service operating model. ...
Read More

Dynamic Policy

By cliangNo Comments
Written directives for cybersecurity are getting more challenges to formulate into policies due to dynamic business nature. If too rigid, compliance will be an issue. If too loose, then forget it because the policies won't stipulate specific protection. Eventually, policy statement will be conditional. Instead of laying down business logic, precise specific protection is stated for generic situation. An example is information protection regarding credit card transaction. If transaction value exceeds defined threshold, further check is needed for authorization. This will be implemented in the system and the defined threshold will be per cardholder's spending profile, usual spending location, repayment history etc. The zero-trust access model is taking similar approach to grant access in further strengthening critical information asset assess. Last but not the least, technical enforcement can always be defeated or circumvented by human factor and usage behavior. That's why raising situation awareness and workforce competency development are important to invest rather than solely narrow focused on...
Read More

Unnecessary Control #2

By cliangNo Comments
Control must be enforceable. If control can be circumvented or bypassed, then there is no point to deploy such control. That's why we need to keep updating the system, infrastructure to sustain their effectiveness over time due to emerging threats are out. There are many examples out there in the cyber world. Attack and defense are competing each other. Once in the digital journey, allocate resources to address multiple aspects to stay secure: Collect threat intelligence and their impacts to own environmentAssess operation risks to prioritize protectionMaintain workforce competency and situation awarenessRefresh technology obsolescenceEstablish achievable and enforceable cybersecurity directives ...
Read More

Let me drop everything …

By cliangNo Comments
And work on your problem! Politics are always incurred in work and culture of an organizations especially large one. Cybersecurity becomes a hot topic and new normal to strike for cyber safe in applicaton system, business process or industrial automation. There are cybersecurity policies mandating the right things to do. However, no policies are perfect and neither can policies address all situations in real life. It then creates a new political atmosphere. The appropriate approach is to engage a 3rd party to look at the entire cybersecurity culture of an organization from fresh-eye, the competency of the cybersecurity team whether the members possess the relative credentials, their ability to upkeep knowledge, their working relationship with business, the cybersecurity strategy or priority on the organization as a whole rather than micro-management and zero-one decision of so-called policy compliance. ...
Read More

Dual Standards

By cliangNo Comments
It is no harm to have dual standard to fit specific use case. As long as the directive is clearly stated, it is fine. For badly written policies, the policy requirements are subject to interpretation creating chaos. This happens especially due to incompetent cybersecurity practitioners. Therefore, the outcome of any security assessment should not just look at how the system is designed, built and operate. Validating the policy statement if it is up to industry best practice and practically achievable in commercial world are also equally important. ...
Read More