Misconception

Administrative control backed by the legal system is the most effective control

Many cybersecurity practitioners have the misconception that technical controls are the means to secure the cyber environment. They insist on encryption, MFA, session timeouts, catching up with security patches, deploying the latest version, mandating anomaly detection in the virtual environment, etc. Sometimes excessive controls do not increase the level of security much. Even worse, new controls bring new risks, not to mention degraded productivity. A thorough understanding of the business, the cyber environment and the attack surface is the essential element. Conducting a risk assessment strikes the right balance between what to invest in and which risks can be tolerated. Example #1: if the system is fully isolated, a remote exploit through the network, even one with a CVSS score of 10, doesn't matter. Example #2: RFID tags are not stuck to every piece of commodity in the supermarket; only high-value items are tagged. This is the business risk to accept when running the self-service operating model. ...

Dynamic Policy

Written directives for cybersecurity are getting harder to formulate into policies because of the dynamic nature of business. If too rigid, compliance will be an issue. If too loose, then forget it, because the policies won't stipulate specific protection. Eventually, policy statements will be conditional: instead of laying down business logic, precise specific protection is stated for a generic situation. An example is information protection for credit card transactions. If the transaction value exceeds a defined threshold, a further check is needed for authorization. This is implemented in the system, and the defined threshold is set per cardholder's spending profile, usual spending location, repayment history, etc. The zero-trust access model takes a similar approach to granting access, further strengthening access to critical information assets. Last but not least, technical enforcement can always be defeated or circumvented by the human factor and usage behaviour. That's why raising situational awareness and developing workforce competency are important investments rather than solely a narrow focus on...

Unnecessary Control #2

Control must be enforceable. If a control can be circumvented or bypassed, there is no point in deploying it. That's why we need to keep updating the system and infrastructure to sustain their effectiveness over time as emerging threats appear. There are many examples out there in the cyber world; attack and defense compete with each other. Once on the digital journey, allocate resources to address multiple aspects to stay secure:
- Collect threat intelligence and its impacts on your own environment
- Assess operational risks to prioritize protection
- Maintain workforce competency and situational awareness
- Refresh technology obsolescence
- Establish achievable and enforceable cybersecurity directives
...

Let me drop everything …

And work on your problem! Politics is always incurred in the work and culture of an organization, especially a large one. Cybersecurity has become a hot topic and the new normal in striving for cyber safety in application systems, business processes or industrial automation. There are cybersecurity policies mandating the right things to do. However, no policies are perfect, and neither can policies address all situations in real life. That then creates a new political atmosphere. The appropriate approach is to engage a third party to look at the entire cybersecurity culture of an organization with fresh eyes: the competency of the cybersecurity team, whether the members possess the relevant credentials, their ability to keep up their knowledge, their working relationship with the business, and the cybersecurity strategy or priorities of the organization as a whole, rather than micro-management and zero-one decisions of so-called policy compliance. ...

Dual Standards

There is no harm in having dual standards to fit specific use cases, as long as the directive is clearly stated. For badly written policies, the policy requirements are subject to interpretation, creating chaos. This happens especially because of incompetent cybersecurity practitioners. Therefore, the outcome of any security assessment should not just look at how the system is designed, built and operated. Validating whether the policy statement is up to industry best practice and practically achievable in the commercial world is equally important. ...

Opportunist

Dual signages on display: adopt the appropriate one in a particular situation?

Policy statements must be clearly defined and published. They must also be precise and without ambiguity, even though they will be subject to interpretation by different parties. If your cybersecurity policies are written unclearly, a lot of unnecessary internal overhead from so-called policy exceptions or enforcement issues will surface. Therefore, regular policy review and adjustment is indeed integrated into the policy requirement. And last but not least, don't be aggressive in writing something that is not achievable in the specific business environment. ...

Spare Capacity

The roof needs to cater for extra loading due to different weather conditions

Availability is one of the protection objectives in cybersecurity. When deploying new systems, the design must cater for spare capacity. Usage patterns need to be understood too, as these can surge capacity demand instantaneously. Capacity refers to bandwidth, storage and processing speed. It must be estimated for the next 3-5 years using the projected growth rate plus the peak demand, with thresholds set to trigger alerts so the capacity issue can be resolved. Resolution can mean adding more storage, archiving historical records offline, or deleting records per the corporate retention policy. This is part of system management to maintain a healthy cyber environment for running the business. Otherwise, business services will be interrupted. ...

Surrealism

It is easy for artists to draw something or for writers to compose fiction beyond imagination. Such creations even stimulate innovation that, when put into practice, disrupts industry and our lives. However, when writing cybersecurity policies, the directives must be pragmatically achievable and effectively enforceable. After all, policies are the internal company rules for every level to comply with. If the rules cannot be achieved or enforced, they are just a document on the bookshelf. Follow what the industry or peers do rather than inventing something high-sounding that cannot be landed on the ground; non-compliance will be the outcome. ...

Purpose of control

When we deploy a control, we always have to understand what we are trying to achieve. In the illustration, if the purpose is just to prevent accidental opening of the cabinet door from hurting nearby pedestrians, then something that fixes the door in position suffices. There is no need to apply a lock, because it will involve key management. Without proper key management, access to what is inside the cabinet will be affected. As such, don't impose unnecessary and excessive controls. They won't improve the use case, only complicate it. ...

Different perspectives

It is the same scene, but different people interpret it differently. Business managers or plant-floor engineers have their mission to deliver the business outcome, while cybersecurity practitioners have their opinions on how to "ensure" a secure business or operational environment to fulfil their job role. Most often, this creates conflict. As cybersecurity practitioners, we shall never blindly apply academic knowledge, because each organization has its own specific ways of doing business. What the books, or even the organization's own security policies, say are just generic guiding principles. We are all hired to exercise professional judgment and to help the business understand the cyber risks; after all, it is the business's decision to accept them. If the business hesitates, then we provide them with the big picture: how cyber threats are likely to be exploited and the practical countermeasures to reduce the likelihood. Essentially, cyber threat is just one of the many operational risks to address. Don't invent extra and unnecessary cyber protections...