Dual Standards

By cliangNo Comments
It is no harm to have dual standard to fit specific use case. As long as the directive is clearly stated, it is fine. For badly written policies, the policy requirements are subject to interpretation creating chaos. This happens especially due to incompetent cybersecurity practitioners. Therefore, the outcome of any security assessment should not just look at how the system is designed, built and operate. Validating the policy statement if it is up to industry best practice and practically achievable in commercial world are also equally important. ...
Read More

Opportunist

By cliangNo Comments
Dual signages on display - adopt the appropriate one in particular situation? Policy statement must be clearly defined and published. It must also be precise without ambiguity but subject to interpretation by different parties. If your cybersecurity policies are written unclear, a lot of unnecessary internal overheads of so-called policy exceptions or enforcement issues will be surfaced. Therefore, regular policy review and adjustment is indeed integrated into the policy requirement. And last but not least, don't be aggressive to write something that is not achievable in the specific business environment. ...
Read More

Spare Capacity

By cliangNo Comments
Roof needs to cater for extra loading due to different weather conditions Availability is one of the protection objectives in cybersecurity. When deploying new systems, the design must cater for spare capacity. Usage patterns need to be understood too as this will surge capacity demand instantaneously. Capacity refers to bandwidth, storage, processing speed. This must be estimated in the next 3-5 years with the projected growth rate plus the peak demand, setting threshold to trigger alert to resolve the capacity issue. It can be adding more storage, or archiving historical records offline, or deleting records per corporate retention policy. It is part of system management to maintain a healthy cyber environment to run business. Otherwise, business services will be interrupted. ...
Read More

Surrealism

By cliangNo Comments
It is easy to for artists to draw something or writers compose fictions beyond imagination. Such creation even stimulates innovation that when putting into practice disrupting the industry and our life. However when writing cybersecurity policies, the directives must be pragmatically achievable and effectively enforceable. After all, policies are the internal company rules for every level to comply with. If the rules cannot be achieved, nor enforced, these rules are just a document in the bookshelf. Follow what the industry or the peers do rather than inventing something high-sounding but cannot be landed on the ground. Non-compliance will be the outcome. ...
Read More

Purpose of control

By cliangNo Comments
When we deploy control, we always have to understand what we are trying to achieve. In the illustration, if the purpose is just to prevent accidential openning of the cabinet door hurting nearby pedestrian, then something fixes the door in position suffices. There is no need to apply a lock because it will involve key management. Without proper key management, accessing the cabinet inside will be affected. As such, don't impose unnecessary and excessive controls. It won't improve but complicate the use case. ...
Read More

Different perspectives

By cliangNo Comments
It is the same scene but different people will interpret it differently. Business managers or plant floor engineers have their mission to achieve in delivering the business outcome while cybersecurity practitioners have their opinions to "ensure" a secure business or operational environment to fulfil their job role. Most often, this creates conflict. As cybersecurity practitioner, we shall never blindly apply academic knowledge because each organization has its own specific ways of doing business. What the book or even the organization security polices themselves are just generic guiding principles. We are all hired to exercise professional judgment, to help business understand the cyber risks and after all it is the business decision to accept. If business has hesitation, then we provide them the big picture, how cyber threats are likely exploited and the practical counter-measures to reduce the likelihood. Essentially, cyber threat is just one of the many operation risks to address. Don't invent extra and unnecessary cyber protections...
Read More

Excessive and Unnecessary Control

By cliangNo Comments
So many locks Adding control won't give you more security. I came across advices from other cybersecurity practitioner that overkills. Indeed, the insecure WiFi is part of this. The whole story is that critical system (simply the Target) is isolated from the Internet. To update the Target with security patches, new anti-malware definition, removable media (simply USB thereafter) is used to transfer the required files obtained from OEM into the Target environment. No doubt there is risk to use USB. A dedicated kiosk scanning station (simply Kiosk thereafter) is established to check for malware clearance before plugging the USB into the Target. So far, everything looks good and sensible. Because the Target using the USB is far away from the Kiosk, the cybersecurity practitioner has an innovation thought to ENSURE the USB must just been scanned by the Kiosk but not inserting a different one by human mistake. In other word, USB must be validated before loading to...
Read More

WiFi

By cliang1 Comment
Getting connected to the Internet for various activities (getting updates from email, news, social media, weather, checking maps, traffic condition etc.) becomes an expected living habit due to mature technology and well established infrastructure. This need is even more when travelling around. Free or paid Internet access is available anywhere in library, hotel, airport, café, shopping malls and even inflight. Therefore WiFi cybersecurity is a concern. I have heard criticism from a cybersecurity practitioner on a single workstation (specific business function) in getting system updates via corporate guest WiFi is insecure and the connection should be switched to a 4G/5G data plan but there is no reason behind. This appears as an irrational advice. By default, Internet isn't secure whether it's WiFi or data plan. The recommendation should provide reason why it is insecure and mostly importantly practical measure to secure. If we look at this further, the insecurity from WiFi is likely due to: The infrastructure does not impose...
Read More

Risk Evaluation

By cliangNo Comments
Risk assessment is the approach to identify hazard and implement proper controls to reduce likelihood. When doing so, we should look at the portion that must be function well to support the intended outcome. In the illustration, the vehicle is to transport people or goods from one location to another. The engine and tires must be in good condition with sufficient fuel plus cooling fans to achieve this purpose. Any one of these components fails will affect the intended outcome. Therefore, vehicle (especially commercial) needs to undergo regular inspection and maintenance to keep in good condition. Check the tires and fuel capacity before any trip to reduce the likelihood of break down. Having spare tires or road-side assist contact numbers are the mitigation under assumption that the cellular phone signal coverage is within the trip. Otherwise, a different support model (say, satellite phone) is required.. ...
Read More

Proper Usage #2

By cliangNo Comments
Security Boundary Every system has its own weakness and limitation. We can't build a total secure system practically unless it is on the shelve without any usage value. There is always the need to assess the risks to opt for optimal security controls. The key part is the "users" that they are expected to behave within the security boundary. Don't try to address ALL vulnerabilities because it is unwise and a never-ending story. Even if this is achievable, it is just a snapshot at a particular point in time. The proper approach is that Understand what are the inherent vulnerabilitiesWhat are the compensating controls surrounding the core system to reduce the likelihoodIf there are any alternate facilities to maintain the minimal business operations should bad things happen ...
Read More