Excessive and Unnecessary Control

By cliangNo Comments
So many locks Adding control won't give you more security. I came across advices from other cybersecurity practitioner that overkills. Indeed, the insecure WiFi is part of this. The whole story is that critical system (simply the Target) is isolated from the Internet. To update the Target with security patches, new anti-malware definition, removable media (simply USB thereafter) is used to transfer the required files obtained from OEM into the Target environment. No doubt there is risk to use USB. A dedicated kiosk scanning station (simply Kiosk thereafter) is established to check for malware clearance before plugging the USB into the Target. So far, everything looks good and sensible. Because the Target using the USB is far away from the Kiosk, the cybersecurity practitioner has an innovation thought to ENSURE the USB must just been scanned by the Kiosk but not inserting a different one by human mistake. In other word, USB must be validated before loading to...
Read More

WiFi

By cliang1 Comment
Getting connected to the Internet for various activities (getting updates from email, news, social media, weather, checking maps, traffic condition etc.) becomes an expected living habit due to mature technology and well established infrastructure. This need is even more when travelling around. Free or paid Internet access is available anywhere in library, hotel, airport, café, shopping malls and even inflight. Therefore WiFi cybersecurity is a concern. I have heard criticism from a cybersecurity practitioner on a single workstation (specific business function) in getting system updates via corporate guest WiFi is insecure and the connection should be switched to a 4G/5G data plan but there is no reason behind. This appears as an irrational advice. By default, Internet isn't secure whether it's WiFi or data plan. The recommendation should provide reason why it is insecure and mostly importantly practical measure to secure. If we look at this further, the insecurity from WiFi is likely due to: The infrastructure does not impose...
Read More

Risk Evaluation

By cliangNo Comments
Risk assessment is the approach to identify hazard and implement proper controls to reduce likelihood. When doing so, we should look at the portion that must be function well to support the intended outcome. In the illustration, the vehicle is to transport people or goods from one location to another. The engine and tires must be in good condition with sufficient fuel plus cooling fans to achieve this purpose. Any one of these components fails will affect the intended outcome. Therefore, vehicle (especially commercial) needs to undergo regular inspection and maintenance to keep in good condition. Check the tires and fuel capacity before any trip to reduce the likelihood of break down. Having spare tires or road-side assist contact numbers are the mitigation under assumption that the cellular phone signal coverage is within the trip. Otherwise, a different support model (say, satellite phone) is required.. ...
Read More

Proper Usage #2

By cliangNo Comments
Security Boundary Every system has its own weakness and limitation. We can't build a total secure system practically unless it is on the shelve without any usage value. There is always the need to assess the risks to opt for optimal security controls. The key part is the "users" that they are expected to behave within the security boundary. Don't try to address ALL vulnerabilities because it is unwise and a never-ending story. Even if this is achievable, it is just a snapshot at a particular point in time. The proper approach is that Understand what are the inherent vulnerabilitiesWhat are the compensating controls surrounding the core system to reduce the likelihoodIf there are any alternate facilities to maintain the minimal business operations should bad things happen ...
Read More

Vulnerability Management #2

By cliangNo Comments
Vulnerability Management or Scare Your Management Some cybersecurity practitioners conduct vulnerability management (VM) by just using automated vulnerability scanning tool (scanner) to uncover system vulnerabilities and then job is done. Even the worst, the scanner is placed next to the component using the target's administrative credential to probe. Raw results from the scanner is presented to the Management of vulnerabilities detected highlighting how many critical, high, moderate, low risks. This is a totally incorrect approach. The vulnerability scan is only the 1st step of the VM. The raw result gives you the worst scenario. It illustrates the system weakness assuming the adversaries have already gained the network access to that component by evading all the cybersecurity perimeter controls plus system privileges escalated. We must not forget the 2nd step is to evaluate if there are other controls (e.g. network segmentation, anomalies detection, system lock down etc.) implemented in reducing the likelihood of exploitation. This is...
Read More

Information Integrity #2

By cliangNo Comments
The missing Chinese character is "zero", this gives entirely different meaning. Disseminating of informative message appears does not have much of cybersecurity concerns. However, it depends on the usage purpose. If the incorrect information does not impose adverse consequence, then it only cause inconvenience to the target audience. But if it does (like sending out incorrect result of lottery draws, stock price, exchange rates), then the service provider has liability. Usually, a disclaimer is added to relieve the liability and using the service will constitute the acceptance of the usage term implicitly. Bottom-line is to have a comprehensive risk assessment of the digital solution or service offered to other parties. ...
Read More

Deep Packet Inspection (DPI) Firewall

By cliangNo Comments
No doubt, the technology is secure. But without assessing the situation holistically, this is inconclusive. Rulesets might be wrongly set or firewall is wrongly configured, then the DPI firewall is insecure. If the connecting components are in a restricted and lock down environment, a DPI firewall is overkill and won't contribute to enhance more security. By the same token, media always exaggerate cyber threats. We must judge if such threat scenarios are likely in our environment rather than blindly doing unnecessary lock down on existing systems. An example is the ransomware attack via inactive user account thru VPN without 2-factor authentication, or authenticated users via PrintNightmare exploit. Something must be done but not to complete today. Security enhancement must be assessed, managed rather than in a piecemeal manner. The latter might even create more problems after blindly applying the counter-measures. Remember - action without plan is nightmare; plan without action is day dream. ...
Read More

Policy #9

By cliangNo Comments
When writing policies, positive logic shall be adopted. It eases readers understand what is allowed rather than spending time to evaluate the allowed exception. In the illustration, the first impression: no entry is applied to the named vehicle types and need a second thought to locate the word "except". A wrongly communicated message might then cause different outcome. This should be avoided in written directives. ...
Read More

Privacy

By cliangNo Comments
We have a lot of personal data exposed in the cyber world in our daily life. To name a few, the "intrusive components" are: Electronic pass for toll road: where you are heading to, or even your entire journey if throughout the itinerary, there are traffic cameras and auto toll collection pointsCCTV: inside building, public areas, dashcam in vehicles nearbyCredit card: traces back to your identify, location, amount consumed, commodity purchasedHealth monitoring device: you wear in your body to capture your health data continuously, share in the technology provider's community if you wishOperating System: sharing the diagnostic data with the technology vendor when problem occurs or during online trouble shootingWeb site cookies: IP address to geo-location of your web surfing location, your web preferenceDigital photo: modern cameras are equipped with geo-tagging The most intrusive device is your cell phone. You carry it almost all the time. It exposes your geo-location from which cell towers your phone is connecting to. What should...
Read More

Discovery

By cliangNo Comments
This is widely adopted in various process like: Asset discovery: to scan the network and take inventory of the components connected in the networkElectronic document discovery: to scan the network resources for automatic information classification and privacy complianceForensic eDiscovery: to collect cyber activities from the designated equipment uncovering the sequence of events No matter which application, the essential aspect is the correct use of the tool. Otherwise, incorrect or inaccurate information is captured that could incur undesirable consequence where decision will base upon. Training or certification for the competent person running the process will be the key. ...
Read More