Assumption #3

By cliangNo Comments
DO NOT ACROOS - implicitly applied to vehicles only When we develop written directive, there might be chance that certain elements are assumed and be implicit. It is essential to engage stakeholders, listen to feedbacks and address opinions rather than dictate what should be done. If you do, you deem to be failed to develop a good policy. ...
Read More

Taxonomy #2

By cliangNo Comments
I have seen cybersecurity directive regarding applicability is to protect OT (Operational Technology) system so as to minimize cyber attacks to energy production. Renewable energy like solar panel or consumer grade wind turbine at household are producing energy with certain OT systems for control. Unfortunately, that organization also markets these equipment. Confusion arises if these OT systems should be under the same set of protection principles unless a precise specific taxonomy is specified in the directive. ...
Read More

Landscape

By cliangNo Comments
Some cybersecurity practitioners only drill down to the level of details of network diagram or even wiring diagram to identify adequacy of cyber protection. The system landscape or architecture is no doubt an element to look at but just part of it. The holistic approach shall look like these: What is the purpose of the systemHow is information used - control machine, information for decision making of critical operation or solely display as-isWhat is the consequence if compromisedWhat is the tolerable down timeWhat are options to bring up service within this unplanned down time windowHow to strike the balance for freezing the compromised system for digital forensic vs system recovery in meeting service pledge With these in mind, these diagrams are only useful to assess the attack path and the optimal countermeasures. And don't criticize insufficient information in the diagrams without setting a reference standard - this should be objective rather than subjective. ...
Read More

Taxonomy

By cliangNo Comments
In policy development, it is essential the coverage of the rule is sufficient and precise to avoid ambiguity. A living creature could be animals, birds, fishes, reptiles and human beings for full coverage. A targeted group might be stipulated as non-human living creatures, or even specific as reptiles when certain situations need more precision. Policy maker needs to understand clearly the scenario when formulating the directive just right in meeting practical implementation. ...
Read More

Blind Spot

By cliangNo Comments
Can the bird be detected? When designing controls, we must understand what to protect. There might be blind spot that the intended controls are ineffective or even void. For inherent design weakness, retrofit would be costly and sometimes not possible without rebuilt from scratch. As a good practice, a design review to assess the control effectiveness before build will avoid such pitfall. Either a peer review or engaging independent subject matter expert will help to spot weakness with fresh eyes. ...
Read More

Policy #7

By cliangNo Comments
The illustrated directive is unclear. Drone, also known as unmanned aerial vehicle, has different form factors. If the sign comes without the icon, then it's pretty clear. With the icon there, it becomes only this type of drone is not allowed. This happens exactly in typical policy statement for network connection where cybersecurity practitioners have implicit assumptions. The issue has been elaborated in earlier blog for network connection. In nutshell, the precise directive is to secure the network with the appropriate controls of layer 3 to layer 7 data flow. ...
Read More

Policy #6

By cliangNo Comments
What and when are allowed? Common pitfalls in writing policies (written directives) are: Embedded assumption by the author that is unknown to other readersFailed to provide clarityMost importantly, failed to listen feedback for adjustment We are hired to make professional judgment. We must not be fraid to challenge if the written directive is clear enough, not just because it has been approved by senior management. We also need to admit policy statement is never 100% perfect as the business environment is changing. An interesting example is the power energy sector. No doubt the power plant and grid are the Critical Infrastructure (CI) assets to secure from cyber-attack in order to maintain reliable supply to customers or comply with regulatory requirements. But we must not forget there are other sources like renewable energy that the "plant" is just a customer own installation outside the CI. How should the policy statement be precise enough to differentiate the cyber protection requirement will be a tough job....
Read More

Identify

By cliangNo Comments
Most often, vendors are proposing security solution in a basket of features. They claim for security suite with unified console and dashboard. It is necessary to assess and identify the baseline security in business requirements what are the necessary protection. Otherwise, it will cost more, and more to manage in terms of support, maintenance, skillset, user experience. Some guiding questions are to facilitate the decision. The answers are situation and organization specific. Taking remote access as an illustration here. Who are the users accessing the infrastructure or system: From own organization?From business partners (vendor or contractor)?General public? When is this service needed? This will decide: Resilence arrangementMaintenance windowBusiness continuityDisaster recoveryRecovey Time ObjectiveService level pledge What service needed after connection established Infrastructure (e.g. storage, email, intranet)?Business applications? Where do users access Within organization network (due to network segmentation)From business partners networkInternetOrganization device or any device? Why this remote access is needed This is the business justification, for exampleSpeedy vendor support without traveling to siteEnhancing productivity especially in COVID-19 to keep physical distance How...
Read More

Visibility #3

By cliangNo Comments
Below the iceberg, there is a large portion that is out of sight. That's why it is dangerous for vessels when approaching an iceberg. You need to keep a safe distance from it to avoid hitting it. The iceberg is often used to illustrate the dark web. The visible part is WWW (World Wide Web), below is the deep web then further down the dark web. The general perception on dark web is bad or associated with cyber criminals. However like penetration test tools, the tools can be misused to attack other computers but also to serve as a means to uncover infrastructure weakness for cybersecurity enhancement. The difference is between unauthorized and authorized intention. In the case of dark web, the usefulness might be Understand how the underground market business model operate, what are on sales such that you will revisit how to secure these cyber assets in your own environmentUncover if your or corporate information is there for sales ...
Read More

Governance #2

By cliangNo Comments
Successful cybersecurity posture in an organization requires effective cyber protection of its cyber assets. There is a broad interpretation on cyber protection. In certain extreme cases, people put focus on technical controls and how are these controls implemented sometimes down to specific technology brand name or even model per personal preference. This doesn't hurt as long as Providing transparency on the rationale of the chosen technology vendorPublishing the standard for reference rather than hiding inside one's mindFacilitating end users to procure those specific brandsCommunicating with Teams involved to raise awareness of the requirement That said, it falls into one of the organization governance roles as cybersecurity standarization. The merits are reducing learning curve to manage the control, partnership with vendor for better support and purchase discount, technology roadmap and life cycle management. Like any other tools, it is subject to misuse and then resulting into internal politics. ...
Read More