Defeated Control

By cliangNo Comments
Detective control is blocked (defeated) When designing security controls, it is necessary to determine if the controls can be executed effectively. Somehow due to unexpected situation, controls are defeated. To avoid this pitfall, holistic assessment is required during: Design stage if intended control function is effective without being circumvented, the design effectiveness reviewO&M stage if the control can be operated as per design, the operation effectiveness review The entire life cycle of digital solution shall be: Identify the business value at initiation such that necessary and optimal controls are in place to minimize the business impact; this acts as procurement requirementDetermine proposed controls during design if they are effective and if not, develop necessary compensating controls. A typical example is the guard patrol to validate if CCTV are still operating properlyValidate controls before system goes live; rectify any deviations in the deployed solution from designAssess if controls are effective to combat new threats during O&M regularlyDispose controls securely at retirement of the digital...
Read More

Connection

By cliang1 Comment
The cyber world is built up by connecting different systems and devices via information highway. Therefore, the key cybersecurity element is to establish the perimeter. In physical world, port control is the location perimeter. You need to go thru immigration, bag scanning at custom before you and your accompanied goods are permitted for entry. Some countries also require going thru immigration before exit. This is easily visualized. In cyber world, controls at the network perimeter will need precise directives (or policies) such that adding new components or functions shall comply with the rules accordingly. That said, the policy must be precise. Most often, "connection" is unclear and need clarity. Using ISO 7 layer concept, network cables are always physically connected to the network devices. For certain cases if network based IPS or IDS is deployed, it will need collecting mirrored traffic from all over the network devices even if these network segments are zoned by design. ...
Read More

Accountability

By cliangNo Comments
To run a business, there are always business risks. It is a matter of how much risk acceptance is comfortable. Say, shoplifter will incur revenue loss of a supermarket. Therefore, protection decision is against high value goods, e.g. adding RFiD anti-theft tag. Even CCTV and guards are deployed, there might still be a chance of incidental slipping thru on goods not protected by anti-theft tag. This is risk acceptance. The business owner is fully accountable to manage these risks. That said, there should be parties with different knowledge domains to help business owner understand the inherent risks and the ultimate risk acceptance is the business owner. For risks involving regulatory compliance, these must be addressed or else putting the organization into civil or criminal offence, temporary or even permanent suspension of business license. An example is the taxi business that needs to have vehicle license for passenger, compulsory vehicle inspection, public liability insurance, emission control of exhausted...
Read More

Visibility

By cliangNo Comments
In physical world, this creates uncertainties for moving forward. In the cyber world, this means even more. From business perspective, vast amount of information that data analystic is needed to derive management insight in understanding customer profile, product popularity, performance etc. to align with business planning In cybersecurity perspective, this can be considered in various use cases Asset inventory: provides the components in the information processing infrastructure such that prompt reaction to incident and new threats plus properly managing technology obsolescence are possibleSystem events: feeds into SIEM to locate potential threats that has been persistentNetwork traffic: detects traffic flow to detect or block potential malicious activitiesVulnerability: itemizes known technical vulnerabilities to develop counter-measuresPerformance dashboard: provide cybersecurity KPI to drive improvement ...
Read More

Risk Taking

By cliangNo Comments
We can't have 100% secure solution in the course of business. We need to evalate risk and reduce to acceptable level to achieve our mission. The hard part is an objective assessment of risk with predicted likelihood and the associated value tied with the consequence. The decision support is to review the business outcome values vs the cost to reduce the likelihood. For cyber risk, it is more challenging since when new threats are uncovered, they become immediate impacts. The frequency cannot be predicted using traditional approach. At worst, be prepared bad thing happens with reasonable efforts to recover instead to prevent any KNOWN threats, because there are so many unknowns beyond imagination. ...
Read More

Policy #5

By cliangNo Comments
If you are asked to formulate corporate cybersecurity policies, here are some advices: Identify key stake holders that will be affected by the to-be directivesGet support from senior management to setup a task force with the representatives from stake holdersEstablish ground rules for all members such that the policy context is consistency because the members are from different background with different interestsThe organization business environment and priorities must be clearly understood because the policies are to apply optimal controls to protect the businessThe policies must be achievable (otherwise immediately causing non-compliance or requiring permanent exception)Must also be enforceable or else just a document in the bookshelfReview if the stated measures will really make the system/infrastructure more secure or just copying academic template?Avoid ambiguity, make the context precise in the way precise generic and precise specific; Sound contradicting?Example: only organization devices are allowed to connect to the organization networkPrecise specific: organization devices ... not BYOD, not business partners'Precise generic: devices … could...
Read More

When Security System Fails

By cliangNo Comments
Security function of the business or physical process is protected by security system. Specific security system for the latter is the SIS (Safety Instrumented System). When security system fails, its intended function fails too. It could be lost of view, view being manipulated, sub-standard product produced, high value asset damage, environment pollution and most seriously human fatality. When assessing business impacts, we must not forget to assess the entire ecosystem including these auxiliary systems. ...
Read More

Deception

By cliangNo Comments
Everything on earth has good or evil perspectives, same for deception in cyber world. We heard a lot about phishing or scam that is the evil side of deception. However, there is the need for good deception in the cyber space.  To understand how threat actors penetrate or launch attacks, honeypots are established to let them take the bait.  Honeypots can be vulnerable web sites, decoy email address or decoy social network identity that are under monitoring. For vulnerable systems, researchers are able to understand the behaviors and TTP of threat actors from reconnaissance, access, ex-filtrate data, cover the track. Effective counter-measures can be developed in the cyber kill chain. For phishing, researchers are able to spot if new exploits are deployed in content rich email or attachment to masquerade the malicious attempts then alert the community. Scams from social network could also be traced to inform law enforcement agency to take down the malicious identities....
Read More

If Not Now, When?

By cliangNo Comments
It has been used in S4x13 theme. This blog is part 1 of 2. Most often, security technology sales send security alerts to top management to demonstrate their value preposition. Top management is likely forward this "intel" to cybersecurity management team simply with "Please handle" to relieve their obligations from getting intel but do nothing. Cybersecurity management team obtains this directive, then drives the ICT/ICS workforce to apply the recommended work around (change system configuration, apply security patch) and compiles a dashboard for reporting completion status. The ICT/ICS workforce dare not to say no but to accommodate such executive order at extra work load from routine work. This isn't an effective cybersecuruty management. The proper means is to assess the threat, current protection and business consequence. The "Now, Next, Never" in S4x19 best describes the correct attitude. So, if not now, could be next or even never....
Read More

Supporting System

By cliangNo Comments
Mostly, people put focus cybersecurity on critical infrastructure. We must not forget the cybersecurity for supporting systems are equally important as they are also network connected for information exchange or control from the control center. These systems automate protection for the core system. Examples are those commonly known like facility management (or FM such as fire fighting, CRAC, access control, UPS), SIS (Safety Instrumented Systems). If these systems fail, it will impact to the core systems. There is recent incident for cyber attack on SIS. Imagine, if the FM fails, the information processing facility will fail too. More severe impact is the SIS failure, it will affect environment or human safety....
Read More