End of Road

By cliangNo Comments
In physical journey, there is always an end such as End of vacation, back to workRoad blocked by obstacle, detour or get back In cyber journey especially digital transformation, it is never-ending. The target is rolling, compliance to new regulations are demanding, expectations from stake holders are uplifting over time. You need to upkeep security protection against emerging threats even if your business or technologies deployed remain unchanged. New solutions or even new protections will bring new risks. Essentially, regular assessment is required the business environment, technologies deployed and threat landscape, and review how much risks are acceptable to run the business. After all there is never 100% secure system. ...
Read More

Dormant

By cliangNo Comments
Malware nowadays is getting sophisticated - has small footprint, evade sandbox & detection, determine platform to inject the applicable payload, some even change account password, disable all network interfaces to completely lock you out. Backup is one of the mitigation means for recovery of the pre-victim state at cost of losing certain application data. The challenge is that malware might have already existed in the previous state in dormant form and the backup carries it. What should best be done? In extreme case, no Internet and even standalone with communication, no removable media and all I/O ports sealed, zero-trust of any users with all system privileges locked down, application white-listed, use kiosk mode. Imagine you are working in an organization like this. You won't be working long as the business will soon cease in such environment. And after all, who should be appointed to maintain the system that this inevitably requires root privileges. This is a risk taking consideration....
Read More

Deep Packet Inspection (DPI)

By cliangNo Comments
As cyber attacks have already moved from network layer to application tier, DPI is a must to examine contents to detect malicious intention. Some technologies (like web proxy) even break the TLS for content inspection incurring cyber threats from user perspective that https is no longer trusted to be secure. In a corporate environment Privacy is not guaranteed via a blanket statement by consent to being monitored when start using the IT facilities, e.g. displayed in logon banner. As an user, check the site certificate if issued by site owner or another party to understand if traffic is being intercepted For network in public Usually connectivity is via WLANYou have no idea what is behind the infrastructure, whether it has been maniuplated for malicious intention. So, follow the OS platform recommended public network profile upon connection -- Don't allow your device being discovered -- Disable folder sharing -- Setup another web browser without login credential saved for general web surfing -- Never use insecure...
Read More

Expectation & Limitation

By cliangNo Comments
Every technology has its own limitation. Don't just listen to Sales or look at Product Brochure. Their tactics are to highlight what are the strengths or success stories of the desirable protection scenarios and hide limitations. There are many examples of limitations quoted in previous blogs: Is network anomalies detection able to spot "missing" but not extra among "unusual" traffic from baseline profile?Is company "authorized" USB drive effective for DLP or limiting malware?Is Touch ID really secure,,, etc. Understand the technology what works and what doesn't. Set stake holders expectation for limitations and the required compensating controls. Voice these out before recommending the protection technology if really fit for adoption. ...
Read More

Point of Attraction

By cliangNo Comments
Everything has multiple perspectives. A point of attraction could become the point of attack. Example is setting up web site for presence in the cyber world. The business people wish to have high hit rates of the web site to enhance brand visibility, collect surfer behaviors for analytics, thus pushing the right level of promotion and adjust market strategy. All these are to prove the ROI for web site TCO. The technical people wish to lock down the web site to avoid being defaced or being planted with malicious codes for persistent threats. All these will inevitably affect certain functionalities or incurred extra cost. Such investment is to prove avoidance cost rather than ROI because people generally expect cyber secure - rather than by investing $X, $Y will be gained. Bridging the gap will require cyber governance at the top level to set out cyber directives within an organization, resolve issues and have a final say for conflicts arising,...
Read More

Technology

By cliangNo Comments
Technology helps avoiding mistake, operating continuously and enforcing certain outcome. However, technology is designed and deployed by human. There must be faults during the above process (that's why we have patch Tuesday or so). In the illustrated vault, it has thick door and wall. That should be strong to withstand theft, physical attack or natural disaster to secure contents stored there. If the access to vault is not well managed, then the intended protection will be void. ...
Read More

Policies #4

By cliangNo Comments
In stipulating policies (written management directives), the hard part is in the language for having specific objective with flexibility and without ambiguity - balance between specific and generic descriptions. The applicability of policies is another challenge. For the illustration "No trespassing", where is applied: thru the path or go over the fence? ...
Read More

Operation Risk #2

By cliangNo Comments
Part of the critical infrastructure is in close proximity for public access. Two main types of attacks causing service interruption. Cyber attack takes advantage of launching behind the scene anywhere. Contributors for successful attack include but not limited to: Lack of cyber protection including detectionVulnerable systems and applications using configuration defaults or outdated versionInsufficient control over remote access However, the facility is also subject to physical attack because of the "weak" perimeter. Prevention is not effective but relying detection to respond, sufficient resilience to maintain service. Therefore, the asset owner needs to Firstly identify or categorize the value and impact of the asset The next is to deploy effective counter-measures and the protection focus should not be just in cyber sense though this is always hot topic exaggerated by media and mostly exploited by vendors to create FUD in convincing asset owner to adopt their solutionsPhysical security, equipment faults, general tear-and wear are equally important to consider ...
Read More

Masking

By cliangNo Comments
Like any types of tools in both physical and cyber worlds, this can be used for legitimate or evil purposes. Examples are illustrated below. Legitimate purpose Content masking: required to protect privacy information in meeting regulatory compliance or certain industry requirements.Penetration test tools: cybersecurity assessment to uncover weakness of the target of evaluation for strengthening Evil purpose Identity masquerading: the usual trick for phishing or social attacks.Without the asset owner authorization, use of penetration test tools is considered as malicious purposes to launch cyber attack and subject to disciplinary action, civil or criminal litigation. Who judges the proper use? It's set out by Corporate policies (if internal matters)Laws & regulations (when externally involving different entities) ...
Read More