Protection

By cliangNo Comments
Image is generated by CoPilot In business world, resources are limited and must be best utilized for purpose. How much protection is sufficient, especially in the cyber world? It depends on the severity of the consequence driven from social impact and regulatory compliance. Take network firewall as example. Its purpose is to regulate network traffic to filter unwanted connections. Itis deployed to connect different systems because systems are now no longer standalone. Communications are needed for information exchange while denying unwanted network traffic. The use of protection measure will require considering the TCO (Total Cost of Ownership) in optimizing the resources. This is not just money but also the human efforts to sustain. To name a few of the maintenance overheads: Plan ahead before the component(s) enters into End of Support (EoS) state from OEM Execute procurement to refresh component(s) entering into EoS Coordinate with operation team with outage window for component(s) refresh Manage access credential to the components Perform backup and recovery test of the component configuration Conduct vulnerability...
Read More

Treat or Trick #2

By cliangNo Comments
I talked about "strengthening human awareness cannot be overlooked". The easiest penetration into a corporate network is via phishing email. To validate workforce awareness and readiness withstanding phishing attacks, organizations start using simulated phishing emails to test who will take the bait: embedded document or hyperlink to track. This is a good motive except other surrounding elements need to be considered. Nowadays, email service provider will mark external emails to draw attention they are coming from outside. There are also emails generated from application for information using SMTP connector which carries the same external marker. Unless the corporate email gateway whitelists these SMTP sources or else workforce will get confused what emails to trust. Mail headers in simulated emails - this will disclose the email is a phishing test exercise for "advanced" or "professional" email users who know how to check the SMTP mail headers. Phishing test results will be affected because real phishing emails do not carry such identification. We should focus more...
Read More

Purpose of Control #2

By cliangNo Comments
When we deploy control, we must understand what is the purpose of the control. I came across certain cybersecurity practitioners that network firewall has to be deployed even in a standalone environment to further segregate the zones within the system just because the policies say so. There will not be material enhancement to cybersecurity but impose recurring maintenance overhead of the addition network components: regular firmware upgrade, end of life monitoring for technology refresh, log review, account/password changes etc. All these can be avoided if no firewall is deployed. In the illustration, the control is informative or advisory. It won't be able to withstand "brute force" bypass. There is also no point to impose. The consequence is the best control that if you go beyond this point, your life would be at risk and you take the sole (not shared) responsibility. ...
Read More

Access Path

By cliangNo Comments
A path is required at the barrier or perimeter for a number of reasons: reachability to/from destination with legitimate needs such as logistics, transport etc. In cyber world, network perimeter device protects the inside zone from outside but "holes" are still required. A common example is the access to the web site from outside. How do we stay secure? It requires orchestration from different aspects: configuration hardening, access control to resources, incident respond, resilience, regular security updates, situation awareness and most important an achievable cyber security policy to mandate all these are in place. ...
Read More

Control #4

By cliangNo Comments
The "Exit" has demonstrated various types of control to secure the physical perimeter while enable a "kill switch" to emergency situation. The door lock acts as preventive control in normal circumstance. Inbound entry to the hall is prohibited by civilians (not stopping armed force). The lock bar can be pushed out to evacuate people in case emergency inside. It must be easily activated. To guard against abuse by malicious actor, CCTV camera is monitoring the scene. However, detective control must be supported by administrative control or else it won't be enforceable. Let's say, putting another notice there to indicate improper use will be subject to fine or imprisonment per bylaw clause so and so. Furthermore, security system is the first target to attack for disabling its surveillance function such that "improper" activities can be conducted without being caught. Altogether, this are the typical people, process, technologies, policies aspects that should be considered in formulating the use case, security and safety. ...
Read More

Ice Road

By cliangNo Comments
This is seasonal - only happened a short while during winter time when lake or river is frozen with thickness that can support vehicles riding on it. What is the insight? We face a lot of changes in business environment, make adoption to stay competitiveness while deploying cost-effective protection measures against new threats. Examples are continuous digitization or disruptive technologies that business cannot escape from except cope with these. As standard practice, conduct a comprehensive risk assessment with the right Subject Matter Expert to guide thru the stakeholders to reimagine the new targeting operating model to understand threats and consequence and this decide level of risk acceptance. As always, we have to take risks. Here in the ice road, the risk contributors are the load of the vehicle, vehicle fitness, weather condition at time of crossing and the skillset of the vehicle driver. The prime objective (business outcome) is to stay alive crossing the ice road with the load to reach the destination. ...
Read More

Isolation #2

By cliangNo Comments
In pandemic disease era, facemask is a effective means to protect being infected via airborne transmission. This is usually voluntary but in extreme situation, facemask is mandated by authority for presence in the public. Facemask serves two-folded protection: (a) protecting an individual from infected or (b) containing an infected individual from spreading the disease. In cyber world, similar protection philosophy applies. A device has platform protection (like host firewall) from being attacked by compromised device in the network, or limits its attack to other network neighborhood, if compromised. Further peer isolation in the network, usually enforced in wireless network, will enhance this protection. When formulating protection, we need to think in all perspectives. ...
Read More

Design & Build #3

By cliangNo Comments
Earlier, I talked about similar. When conducting a comprehensive assessment of a facility, we should not just look at the cyber aspects but also the reliability and safety of the facility. Those exposed pipelines could be essential supply of human nessasities or dischargs of waste. If they are physically damaged (intentionally or unintentionally), these facilities will be disrupted therefore affecting normal live or even life. Physical security is also importantly in protecting the cyber components of facilities. ...
Read More

Emergency vs Privacy

By cliangNo Comments
It is common to leave contact information in passport, contact card in wallet such that under emergency situation, others could notify your family member or significant half. This will be helpful if you are travelling alone, or aged. But how do we eliminate scam? Our contact information (email, phone number) is perhaps widely shared when register for web service as 2-step authentication, product registration for warranty, leave as call back for inquiry results, or our friends' devices carrying our contacts are compromised. There is a little trick to beat against scammer by establishing a one-way trust. Put a preset phase in the emergency contact card. Pre-arrange this with your contact(s) the caller must quote this preset phase to prove the contact info is obtained from this emergency contact card but not elsewhere. ...
Read More

Bag Tag

By cliangNo Comments
It is common practice to tag your checked bag or even hand carried bag with a tag. How are you going to fill the info there? In old days, mobile communication device is rare. If you cannot find the bag at baggage claim area, you rely on transportation service provider to contact you and deliver the bag per the stated address even though you report them about lost bag. Therefore, you have to provide the accurate address and contact information. Now, the scenario is reversed. If you cannot find your checked bag, you contact the transportation service provider to locate the lost bag with ticket number assigned at check in and tell them where to send to and how to reach you. Therefore, the bag tag shall only serve an identification means and avoid putting too much privacy information (address, contact number, email) there. In addition, the tag attached to the checked bag has RFiD to track its routing through out the entire...
Read More