Accountability

To run a business, there are always business risks. It is a matter of how much risk acceptance is comfortable. Say, shoplifter will incur revenue loss of a supermarket. Therefore, protection decision is against high value goods, e.g. adding RFiD anti-theft tag. Even CCTV and guards are deployed, there might still be a chance of incidental slipping thru on goods not protected by anti-theft tag. This is risk acceptance. The business owner is fully accountable to manage these risks. That said, there should be parties with different knowledge domains to help business owner understand the inherent risks and the ultimate risk acceptance is the business owner. For risks involving regulatory compliance, these must be addressed or else putting the organization into civil or criminal offence, temporary or even permanent suspension of business license. An example is the taxi business that needs to have vehicle license for passenger, compulsory vehicle inspection, public liability insurance, emission control of exhausted...
Read More

Access Control #3

Controlling cyber (or network) access is always a main concern to limit threat vectors for lateral movement once they have gained a stepping stone within the infrastructure. The physical access aspect must not be forgotten. No matter how sophiscated controls are implemented and in place, if the core equipment is exposed to access at wish, this will defeat all these cyber controls. Bear in mind that all controls are to defer the access as much as possible. There is no bullet proof solution. A comprehensive risk assessment against the target of evaluation is very important to develop effective compensating controls. ...
Read More

Credential

It's the secret to access your protected resources in the network, or the cyber space. Therefore, you have to keep it to yourself only, traditionally. If we adopt the business continuity concept in personal life, then somehow the secret must be shared with your significant half or else the access is gone forever. Of couse, this must be arranged in advance like asset escrow but so far no credible service in the market for this cyber entity. For optimal & practical setup, use 2-step authentication (most portals now have this feature) and store the password in sealed envelop. This is a split secret arrangement. You hold the second factor with you to control access even the sealed envelop is compromised. ...
Read More

Anonymity

Privacy is a major concern nowadays. Sensitive info need to be tokenized or masked while leaving functional info unchanged during business analytic or conducting system tests. Nevertheless, a function might be uniquely provided by a particular individual within the information sample. In this case, even if the identity is masked, the functional aspect can also traced back to that particular individual. This is something like weak hashing function subject to reversible attack. This is the situation to watch out and need to voice out the limitation to data subject and data owner. ...
Read More

Certificate

Cyber Security practitioners need to acquire relevant certification or credential in demonstrating domain expertise or competency. Learning is life time process. Getting certified is not to fulfil employment but a personal acievement. Even if certified, upkeeping the field knowledge and practices is essential or else falling behind. No matter attending academic course or professional training, these are just opportunities to let you learn how to learn. The context involved is just a catalyst in doing so. Alternatively, helping peers or mentoring will also enable knowledge advancement. Therefore, never be complacent. ...
Read More

Life Cycle Management #2

Like in physical world, automation components do have life time. Example is mechanical attributes of traditional hard disk drive, they are also subject to wear-and-tear during operating life. Storage technology now uses solid state without mechanical portion, we must not forget the underlying platform and applications. Apparently they won't have wear-and-tear operating condition, but the advancement of technology adoption will introduce obsolescence of the platform and applications. From vendors perspective, they will retire products not longer fit for purposes in the market and therefore drop resources to support. Hence, even if your automation components are still operating with minimal wear and tear condition, these components will still need to be refreshed for new version, bugs / vulnerabilities fixed, continuous vendor support in order to maintain the business outcome. Proper life cycle management of the ICT/ICS components cannot be overlooked. ...
Read More

Sense of Security

This is largely based on preception and trust. How do I trust if the infrastructure or system is secure? We need to look at these core elements: Any regulatory mandate in this industry sector? Pick public transportation as example, mandatory insurance coverage, regular inspection for license renewal, periodic operator training, compliance with safety regulations etc.How well is the service provider doing among peers? Let's say, the type and severity or incidents of this provider in past years among others, rating from customer reviews and comments.How does the service provider demonstrate what has been done to secure? Common examples are personal data handling transparency via the published privacy policy, alert end user on login from other rare locations, security tips in their official portal, committed service level pledge. All the above are applied in both the physical and cyber worlds. ...
Read More

Distance

Keeping social distance is recommended to avoid virus infection of COVID-19 attack. Similarly, cyber distance takes the same concept to minimize or slow down cyber attack. The cyber distance is done by incorporating perimeters at multiple layers in network and applications. Don't forget the human awareness and usage behavior are the added layers too. ...
Read More

Broken Process

Secure process by design should be secure if operated according to prescribed scenarios. Passenger screening for human and hand-carried items before entering the departure zone deploys multiple means: Administrative: limited quantity of fluid and no sharp objects, Technical enforcement: human and bags scanning to detect violation If everything goes into departure zone thru this process, then exception can be picked up and assure the policy mandate. But what about supplies to the shops inside the zone? Do these go thru similar process? If not, it's backdoor and a broken process....
Read More

Deception

Everything on earth has good or evil perspectives, same for deception in cyber world. We heard a lot about phishing or scam that is the evil side of deception. However, there is the need for good deception in the cyber space.  To understand how threat actors penetrate or launch attacks, honeypots are established to let them take the bait.  Honeypots can be vulnerable web sites, decoy email address or decoy social network identity that are under monitoring. For vulnerable systems, researchers are able to understand the behaviors and TTP of threat actors from reconnaissance, access, ex-filtrate data, cover the track. Effective counter-measures can be developed in the cyber kill chain. For phishing, researchers are able to spot if new exploits are deployed in content rich email or attachment to masquerade the malicious attempts then alert the community. Scams from social network could also be traced to inform law enforcement agency to take down the malicious identities....
Read More