Tunnel

By cliangNo Comments
"Digital" tunnel is common in the cyber world.  The TLS (Transport Layer Security) technology is widely deployed: email server initial handshaking before start of communication, SSL (Secure Socket Layer, or https) for web browser to web server, VPN (Virtual Private Network) for point to point (or site to site) connection. All these are for the unique purpose - protect the sensitive information submitted thru untrusted network. Two key learning: Don't expect SSL is secure.  Some Internet gateway might have web-proxy in between breaking the SSL connection to intercept SSL for content inspection.  This happens in certain organizations, public free access points or regions with Internet control. Like firearms in the physical world, the usage of encryption (TLS) is a matter of for good or evil purpose: defensive or offensive.  It's the organization policies, laws & regulations to govern the proper usage. ...
Read More

Clock

By cliangNo Comments
Clock displays time of day.  Time is invisible and exists virtually.  Everyone of us has the same amount of time, no matter you're rich or not.  You can't save up time for later use, borrow time from others, nor go back in time. Everything in this universe is influenced by time - living individual getting aged, machines getting wear and tear, cutoff point in trading like stock, FX or bidding, project deadline, return of investment, interests etc.  Time is also regarded as the 4th dimension. In cyber world, time has its own unique characteristics.  In central computing like mainframe, time signal orchestrates tasks coordination across components - data fetched from storage via data bus to processor for manipulation then sent to next destination.  In decentralized computing with networked computers, time stamps the sequence of system events for trouble shooting and digital forensic. It is therefore important to maintain the clock synchronization in the network.  There are various considerations: Clock source: National lab, or...
Read More

Aurora

By cliangNo Comments
In physical world, it is beautiful scenery.  In cyber world, Aurora vulnerability refers cyber attack resulting into damage of physical components (the generator) in the electric grid. When the threat actor is able to reach the control network, repeatedly sending command for rapidly open and close a generator's circuit breakers out of phase will cause it explode. For such critical asset with severe consequence when failed, necessary cybersecurity controls shall include but not limited to these measures: Incorporate security at design stage Isolate automation components from external connections Zone components within control system network Apply least privilege principle Control physical access to critical asset Conduct regular cyber maintenance (protection updates Validate incident detection and respond readiness Equip support personnel skill set Execute periodic assessment for assurance Refresh end of life components Manage insider threat ...
Read More

Grade of Protection #2

By cliangNo Comments
Certain hotels provide safe for customers storing valuables during their stay. It is somewhat physically robust from brute force opening the door.  The door is locked with customer chosen numeric digits each time when closing.  This code will then be used to open the safe.  There are lots of articles shared in the Internet how to bypass the codes to open the safe door. In summary, lessons learned from these articles are: Improper configuration (default master access code unchanged) Lack of physical protection (because it is accessible semi-public to explore tampering opportunity; drop at a moderate height will open the door after flipping the lock handle several times) Likely come with factory console port as backdoor but intention is for good purpose to help customer unlock safe due to forgotten code The safe there is better than none but customer should be advised to use at own risk.  The latter clause shall be posted in conjunction with the safe usage instructions to disclaim...
Read More

Perimeter

By cliangNo Comments
The key difference between physical and cyber perimeters is visibility. To augment physical perimeter limitations, surveillance cameras (probably with video analytic to detect intruder) and guard patrol are required. For cyber perimeter, threat actors need to understand what are behind the Internet-facing entry point (web, remote login etc.) in order to reach the internal cyber assets.  Their first step is to conduct reconnaissance.  See Lockheed Martin, the Cyber Kill Chain® framework. Organizations nowadays must have a web presence in doing business.  The hard part is to minimize the cyber footprint.  It's a matter how well the Internet-facing entry points are configured per best practices (least privileges, exclusion from search engine, scrutinize data input, enforce server-side logic etc.) and sustaining the protection (security patches, version upgrade, hot fixes etc.).  Further, regular validation via black box, white box penetration tests are necessary for assurance....
Read More

Access Control

By cliangNo Comments
In physical world, access control is done by certain barrier that this barrier will be disabled for entry by authenticated individual. The same applies in cyber world. Access control in both worlds are to manage "honest" users but not malicious users intentionally bypassing the barrier(s).  The laws & regulations are the last resort to stop offenders....
Read More

Design & Build

By cliangNo Comments
Secure by design of ICS (Industrial Control System) is just part of the ICS life cycle.  If design is insecure, retrofit sometimes is not possible and need to rebuild from scratch again. Next is the ongoing sustainability of the cybersecurity because the ICS is only secure at that particular point in time of commissioning.  Addressing new vulnerabilities and continuous strengthening are required to keep staying cyber secure. Of course, identify the business outcomes and acceptable risks then translate into ICS cybersecurity requirements in the procurement specification is the very first step....
Read More

FUD

By cliangNo Comments
Fear, Uncertainty, Doubt (FUD) is the tactic vendors are trying to sell you their cybersecurity solution. Typically, this is done via several stages: Share damages for cyber incidents in the public like substantial fines by the Court or huge claims from customers, loss in reputation, drop in stock price, revenue loss due to business operation interruption plus other fees like investigation, containment and recovery How your other peers are doing Market share and strength of their solution from  independent analyst's ranking How their solution is able to help and protect you Certainly, having cybersecurity protection deployed is better than none but what you need to know: Limitation of the solution as there is no bullet proof protection technology Total Cost of Ownership (TCO) to operate including competent skill set and extra resources Understand how effective the protection to limit the risks and threat actors that the organization is facing because each organization has its own business priority, people and culture issues Most importantly,...
Read More

Black List, White List, Sandbox

By cliangNo Comments
Malware is the key attack act in the cyber space. Black list is used in anti-malware protection, anti-spam or web site filters for blocking the bad.  This will require frequent update of the black list definition because new species will evade the filter.  Then we don't know what we don't know. To nail down to the scenario we know what we know, white list defines trusted components or connection and permits their execution.  Examples are application white listing technology or firewall rules. So, what about something in between?  This is because either white list or black list demands regular definition update for effective protection.  Sandbox technology provides an isolated environment to execute and observe behaviors of codes to determine if hostile or not. The ideal solution is a combination of these technologies for best defense.  Of course, this is still not 100% guaranteed to be cyber secure....
Read More

Grade of Protection

By cliangNo Comments
When we deploy protection, normally it might be of civilian grade even it appears harder to break in.  If attack is originated from state-level as a targeted attack, such civilian grade countermeasure won't be effective. That is why a 360 degree assessment is needed to decide threat actors, likelihood, consequence and then the corresponding countermeasures....
Read More