Cybersecurity Transformation

By cliangNo Comments
To be successful in cybersecurity transformation, each one in the organization shall contribute as the baseline. Culture or politic in certain organizations prohibits; and this is not just applied to cybersecurity. If you SEE something need improvement and TALK about it with your boss, you'll become the issue owner to handle the resolution.  This drives the culture of don't see and don't talk.  Top  executives don't HEAR things that potentially affects the organization. The essential success factors in the transformation journey include but not limited to: Senior management buy-in Provide necessary support for sustainability (not just a slogan in the air but actually allocate dedicated resources and invest in human capital) Top-down approach to drive end result with metrics Staff own passion adaptive to the changing business environment Once the people barrier is break-thru, other process issues will then go well....
Read More

Residual Risk

By cliangNo Comments
When deploying protection or counter-measure, it is necessary to understand If new risks are introduced? Will these new risks even exceed the consequence of do nothing? An example is DLP (Data Leakage Protection, not Prevention).  It requires "super" privileges to access every resource being monitored to alert sensitive information being shared improperly.  Even though this might be a system account, mis-configuration or process weakness could exploit the DLP to leak more sensitive information to unintended recipient....
Read More

Split Knowledge

By cliangNo Comments
This is usually a means of control normally deployed in key management such that accessing privileged and critical resource requires multiple designated persons to minimize misuse of such privilege by a single person.  The simplest form is splitting a password into tokens and held by different persons. While security control is enforced, there are needs to consider: - Contingency, e.g. key person(s) is(are) not available in the case of split password.  With technology, there is m of n crypto key recovery so that availability of the selected m persons (where m <= n) can regain access - Further, this assumes all these m persons do not collaborate for malicious act...
Read More

Cryptography

By cliangNo Comments
Example in real world for cyber world. There are 2 salient points in cryptography: Algorithm (or how it works) is publicly known, source codes are even published (mechanism of the combination lock is known) Key is secret, this is the only way to access the cipher text (the combination code you have chosen to unlock) Therefore, never invent your own crypto algorithm no matter how much obfuscation you have made in the codes.  It is just security through obscurity. Of course, even a recognized (or certified) crypto will be subject to attack (online or offline) due to technology advancement over time.  Essentially, counter-measures are to increase the time attacker needs to get thru: regular password change, complex password, 2FA, adding salt and pepper in the stored hash etc....
Read More

Misplaced Control

By cliangNo Comments
Security technologies are secure but if deployed incorrectly, the intended protection will be in vain. It is necessary to have a design review and configuration check to minimize this type of issue.  Preferably, this should be done by 3rd party for independence as well as from fresh eyes. Of course, a reasonable scope of coverage has to be defined.  That's why security accreditation is at component level (e.g. encryption module) to set the boundary because how it is deployed has many variables....
Read More

Data-at-rest

By cliangNo Comments
This is one of the commonly referred information states among data-in-use and data-in-motion. Within data-at-rest, there should be further taxonomy: offline (backup provision for recovery), archival (kept as historical record and retrieved when needed) and disposal (no longer needed for business operation). Therefore, protection for all these data-at-rest taxonomy is equally important to secure the content....
Read More

Control #2

By cliangNo Comments
Most consider cybersecurity controls require hi-tech solution such as deep packet inspection, non-revisible encryption, biometric authentication with time of day usage permission, sandbox to validate behavior of unknown executables, event correlation from various log sources to trace the network traffic, data leakage detection, etc. Yes, to some degrees these are true and required.  But controls must be deployed correctly to minimize attack surface or avoid affecting other existing controls.  Further, resources are always limited in real world.  We have to deploy optimal controls.  Examples are: Preventive control - building the separation between opposite lanes is costly Detective control - the traffic camera is less costly but requires process to review events Administrative control - the double solid white lines are the most cost-effective control Notwithstanding all these control types, behind the scene they must be enforceable by regulations for consequence of violation....
Read More

USB Port Misconception

By cliangNo Comments
Most often, people said blocking USB port is a control in the company but somehow there is exception process to "authorize" company USB storage device to connect due to business reason. Two mistakes: 1. USB ports are standard I/O interface now.  There are different needs like keyboard, mouse, IP phone device using USB connection.  They cannot be blocked as a blanket directive.  The proper way to say is to manage removable media. 2. The protection objective is not clear. What is this technical control for: Limit importing malware Limit data leakage Something else With an "authorized" company USB storage device, it will be in vain for any of these cases as long as that company device is shared with other non-company computers.  This is totally outside technical control. The reality is that file exchange is always legitimate business needs.  Providing a means to facilitate secure file exchange will eliminate the use of removable media as well as getting user buy-in. The ultimate control relies on management...
Read More