Usability

Everything is undergoing digital transformation and now resides in cyber space. Certain cybersecurity practitioners I have met overkill business operations with cyber protection, claiming it is needed to stay secure. Take the illustration above: the glass window gives the room its scenic view. Putting reinforced steel covers on it would certainly protect the glass from strong wind during adverse weather, but if the covers are closed all the time, guests will be driven away and revenue will suffer. We need to be pragmatic and accept that there are always risks to the business from various domains, and that eliminating all of them is impractical. Attempt it and you end up with "The operation was successful. The maharaja is dead." ...

Isolation

By common sense, a system isolated from the network is immune to attack over the wire, but it remains vulnerable to infected removable media the moment someone plugs one in. Just like the boat above: you don't worry about sharks, but what about the crocodile in the shallow water? As cybersecurity practitioners, we must have a holistic understanding of the target operating environment, the business objective and the adverse consequences. We should not simply say "my role looks after architecture; cyber risk, cyber operations and the other issues belong to other team mates." With that complete understanding, impose viable (not necessarily technical) controls against high-impact consequences by reducing their likelihood as far as is practical. Don't just follow textbook knowledge; it is for reference only, and must be digested into what actually applies in your own environment, so that asset owners get the recommended optimal investment rather than overkill. Adding controls only creates complication and does not guarantee more security. Indeed, more controls will demand...

“Insecure” Tunnel

An older TLS (Transport Layer Security) version is flagged as insecure by a vulnerability scanner. Certain cybersecurity practitioners decide solely on the scanner report and blindly urge the system admin to "fix" it without looking at the big picture. The scanner has zero knowledge of the system landscape, of the criticality of the system being evaluated and, most importantly, of where the scanner itself sits in the network: a finding seen from inside an isolated segment says nothing about exposure to the internet, and a finding seen from the internet should not be weighed as if it were internal. Good practice is to assess the big picture and, if it is just an internal system in a genuinely isolated environment, mark the finding as a non-issue (record the reason, and revisit it if the isolation or the system's role ever changes) and move on. Resources should go to more important things. ...

Coverage

Security technology alone cannot assure protection. It requires human judgment:
- What is the value of the target being protected? Risks to a low-value asset, or with low business impact, are simply accepted as part of the operating cost. Anti-theft RFID tags are the example: only items worth the tag get one.
- How are the controls deployed? Is each control in place properly? A gap in a control leaves a loophole.
- Most importantly, how is the control operated and sustained so that it stays effective?
Adding controls sometimes does not increase security at all, but incurs unnecessary overheads or activities that overkill the purpose. A comprehensive assessment, from design through build, deployment and regular validation, is required throughout the life cycle of the deployed cybersecurity protection. ...

Misconception

Administrative control backed by the legal system is the most effective control.
Many cybersecurity practitioners have the misconception that technical controls are the means to secure the cyber environment. They insist on encryption, MFA, session time-outs, catching up with security patches, deploying the latest version, mandating anomaly detection in the virtual environment, and so on. Sometimes excessive controls do not raise the level of security much. Even worse, new controls bring new risks, not to mention degraded productivity. A thorough understanding of the business, the cyber environment and the attack surface is the essential element, and a risk assessment is how you strike the right balance between what to invest in and which risks can be tolerated. Example #1: if the system is fully isolated, a remote exploit through the network does not matter even with a CVSS score of 10, because the attacker cannot reach it; what is left is the physical path, such as removable media, and that only holds for as long as the isolation really does. Example #2: RFID tags are not stuck on every item in the supermarket; only high-value items are tagged. That is the business risk accepted when running the self-service operating model. ...

Dynamic Policy

Written directives for cybersecurity are getting harder to formulate into policies because of the dynamic nature of the business. If they are too rigid, compliance becomes an issue; if they are too loose, forget it, because the policy will not stipulate any specific protection. Eventually the policy statement becomes conditional: instead of laying down the business logic, it states a precise, specific protection for a generic situation. An example is information protection for credit card transactions. If the transaction value exceeds a defined threshold, a further check is needed for authorization. This is implemented in the system, and the threshold is defined per cardholder from the spending profile, usual spending locations, repayment history and so on. The zero-trust access model takes a similar approach to granting access, further strengthening access to critical information assets. Last but not least, technical enforcement can always be defeated or circumvented by human factors and usage behaviour. That is why investing in situational awareness and workforce competency development matters, rather than a sole narrow focus on...
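One way to see what "conditional policy" looks like once it is implemented in the system: the rule "a transaction above the threshold needs a further check" stays fixed, while the threshold itself is computed from the cardholder's own profile. The Python below is an added example, not code from the original post or from any card issuer: the profile fields, the mean-plus-three-sigma spending rule, the tightening per missed repayment, the floor and ceiling and the sample cardholders are all this example's own constructed assumptions.

```python
"""Conditional (dynamic) policy for card-transaction authorization.

Added example, not code from the original post. The post's rule is "value above
a defined threshold needs a further check"; here the threshold is derived per
cardholder. Profile fields, the mean + 3 sigma rule, the repayment tightening,
floor/ceiling and all sample data are this example's own assumptions.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

MIN_HISTORY = 5   # fewer settled transactions than this: no profile to trust yet


@dataclass(frozen=True)
class CardholderProfile:
    card_id: str
    recent_amounts: tuple       # settled transaction amounts (order irrelevant)
    usual_countries: frozenset  # where this cardholder normally spends
    missed_repayments: int      # in the last 12 months
    floor: float = 50.0         # never step up below this: usability
    ceiling: float = 5000.0     # never allow above this without a check, whatever the profile


@dataclass(frozen=True)
class Transaction:
    card_id: str
    amount: float
    country: str


def dynamic_threshold(p):
    """Per-cardholder step-up threshold instead of one fixed number for everyone.

    Normal spend is modelled as mean + 3 sigma of recent settled amounts; each
    missed repayment tightens it; floor and ceiling clamp the result.
    """
    if len(p.recent_amounts) < MIN_HISTORY:
        limit = p.floor
    else:
        limit = mean(p.recent_amounts) + 3 * pstdev(p.recent_amounts)
    limit /= 1 + p.missed_repayments
    return max(p.floor, min(limit, p.ceiling))


def decide(tx, p):
    """Return (decision, reasons); decision is 'ALLOW', 'STEP_UP' or 'DECLINE'."""
    if tx.card_id != p.card_id:
        return "DECLINE", ["profile does not belong to this card"]
    reasons = []
    threshold = dynamic_threshold(p)
    if tx.amount > threshold:
        reasons.append(f"amount {tx.amount:.2f} above personal threshold {threshold:.2f}")
    if tx.country not in p.usual_countries:
        reasons.append(f"country {tx.country} outside usual {sorted(p.usual_countries)}")
    # Past the hard ceiling AND from an unusual place: do not even offer a step-up.
    if tx.amount > p.ceiling and len(reasons) == 2:
        return "DECLINE", reasons
    return ("STEP_UP" if reasons else "ALLOW"), reasons


# Constructed sample cardholders: same spending history, different repayment record.
HISTORY = (20, 35, 50, 42, 60, 30, 45, 55, 38, 25)
STEADY = CardholderProfile("card-A", HISTORY, frozenset({"HK"}), missed_repayments=0)
LATE_PAYER = CardholderProfile("card-B", HISTORY, frozenset({"HK"}), missed_repayments=1)
NEW_CARD = CardholderProfile("card-C", (120, 80), frozenset({"HK"}), missed_repayments=0)

if __name__ == "__main__":
    cases = (
        (Transaction("card-A", 60, "HK"), STEADY),       # routine spend at home
        (Transaction("card-B", 60, "HK"), LATE_PAYER),   # same amount, tighter profile
        (Transaction("card-A", 60, "GB"), STEADY),       # routine amount, unusual place
        (Transaction("card-A", 6000, "GB"), STEADY),     # past ceiling and abroad
        (Transaction("card-C", 55, "HK"), NEW_CARD),     # too little history
    )
    for tx, p in cases:
        print(p.card_id, tx.amount, tx.country, decide(tx, p))
```

The point the post makes shows up in the first two cases: an identical 60 in the home country is allowed for one cardholder and challenged for another, because the threshold is a property of the cardholder, not of the policy text. Zero-trust conditional access has the same shape, with device posture and sign-in context playing the role of the spending profile and the outcome being allow, step-up (MFA) or deny.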

Unnecessary Control #2

A control must be enforceable. If a control can be circumvented or bypassed, there is no point deploying it. That is why we need to keep updating systems and infrastructure to sustain their effectiveness over time, as new threats emerge. There are many examples out there in the cyber world; attack and defence compete with each other. Once on the digital journey, allocate resources to several aspects to stay secure:
- Collect threat intelligence and assess its impact on your own environment
- Assess operational risks to prioritize protection
- Maintain workforce competency and situational awareness
- Refresh obsolete technology
- Establish achievable and enforceable cybersecurity directives
...

Perimeter

When you move your content to the cloud, it is beyond your perimeter. Even if you are sure you have a dedicated cloud environment allocated to you, configuration issues, physical security and human factors can still endanger your content there. Cyber protections must be imposed properly: access control and management, encryption in all three data states (data in use, data in motion, data at rest) and, most importantly, the key management process, because encryption is only as strong as the control over who holds and can use the keys. ...

Administrative Control

Certain cybersecurity practitioners insist on imposing technical controls to secure the infrastructure/system. To some degree, yes: basic technical controls will prevent human error and low-skill attacks. But adding technical controls does not by itself make the infrastructure/system more secure. At some point, more controls will even degrade security, for a number of reasons:
- People find ways to circumvent controls that hurt their productivity (writing down complex passwords)
- A new control might introduce a new system weakness
- Extra effort is required to sustain the control's effectiveness (upgrades, backups and other housekeeping: patch, patch, patch ...)
These are always the neglected elements. Sometimes, exercising administrative control will enforce discipline internally while relying on laws and regulations externally. ...

Competency

Incompetence in reacting to a changing environment will lead to fatality.
Recently I gave a talk to local university students about cyber survivability. At the end of the session there was a Q&A. One of the students asked, "There are lots of challenges in the cyber space. Among them, what is the most serious challenge that you have met?" I told them that people are the most serious challenge. Decades ago, the human aspect was considered the weakest link in cybersecurity. Over time this has remained so; it is just that the focus has shifted. Now general users are well aware of cyber deception such as phishing and scams, and are cautious about unknown requests and things too good to be true. So why does the human aspect still apply? It is about the cybersecurity practitioners. They are supposed to be the cybersecurity leaders of an organization. They are hired to provide professional judgment in enabling a secure business environment and to steer it in the right direction...