Enforcement #4

By cliangNo Comments
A directive must come with sensible enforcement Cybersecurity policy establishment and cybersecurity policy enforcement are usually executed independently in an organization. Normally, policy authors are more knowledgeable to stipulate the rationale behind whether explicitly or implicitly why protection are required to secure the cyber space of the organization. Enforcement team simply follow the book to provide advisories or perform compliance check. The world is not perfect and situation will drive decision if it is a policy exception or the inadequacy of policy for revision. As cybersecurity practitioner, we must exercise our professional judgment to advise pragmatic approach in helping business for policy compliance rather than just a zero or one decision. After all, a "cyber court" in an organization is uncommon where the "cyber judge" will have the final ruling. Certain cybersecurity practitioners even have mal-practice to involve Senior Management for approval without taking up professional responsibility. Senior Management should be in the informed role rather than an approval role. ...
Read More

Spare Capacity

By cliangNo Comments
Roof needs to cater for extra loading due to different weather conditions Availability is one of the protection objectives in cybersecurity. When deploying new systems, the design must cater for spare capacity. Usage patterns need to be understood too as this will surge capacity demand instantaneously. Capacity refers to bandwidth, storage, processing speed. This must be estimated in the next 3-5 years with the projected growth rate plus the peak demand, setting threshold to trigger alert to resolve the capacity issue. It can be adding more storage, or archiving historical records offline, or deleting records per corporate retention policy. It is part of system management to maintain a healthy cyber environment to run business. Otherwise, business services will be interrupted. ...
Read More

Surrealism

By cliangNo Comments
It is easy to for artists to draw something or writers compose fictions beyond imagination. Such creation even stimulates innovation that when putting into practice disrupting the industry and our life. However when writing cybersecurity policies, the directives must be pragmatically achievable and effectively enforceable. After all, policies are the internal company rules for every level to comply with. If the rules cannot be achieved, nor enforced, these rules are just a document in the bookshelf. Follow what the industry or the peers do rather than inventing something high-sounding but cannot be landed on the ground. Non-compliance will be the outcome. ...
Read More

Purpose of control

By cliangNo Comments
When we deploy control, we always have to understand what we are trying to achieve. In the illustration, if the purpose is just to prevent accidential openning of the cabinet door hurting nearby pedestrian, then something fixes the door in position suffices. There is no need to apply a lock because it will involve key management. Without proper key management, accessing the cabinet inside will be affected. As such, don't impose unnecessary and excessive controls. It won't improve but complicate the use case. ...
Read More

Dead End

By cliangNo Comments
Can't turn left nor right and no pass thru ahead Good cybersecurity policies (management directives) should avoid incorrect interpretation nor perception. Further down the road, if policies is not precise generic nor precise specific for just-right coverage - many "policy exceptions" will be resulted. The most incorrect approach is to ask the senior management to approve such exception. The whole game should be the cybersecurity Subject Matter Expert (SME) assesses the area where policies cannot be complied with. The SME shall recommend pragmatic compensating controls and grant temporary approval while senior management is in the role of being informed. We, cybersecurity practitioners, must help senior management to understand cyber risks (mostly perception), how the risks could be exploited n own specific business environment. Like the recent Log4Shell zero-day vulnerability, understand what it is rather than blindly to push applying patches, assess the likelihood of exploitability and stand firm to explain why this is not severe if there are cyber threats intelligence...
Read More

We are all just prisoners here, of our own device …

By cliangNo Comments
The lyrics from "Hotel California": the song was recorded in 1976 and the prediction is so true Disruptive technologies and their rapid advancement have changed the way we live. With proliferation of Internet hotspot (mostly free) & powerful mobile device (smaller size, powerful processor, larger storage), now everyone is able to get connected from casual reading email, browsing the web, sharing status in social media, chatting via instant message to checking flight status, exchange rates, performing critical decision like confirming high value transactions. With so much convenience, we rely heavily on this tiny device to keep our memories (contact info, photos, reminders), credentials (digital wallet, second factor authenticator) and get connected. We can't afford to lose it nor have it malfunctioned. Otherwise, we shall be handicapped in the physical world. We are now the prisoner of our device … ...
Read More

Excessive and Unnecessary Control

By cliangNo Comments
So many locks Adding control won't give you more security. I came across advices from other cybersecurity practitioner that overkills. Indeed, the insecure WiFi is part of this. The whole story is that critical system (simply the Target) is isolated from the Internet. To update the Target with security patches, new anti-malware definition, removable media (simply USB thereafter) is used to transfer the required files obtained from OEM into the Target environment. No doubt there is risk to use USB. A dedicated kiosk scanning station (simply Kiosk thereafter) is established to check for malware clearance before plugging the USB into the Target. So far, everything looks good and sensible. Because the Target using the USB is far away from the Kiosk, the cybersecurity practitioner has an innovation thought to ENSURE the USB must just been scanned by the Kiosk but not inserting a different one by human mistake. In other word, USB must be validated before loading to...
Read More

ROAM

By cliangNo Comments
Remote Office Access Method (inspired by ISAM, VSAM in old days) has undergone significant changes over the past decades due to technology advancement. The need arises to provide better efficiency for system support especially if expertise is required from overseas. In early days, when remote access is required via dumb terminal with dial up connection, call back is required to authenticate the pre-registered phone number. With routable network, 2-factor authentication via secure token is required to permit the remote session from Virtual Private Network (VPN) connection. This requires complex pre-registration of the user identity associated with the token in generating the one-time password (OTP). The evolution continues into 2-step authentication with OTP in different form factors: SMS, apps in consumer mobile device or designated email. Enrollment becomes easier with guided self-service making admin-less. Access technology is also evolving from full tunnel VPN to split tunnel VPN through Transport Layer Security (TLS) via web browser or apps in workstation with rich desktop experience as if...
Read More

WiFi

By cliang1 Comment
Getting connected to the Internet for various activities (getting updates from email, news, social media, weather, checking maps, traffic condition etc.) becomes an expected living habit due to mature technology and well established infrastructure. This need is even more when travelling around. Free or paid Internet access is available anywhere in library, hotel, airport, café, shopping malls and even inflight. Therefore WiFi cybersecurity is a concern. I have heard criticism from a cybersecurity practitioner on a single workstation (specific business function) in getting system updates via corporate guest WiFi is insecure and the connection should be switched to a 4G/5G data plan but there is no reason behind. This appears as an irrational advice. By default, Internet isn't secure whether it's WiFi or data plan. The recommendation should provide reason why it is insecure and mostly importantly practical measure to secure. If we look at this further, the insecurity from WiFi is likely due to: The infrastructure does not impose...
Read More

Do The Right Thing

By cliangNo Comments
No matter in physical or cyber world, there are facilities built for people using them to achieve certain purposes - whether paid or free. All these facilities are designed per proper usage. That said, if the assumed usage behavior is not exercised, some adverse consequence might be resulted to the facility provider or the facility user. Take Internet banking as an example. Banks always remind people to safeguard their access credential (i.e. password) to avoid account being misused: never disclose the password to 3rd party not even the Bank, mandate 2-step authentication, enforce regular changing of password, never click links from email or from social network shared by others. Further, the Bank will alert account holder via text message or email for any credit card transaction executed with physically wiping the card, impose transaction limit to 3rd parties, etc. So as an user, do the right thing as advised to keep cyber secure. That means in the Internet banking example,...
Read More