Proper Usage #2

By cliangNo Comments
Security Boundary Every system has its own weakness and limitation. We can't build a total secure system practically unless it is on the shelve without any usage value. There is always the need to assess the risks to opt for optimal security controls. The key part is the "users" that they are expected to behave within the security boundary. Don't try to address ALL vulnerabilities because it is unwise and a never-ending story. Even if this is achievable, it is just a snapshot at a particular point in time. The proper approach is that Understand what are the inherent vulnerabilitiesWhat are the compensating controls surrounding the core system to reduce the likelihoodIf there are any alternate facilities to maintain the minimal business operations should bad things happen ...
Read More

Insider #2

By cliangNo Comments
Physical access requires substantial resources while visual accessibility is anywhere Industrial Control Systems (ICS) in a plant are now modernized using commodity hardware and software with networking capability to enhance overall efficiency, business analytics and to standardize skillset in plant operation plus support. With network, remote diagnostic and support are also possible to cut down the turn around time without waiting for engineer on site. Some cybersecurity practitioners put focus only on the cyber portion of the plant. This is not wrong provided that the physical aspects are equally considered at the compatible level. This is because the ICS is just a portion of the entire plant. The physical and mechanical plant conditions must also be secured. If background check is deemed necessary for O&M teams to reduce insider threat, this should also extend to the service crews (e.g. delivery, janitor), physical security guard service, contractors, vendors or even management. Most often, management level is by default granted with...
Read More

Onion Approach

By cliangNo Comments
Information protection is usually via layered defence, sometimes refers as the "onion approach". In physical world, protected contents are placed inside secure facility thru multiple control points with access granularity like site level, particular zone(s) in the site, building, equipment room and cabinet before reaching the target. When things are changed accessible from network, reliance on physical access is still required but there are added controls to the cyber portion. Layered protection counterparts are: network firewall, application firewall, middleware gateway, RBAC, multi-factor authentication. Latest concept is zero-trust (ZT): user identity (and the authorized roles), request originated from which device (and platform), via trusted or untrusted network, type of application raising the request, types of contents for access, industry compliance and latest threat intelligence are all the variables in determining the permission for access. The same onion approach applies except more complexity in setting up and maintenance of these dynamic parameters. ...
Read More

Rule or Ruler

By cliangNo Comments
As a security practitioner, providing advice in securing the organization cyber assets is the expected responsibilities and everyone in the organization has such expectation. In commercial world, resources are limited and there are always risks in business operations. Therefore, risk management is needed in an organization to prioritize resources in consistently dealing with the risks. A risk-based approach to deploy appropriate controls must be in place, i.e. objectively per organization risk matrix rather than subjectively per individual perception. After all, there won't be zero-risk business in this world. I come across a situation that a security practitioner demands uplifting the criticality of a target system just by personal feeling while the consequence does not exceed the threshold guideline per the official organization risk matrix. The escalated criticality of consequence could be legitimate because business environment or threat landscape have changed. Then the correct attitude is to revise the organization risk matrix which serves the foundation for consistent assessment. We must...
Read More

Transformation

By cliangNo Comments
Due to rapid technology advancement, business operations are always undergone transformation. A phone kiosk becomes legacy as the use case is approaching to zero. While transformation creates new jobs, it also makes other jobs extinct. Imagine when there is no need to deploy phone kiosk, job functions regarding the manufacturing line, its supply chain, sales, installation, regular maintenance are no longer needed. Therefore, the transformation shall not only viewed at the business model but also the workforce development and the mentality to accept changes are part of life. Transformation also integrates cybersecurity as part of the job function except the demand of scale and skill might be different. Never complain cybersecurity is none of your business. The positive attitude is to look into the appropriate training to adapt and manage such new challenge. ...
Read More

Deep Packet Inspection (DPI) Firewall

By cliangNo Comments
No doubt, the technology is secure. But without assessing the situation holistically, this is inconclusive. Rulesets might be wrongly set or firewall is wrongly configured, then the DPI firewall is insecure. If the connecting components are in a restricted and lock down environment, a DPI firewall is overkill and won't contribute to enhance more security. By the same token, media always exaggerate cyber threats. We must judge if such threat scenarios are likely in our environment rather than blindly doing unnecessary lock down on existing systems. An example is the ransomware attack via inactive user account thru VPN without 2-factor authentication, or authenticated users via PrintNightmare exploit. Something must be done but not to complete today. Security enhancement must be assessed, managed rather than in a piecemeal manner. The latter might even create more problems after blindly applying the counter-measures. Remember - action without plan is nightmare; plan without action is day dream. ...
Read More

Privacy

By cliangNo Comments
We have a lot of personal data exposed in the cyber world in our daily life. To name a few, the "intrusive components" are: Electronic pass for toll road: where you are heading to, or even your entire journey if throughout the itinerary, there are traffic cameras and auto toll collection pointsCCTV: inside building, public areas, dashcam in vehicles nearbyCredit card: traces back to your identify, location, amount consumed, commodity purchasedHealth monitoring device: you wear in your body to capture your health data continuously, share in the technology provider's community if you wishOperating System: sharing the diagnostic data with the technology vendor when problem occurs or during online trouble shootingWeb site cookies: IP address to geo-location of your web surfing location, your web preferenceDigital photo: modern cameras are equipped with geo-tagging The most intrusive device is your cell phone. You carry it almost all the time. It exposes your geo-location from which cell towers your phone is connecting to. What should...
Read More

Declassification

By cliangNo Comments
Confidential information is costly to maintain. Imagine all the 3 data states (data-in-motion, data-at-rest, data-in-use) will require technology and the underlying process to manage the authorized access and usage while denying otherwise. Most often except a few, sensitive information will diminish its value or impact overtime. An example of the "few" is the formula of a soft drink that remains as trade secret to standout the products from its competitors. Other than technical controls like encryption or multi-factors authentication access for digital information, there are simply regulations to protect artist work copyrights, alogrithm patent etc. that are published in public domain. Secret government documents also have expiry date to release for public interests. The declassification together with destruction process are therefore an important stage in the information lifecycle management process. Without these, the burden to maintain secrecy will increase over time and become unmanageable. ...
Read More

Enforcement #3

By cliangNo Comments
At certain situations, enforcement of policy relies on administrative control when technical controls are not feasible. But how do we ensure no offender? No, we can't. The only thing we can do is to establish consequence-based deterrent enforced by laws & regulations. The most severe deterrent is death sentence. A traffic sign prohibits vehicle longer than 10m or over 10 tones on left turn as illustrated. There is no stopping you to do so but if your truck exceeds this limit and still turning left, your truck might be trapped in the road curve blocking other road users, crashing vehicle in the opposite lane, or damaging any other third party properties. Then you are fully accountable for civil offence if negligence or criminal offence if deliberately doing so. Similarly, management always talks about how to stop insider threats in dealing with cybersecurity. The same philosophy applies - discrepancy action for employees or contractual obligation for business partners with...
Read More

Enforcement #2

By cliangNo Comments
Durnig pandemic situation, InfraRed body temperature detection technology is great - contactless, accurate, multi-persons processing, seamlessly and transparent to customers. But the illustrated scenario lacks of enforcement - persons with detected abnormal body temperature are still able to go in. A policy statement (notice at entrance) must be established to deny visit of persons with abnormal body temperature. Further, a security guard or so needs to watch the outcome of measured body temperature to enforce such policy. Without enforcement, deploying great technology doesn't make sense. This applies to cybersecurity domain as well. ...
Read More