Policy #5

By cliangNo Comments
If you are asked to formulate corporate cybersecurity policies, here are some advices: Identify key stake holders that will be affected by the to-be directivesGet support from senior management to setup a task force with the representatives from stake holdersEstablish ground rules for all members such that the policy context is consistency because the members are from different background with different interestsThe organization business environment and priorities must be clearly understood because the policies are to apply optimal controls to protect the businessThe policies must be achievable (otherwise immediately causing non-compliance or requiring permanent exception)Must also be enforceable or else just a document in the bookshelfReview if the stated measures will really make the system/infrastructure more secure or just copying academic template?Avoid ambiguity, make the context precise in the way precise generic and precise specific; Sound contradicting?Example: only organization devices are allowed to connect to the organization networkPrecise specific: organization devices ... not BYOD, not business partners'Precise generic: devices … could...
Read More

When Security System Fails

By cliangNo Comments
Security function of the business or physical process is protected by security system. Specific security system for the latter is the SIS (Safety Instrumented System). When security system fails, its intended function fails too. It could be lost of view, view being manipulated, sub-standard product produced, high value asset damage, environment pollution and most seriously human fatality. When assessing business impacts, we must not forget to assess the entire ecosystem including these auxiliary systems. ...
Read More

Broken Process

By cliangNo Comments
Secure process by design should be secure if operated according to prescribed scenarios. Passenger screening for human and hand-carried items before entering the departure zone deploys multiple means: Administrative: limited quantity of fluid and no sharp objects, Technical enforcement: human and bags scanning to detect violation If everything goes into departure zone thru this process, then exception can be picked up and assure the policy mandate. But what about supplies to the shops inside the zone? Do these go thru similar process? If not, it's backdoor and a broken process....
Read More

Deception

By cliangNo Comments
Everything on earth has good or evil perspectives, same for deception in cyber world. We heard a lot about phishing or scam that is the evil side of deception. However, there is the need for good deception in the cyber space.  To understand how threat actors penetrate or launch attacks, honeypots are established to let them take the bait.  Honeypots can be vulnerable web sites, decoy email address or decoy social network identity that are under monitoring. For vulnerable systems, researchers are able to understand the behaviors and TTP of threat actors from reconnaissance, access, ex-filtrate data, cover the track. Effective counter-measures can be developed in the cyber kill chain. For phishing, researchers are able to spot if new exploits are deployed in content rich email or attachment to masquerade the malicious attempts then alert the community. Scams from social network could also be traced to inform law enforcement agency to take down the malicious identities....
Read More

Remove, Lock, Take

By cliangNo Comments
We have lots of digital assets on the road, cell phone, notebook, removable storage media etc. There are stringent controls to secure the information inside these containers such as encryption, multi-factor authentication, location awareness, MDM, forced full tunnel VPN. Careless end users might just defeat all these controls if they are unaware they are the biggest threat in protecting information. These simple steps could help to secure: Remove your login session, i.e. logout without waiting the inactivity time out Lock your screen even if you are just turn around your head Take with you the digital asset and don't leave it unattended ...
Read More

If Not Us, Who?

By cliangNo Comments
This blog is part 2 of 2. Most of the time, people expect cybersecurity practitioners are experts to deal with cybersecurity matters.  Yes, they are and take the lead but this is only a small part of the game. For a holistic cybersecurity posture, every one plays an important role in the entire jigsaw.  This is because we are all living in the world flooding with information.  This is highly integrated into our daily life.  Every one has the responsibility to secure information in the cyber space not just as an individual but also helps the counterparts that interacted with. So if not us, it's every one....
Read More

If Not Now, When?

By cliangNo Comments
It has been used in S4x13 theme. This blog is part 1 of 2. Most often, security technology sales send security alerts to top management to demonstrate their value preposition. Top management is likely forward this "intel" to cybersecurity management team simply with "Please handle" to relieve their obligations from getting intel but do nothing. Cybersecurity management team obtains this directive, then drives the ICT/ICS workforce to apply the recommended work around (change system configuration, apply security patch) and compiles a dashboard for reporting completion status. The ICT/ICS workforce dare not to say no but to accommodate such executive order at extra work load from routine work. This isn't an effective cybersecuruty management. The proper means is to assess the threat, current protection and business consequence. The "Now, Next, Never" in S4x19 best describes the correct attitude. So, if not now, could be next or even never....
Read More

Treat or Trick

By cliangNo Comments
Halloween is coming and the tradition is once annually.  It is a children's custom of calling at houses at Halloween with the threat of pranks if they are not given a small gift. In cyber world, this happens every now and then.  You get an email saying you are being selected for award (free air ticket, free miles, lottery, an estate etc.) but you need to register or pay admin fee to claim.  If you trust such too good to be true, you are phished leading to various consequence ranging Leakage of you PII (Personal Identifiable Information) Leakage of access credential of email, ebanking or any registered web portal Financial loss Collateral damage to those you know as using your identity will increase the trust level at the 2nd degree phishing attack against your friends Criminal act as activities are executed under your identity Therefore, it's treat AND trick in cyber world.  Strengthening human awareness cannot be overlooked....
Read More

Assumption #2 (2nd topic)

By cliangNo Comments
No matter individual or enterprise, there are information stored in the cloud. The pre-requisite to use cloud is the communication line from your end point to the hosting location. Most rely the as-built cyber protections like TLS, 2-step authentication offered by the provider. No doubt, these are deemed secure. But if your information is of high value, you need to consider the appropriate level of extra layers, e.g. single tenancy, dedicated hosting location with physical access control,  further end-to-end communication encryption, database level encryption or tokenization, periodic security assessment, regular situation awareness to keep your people from being victim of spear phishing attack. All these don't mean 100% security but to demonstrate your due diligence to secure your data....
Read More

Cyber Footprint

By cliangNo Comments
We are living both in the physical and cyber worlds and these worlds are closely coupled. We have left lots of cyber footprints - posts in social media, emails to others, auto-toll road, facial recognition via video analytics by surveillance camera, RFiD cards in the pocket, cell phone IMEI with location service, electronic identity of many, purchase preference, web browsing habit, medical & education history ... not to mention those event logging.  All these can be traced back to an individual, if intended. An individual might also locate the peers from cyber world to reach out physically.  Common example is proposed contact by social network via your connected friends. Machines are also controlled by automation where these controls are "living" in the cyber world. Performance of machines are feeding back to machine learning to improve physical operational efficiency. Unless you stay in the wild completely off the grid, hunting and farming for food, using natural fuel, living in a closed & trusted community without electronic...
Read More